[***] Summary: [***]

8 new OPEN, 16 new PRO (8 + 8). MSIL/BlackGuard Stealer, SystemBC,
Various CVE and Win32/LokiBot.

Thanks @0xrb, @ViriBack, @3xp0rtblog and @felixaime

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2035396 - ET INFO Multiple User-Agent Components in a single UA (info.rules)
2035397 - ET TROJAN MSIL/BlackGuard Stealer Variant Exfil via Telegram (trojan.rules)
2035398 - ET TROJAN MSIL/BlackGuard Stealer Exfil Activity (trojan.rules)
2035399 - ET TROJAN SystemBC Powershell bot registration (trojan.rules)
2035400 - ET TROJAN JS/Skimmer Inbound (Likely MageCart) M2 (trojan.rules)
2035401 - ET EXPLOIT Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine (Log Poisoning) (CVE-2020-16152) M1 (exploit.rules)
2035402 - ET EXPLOIT Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine (LFI) (CVE-2020-16152) M2 (exploit.rules)
2035403 - ET EXPLOIT Azure Automation Authentication Bypass (exploit.rules)

Pro:

2851118 - ETPRO INFO Suspicious PowerShell File Inbound - ExecutionPolicy Bypass (info.rules)
2851200 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-03-04 1) (trojan.rules)
2851201 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-03-04 2) (trojan.rules)
2851202 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-03-04 3) (trojan.rules)
2851203 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-03-04 4) (trojan.rules)
2851204 - ETPRO INFO Observed IP Tracking Domain (grabify .link in TLS SNI) (info.rules)
2851205 - ETPRO TROJAN Win32/LokiBot Payload Download Request M1 (trojan.rules)
2851206 - ETPRO TROJAN Win32/LokiBot Payload Download Request M2 (trojan.rules)

[///] Modified active rules: [///]

2010875 - ET TROJAN Blackenergy Bot Checkin to C&C (2) (trojan.rules)
2026040 - ET TROJAN CobaltStrike DNS Beacon Response (trojan.rules)
2035024 - ET TROJAN Gamaredon MalDoc CnC Exfil (trojan.rules)
2834979 - ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (trojan.rules)

[---] Removed rules: [---]

2851118 - ETPRO ATTACK_RESPONSE Suspicious PowerShell File Inbound - ExecutionPolicy Bypass (attack_response.rules)
