[***] Summary: [***]

25 new OPEN, 51 new PRO (25 + 26): Flubot, Cobalt Strike, DecryptMyFiles, and Ursnif.

Thanks @malwrhunterteam

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2032971 - ET MOBILE_MALWARE Android Flubot / LIKEACHARM Stealer Exfil (POST) 2 (mobile_malware.rules)
2032972 - ET TROJAN Observed Win32/Ymacco.AA36 User-Agent (trojan.rules)
2032973 - ET INFO Possible ELF executable sent when remote host claims to send a Text File (info.rules)
2032974 - ET TROJAN Possible Cobalt Strike Server Response (trojan.rules)
2032975 - ET TROJAN Cobalt Strike Malleable C2 Profile (Teams) M1 (trojan.rules)
2032976 - ET TROJAN Cobalt Strike Malleable C2 Profile (Teams) M2 (trojan.rules)
2032977 - ET TROJAN Win32/RiskWare.YouXun.AD CnC Activity (trojan.rules)
2032978 - ET POLICY Google Webcrawler User-Agent (Mediapartners-Google) (policy.rules)
2032979 - ET POLICY Yandex Webcrawler User-Agent (YandexBot) (policy.rules)
2032980 - ET POLICY DuckDuckGo Webcrawler User-Agent (DuckDuckBot) (policy.rules)
2032981 - ET POLICY Bing Webcrawler User-Agent (BingBot) (policy.rules)
2032982 - ET POLICY Naver Webcrawler User-Agent (Naver.me) (policy.rules)
2032983 - ET INFO HTTP Request to a *.date domain (info.rules)
2032984 - ET INFO HTTP Request to a *.cam domain (info.rules)
2032985 - ET INFO HTTP Request to a *.surf domain (info.rules)
2032986 - ET INFO HTTP Request to a *.asia domain (info.rules)
2032987 - ET INFO HTTP Request to a *.tw domain (info.rules)
2032988 - ET INFO HTTP Request to a *.ml domain (info.rules)
2032989 - ET INFO HTTP Request to a *.gq domain (info.rules)
2032990 - ET INFO HTTP Request to a *.ga domain (info.rules)
2032991 - ET INFO HTTP Request to a *.buzz domain (info.rules)
2032992 - ET TROJAN Observed Malicious SSL Cert (WastedLoader CnC) (trojan.rules)
2032993 - ET TROJAN Observed Malicious SSL Cert (WastedLoader CnC) (trojan.rules)
2032994 - ET TROJAN DecryptmyFiles Ransomware CnC (POST) (trojan.rules)
2032995 - ET TROJAN Observed DecryptmyFiles Ransomware User-Agent (uniquesession) (trojan.rules)

Pro:

2848563 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848564 - ETPRO TROJAN ELF/Mirai Variant CnC Checkin (trojan.rules)
2848565 - ETPRO TROJAN Ursnif Variant CnC Beacon 14 (trojan.rules)
2848566 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-18 1) (trojan.rules)
2848567 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-18 2) (trojan.rules)
2848568 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-18 3) (trojan.rules)
2848569 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-18 4) (trojan.rules)
2848570 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-18 5) (trojan.rules)
2848571 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-18 6) (trojan.rules)
2848572 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-18 7) (trojan.rules)
2848573 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-18 8) (trojan.rules)
2848574 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-18 9) (trojan.rules)
2848575 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-18 10) (trojan.rules)
2848576 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-18 11) (trojan.rules)
2848577 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-18 12) (trojan.rules)
2848578 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-18 13) (trojan.rules)
2848579 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-18 14) (trojan.rules)
2848580 - ETPRO TROJAN Win32/Huelar CnC Checkin via SMTP (trojan.rules)
2848581 - ETPRO TROJAN Win32/Huelar Template 1 Active - Outbound Malicious Email Spam (trojan.rules)
2848582 - ETPRO TROJAN Win32/Huelar Template 2 Active - Outbound Malicious Email Spam (trojan.rules)
2848583 - ETPRO TROJAN Win32/Huelar Template 3 Active - Outbound Malicious Email Spam (trojan.rules)
2848584 - ETPRO TROJAN Win32/Huelar Template 4 Active - Outbound Malicious Email Spam (trojan.rules)
2848585 - ETPRO TROJAN Win32/Huelar Template 5 Active - Outbound Malicious Email Spam (trojan.rules)
2848586 - ETPRO POLICY Observed DNS Query for Israel Domain (.il) (policy.rules)
2848587 - ETPRO POLICY Observed DNS Query for Palestine Domain (.ps) (policy.rules)
2848588 - ETPRO TROJAN Win32/Agent.ULI Variant CnC Activity (trojan.rules)

[///] Modified active rules: [///]

2031445 - ET MOBILE_MALWARE Android Flubot / LIKEACHARM Stealer Exfil (POST) (mobile_malware.rules)
2807167 - ETPRO POLICY Baidu Spider Crawler User-Agent (baiduspider) (policy.rules)

[///] Modified inactive rules: [///]

2002828 - ET POLICY Googlebot User Agent (policy.rules)
2002832 - ET POLICY Yahoo Crawler User Agent (policy.rules)
