[***] Summary: [***]

15 new OPEN, 27 new PRO (15 + 12) Spark Backdoor, APT28, DazzleSpy,
Citrix ShareFile Storage Zones Controller RCE CVE-2021-22941,
SolarWinds Web Help Desk CVE-2021-35232 and VARIOUS PHISH.

Thanks @zscaler, @buffaoverflow, @cleafylabs, @Trellix, and @shadowchasing1

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034962 - ET TROJAN Win32/Tiggre Variant Activity Sending System
Files (POST) (trojan.rules)
2034963 - ET TROJAN Win32/Spark Backdoor Related Domain in DNS
Lookup (bundanesia .com) (trojan.rules)
2034964 - ET TROJAN Cobalt Strike Related Domain in DNS Lookup
(portal .gfinanzen .net) (trojan.rules)
2034965 - ET MOBILE_MALWARE AndroidOS/Basbanke.A Activity (POST)
(mobile_malware.rules)
2034966 - ET TROJAN Suspected APT28 Related Domain in DNS Lookup
(wordkeyvpload .net) (trojan.rules)
2034967 - ET TROJAN Suspected APT28 Related Domain in DNS Lookup
(trojan.rules)
2034968 - ET TROJAN Suspected APT28 Related Domain in DNS Lookup
(jimbeam .live) (trojan.rules)
2034969 - ET TROJAN Maldoc Activity (GET) (trojan.rules)
2034970 - ET EXPLOIT Sonicwall Unauthenticated Stack-Based Buffer
Overflow (CVE-2021-20038) (exploit.rules)
2034971 - ET EXPLOIT SolarWinds Web Help Desk Hard Coded Credentials
Request (CVE-2021-35232) (exploit.rules)
2034972 - ET EXPLOIT Citrix ShareFile Storage Zones Controller RCE
Attempt (CVE-2021-22941) (exploit.rules)
2034973 - ET EXPLOIT NodeJS System Information Library Command
Injection Attempt (CVE-2021-21315) (exploit.rules)
2034974 - ET EXPLOIT Possible vRealize Operations Manager API SSRF
Attempt (CVE-2021-21975) (exploit.rules)
2034975 - ET TROJAN DazzleSpy Related Domain in DNS Lookup (trojan.rules)
2034976 - ET TROJAN DazzleSpy Related Domain in DNS Lookup (trojan.rules)

Pro:

2850920 - ETPRO TROJAN MSIL/Kryptik.AEBF Sending Stolen Credentials
to CnC (trojan.rules)
2850921 - ETPRO MALWARE Win32/Adware.Kraddare Checkin (malware.rules)
2850923 - ETPRO CURRENT_EVENTS Suspected TA4900 Related Landing Page
(current_events.rules)
2850924 - ETPRO CURRENT_EVENTS Successful Generic Phish 2022-01-25
(current_events.rules)
2850925 - ETPRO CURRENT_EVENTS Successful Generic Phish 2022-01-25
(current_events.rules)
2850926 - ETPRO CURRENT_EVENTS DHL Phish Landing Page 2022-01-25
(current_events.rules)
2850927 - ETPRO CURRENT_EVENTS Successful DHL Phish 2022-01-25
(current_events.rules)
2850928 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-01-25 1) (trojan.rules)
2850929 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-01-25 2) (trojan.rules)
2850930 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-01-25 3) (trojan.rules)
2850931 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-01-25 4) (trojan.rules)

[///] Modified active rules: [///]

2027916 - ET USER_AGENTS Observed Suspicious UA (Chrome) (user_agents.rules)
2032793 - ET TROJAN Unk.PSAttack Activity (trojan.rules)
2034683 - ET TROJAN Linux/Tsunami Downloader (trojan.rules)
2034684 - ET TROJAN Linux/Tsunami Remote Shell M1 (trojan.rules)
2034685 - ET TROJAN Linux/Tsunami Downloader (trojan.rules)
2808012 - ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check
(trojan.rules)
2838730 - ETPRO TROJAN EvilVBS Loader Retrieving Payload (trojan.rules)
2842302 - ETPRO TROJAN Observed Malicious SSL Cert (Strongpity CnC)
(trojan.rules)
2843074 - ETPRO TROJAN Observed DNS Query to Unk.Loader Domain M6
(trojan.rules)
2847954 - ETPRO TROJAN Cobalt Strike Malleable C2 (Unknown Profile)
(trojan.rules)
2848521 - ETPRO TROJAN Cobalt Strike Malleable C2 (Unknown Profile)
(trojan.rules)
2848735 - ETPRO TROJAN Proverkalogov Stealer CnC Checkin (trojan.rules)
2849208 - ETPRO TROJAN Dridex CnC Activity (trojan.rules)
2849718 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2850889 - ETPRO TROJAN Possible Win32/Yax.Mole Variant Activity
(GET) (trojan.rules)

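These daily updates follow a fixed plain-text layout: a `[+++] Added rules: [+++]` section split into Open and Pro, a `[///] Modified active rules: [///]` section, one entry per SID in the form `SID - ET|ETPRO CATEGORY message (file.rules)`, long entries wrapped onto a second line, and indicators defanged by a space before each dot (`bundanesia .com`). Anyone tracking which signatures changed tends to script this. The parser below is an added example, not Emerging Threats' or Proofpoint's own tooling; its sample input is a constructed excerpt of entries copied from this update, and the field names (`RuleChange`, `parse_changelog`, `count_added`) are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample input: entries copied from this update, chosen to cover
# wrapped two-line entries, the Open/Pro split and the Modified section.
SAMPLE = """\
[+++] Added rules: [+++]

Open:

2034963 - ET TROJAN Win32/Spark Backdoor Related Domain in DNS
Lookup (bundanesia .com) (trojan.rules)
2034972 - ET EXPLOIT Citrix ShareFile Storage Zones Controller RCE
Attempt (CVE-2021-22941) (exploit.rules)

Pro:

2850921 - ETPRO MALWARE Win32/Adware.Kraddare Checkin (malware.rules)

[///] Modified active rules: [///]

2034683 - ET TROJAN Linux/Tsunami Downloader (trojan.rules)
2847954 - ETPRO TROJAN Cobalt Strike Malleable C2 (Unknown Profile)
(trojan.rules)
"""

SECTION = re.compile(r"^\[(\+\+\+|///)\] .+: \[(?:\+\+\+|///)\]$")
ENTRY_START = re.compile(r"^(\d{7}) - (ET|ETPRO) ([A-Z_]+) (.*)$")
RULES_FILE = re.compile(r"\s*\((\w+\.rules)\)$")
# ET defangs indicators with a space before each dot: "portal .gfinanzen .net"
DEFANGED = re.compile(r"\(([a-z0-9-]+(?: \.[a-z0-9-]+)+)\)")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class RuleChange:
    sid: int
    ruleset: str                # "ET" (open) or "ETPRO"
    category: str               # TROJAN, EXPLOIT, CURRENT_EVENTS, ...
    msg: str                    # rule message without the (file.rules) suffix
    rules_file: str
    section: str                # "added" or "modified"
    domains: List[str] = field(default_factory=list)   # refanged
    cves: List[str] = field(default_factory=list)


def _joined_entries(text: str) -> List[Tuple[str, str]]:
    """Return (section, entry) pairs with wrapped continuation lines re-joined.

    An entry starts with 'NNNNNNN - ' and runs until the next entry, a
    section header, an 'Open:'/'Pro:' label or a blank line.
    """
    out: List[Tuple[str, str]] = []
    section, buf = "unknown", []

    def flush():
        if buf:
            out.append((section, " ".join(buf)))
            buf.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if SECTION.match(line):
            flush()
            section = "added" if line.startswith("[+++]") else "modified"
        elif not line or line in ("Open:", "Pro:"):
            flush()
        elif ENTRY_START.match(line):
            flush()
            buf.append(line)
        elif buf:                       # continuation of a wrapped entry
            buf.append(line)
    flush()
    return out


def parse_changelog(text: str) -> List[RuleChange]:
    entries = []
    for section, line in _joined_entries(text):
        sid, ruleset, category, rest = ENTRY_START.match(line).groups()
        fm = RULES_FILE.search(rest)
        if fm is None:
            raise ValueError(f"entry {sid} has no (x.rules) suffix: {line!r}")
        msg = rest[: fm.start()].strip()
        entries.append(RuleChange(
            sid=int(sid), ruleset=ruleset, category=category, msg=msg,
            rules_file=fm.group(1), section=section,
            domains=[d.replace(" .", ".") for d in DEFANGED.findall(msg)],
            cves=CVE.findall(msg),
        ))
    return entries


def count_added(entries: List[RuleChange]) -> Tuple[int, int]:
    """(open, pro-only) counts of new rules, the 'N new OPEN ... (N + K)' line."""
    added = [e for e in entries if e.section == "added"]
    open_n = sum(1 for e in added if e.ruleset == "ET")
    return open_n, len(added) - open_n


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    for e in parsed:
        print(e.section, e.sid, e.category, e.domains or e.cves or "")
    print(count_added(parsed))
```

The refanged domains and CVE IDs are the fields worth diffing day to day against your own blocklists and vulnerability inventory; the `msg` text is kept whole so a SID can still be matched back to the rule file later.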