[***] Summary: [***]

40 new OPEN, 46 new PRO (40 + 6) Android/FakeWallet.AH!tr,
Win32/TrojanDownloader.Agent.GEM, GhostWriter APT, Win32/CrimsonRAT,
Nobelium DNS sigs and some AsyncRAT signatures moved to OPEN ruleset.

Thanks @h2jazi, @jaydinbas, @0xrb, @netresec, @mrd0x

Several hundred Suricata 5 rules were modified to include a slight
performance enhancement; for brevity, these rules are not included in
this summary. For the full list, please refer to the change logs
available at https://rules.emergingthreatspro.com/.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2035568 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI)
(mobile_malware.rules)
2035569 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 2
(mobile_malware.rules)
2035570 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 3
(mobile_malware.rules)
2035571 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 4
(mobile_malware.rules)
2035572 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 5
(mobile_malware.rules)
2035573 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 6
(mobile_malware.rules)
2035574 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 7
(mobile_malware.rules)
2035575 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 8
(mobile_malware.rules)
2035576 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 9
(mobile_malware.rules)
2035577 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 10
(mobile_malware.rules)
2035578 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 11
(mobile_malware.rules)
2035579 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 12
(mobile_malware.rules)
2035580 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 20
(mobile_malware.rules)
2035581 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 13
(mobile_malware.rules)
2035582 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 14
(mobile_malware.rules)
2035583 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 15
(mobile_malware.rules)
2035584 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 16
(mobile_malware.rules)
2035585 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 17
(mobile_malware.rules)
2035586 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 18
(mobile_malware.rules)
2035587 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 19
(mobile_malware.rules)
2035588 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 21
(mobile_malware.rules)
2035589 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 22
(mobile_malware.rules)
2035590 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 23
(mobile_malware.rules)
2035591 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 24
(mobile_malware.rules)
2035592 - ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Checkin
(malware.rules)
2035593 - ET INFO DropBox User Content Domain (dl
.dropboxusercontent .com in TLS SNI) (info.rules)
2035594 - ET INFO DropBox User Content Download Access over SSL M2
(info.rules)
2035595 - ET MALWARE Generic AsyncRAT Style SSL Cert (malware.rules)
2035596 - ET MALWARE Nobelium APT Related Domain in DNS Lookup
(theskoolieblog .com) (malware.rules)
2035597 - ET MALWARE Nobelium APT Related Domain in DNS Lookup
(ernesttheskoolie .com) (malware.rules)
2035598 - ET MALWARE Win32/CrimsonRAT Variant Sending Command
(inbound) (malware.rules)
2035599 - ET MALWARE Win32/CrimsonRAT Variant Sending Command M2
(inbound) (malware.rules)
2035600 - ET MALWARE Win32/CrimsonRAT Variant Sending System
Information (outbound) (malware.rules)
2035601 - ET MALWARE Observed GhostWriter APT Related Cobalt Strike
Domain (ao3 .hmgo .pw in TLS SNI) (malware.rules)
2035602 - ET MALWARE GhostWriter APT Related Cobalt Strike Domain in
DNS Lookup (hmgo .pw) (malware.rules)
2035603 - ET MALWARE GhostWriter APT Related Cobalt Strike Activity
(GET) (malware.rules)
2035604 - ET MALWARE Observed DNS Query to
Win32/TrojanDownloader.Agent.GEM Domain (malware.rules)
2035605 - ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Command
Fetch (malware.rules)
2035606 - ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Domain
Fetch (malware.rules)
2035607 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
(malware.rules)

Pro:

2851330 - ETPRO MOBILE_MALWARE Android/FakeWallet.AH!tr CnC Beacon
(mobile_malware.rules)
2851331 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-03-24 1) (coinminer.rules)
2851332 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-03-24 2) (coinminer.rules)
2851333 - ETPRO HUNTING Terse Request for DropBox User Content (hunting.rules)
2851334 - ETPRO MALWARE Win32/Spy.Delf.PNC Bitcoin Wallet Exfil
(malware.rules)
2851335 - ETPRO HUNTING Possible BITB Technique 2022-03-24 (hunting.rules)

[///] Modified active rules: [///]

2016467 - ET MALWARE SERVER SSL Cert APT1 (malware.rules)
2018479 - ET MALWARE Downloader.Win32.Tesch.A Server CnC Sending
Executable (malware.rules)
2022134 - ET WEB_CLIENT Possible eDellRoot Rogue Root CA (web_client.rules)
2022323 - ET MALWARE Malicious SSL certificate detected (Possible
Sinkhole) (malware.rules)
2022953 - ET MALWARE Malicious SSL certificate detected (OSX/Keydnap
CnC) (malware.rules)
2023629 - ET HUNTING Suspicious Empty SSL Certificate - Observed in
Cobalt Strike (hunting.rules)
2025331 - ET POLICY Possible External IP Lookup Domain Observed in
SNI (ipinfo. io) (policy.rules)
2030055 - ET MALWARE NAZAR EYService Pong response (malware.rules)
2030056 - ET MALWARE NAZAR EYService OSInfo response (malware.rules)
2030094 - ET EXPLOIT Online Scheduling System 1.0 - Authentication
Bypass Attempt (exploit.rules)
2030673 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
(malware.rules)

[///] Modified inactive rules: [///]

2022099 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL
certificate detected (FindPOS CnC) (malware.rules)
2022227 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL
certificate detected (FindPOS CnC) (malware.rules)
2022228 - ET MALWARE Malicious SSL certificate detected (FindPOS)
(malware.rules)
2022232 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL
certificate detected (FindPOS CnC) (malware.rules)
2022306 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL
certificate detected (FindPOS CnC) (malware.rules)
2030057 - ET MALWARE NAZAR EYService File exfiltrate response (malware.rules)
2030221 - ET EXPLOIT Possible DNS BIND TSIG Denial of Service
Attempt (CVE-2020-8617) (exploit.rules)

[---] Removed rules: [---]

2836595 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT
Server) (malware.rules)
2849913 - ETPRO MALWARE Generic AsyncRAT Style SSL Cert (malware.rules)
