[***] Summary: [***]

3 new OPEN, 12 new PRO (3 + 9). Cobalt Strike, Various CVEs, PowerShell
Maldoc Activity, Others.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034031 - ET TROJAN Maldoc Sending Windows System Information (POST)
(trojan.rules)
2034032 - ET TROJAN Win32/Sabsik.FL.B!ml CnC Activity (trojan.rules)
2034033 - ET EXPLOIT Possible Citrix ShareFile RCE Inbound
(CVE-2021-22941) (exploit.rules)

Pro:

2850052 - ETPRO TROJAN Observed CobaltStrike Domain (wsus-link .global
.ssl .fastly .net in TLS SNI) (trojan.rules)
2850053 - ETPRO CURRENT_EVENTS Successful Generic Phish Hosted at
pythonanywhere .com 2021-09-27 (current_events.rules)
2850054 - ETPRO CURRENT_EVENTS Observed BNZ Phishing Landing Page
2021-09-27 (current_events.rules)
2850055 - ETPRO EXPLOIT VMWare vCenter RCE Exploitation Attempt
(CVE-2021-22005) (exploit.rules)
2850056 - ETPRO TROJAN Win32/Aenjaris.ROC!MTB CnC Checkin (trojan.rules)
2850057 - ETPRO TROJAN Unk.MalDoc/PowerShell Loader CnC Checkin
(trojan.rules)
2850058 - ETPRO TROJAN Unk.MalDoc/PowerShell Loader CnC Activity
(trojan.rules)
2850059 - ETPRO MALWARE Cobalt Strike CnC Domain (malware.rules)
2850060 - ETPRO TROJAN Win32/Remcos RAT Checkin 753 (trojan.rules)

[///] Modified active rules: [///]

2849995 - ETPRO TROJAN Win32/Stelega.cgm/BluStealer SysInfo Exfil via
Telegram (trojan.rules)
2849996 - ETPRO TROJAN Win32/Stelega.cgm/BluStealer Files Exfil via
Telegram (trojan.rules)
2850051 - ETPRO TROJAN MSIL/Spy.Agent.AES CnC Exfil (trojan.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
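The added/modified lists above follow a fixed layout (SID, dash, `ET`/`ETPRO` prefix, category, rule name, rule file in parentheses), with long names wrapped onto a continuation line and indicator domains defanged by a space before each dot ("pythonanywhere .com"). The parser below is an added example, not Emerging Threats' or Proofpoint's code: it turns a digest like this one into structured entries so the SIDs can be checked against a deployed ruleset or cross-checked against the "N new OPEN, M new PRO" summary line. The sample input is constructed from entries in this mail, keeping the original wrapping; the layout conventions it relies on are assumptions drawn from this digest, not a documented format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a fragment of the digest above, keeping the mail's own
# line wrapping so the parser has to re-join continuation lines.
SAMPLE_DIGEST = """\
[+++] Added rules: [+++]

Open:

2034031 - ET TROJAN Maldoc Sending Windows System Information (POST)
(trojan.rules)
2034033 - ET EXPLOIT Possible Citrix ShareFile RCE Inbound
(CVE-2021-22941) (exploit.rules)

Pro:

2850052 - ETPRO TROJAN Observed CobaltStrike Domain (wsus-link .global
.ssl .fastly .net in TLS SNI) (trojan.rules)
2850054 - ETPRO CURRENT_EVENTS Observed BNZ Phishing Landing Page
2021-09-27 (current_events.rules)

[///] Modified active rules: [///]

2850051 - ETPRO TROJAN MSIL/Spy.Agent.AES CnC Exfil (trojan.rules)
"""

SECTION_RE = re.compile(r"^\[(?:\+\+\+|///)\]\s+(Added|Modified)\b")
ENTRY_RE = re.compile(r"^(\d+) - (.*)$")            # "2034031 - ET TROJAN ..."
RULEFILE_RE = re.compile(r"\(([\w.-]+\.rules)\)\s*$")  # trailing "(trojan.rules)"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class RuleEntry:
    sid: int
    section: str      # "added" or "modified"
    tier: str         # "open" (ET prefix) or "pro" (ETPRO prefix)
    category: str     # e.g. "TROJAN", "EXPLOIT", "CURRENT_EVENTS"
    msg: str          # rule name after the "ET <CATEGORY>" prefix, refanged
    rulefile: str     # e.g. "trojan.rules"
    cves: list = field(default_factory=list)


def refang(text):
    """Undo the digest's defanging: a space before each dot ('pythonanywhere .com')."""
    return re.sub(r"(?<=\S)\s+\.(?=\w)", ".", text)


def _build(sid, fragments, section):
    joined = " ".join(f.strip() for f in fragments)   # re-join wrapped lines
    m = RULEFILE_RE.search(joined)
    if m is None:
        raise ValueError(f"sid {sid}: missing (<file>.rules) suffix: {joined!r}")
    body = joined[: m.start()].strip()
    prefix, category, msg = body.split(None, 2)
    if prefix not in ("ET", "ETPRO"):
        raise ValueError(f"sid {sid}: unexpected prefix {prefix!r}")
    return RuleEntry(sid=int(sid), section=section,
                     tier="open" if prefix == "ET" else "pro",
                     category=category, msg=refang(msg),
                     rulefile=m.group(1), cves=CVE_RE.findall(msg))


def parse_digest(text):
    """Return a RuleEntry for every SID in the added/modified sections."""
    entries = []
    section = None      # set once a [+++]/[///] header has been seen
    current = None      # (sid, [lines]) of the entry being assembled

    def flush():
        nonlocal current
        if current is not None:
            entries.append(_build(current[0], current[1], section))
            current = None

    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            flush()
            section = header.group(1).lower()
            continue
        entry = ENTRY_RE.match(line)
        if entry and section:
            flush()
            current = (entry.group(1), [entry.group(2)])
        elif current is not None and line:
            current[1].append(line)   # wrapped continuation (may start with digits)
        else:
            flush()                   # blank line or an "Open:"/"Pro:" label
    flush()
    return entries


def count_added(entries):
    """(open, pro) counts of added rules, to cross-check the digest summary line."""
    added = [e for e in entries if e.section == "added"]
    return (sum(e.tier == "open" for e in added), sum(e.tier == "pro" for e in added))


if __name__ == "__main__":
    parsed = parse_digest(SAMPLE_DIGEST)
    for e in parsed:
        print(f"{e.sid} {e.section:8} {e.tier:4} {e.category:14} {e.rulefile:21} {e.msg}")
    print("added (open, pro):", count_added(parsed))
```

Note that a continuation line can itself start with digits (the wrapped date in the BNZ phishing entry), so the entry regex requires the literal " - " separator rather than just a leading number; the tier is taken from the `ET`/`ETPRO` prefix rather than the "Open:"/"Pro:" labels because the modified-rules section carries no such labels.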
