[***] Summary: [***]
19 new OPEN, 21 new PRO (19 + 2). Multiple Cobalt Strike, Various Phishing, Raccoon Stealer
Thanks: @HONKONE_K
Proofpoint is looking to hire a Product Manager to oversee the Emerging Threats products group. Interested? Check out the posting here <https://proofpoint.wd5.myworkdayjobs.com/ProofpointCareers/job/Sunnyval…>, and reach out with any questions.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2020822 - ET INFO HTTP POST to WP Theme Directory Without Referer (info.rules)
2030515 - ET MALWARE ZoomInfo Contact Contributor Install (malware.rules)
2034398 - ET TROJAN Cobalt Strike Related Domain in DNS Lookup (akastat .app) (trojan.rules)
2034399 - ET TROJAN Observed Malicious Cobalt Strike SSL Cert (cdnengine .biz) (trojan.rules)
2034400 - ET TROJAN Observed Cobalt Strike Related Domain (azurestat .app in TLS SNI) (trojan.rules)
2034401 - ET TROJAN Cobalt Strike Related CnC Domain in DNS Lookup (akamaclouds .tech) (trojan.rules)
2034402 - ET TROJAN Cobalt Strike Activity (GET) (trojan.rules)
2034403 - ET TROJAN Observed Malicious Cobalt Strike SSL Cert (setupfastonline .com) (trojan.rules)
2034404 - ET TROJAN Cobalt Strike Related Domain in DNS Lookup (akamalupdate .site) (trojan.rules)
2034405 - ET TROJAN Cobalt Strike Related Domain in DNS Lookup (c2 .hax .vg) (trojan.rules)
2034406 - ET TROJAN Cobalt Strike Related Domain in DNS Lookup (azuresecure .tech) (trojan.rules)
2034407 - ET TROJAN Cobalt Strike Related Domain in DNS Lookup (securesurvey .cloud) (trojan.rules)
2034408 - ET TROJAN Cobalt Strike Related Domain in DNS Lookup (akabox .tech) (trojan.rules)
2034409 - ET TROJAN Cobalt Strike Related Domain in DNS Lookup (electronicwhosaleonline .com) (trojan.rules)
2034410 - ET TROJAN LNK/Agent.GX CnC Traffic (trojan.rules)
2034411 - ET CURRENT_EVENTS Successful Citibank Phish 2021-11-10 (current_events.rules)
2034412 - ET CURRENT_EVENTS Successful Generic Phish 2021-11-10 (current_events.rules)
2034413 - ET CURRENT_EVENTS Successful PlayerUnknown's Battlegrounds Phish 2021-11-10 (current_events.rules)
2034414 - ET INFO Observed Initial NKN POST Request (info.rules)
Pro:
2850394 - ETPRO TROJAN Win32/Sabsik Server Response (trojan.rules)
2850395 - ETPRO TROJAN Win32.Raccoon Stealer - Telegram Mirror Checkin (teleger .top) (trojan.rules)
[///] Modified active rules: [///]
2016223 - ET TROJAN Andromeda Checkin (trojan.rules)
2031251 - ET TROJAN Possible SombRAT Initial DNS Lookup (trojan.rules)
2034225 - ET TROJAN [CISA AA21-291A] Possible BlackMatter Ransomware Lateral Movement (trojan.rules)
2803613 - ETPRO TROJAN Trojan.Generic.6200998 User-Agent (WT) (trojan.rules)
2815142 - ETPRO TROJAN Bergard Checkin 1 (trojan.rules)
2828107 - ETPRO TROJAN DDoS.Win32/Nitol.B Checkin 5 (trojan.rules)
2850389 - ETPRO INFO Observed DNS Query to DDNS Domain .noip .com (info.rules)
2850390 - ETPRO INFO Observed DNS Query to DDNS Domain .dnsdynamic .org (info.rules)
2850391 - ETPRO INFO Observed DNS Query to DDNS Domain .sitelutions .com (info.rules)
[---] Removed rules: [---]
2020822 - ET TROJAN HTTP POST to WP Theme Directory Without Referer (trojan.rules)
2030515 - ET TROJAN ZoomInfo Contact Contributor Install (trojan.rules)
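Note that the two "Removed" SIDs (2020822 and 2030515) reappear under "Added" with the same message text but a new classification (ET TROJAN to ET INFO / ET MALWARE) and a new rules file (trojan.rules to info.rules / malware.rules). For a deployment that enables or disables rules per file rather than per SID, such a move silently changes whether the rule fires. The script below is an added example, not part of the Emerging Threats update or of any ET tooling: it parses this changelog format, detects SIDs that were moved between rules files, and reports which of them change enabled state under a local file-level disable policy. The sample text is a subset of the lines from this update; the `disabled_files` set and the function names are assumptions for the example, and the mapping between the file names printed here and the file names a rule manager such as suricata-update uses on disk is left to the caller.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the update above, in its
# exact format, so the parser can be exercised offline.
SAMPLE = """\
[+++] Added rules: [+++]
Open:
2020822 - ET INFO HTTP POST to WP Theme Directory Without Referer (info.rules)
2030515 - ET MALWARE ZoomInfo Contact Contributor Install (malware.rules)
2034398 - ET TROJAN Cobalt Strike Related Domain in DNS Lookup (akastat .app) (trojan.rules)
2034411 - ET CURRENT_EVENTS Successful Citibank Phish 2021-11-10 (current_events.rules)
Pro:
2850395 - ETPRO TROJAN Win32.Raccoon Stealer - Telegram Mirror Checkin (teleger .top) (trojan.rules)
[///] Modified active rules: [///]
2016223 - ET TROJAN Andromeda Checkin (trojan.rules)
2850389 - ETPRO INFO Observed DNS Query to DDNS Domain .noip .com (info.rules)
[---] Removed rules: [---]
2020822 - ET TROJAN HTTP POST to WP Theme Directory Without Referer (trojan.rules)
2030515 - ET TROJAN ZoomInfo Contact Contributor Install (trojan.rules)
"""

# "<sid> - <msg> (<file>.rules)"; the greedy msg group backtracks so that
# parentheses inside the message (defanged domains) are kept in msg and only
# the trailing "(x.rules)" is taken as the file.
RULE_RE = re.compile(r"^(\d+) - (.+) \(([a-z_]+\.rules)\)$")
SECTION_MARKERS = {"[+++]": "added", "[///]": "modified", "[---]": "removed"}


@dataclass(frozen=True)
class RuleChange:
    sid: int
    msg: str
    rules_file: str
    tier: str  # "open" (ET) or "pro" (ETPRO), taken from the message prefix


def parse_update(text):
    """Split an ET daily update into added / modified / removed lists."""
    changes = {"added": [], "modified": [], "removed": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        marker = line.split()[0]
        if marker in SECTION_MARKERS:
            section = SECTION_MARKERS[marker]
            continue
        if line in ("Open:", "Pro:"):
            continue  # tier is derived from the ET/ETPRO prefix instead
        m = RULE_RE.match(line)
        if m and section:
            msg = m.group(2)
            tier = "pro" if msg.startswith("ETPRO ") else "open"
            changes[section].append(RuleChange(int(m.group(1)), msg, m.group(3), tier))
    return changes


def category_moves(changes):
    """SIDs listed as both removed and added are a recategorisation, not a
    deletion. Returns sorted (sid, old_file, new_file) triples."""
    removed = {c.sid: c for c in changes["removed"]}
    moves = []
    for added in changes["added"]:
        old = removed.get(added.sid)
        if old and old.rules_file != added.rules_file:
            moves.append((added.sid, old.rules_file, added.rules_file))
    return sorted(moves)


def enablement_changes(changes, disabled_files):
    """Given a local policy that disables whole rules files (assumed here to be
    a set of changelog file names such as {"info.rules"}), report SIDs whose
    effective state flips because the rule moved between files."""
    flips = []
    for sid, old_file, new_file in category_moves(changes):
        was_on = old_file not in disabled_files
        now_on = new_file not in disabled_files
        if was_on != now_on:
            flips.append((sid, "enabled" if now_on else "disabled"))
    return flips


if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    for sid, old, new in category_moves(parsed):
        print(f"{sid}: {old} -> {new}")
    for sid, state in enablement_changes(parsed, {"info.rules"}):
        print(f"{sid} is now {state} under the local policy")
```

Run against the full text of an update, `category_moves` lists every SID that changed file, and `enablement_changes` flags the ones that a file-level disable list (here, a policy that turns off info.rules) would now treat differently; per-SID suppressions and thresholds are unaffected by a move, since the SID is unchanged.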