[***] Summary: [***]

14 new OPEN, 14 new PRO (14 + 0). Various Android Banking Trojans,
More HermeticWizard, RemcosRAT and Cobalt Strike.

Thanks @NCCGroupplc, @SilasCutler, @Mandiant

Today is Free Sig Friday, so all rules went into the OPEN set.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2035430 - ET MOBILE_MALWARE Android.BankBot.11270 (DNS Lookup) (mobile_malware.rules)
2035431 - ET MOBILE_MALWARE Android.BankBot.11270 (TLS SNI) (mobile_malware.rules)
2035432 - ET MOBILE_MALWARE Android/TrojanDropper.Agent.GWO Checkin (mobile_malware.rules)
2035433 - ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.t (DNS Lookup) (mobile_malware.rules)
2035434 - ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.t (TLS SNI) (mobile_malware.rules)
2035435 - ET TROJAN CoinMiner Known Malicious Stratum Authline (2022-03-11 1) (trojan.rules)
2035436 - ET TROJAN CoinMiner Known Malicious Stratum Authline (2022-03-11 2) (trojan.rules)
2035437 - ET TROJAN HermeticWizard - SMB Spreader - File Copy via SMB1 (NT Create AndX Request) (trojan.rules)
2035438 - ET TROJAN Win32/Remcos RAT Checkin 781 (trojan.rules)
2035439 - ET MOBILE_MALWARE Android/SharkBot Related Domain in DNS Lookup (mobile_malware.rules)
2035440 - ET TROJAN APT41 KEYPLUG Related Domain in DNS Lookup (trojan.rules)
2035441 - ET TROJAN Successful Cobalt Strike Shellcode Download (x32) (trojan.rules)
2035442 - ET TROJAN Successful Cobalt Strike Shellcode Download (x64) M1 (trojan.rules)
2035443 - ET TROJAN Successful Cobalt Strike Shellcode Download (x64) M2 (trojan.rules)

[///] Modified active rules: [///]

2035418 - ET TROJAN HermeticWizard - WMI Spreader - Remote Process Creation M1 (trojan.rules)

[///] Modified inactive rules: [///]

2009205 - ET TROJAN Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) (trojan.rules)
2009206 - ET TROJAN Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) (trojan.rules)
2009207 - ET TROJAN Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) (trojan.rules)

[---] Disabled and modified rules: [---]

2847971 - ETPRO TROJAN MSIL/Agent.UL Variant CnC Activity (trojan.rules)

[---] Removed rules: [---]

2851218 - ETPRO MOBILE_MALWARE Android.BankBot.11270 (DNS Lookup) (mobile_malware.rules)
2851219 - ETPRO MOBILE_MALWARE Android.BankBot.11270 (TLS SNI) (mobile_malware.rules)
2851220 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.GWO Checkin (mobile_malware.rules)