[***] Summary: [***]

39 new OPEN, 51 new PRO (39 + 12). Multiple Android droppers, Cobalt Strike, CEELOADER, Various Vulnerabilities.

Thanks: Kevin Ross

Proofpoint is looking to hire a Product Manager to oversee the Emerging Threats products group. Interested? Check out the posting here<https://proofpoint.wd5.myworkdayjobs.com/ProofpointCareers/job/Sunnyval…;, and reach out with any questions.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034591 - ET MOBILE_MALWARE Trojan-Dropper.AndroidOS.Anatsa Checkin (mobile_malware.rules)

2034592 - ET MOBILE_MALWARE Android Brunhilda Dropper (protectionguardapp .club in DNS Lookup) (mobile_malware.rules)

2034593 - ET MOBILE_MALWARE Android Brunhilda Dropper (protectionguardapp .club in TLS SNI) (mobile_malware.rules)

2034594 - ET MOBILE_MALWARE Android Brunhilda Dropper (readyqrscanner .club in DNS Lookup) (mobile_malware.rules)

2034595 - ET MOBILE_MALWARE Android Brunhilda Dropper (readyqrscanner .club in TLS SNI) (mobile_malware.rules)

2034596 - ET MOBILE_MALWARE Android Brunhilda Dropper (flowdivison .club in DNS Lookup) (mobile_malware.rules)

2034597 - ET MOBILE_MALWARE Android Brunhilda Dropper (flowdivison .club in TLS SNI) (mobile_malware.rules)

2034598 - ET MOBILE_MALWARE Android Brunhilda Dropper (multifuctionscanner .club in DNS Lookup) (mobile_malware.rules)

2034599 - ET MOBILE_MALWARE Android Gymdrop Dropper (onlinefitnessanalysis .com in DNS Lookup) (mobile_malware.rules)

2034600 - ET MOBILE_MALWARE Android Brunhilda Dropper (multifuctionscanner .club in TLS SNI) (mobile_malware.rules)

2034601 - ET MOBILE_MALWARE Android Gymdrop Dropper (onlinefitnessanalysis .com in TLS SNI) (mobile_malware.rules)

2034602 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034603 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034604 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034605 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034606 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034607 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034608 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034609 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034610 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034611 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034612 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034613 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034614 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034615 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034616 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034617 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034618 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034619 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034620 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034621 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2034622 - ET TROJAN NOBELIUM (TA421) CnC Domain in DNS Lookup (trojan.rules)

2034623 - ET TROJAN NOBELIUM (TA421) CnC Domain in DNS Lookup (trojan.rules)

2034624 - ET TROJAN NOBELIUM (TA421) CEELOADER CnC Domain in DNS Lookup (trojan.rules)

2034625 - ET TROJAN NOBELIUM (TA421) CEELOADER CnC Domain in DNS Lookup (trojan.rules)

2034626 - ET EXPLOIT Exiftool RCE Inbound (CVE-2021-22204) (exploit.rules)

2034627 - ET EXPLOIT MS-Officecmd Remote Code Execution Attempt (exploit.rules)

2034628 - ET INFO Suspicious Response (MS-Officecmd) (info.rules)

2034629 - ET EXPLOIT Grafana 8.x Path Traversal (CVE-2021-43798) (exploit.rules)

Pro:

2850637 - ETPRO INFO Unusually Small PDF Upload (info.rules)

2850647 - ETPRO TROJAN Win32/Lmbmiad .ps1 Backdoor (trojan.rules)

[///] Modified active rules: [///]

2033050 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2033051 - ET TROJAN NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup (trojan.rules)

2033052 - ET TROJAN NOBELIUM (TA421) EnvyScout Fingerprint Checkin (trojan.rules)

2034590 - ET EXPLOIT NodeBB Path Traversal (CVE-2021-43788) (exploit.rules)

2810607 - ETPRO TROJAN Upatre Retrieving encoded payload (Common Header Struct) (trojan.rules)