[***] Summary: [***]
5 new OPEN, 9 new PRO (5 + 4). DonotGroup, Dridex, Emotet, Various Others.
Thanks @ShadowChasing1, @TrendMicroRSRCH
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2034542 - ET TROJAN Dridex CnC Request - Spam/Worm Component (trojan.rules)
2034543 - ET TROJAN Win32/InfoTester Checkin (trojan.rules)
2034544 - ET TROJAN DonotGroup Related Domain in DNS Lookup (wordfile .live) (trojan.rules)
2034545 - ET TROJAN DonotGroup Maldoc Activity (GET) (trojan.rules)
2034546 - ET TROJAN Datoploader Activity M2 (GET) (trojan.rules)
Pro:
2850556 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-11-24 (current_events.rules)
2850557 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-11-24 (current_events.rules)
2850558 - ETPRO TROJAN PowerShell/MSF Stager Inbound (trojan.rules)
2850559 - ETPRO TROJAN Office Macro Emotet Download URI Nov 24 2021 (trojan.rules)
[///] Modified active rules: [///]
2014002 - ET TROJAN Fake Variation of Mozilla 4.0 - Likely Trojan (trojan.rules)
2028867 - ET POLICY Vulnerable Java Version 11.0.x Detected (policy.rules)
2034045 - ET CURRENT_EVENTS BulletProofLink Phishkit Activity (GET) (current_events.rules)
2034046 - ET CURRENT_EVENTS BulletProofLink Phishkit Activity (POST) (current_events.rules)
2034047 - ET CURRENT_EVENTS BulletProofLink Phishkit Password-Processing URL (current_events.rules)
2850088 - ETPRO CURRENT_EVENTS BulletProofLink Form POST M1 (current_events.rules)
2850089 - ETPRO CURRENT_EVENTS BulletProofLink Form POST M2 (current_events.rules)
[///] Modified inactive rules: [///]
2034533 - ET TROJAN Dridex Dotted Quad CnC Request (flowbit set) (trojan.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team