[***] Summary: [***]

22 new OPEN, 39 new PRO (22 + 17). Cobalt Strike, SNIcat, FIN8, Others.

Thanks @_brettfitz, @DanielGallagher

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033795 - ET TROJAN GCleaner Downloader Activity M4 (trojan.rules)
2033796 - ET TROJAN Cobalt Strike Malleable C2 (Custom Profile) (trojan.rules)
2033797 - ET TROJAN Observed Cobalt Strike CnC Domain (windowsupdatesc .com in TLS SNI) (trojan.rules)
2033798 - ET TROJAN Observed Cobalt Strike CnC Domain (securityupdateav .com in TLS SNI) (trojan.rules)
2033799 - ET TROJAN Observed Cobalt Strike CnC Domain (defenderupdateav .com in TLS SNI) (trojan.rules)
2033800 - ET TROJAN SNIcat - Detected C2 Commands (LIST) (trojan.rules)
2033801 - ET TROJAN SNIcat - Detected C2 Commands (LS) (trojan.rules)
2033802 - ET TROJAN SNIcat - Detected C2 Commands (SIZE) (trojan.rules)
2033803 - ET TROJAN SNIcat - Detected C2 Commands (LD) (trojan.rules)
2033804 - ET TROJAN SNIcat - Detected C2 Commands (CB) (trojan.rules)
2033805 - ET TROJAN SNIcat - Detected C2 Commands (CD) (trojan.rules)
2033806 - ET TROJAN SNIcat - Detected C2 Commands (EX) (trojan.rules)
2033807 - ET TROJAN SNIcat - Detected C2 Commands (ALIVE) (trojan.rules)
2033808 - ET TROJAN SNIcat - Detected C2 Commands (EXIT) (trojan.rules)
2033809 - ET TROJAN SNIcat - Detected C2 Commands (finito) (trojan.rules)
2033810 - ET MALWARE Cobalt Strike Beacon (Custom Wordpress Profile) (malware.rules)
2033811 - ET TROJAN FIN8 SARDONIC CnC Domain in DNS Lookup (api-cdn .net) (trojan.rules)
2033812 - ET TROJAN FIN8 SARDONIC CnC Domain in DNS Lookup (git-api .com) (trojan.rules)
2033813 - ET TROJAN FIN8 SARDONIC CnC Domain in DNS Lookup (api-cdnw5 .net) (trojan.rules)
2033814 - ET TROJAN W32/Witch.3FA0!tr CnC Activity (trojan.rules)
2033815 - ET CURRENT_EVENTS Javascript Displays malicious download page (current_events.rules)
2033816 - ET CURRENT_EVENTS Javascript Click and Removal of Download Element (current_events.rules)

Pro:

2849757 - ETPRO TROJAN Cobalt Strike Malleable C2 Profile (Baidu Logo) (trojan.rules)
2849758 - ETPRO INFO Observed Google Apps Script Usage (info.rules)
2849759 - ETPRO TROJAN Win.Trojan.Hupigon-8559 Checkin M2 (trojan.rules)
2849760 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2849761 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2849762 - ETPRO MALWARE Observed Malvertising Script Usage (malware.rules)
2849765 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-08-25 1) (trojan.rules)
2849766 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-08-25 2) (trojan.rules)
2849767 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-08-25 3) (trojan.rules)
2849768 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-08-25 4) (trojan.rules)
2849769 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-08-25 5) (trojan.rules)
2849770 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-08-25 6) (trojan.rules)
2849771 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-08-25 7) (trojan.rules)
2849772 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-08-25 8) (trojan.rules)
2849773 - ETPRO TROJAN Win32/Remcos RAT Checkin 745 (trojan.rules)

[///] Modified active rules: [///]

2030111 - ET TROJAN Observed Default CobaltStrike SSL Certificate (trojan.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team