[***] Summary: [***]

17 new OPEN, 47 new PRO (17 + 30). Stealbit, APT-C-48, Gamaredon, Others.

Thanks @James_inthe_box, @imp0rtp3, @NinjaOperator, @shadowchasing1,
@aaqeel87

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033717 - ET TROJAN GoBrut/StealthWorker Requesting Brute Force List (flowbit set) (trojan.rules)
2033718 - ET TROJAN GoBrut/StealthWorker Service Bruter CnC Activity (trojan.rules)
2033719 - ET TROJAN GoBrut/StealthWorker Service Bruter CnC Checkin (trojan.rules)
2033720 - ET TROJAN Unknown Chinese Threat Actor Malicious Redirect Activity (trojan.rules)
2033721 - ET TROJAN Unknown Chinese Threat Actor CnC Domain in DNS Lookup (trojan.rules)
2033722 - ET TROJAN Gamaredon CnC Domain in DNS Lookup (office360-expert .online) (trojan.rules)
2033723 - ET TROJAN Gamaredon Maldoc Activity (GET) (trojan.rules)
2033724 - ET TROJAN APT-C-48 Related CnC Domain in DNS Lookup (ntc-pk .sytes .net) (trojan.rules)
2033725 - ET TROJAN APT-C-48 Related Activity Retrieving ConsoleHost (GET) (trojan.rules)
2033726 - ET TROJAN APT-C-48 Related CnC Domain in DNS Lookup (nitb .pk-gov .org) (trojan.rules)
2033727 - ET TROJAN Stealbit Variant Data Exfil M1 (trojan.rules)
2033728 - ET TROJAN Stealbit Variant Data Exfil M2 (trojan.rules)
2033729 - ET POLICY Observed DNS Query to IP Lookup Domain (me .shodan .io) (policy.rules)
2033730 - ET MOBILE_MALWARE Android Vultr Checkin (mobile_malware.rules)
2033731 - ET TROJAN PCRat/Gh0st CnC Beacon Request (Xfire variant) (trojan.rules)
2033732 - ET TROJAN Win32/PSW.Agent.OMP Variant CnC Activity (trojan.rules)
2033733 - ET EXPLOIT Microsoft Windows VBScript Engine VbsErase Memory Corruption (CVE-2019-0667) (exploit.rules)

Pro:

2849613 - ETPRO POLICY N-Able Technologies Attiva Agent Repair Alert via SMTP (policy.rules)
2849614 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2849615 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-08-13 1) (trojan.rules)
2849616 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-08-13 2) (trojan.rules)
2849617 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-08-13 3) (trojan.rules)
2849618 - ETPRO INFO Possible System Info String in POST Body (PCName) (info.rules)
2849619 - ETPRO INFO Possible System Info String in POST Body (CPU) (info.rules)
2849620 - ETPRO INFO Possible System Info String in POST Body (GPU) (info.rules)
2849621 - ETPRO INFO Possible System Info String in POST Body (RAM) (info.rules)
2849622 - ETPRO INFO Possible System Info String in POST Body (Screen Resolution) (info.rules)
2849623 - ETPRO INFO Possible System Info String in POST Body (System Language) (info.rules)
2849624 - ETPRO INFO Possible System Info String in POST Body (PC Time) (info.rules)
2849625 - ETPRO INFO Suspicious Reversed Registry Key String Inbound (info.rules)
2849626 - ETPRO TROJAN Reversed WScript CLSID Inbound (trojan.rules)
2849627 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 176 (mobile_malware.rules)
2849628 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 177 (mobile_malware.rules)
2849629 - ETPRO TROJAN MSIL/Agent.WV Variant Screenshot Upload (trojan.rules)
2849630 - ETPRO TROJAN MSIL/Agent.WV Variant Checkin (trojan.rules)
2849631 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 178 (mobile_malware.rules)
2849632 - ETPRO CURRENT_EVENTS Possible Netlify Hosted Phishing Request M1 (current_events.rules)
2849633 - ETPRO CURRENT_EVENTS Possible Netlify Hosted Phishing Request M2 (current_events.rules)
2849634 - ETPRO CURRENT_EVENTS Observed Possible Netlify Hosted Phishing Domain (current_events.rules)
2849635 - ETPRO CURRENT_EVENTS Possible Netlify Hosted Phishing Landing 2021-08-13 M1 (current_events.rules)
2849636 - ETPRO CURRENT_EVENTS Yahoo Phishing Landing 2021-08-13 (current_events.rules)
2849637 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2021-08-13 (current_events.rules)
2849638 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-08-13 (current_events.rules)

[///] Modified active rules: [///]

2828015 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-09-20 5) (trojan.rules)
2830844 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-05-14 15) (trojan.rules)
2830856 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-05-15 4) (trojan.rules)
2832254 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-08-21 3) (trojan.rules)
2833045 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-10-10 2) (trojan.rules)
2833869 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-12-10 4) (trojan.rules)
2834839 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-02-12 1) (trojan.rules)
2835023 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-02-25 4) (trojan.rules)
2835760 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-04-08 6) (trojan.rules)
2848084 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-08 8) (trojan.rules)
2848111 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-09 3) (trojan.rules)
2848359 - ETPRO TROJAN RMS Checkin via SMTP (trojan.rules)
2848572 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-18 7) (trojan.rules)
2848574 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-18 9) (trojan.rules)
2848704 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-24 5) (trojan.rules)
2848798 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-02 13) (trojan.rules)
2848871 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-07 4) (trojan.rules)
2849071 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-24 3) (trojan.rules)
2849113 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-29 1) (trojan.rules)
2849493 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-29 1) (trojan.rules)
2849611 - ETPRO TROJAN Win32/Gminer CnC Checkin (trojan.rules)

[---] Removed rules: [---]

2017457 - ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 1 (info.rules)
2017458 - ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 2 (info.rules)
2017459 - ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 3 (info.rules)
2017460 - ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 4 (info.rules)
2834368 - ETPRO TROJAN GoBrut Requesting Brute Force List (flowbit set) (trojan.rules)
2836433 - ETPRO TROJAN GoBrut Service Bruter CnC Activity (trojan.rules)
2836434 - ETPRO TROJAN GoBrut Service Bruter CnC Checkin (trojan.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team