[***] Summary: [***]
8 new OPEN, 38 new PRO (8 + 30). REvil, Andariel, Android/Agent.BQX,
NightFury.
Thanks @James_inthe_box and @360CoreSec
As some may have noticed, there was an update earlier in the day.
That update resolved some false positives being seen for two of
the new Ursnif rules released yesterday.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2033205 - ET TROJAN REvil Exfil SFTP Certificate Inbound (trojan.rules)
2033206 - ET TROJAN Valyria Downloader Activity (trojan.rules)
2033207 - ET TROJAN Andariel Backdoor Activity (Checkin) (trojan.rules)
2033208 - ET EXPLOIT ForgeRock Access Manager RCE (CVE-2021-35464) (exploit.rules)
2033209 - ET MALWARE Reborn Stealer 2021 Exfil attempt via Telegram (malware.rules)
2033210 - ET EXPLOIT ForgeRock Access Manager RCE (CVE-2021-35464) (exploit.rules)
2033211 - ET TROJAN QuasarRAT/zgRAT C2 Activity (set) (trojan.rules)
2033212 - ET TROJAN zgRAT Activity M2 (trojan.rules)
Pro:
2849124 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2849125 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-30 1) (trojan.rules)
2849126 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-30 2) (trojan.rules)
2849127 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-30 3) (trojan.rules)
2849128 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-30 4) (trojan.rules)
2849129 - ETPRO POLICY Observed Windows Printer Spooler Activity - Add Printer Driver (policy.rules)
2849130 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 130 (mobile_malware.rules)
2849131 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 131 (mobile_malware.rules)
2849132 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 132 (mobile_malware.rules)
2849133 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 133 (mobile_malware.rules)
2849134 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 134 (mobile_malware.rules)
2849135 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 135 (mobile_malware.rules)
2849136 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 136 (mobile_malware.rules)
2849137 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 137 (mobile_malware.rules)
2849138 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 138 (mobile_malware.rules)
2849139 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 139 (mobile_malware.rules)
2849140 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 140 (mobile_malware.rules)
2849141 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 141 (mobile_malware.rules)
2849142 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 142 (mobile_malware.rules)
2849143 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 144 (mobile_malware.rules)
2849144 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 145 (mobile_malware.rules)
2849145 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 146 (mobile_malware.rules)
2849146 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 147 (mobile_malware.rules)
2849147 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-06-30 (current_events.rules)
2849148 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 148 (mobile_malware.rules)
2849149 - ETPRO TROJAN NightFury CnC Checkin (trojan.rules)
2849150 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 149 (mobile_malware.rules)
2849151 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 150 (mobile_malware.rules)
2849152 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 151 (mobile_malware.rules)
2849153 - ETPRO TROJAN MSIL/Unk.SusPK RAT CnC Checkin (trojan.rules)
[///] Modified active rules: [///]
2033203 - ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) (trojan.rules)
2033204 - ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) (trojan.rules)
2024837 - ET TROJAN [PTsecurity] Ursnif Encoded Payload Inbound (trojan.rules)
2033107 - ET TROJAN QuasarRAT/zgRAT C2 Activity (set) (trojan.rules)
2033197 - ET TROJAN NightfallGT Mercurial Grabber (trojan.rules)
2827272 - ETPRO CURRENT_EVENTS Possible Ursnif TOR Module DL 32-bit (current_events.rules)
2827273 - ETPRO CURRENT_EVENTS Possible Ursnif TOR Module DL 64-bit (current_events.rules)
2828152 - ETPRO TROJAN Ursnif Malicious SSL Certificate Detected (trojan.rules)
2830035 - ETPRO TROJAN Ursnif Payload Request 2018-03-19 M1 (trojan.rules)
2830036 - ETPRO TROJAN Ursnif Payload Request 2018-03-19 M2 (trojan.rules)
2831183 - ETPRO TROJAN Observed Malicious SSL Cert (URLZone/Ursnif CnC) (trojan.rules)
2834885 - ETPRO CURRENT_EVENTS Ursnif Injects Domain in TLS SNI (current_events.rules)
2834886 - ETPRO CURRENT_EVENTS Ursnif Injects Domain in TLS SNI (current_events.rules)
2834904 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2837114 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif Worker CnC) (trojan.rules)
2841326 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif Injects CnC) (trojan.rules)