[***] Summary: [***]

27 new OPEN, 34 new PRO (27 + 7). FlawedGrace, Cobalt Strike,
Win32/Netwire, Others.

Thanks @fr0s7_, @Jane_0stin, @ptsecurity, @s1ckb017, @StamusN, @rcwht_

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034066 - ET USER_AGENTS Suspicious User-Agent (USERAGENT)
(user_agents.rules)
2034067 - ET TROJAN Linux/Sutersu Rootkit CnC Domain in DNS Lookup
(trojan.rules)
2034068 - ET TROJAN Linux/Sutersu Rootkit CnC Domain in DNS Lookup
(trojan.rules)
2034069 - ET TROJAN Linux/Sutersu Rootkit CnC Domain in DNS Lookup
(trojan.rules)
2034070 - ET TROJAN Linux/Sutersu Rootkit CnC Domain in DNS Lookup
(trojan.rules)
2034071 - ET TROJAN Linux/Sutersu Rootkit CnC Domain in DNS Lookup
(trojan.rules)
2034072 - ET TROJAN Linux/Sutersu Rootkit CnC Domain in DNS Lookup
(trojan.rules)
2034073 - ET TROJAN Linux/Sutersu Rootkit CnC Domain in DNS Lookup
(trojan.rules)
2034074 - ET TROJAN Linux/Sutersu Rootkit CnC Domain in DNS Lookup
(trojan.rules)
2034075 - ET TROJAN Linux/Sutersu Rootkit CnC Domain in DNS Lookup
(trojan.rules)
2034076 - ET TROJAN ChamelGang Related CnC Domain in DNS Lookup
(newtrendmicro .com) (trojan.rules)
2034077 - ET TROJAN ChamelGang Related CnC Domain in DNS Lookup
(centralgoogle .com) (trojan.rules)
2034078 - ET TROJAN ChamelGang Related CnC Domain in DNS Lookup
(microsoft-support .net) (trojan.rules)
2034079 - ET TROJAN ChamelGang Related CnC Domain in DNS Lookup
(cdn-chrome .com) (trojan.rules)
2034080 - ET TROJAN ChamelGang Related CnC Domain in DNS Lookup
(mcafee-upgrade .com) (trojan.rules)
2034081 - ET TROJAN Cobalt Strike Activity (GET) (trojan.rules)
2034082 - ET TROJAN Cobalt Strike Activity (GET) (trojan.rules)
2034083 - ET TROJAN Win32/Fake Anti-Pegasus AV CnC Exfil (trojan.rules)
2034084 - ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST
(JPEG) (malware.rules)
2034085 - ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST (PNG)
(malware.rules)
2034086 - ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST
(RIFF) (malware.rules)
2034087 - ET TROJAN Gamaredon Related Maldoc Activity (GET) (trojan.rules)
2034088 - ET TROJAN ELF/MachO.Netwire Connectivity Check (trojan.rules)
2034089 - ET TROJAN W32.Netwire Connectivity Check (trojan.rules)
2034090 - ET POLICY External IP Lookup via ad4989 .co .kr (policy.rules)
2034091 - ET TROJAN MirrorBlast Downloader Activity (trojan.rules)
2034092 - ET EXPLOIT File Sharing Wizard 1.5.0 - POST SEH Overflow
Inbound (CVE-2019-16724) (exploit.rules)

Pro:

2850092 - ETPRO TROJAN MSIL/Masloa.gen CnC Exfil (trojan.rules)
2850093 - ETPRO TROJAN PowerShell/MSF Stager Inbound (trojan.rules)
2850094 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-10-01
(current_events.rules)
2850095 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-09-30 1) (trojan.rules)
2850096 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-09-30 2) (trojan.rules)
2850097 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-09-30 3) (trojan.rules)
2850098 - ETPRO TROJAN FlawedGrace CnC Activity M1 (trojan.rules)

[///] Modified active rules: [///]

2841350 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-03-04
(current_events.rules)
2850088 - ETPRO CURRENT_EVENTS BulletProofLink Form POST M1
(current_events.rules)
2850089 - ETPRO CURRENT_EVENTS BulletProofLink Form POST M2
(current_events.rules)

[---] Removed rules: [---]

2804051 - ETPRO USER_AGENTS Suspicious User-Agent (USERAGENT)
(user_agents.rules)
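
As an added example (not part of this ET notice or of any Proofpoint tooling), a small Python parser for the notice format above: it re-joins entries the mailer wrapped across lines, splits each into SID, category, message and rules file, refangs the spaced-out CnC domains (e.g. "newtrendmicro .com") into usable IOCs, and cross-checks the number of listed Open and Pro entries against the counts claimed in the summary line. The embedded sample is a constructed subset of this notice, with the summary numbers adjusted to match that subset; the function names and output structure are this example's own choices.

```python
"""Parse an Emerging Threats daily ruleset notice and sanity-check it (added example)."""
import re

# Constructed sample: a subset of entries from the notice above, with the
# summary line adjusted so its counts match this subset (3 open, 1 pro-only).
SAMPLE_NOTICE = """\
[***] Summary: [***]

3 new OPEN, 4 new PRO (3 + 1). FlawedGrace, Cobalt Strike,
Win32/Netwire, Others.

[+++] Added rules: [+++]

Open:

2034076 - ET TROJAN ChamelGang Related CnC Domain in DNS Lookup
(newtrendmicro .com) (trojan.rules)
2034084 - ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST
(JPEG) (malware.rules)
2034090 - ET POLICY External IP Lookup via ad4989 .co .kr (policy.rules)

Pro:

2850098 - ETPRO TROJAN FlawedGrace CnC Activity M1 (trojan.rules)

[///] Modified active rules: [///]

2850088 - ETPRO CURRENT_EVENTS BulletProofLink Form POST M1
(current_events.rules)

[---] Removed rules: [---]

2804051 - ETPRO USER_AGENTS Suspicious User-Agent (USERAGENT)
(user_agents.rules)
"""

# Section markers exactly as they appear in the notice, mapped to a tag.
SECTION_HEADERS = {
    "[+++] Added rules: [+++]": "added",
    "Open:": "added_open",
    "Pro:": "added_pro",
    "[///] Modified active rules: [///]": "modified",
    "[---] Removed rules: [---]": "removed",
}
SID_PREFIX_RE = re.compile(r"^\d{7} - ")
ENTRY_RE = re.compile(r"^(\d{7}) - (ET(?:PRO)? [A-Z_]+) (.*) \(([a-z_]+\.rules)\)$")
SUMMARY_RE = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")
# Defanged domains appear as "label .tld" with a space before every dot.
DEFANGED_RE = re.compile(r"\b([a-z0-9-]+(?: \.[a-z0-9-]+)+)\b")


def _logical_lines(text):
    """Re-join entries the mailer wrapped: a new entry starts with a 7-digit SID."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS or SID_PREFIX_RE.match(line):
            out.append(line)
        elif out and SID_PREFIX_RE.match(out[-1]):
            out[-1] += " " + line          # continuation of the previous entry
        else:
            out.append(line)
    return out


def parse_notice(text):
    """Return (summary, entries): claimed counts from the summary line, plus one dict per rule."""
    summary, section, entries = None, None, []
    for line in _logical_lines(text):
        m = SUMMARY_RE.search(line)
        if m and summary is None:
            o, p_total, o_again, p_only = map(int, m.groups())
            summary = {"open": o, "pro_total": p_total, "pro_only": p_only, "open_in_pro": o_again}
            continue
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        m = ENTRY_RE.match(line)
        if m:
            sid, category, msg, rules_file = m.groups()
            entries.append({
                "sid": int(sid), "section": section, "category": category,
                "msg": msg, "rules_file": rules_file,
                # refang "newtrendmicro .com" -> "newtrendmicro.com"
                "domains": [d.replace(" ", "") for d in DEFANGED_RE.findall(msg)],
            })
    return summary, entries


def check_counts(summary, entries):
    """Compare the summary's claimed Open / Pro-only counts with what is actually listed."""
    actual = {
        "open": sum(e["section"] == "added_open" for e in entries),
        "pro_only": sum(e["section"] == "added_pro" for e in entries),
    }
    if summary is None:
        return ["summary line not found"], actual
    problems = []
    if summary["open"] != actual["open"]:
        problems.append(f"open: claimed {summary['open']}, listed {actual['open']}")
    if summary["pro_only"] != actual["pro_only"]:
        problems.append(f"pro-only: claimed {summary['pro_only']}, listed {actual['pro_only']}")
    if summary["pro_total"] != summary["open"] + summary["pro_only"]:
        problems.append("pro total does not equal open + pro-only")
    return problems, actual


if __name__ == "__main__":
    summary, entries = parse_notice(SAMPLE_NOTICE)
    problems, actual = check_counts(summary, entries)
    print("claimed:", summary, "listed:", actual, "problems:", problems or "none")
    for e in entries:
        print(e["sid"], e["section"], e["category"], e["rules_file"], e["domains"])
```

Feed the full notice text to `parse_notice` to get a per-SID record set for ticketing or to diff against the sids already loaded in your sensor; the refanged `domains` list is what you would push into a DNS blocklist or a threat-intel platform.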

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
