[***] Summary: [***]
4 new OPEN, 18 new PRO (4 + 14). Lazarus, Mirai, Valyria Maldoc, Others.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2033132 - ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) (trojan.rules)
2033133 - ET INFO Office Doc Retrieving Shortened URL (bit .do) (info.rules)
2033134 - ET INFO URL Shortening Service Used by Curl (ic9 .in) (info.rules)
2033135 - ET TROJAN Observed Lazarus Maldoc CnC Domain (shopweblive .com in TLS SNI) (trojan.rules)
Pro:
2848897 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 108 (mobile_malware.rules)
2848898 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 109 (mobile_malware.rules)
2848899 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 110 (mobile_malware.rules)
2848900 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848901 - ETPRO TROJAN Observed Reversed EXE String Inbound (This Program...) (trojan.rules)
2848902 - ETPRO TROJAN ELF/Mirai Variant CnC Command Inbound (trojan.rules)
2848903 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-09 1) (trojan.rules)
2848904 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-09 2) (trojan.rules)
2848905 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-09 3) (trojan.rules)
2848906 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-09 4) (trojan.rules)
2848907 - ETPRO CURRENT_EVENTS Successful Orange Phish 2021-06-10 (current_events.rules)
2848908 - ETPRO TROJAN Valyria Maldoc Activity (GET) (trojan.rules)
2848909 - ETPRO POLICY Observed Filesharing Domain (privatlab .com in TLS SNI) (policy.rules)
2848910 - ETPRO CURRENT_EVENTS Successful Unicredit Phish 2021-06-10 (current_events.rules)
[///] Modified active rules: [///]
2010645 - ET POLICY User-Agent (Launcher) (policy.rules)
2015914 - ET CURRENT_EVENTS Possible Successful Phish - Other Credentials Nov 21 2012 (current_events.rules)
2016327 - ET CURRENT_EVENTS Possible Successful Phish - Generic POST to myform.php Feb 01 2013 (current_events.rules)
2017754 - ET CURRENT_EVENTS Possible Successful Phish - Other Credentials Nov 25 2013 (current_events.rules)
2021761 - ET CURRENT_EVENTS Possible Successful Phish - Generic Status Messages Sept 11 2015 (current_events.rules)
2021890 - ET CURRENT_EVENTS Successful Phish Outlook Credentials Oct 01 2015 (current_events.rules)
2022487 - ET CURRENT_EVENTS Successful Phishing Attempt via GetGoPhish Phishing Tool (current_events.rules)
2023137 - ET CURRENT_EVENTS Possible Successful Phish to .tk domain Aug 26 2016 (current_events.rules)
2024377 - ET CURRENT_EVENTS Generic Credit Card Information in HTTP POST - Possible Successful Phish Jun 12 2017 (current_events.rules)
2024470 - ET INFO HTTP POST to Free Webhost - Possible Successful Phish (site40 . net) Jul 18 2017 (info.rules)
2024541 - ET CURRENT_EVENTS Possible Successful Phish - Verify Email Error Message M1 Aug 14 2017 (current_events.rules)
2025000 - ET CURRENT_EVENTS Possible Successful Phish to Hostinger Domains Apr 4 M4 (current_events.rules)
2026516 - ET CURRENT_EVENTS Possible Successful Phish - Generic Credential POST to Ngrok.io (current_events.rules)
2026749 - ET CURRENT_EVENTS Suspicious Generic Login - Possible Successful Phish 2019-01-02 (current_events.rules)
2027146 - ET POLICY Possible Successful Phish - Password Submitted to *.000webhostapp.com (policy.rules)
2029656 - ET CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M2 (current_events.rules)
2030574 - ET CURRENT_EVENTS Possible Successful Phish - Saved Website Comment Observed (current_events.rules)
2031566 - ET CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing (current_events.rules)
2031568 - ET CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M3 (current_events.rules)
2031571 - ET CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M4 (current_events.rules)
2031572 - ET CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M6 (current_events.rules)
2031579 - ET CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M7 (current_events.rules)
2031750 - ET CURRENT_EVENTS Successful Phish Fake Document Loading Error 2015-07-27 (current_events.rules)
2031835 - ET CURRENT_EVENTS Successful Phish Gmail Recovery Information 2015-10-01 (current_events.rules)
2031882 - ET CURRENT_EVENTS Possible Successful Phish (Google/Dropbox/Netflix) 2015-07-11 (current_events.rules)
2032015 - ET POLICY Tripod/Lycos Form Submission - Possible Successful Phish (policy.rules)
2032041 - ET CURRENT_EVENTS Successful Phish OWA Credentials 2016-08-16 (current_events.rules)
2032244 - ET CURRENT_EVENTS Possible Successful Phish - Generic Form Names 2016-09-16 (current_events.rules)
2032377 - ET CURRENT_EVENTS Possible Successful Phish to Hostinger Domains M1 2016-04-04 (current_events.rules)
2032378 - ET CURRENT_EVENTS Possible Successful Phish to Hostinger Domains M2 2016-04-04 (current_events.rules)
2032379 - ET CURRENT_EVENTS Possible Successful Phish to Hostinger Domains M3 2016-04-04 (current_events.rules)
2032380 - ET CURRENT_EVENTS Possible Successful Phish to Hostinger Domains M5 2016-04-04 (current_events.rules)
2032458 - ET CURRENT_EVENTS Tectite Web Form Submission - Possible Successful Phish (current_events.rules)
2032677 - ET CURRENT_EVENTS Successful Phish to Compromised Wordpress Site 2016-03-23 (current_events.rules)
2033107 - ET TROJAN QuasarRAT/zgRAT C2 Activity (trojan.rules)
2826709 - ETPRO INFO Data Submitted to Weebly.com - Possible Successful Phish (info.rules)
2826914 - ETPRO INFO Form Submitted to Form2pay.com - Possible Successful Phish Jun 28 2017 (info.rules)
2828327 - ETPRO CURRENT_EVENTS Successful Phish - Generic Processing Message Oct 17 2017 (current_events.rules)
2828824 - ETPRO INFO Suspicious HTTP Credential Post to IP Address - Possible Successful Phish (info.rules)
2830001 - ETPRO CURRENT_EVENTS Possible Successful Phish - Generic Credit Card Information 2018-03-14 (current_events.rules)
2844001 - ETPRO CURRENT_EVENTS Possible Generic Microsoft Hosted Successful Phish 2020-08-13 (current_events.rules)
2844774 - ETPRO CURRENT_EVENTS Possible Successful Phish Hosted on Beget.Tech (current_events.rules)
2847613 - ETPRO CURRENT_EVENTS Possible Successful Phishing - Credentials Sent via AJAX in JSON Blob (current_events.rules)
[///] Modified inactive rules: [///]
2030172 - ET CURRENT_EVENTS Possible Successful Phish to NOIP DynDNS Domain (current_events.rules)
2030173 - ET CURRENT_EVENTS Possible Successful Phish to ChangeIP Dynamic DNS Domain (current_events.rules)
2030174 - ET CURRENT_EVENTS Possible Successful Phish to Afraid.org Top 100 Dynamic DNS Domain (current_events.rules)
2031561 - ET CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M5 (current_events.rules)
2814188 - ETPRO CURRENT_EVENTS Successful Phish Yale Credentials Oct 1 (current_events.rules)
2815089 - ETPRO CURRENT_EVENTS Successful Phish Yale Credentials Nov 24 (current_events.rules)
2815831 - ETPRO CURRENT_EVENTS Form Submission to Ezweb123.com - Possible Successful Phish Jan 15 (current_events.rules)
2821652 - ETPRO INFO Webform Submitted via webnode.fr - Possible Successful Phish Aug 15 2016 (info.rules)
2821746 - ETPRO CURRENT_EVENTS Possible Successful Phish via Wix.com M1 Aug 18 2016 (current_events.rules)
2821747 - ETPRO CURRENT_EVENTS Successful Phish via Wix.com M2 Aug 18 2016 (current_events.rules)
2822342 - ETPRO CURRENT_EVENTS Possible Successful Phish to Hostinger Domains Sep 30 2016 (current_events.rules)
2823602 - ETPRO CURRENT_EVENTS Possible Successful Phish via imcreator.com / imxprs.com Dec 02 2016 (current_events.rules)
[---] Disabled rules: [---]
2021176 - ET TROJAN Bladabindi/njRAT CnC Command (ll) (trojan.rules)
[---] Removed rules: [---]
2825562 - ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (ll) (trojan.rules)
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team