[***] Summary: [***]
6 new OPEN, 11 new PRO (6 + 5). DangerousPassword, Gamaredon, Others.
Thanks Kevin Ross, @sysopfb, @h2jazi
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2035197 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)
2035198 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)
2035199 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)
2035200 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)
2035201 - ET TROJAN DangerousPassword APT Related Domain in DNS Lookup (doc .filesaves .cloud) (trojan.rules)
2035203 - ET INFO Observed Cloudflare Universal (Shared) Certificate, Retired (info.rules)
Pro:
2851113 - ETPRO TROJAN Win32/Induc.A CnC Activity (GET) (trojan.rules)
2851114 - ETPRO TROJAN Win32/OnlyLogger Connectivity Check M2 (trojan.rules)
2851115 - ETPRO TROJAN Win32/Fabookie.ek CnC Activity M2 (trojan.rules)
2851116 - ETPRO CURRENT_EVENTS Union Bank of the Philippines Phish Landing Page 2022-02-15 (current_events.rules)
[///] Modified active rules: [///]
2841974 - ETPRO TROJAN Win32/Fabookie CnC Activity M1 (trojan.rules)
2843515 - ETPRO TROJAN Win32/OnlyLogger Connectivity Check M1 (trojan.rules)
[---] Disabled and modified rules: [---]
2035190 - ET INFO Observed Let's Encrypt Certificate from Active Intermediate, R3 (info.rules)
2035191 - ET INFO Observed Let's Encrypt Certificate from Active Intermediate, E1 (info.rules)
2035192 - ET INFO Observed Let's Encrypt Certificate from Backup Intermediate, R4 (info.rules)
2035193 - ET INFO Observed Let's Encrypt Certificate from Backup Intermediate, E2 (info.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team