[***] Summary: [***]
10 new OPEN, 16 new PRO (10 + 6): BulletProofLink Phishkit, Cobalt Strike DNS, WIRTE APT, and STRRAT.
Thanks @TheDFIRReport, @twinwavesec, @Securelist
If you enjoy digging into pcaps, making threat actors have a bad day, and giving back to the community, you should come create IDS signatures with us. https://t.co/rqnzCGdo7B
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2034547 - ET TROJAN MSIL/Bobik CnC Traffic (trojan.rules)
2034548 - ET USER_AGENTS Suspicious User-Agent (test-upload) (user_agents.rules)
2034549 - ET POLICY owncloud .online Hosted Site Observed in TLS SNI (policy.rules)
2034550 - ET POLICY Owncloud Observed Self Signed TLS Certificate (policy.rules)
2034551 - ET TROJAN Cobalt Strike Related Domain in DNS Lookup (checkauj .com) (trojan.rules)
2034552 - ET POLICY Observed DNS Query to Cloudflare Lookalike Domain (trycloudflare .com) (policy.rules)
2034553 - ET CURRENT_EVENTS Possible BulletProofLink Phishkit Activity - Retrieving Images (current_events.rules)
2034554 - ET CURRENT_EVENTS Possible BulletProofLink Phishkit Activity - Retrieving Resources (current_events.rules)
2034555 - ET CURRENT_EVENTS Possible BulletProofLink Phishkit Activity - Redirect (current_events.rules)
2034556 - ET CURRENT_EVENTS BulletProofLink Phishkit Template (current_events.rules)
Pro:
2850574 - ETPRO ATTACK_RESPONSE Obfuscated VBS Inbound - Chr, Heavy Concat, Replace (attack_response.rules)
2850575 - ETPRO TROJAN Win32/Remcos RAT Checkin 762 (trojan.rules)
2850576 - ETPRO TROJAN WIRTE APT Group Activity (trojan.rules)
2850577 - ETPRO TROJAN EtterSilent Requesting Payload (trojan.rules)
2850578 - ETPRO TROJAN STRRAT Initial HTTP Activity (trojan.rules)
2850579 - ETPRO TROJAN Emotet CnC Beacon (trojan.rules)
[///] Modified active rules: [///]
2025261 - ET CURRENT_EVENTS Generic Phishing Landing M2 2018-01-29 (current_events.rules)
2025658 - ET CURRENT_EVENTS Generic Phishing Landing M1 2017-02-13 (current_events.rules)
2814213 - ETPRO TROJAN LatentBot/GrayBird CnC Checkin (trojan.rules)
2839393 - ETPRO TROJAN VNCStartServer BOT Variant CnC Beacon (trojan.rules)