[***] Summary: [***]

8 new OPEN, 22 new PRO (8 + 14). Ursnif, FIN7, AsyncRAT, Others.

Thanks @Anomali.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033859 - ET INFO Suspicious Request to iplogger .org Contains Period (info.rules)
2033895 - ET TROJAN Win32/Enemyfear Stealer Exfil (trojan.rules)
2033896 - ET MALWARE ThunderUnion Install Checkin (malware.rules)
2033897 - ET TROJAN FIN7 Related CnC Domain in DNS Lookup (tnskvggujjqfcskwk .com) (trojan.rules)
2033898 - ET TROJAN FIN7 Related CnC Domain in DNS Lookup (bypassociation .com) (trojan.rules)
2033899 - ET TROJAN Go/Hack Browser Data Exfil Attempt (trojan.rules)
2033900 - ET MALWARE Observed Honeygain Domain (api .honeygain .com in TLS SNI) (malware.rules)
2033901 - ET TROJAN Observed DNS Query to herominers Domain (herominers .com) (trojan.rules)

Pro:

2849837 - ETPRO INFO Image Download From Google Script Redirect (info.rules)
2849838 - ETPRO INFO Image Download From Google Script Redirect (info.rules)
2849839 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2849840 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2849841 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-09-03 1) (trojan.rules)
2849842 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-09-03 2) (trojan.rules)
2849843 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-09-03 3) (trojan.rules)
2849844 - ETPRO CURRENT_EVENTS Successful US IRS Phish 2021-09-03 (current_events.rules)
2849845 - ETPRO TROJAN Win32/Agent.mytwin CnC Activity (trojan.rules)
2849846 - ETPRO TROJAN Win32/Agent.mytwin CnC Command Inbound (trojan.rules)
2849847 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)

[+++] Enabled and modified rules: [+++]

2017913 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 7 (trojan.rules)
2020606 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 47 (trojan.rules)
2020764 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 63 (trojan.rules)
2020767 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 66 (trojan.rules)
2020769 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 68 (trojan.rules)
2020771 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 70 (trojan.rules)
2021716 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 (trojan.rules)
2023611 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 107 (trojan.rules)

[///] Modified active rules: [///]

2017548 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 3 (trojan.rules)
2017707 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 4 (trojan.rules)
2017876 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 5 (trojan.rules)
2017877 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 6 (trojan.rules)
2017914 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 8 (trojan.rules)
2017915 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 9 (trojan.rules)
2017916 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 10 (trojan.rules)
2017934 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 11 (trojan.rules)
2017935 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12 SET (trojan.rules)
2017936 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12 (trojan.rules)
2017938 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 13 (trojan.rules)
2017944 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 14 (trojan.rules)
2017974 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 15 (trojan.rules)
2017988 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 16 (trojan.rules)
2018007 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 17 (trojan.rules)
2018013 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 18 (trojan.rules)
2018032 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 19 (trojan.rules)
2018054 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 20 (trojan.rules)
2018057 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 21 (trojan.rules)
2018069 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 22 (trojan.rules)
2018075 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 23 (trojan.rules)
2018076 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 24 (trojan.rules)
2018077 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 25 (trojan.rules)
2018085 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 26 (trojan.rules)
2018153 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 27 (trojan.rules)
2018166 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 28 (trojan.rules)
2018181 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 29 (trojan.rules)
2018193 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 30 (trojan.rules)
2018287 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 31 (trojan.rules)
2018485 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32 (trojan.rules)
2018486 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 33 (trojan.rules)
2018487 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 34 (trojan.rules)
2018488 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 35 (trojan.rules)
2018636 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 36 (trojan.rules)
2018637 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 37 (trojan.rules)
2018638 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 38 (trojan.rules)
2018639 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 39 (trojan.rules)
2018880 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 40 (trojan.rules)
2019083 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 41 (trojan.rules)
2019602 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 43 (trojan.rules)
2020214 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 44 (trojan.rules)
2020371 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 45 (trojan.rules)
2020586 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 46 (trojan.rules)
2020607 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 48 (trojan.rules)
2020608 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 49 (trojan.rules)
2020609 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 50 (trojan.rules)
2020610 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 51 (trojan.rules)
2020611 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 52 (trojan.rules)
2020612 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 53 (trojan.rules)
2020613 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 54 (trojan.rules)
2020614 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 55 (trojan.rules)
2020691 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 56 (trojan.rules)
2020692 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 57 (trojan.rules)
2020693 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 58 (trojan.rules)
2020694 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 59 (trojan.rules)
2020695 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 60 (trojan.rules)
2020696 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 61 (trojan.rules)
2020763 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 62 (trojan.rules)
2020765 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 64 (trojan.rules)
2020766 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 65 (trojan.rules)
2020768 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 67 (trojan.rules)
2020770 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 69 (trojan.rules)
2020772 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 71 (trojan.rules)
2020773 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 72 (trojan.rules)
2020774 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 73 (trojan.rules)
2020775 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 74 (trojan.rules)
2020776 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 75 (trojan.rules)
2020777 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 76 (trojan.rules)
2020778 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 77 (trojan.rules)
2020780 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 79 (trojan.rules)
2020781 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 80 (trojan.rules)
2020782 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 81 (trojan.rules)
2020783 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 82 (trojan.rules)
2020784 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 83 (trojan.rules)
2020785 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 84 (trojan.rules)
2020786 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 85 (trojan.rules)
2020787 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 86 (trojan.rules)
2020788 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 87 (trojan.rules)
2020789 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 88 (trojan.rules)
2020790 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 89 (trojan.rules)
2020791 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 90 (trojan.rules)
2020792 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 91 (trojan.rules)
2020793 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 92 (trojan.rules)
2020794 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 93 (trojan.rules)
2020795 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 94 (trojan.rules)
2020796 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 95 (trojan.rules)
2020797 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 96 (trojan.rules)
2020798 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 97 (trojan.rules)
2020799 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 98 (trojan.rules)
2020800 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 99 (trojan.rules)
2021012 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 100 (trojan.rules)
2021065 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 101 (trojan.rules)
2021753 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 103 (trojan.rules)
2022401 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 104 (trojan.rules)
2022773 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 105 (trojan.rules)
2023349 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 106 (trojan.rules)
2849818 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-09-02 (current_events.rules)

[///] Modified inactive rules: [///]

2020779 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 78 (trojan.rules)
2022885 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 106 (trojan.rules)

[---] Removed rules: [---]

2033859 - ET ACTIVEX Suspicious Request to iplogger .org Contains Period (activex.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team