[***] Summary: [***]

11 new OPEN, 21 new PRO (11 + 10). Gamaredon APT, CVE-2021-34979,
Kimsuky, Others.

Several existing SSL/TLS signatures have been optimized for better
performance by utilizing SSL/TLS buffers as opposed to using unbuffered
content matching.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2035444 - ET TROJAN Kimsuky Related Host Data Exfil M3 (trojan.rules)
2035445 - ET USER_AGENTS Suspicious User-Agent (ItIsMe)
(user_agents.rules)
2035446 - ET EXPLOIT Netgear R6260 Mini_httpd Buffer Overflow Attempt -
Possible RCE (CVE-2021-34979) (exploit.rules)
2035447 - ET CURRENT_EVENTS Successful Generic Phish 2022-03-11
(current_events.rules)
2035448 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET)
(trojan.rules)
2035449 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET)
(trojan.rules)
2035450 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET)
(trojan.rules)
2035451 - ET TROJAN Ghostwriter/UNC1151 Related Domain in DNS Lookup
(tvasahi .online) (trojan.rules)
2035452 - ET USER_AGENTS Suspicious User-Agent (HTTP-Test-Program)
(user_agents.rules)
2035453 - ET CURRENT_EVENTS Microsoft Credential Phish 2022-03-14
(current_events.rules)
2035454 - ET CURRENT_EVENTS Ping Identity Landing Page 2022-03-14
(current_events.rules)

Pro:

2851235 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.di (DNS
Lookup) (mobile_malware.rules)
2851236 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.di (TLS
SNI) (mobile_malware.rules)
2851237 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.rz (DNS
Lookup) (mobile_malware.rules)
2851238 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.rz (TLS SNI)
(mobile_malware.rules)
2851239 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.FakeApp.j (DNS
Lookup) (mobile_malware.rules)
2851240 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.FakeApp.j (TLS SNI)
(mobile_malware.rules)
2851241 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-03-11 1) (trojan.rules)
2851242 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-03-11 2) (trojan.rules)
2851244 - ETPRO TROJAN Win32/Packed.BlackMoon.A Arguments Fetch
(trojan.rules)

[///] Modified active rules: [///]

2013703 - ET INFO Suspicious Self Signed SSL Certificate to 'My Company
Ltd' (info.rules)
2020372 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Dyre CnC) (trojan.rules)
2021513 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Dridex CnC) (trojan.rules)
2021938 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (TorrentLocker CnC) (trojan.rules)
2022100 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Downloader CnC) (trojan.rules)
2022101 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Downloader CnC) (trojan.rules)
2022102 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Downloader CnC) (trojan.rules)
2022209 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Bancos/DarkTequila CnC) (trojan.rules)
2022211 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Bancos/DarkTequila CnC) (trojan.rules)
2022229 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Gootkit MITM) (trojan.rules)
2022234 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Gootkit CnC) (trojan.rules)
2022279 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Dridex) (trojan.rules)
2022534 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Quakbot CnC) (trojan.rules)
2022684 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Zeus CnC) (trojan.rules)
2022907 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL Certificate
Detected (Sinkhole) (trojan.rules)
2022908 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL Certificate
Detected (Sinkhole) (trojan.rules)
2022919 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
Certificate Detected (Malware C2) (trojan.rules)
2022948 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
Certificate Detected (Malware C2) (trojan.rules)
2023161 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Vawtrak CnC) (trojan.rules)
2023490 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Gozi MITM) (trojan.rules)
2023496 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Vawtrak CnC) (trojan.rules)
2023572 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
Certificate Detected (Gootkit C2) (trojan.rules)
2023727 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (TrickBot CnC) (trojan.rules)
2025990 - ET TROJAN SSL Cert Associated with Lazarus Downloader (JEUSD)
(trojan.rules)
2035418 - ET TROJAN HermeticWizard - WMI Spreader - Remote Process
Creation M1 (trojan.rules)

[---] Removed rules: [---]

2843101 - ETPRO TROJAN Kimsuky Related Host Data Exfil M3 (trojan.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team