[***] Summary: [***]

9 new OPEN, 17 new PRO (9 + 8). Win32/Delf.OKR Variant, Cobalt Strike,
CVE-2021-38647, PCRat/Gh0st CnC, Phish, Coinminers.

Thanks: @benkow_ and @travisbgreen

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033949 - ET TROJAN Win32/Delf.OKR Variant CnC M1 (trojan.rules)
2033950 - ET TROJAN Win32/Delf.OKR Variant CnC M2 (trojan.rules)
2033951 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
2033952 - ET EXPLOIT Microsoft OMI RCE Exploit Attempt (CVE-2021-38647) (exploit.rules)
2033953 - ET MALWARE Fake Software Download Redirect Leading to Malware M1 (malware.rules)
2033954 - ET MALWARE Fake Software Download Redirect Leading to Malware M2 (malware.rules)
2033955 - ET INFO Possible Microsoft OMI Agent Default TLS Certificate Observed (info.rules)
2033956 - ET INFO Inbound Powershell Creating .hta File (info.rules)
2033957 - ET INFO Inbound Powershell Creating .lnk File (info.rules)

Pro:

2849977 - ETPRO TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 108 (trojan.rules)
2849978 - ETPRO TROJAN Win32/Ratfishes Checkin M2 (trojan.rules)
2849979 - ETPRO TROJAN Malicious Powershell Sending Windows Information (POST) (trojan.rules)
2849980 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-09-15 1) (trojan.rules)
2849981 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-09-15 2) (trojan.rules)
2849982 - ETPRO CURRENT_EVENTS Successful Huntington Bank Phish 2021-09-15 (current_events.rules)
2849983 - ETPRO TROJAN Observed AZORult CnC Domain in TLS SNI (trojan.rules)
2849984 - ETPRO EXPLOIT Possible Microsoft IE Remote Code Execution Inbound M2 (CVE-2020-0674) (exploit.rules)

[///] Modified active rules: [///]

2033939 - ET TROJAN SQUIRRELWAFFLE Loader Activity (POST) (trojan.rules)
2808793 - ETPRO TROJAN Win32.Androm.cxb Requesting PE (trojan.rules)
2840517 - ETPRO EXPLOIT Possible Microsoft IE Remote Code Execution Inbound M1 (CVE-2020-0674) (exploit.rules)
2849913 - ETPRO TROJAN Generic AsyncRAT Style SSL Cert (trojan.rules)