[***] Summary: [***]
14 new OPEN, 32 new PRO (14 + 18). Win32/PlagueBot, ELF/Facefish, Android/Agent.BQX, Others.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2033099 - ET TROJAN MSIL/NoCry Ransomware Checkin Via Discord (trojan.rules)
2033100 - ET TROJAN Win32/PlagueBot User-Agent (trojan.rules)
2033101 - ET ATTACK_RESPONSE OpenVASVT RCE Test String in HTTP Request Inbound (attack_response.rules)
2033102 - ET ATTACK_RESPONSE OpenVASVT RCE Test String in HTTP Request Outbound (attack_response.rules)
2033103 - ET TROJAN ETag HTTP Header Observed at JPCERT Sinkhole (trojan.rules)
2033104 - ET TROJAN ETag HTTP Header Observed at CNCERT Sinkhole (trojan.rules)
2033105 - ET TROJAN Known Sinkhole Response Header (trojan.rules)
2033106 - ET TROJAN Known Sinkhole Response Header (trojan.rules)
2033107 - ET TROJAN QuasarRAT/zgRAT C2 Activity (trojan.rules)
2033108 - ET TROJAN zgRAT Activity (trojan.rules)
2033109 - ET TROJAN ELF/Facefish Empty Payload (set) (trojan.rules)
2033110 - ET TROJAN ELF/Facefish Server Response (201) (trojan.rules)
2033111 - ET TROJAN ELF/Facefish Client Response (202) (trojan.rules)
2033112 - ET TROJAN ELF/Facefish Session Closing (400) (trojan.rules)
Pro:
2848841 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 103 (mobile_malware.rules)
2848842 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 104 (mobile_malware.rules)
2848843 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 105 (mobile_malware.rules)
2848844 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 106 (mobile_malware.rules)
2848845 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848846 - ETPRO TROJAN Win32/PlagueBot CnC Checkin (trojan.rules)
2848847 - ETPRO MALWARE Win32/PlagueBot CnC Server Response (malware.rules)
2848848 - ETPRO TROJAN Win32/PlagueBot CnC Server Response (trojan.rules)
2848849 - ETPRO TROJAN Win32/PlagueBot CnC Activity (trojan.rules)
2848850 - ETPRO TROJAN Win32/PlagueBot CnC Server Command Response (trojan.rules)
2848851 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-04 1) (trojan.rules)
2848852 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-04 2) (trojan.rules)
2848853 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-04 3) (trojan.rules)
2848854 - ETPRO TROJAN Kimsuky Related Maldoc Sending Windows App Information (GET) (trojan.rules)
2848855 - ETPRO CURRENT_EVENTS Successful Docusign Phish 2021-06-07 (current_events.rules)
2848856 - ETPRO MALWARE Android/Jiagu Variant Activity (GET) (malware.rules)
2848857 - ETPRO CURRENT_EVENTS Successful Dropbox Phish 2021-06-07 (current_events.rules)
2848858 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-06-07 (current_events.rules)
[///] Modified active rules: [///]
2013254 - ET TROJAN Yandexbot Request Outbound (trojan.rules)
2032978 - ET SCAN Google Webcrawler User-Agent (Mediapartners-Google) (scan.rules)
2032979 - ET SCAN Yandex Webcrawler User-Agent (YandexBot) (scan.rules)
2032980 - ET SCAN DuckDuckGo Webcrawler User-Agent (DuckDuckBot) (scan.rules)
2032981 - ET SCAN Bing Webcrawler User-Agent (BingBot) (scan.rules)
2032982 - ET SCAN Naver Webcrawler User-Agent (Naver.me) (scan.rules)
2033002 - ET SCAN Baidu Spider Webcrawler User Agent - inbound (scan.rules)
2807167 - ETPRO POLICY Baidu Spider Crawler User-Agent (baiduspider) (policy.rules)
2846421 - ETPRO WEB_SPECIFIC_APPS PHPUnit Arbitrary Code Execution (CVE-2017-9841) M1 (web_specific_apps.rules)
[///] Modified inactive rules: [///]
2002828 - ET POLICY Googlebot User Agent (policy.rules)
2002832 - ET POLICY Yahoo Crawler User Agent (policy.rules)
2002833 - ET SCAN Yahoo Crawler Crawl (scan.rules)
2013253 - ET POLICY Yandexbot Request Inbound (policy.rules)
[---] Removed rules: [---]
2836270 - ETPRO TROJAN QuasarRAT/zgRAT C2 Activity (trojan.rules)
2848425 - ETPRO TROJAN zgRAT Activity (trojan.rules)
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team