[***] Summary: [***]
12 new OPEN, 18 new PRO (12 + 6). Lockbit, NSO Pegasus, and TakeMyFile.
Thanks @Unit42_Intel and @ShadowChasing1
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2033858 - ET INFO Office Retrieving .rtf (GET) (info.rules)
2033859 - ET ACTIVEX Suspicious Request to iplogger .org Contains Period (activex.rules)
2033860 - ET INFO Lockbit Ransomware Related Domain in DNS Lookup (decoding .at) (info.rules)
2033861 - ET INFO Lockbit Ransomware Related Domain in DNS Lookup (bigblog .at) (info.rules)
2033862 - ET INFO Lockbit Ransomware Related Domain in DNS Lookup (lockbit-decryptor .com) (info.rules)
2033863 - ET INFO Lockbit Ransomware Related Domain in DNS Lookup (lockbit-decryptor .top) (info.rules)
2033864 - ET TROJAN Observed Pegasus Domain (hooklevel .com in TLS SNI) (trojan.rules)
2033865 - ET TROJAN Observed Pegasus Domain (api1r3f4 .redirectweburl .com in TLS SNI) (trojan.rules)
2033866 - ET TROJAN Observed DNS Query to Pegasus Domain (start-anew .net) (trojan.rules)
2033867 - ET TROJAN Observed DNS Query to Pegasus Domain (news-now .co) (trojan.rules)
2033868 - ET TROJAN Observed DNS Query to Pegasus Domain (reunionlove .net) (trojan.rules)
2033869 - ET TROJAN Observed DNS Query to Pegasus Domain (helpusfind .biz) (trojan.rules)
Pro:
2849812 - ETPRO TROJAN AutoIt Script Activity (GET) (trojan.rules)
2849813 - ETPRO MALWARE TakeMyFile Installer Checkin (malware.rules)
2849814 - ETPRO MALWARE TakeMyFile User-Agent (malware.rules)
2849815 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2849816 - ETPRO TROJAN ELF/Multiverze CnC Checkin (trojan.rules)
2849817 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish 2021-09-01 (current_events.rules)
[///] Modified active rules: [///]
2017935 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12 SET (trojan.rules)
2018007 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 17 (trojan.rules)
2018032 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 19 (trojan.rules)
2018193 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 30 (trojan.rules)
2020607 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 48 (trojan.rules)
2020614 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 55 (trojan.rules)
2020696 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 61 (trojan.rules)
2020775 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 74 (trojan.rules)
2020788 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 87 (trojan.rules)
2020792 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 91 (trojan.rules)
2849811 - ETPRO EXPLOIT Possible Confluence OGNL Injection Inbound (CVE-2021-26084) (exploit.rules)
[---] Disabled and modified rules: [---]
2033761 - ET TROJAN SiameseKitten/Lyceum/Hexane MSIL/Shark Response - 1 Byte XOR Key (trojan.rules)