[***] Summary: [***]
8 new OPEN, 17 new PRO (8 + 9). PurpleFox Backdoor/Rootkit,
TransparentTribe APT, PlugX and Android/Spy.Agent.BZM.
Thanks @0xrb
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2035621 - ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M3 (malware.rules)
2035622 - ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M4 (malware.rules)
2035623 - ET MALWARE Suspected SmokeLoader Retrieving Next Stage (GET) (malware.rules)
2035624 - ET MALWARE TransparentTribe APT Related Activity (POST) (malware.rules)
2035625 - ET MALWARE TransparentTribe APT Related Backdoor Activity (malware.rules)
2035626 - ET MALWARE PlugX Related Domain in DNS Lookup (ntpserver .xyz) (malware.rules)
2035627 - ET MALWARE PlugX Related Domain in DNS Lookup (cxks8 .com) (malware.rules)
2035628 - ET PHISHING Successful Generic Phish 2022-03-28 (phishing.rules)
Pro:
2851341 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BZM Checkin (mobile_malware.rules)
2851342 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BZM Checkin 2 (mobile_malware.rules)
2851343 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BTS Checkin (mobile_malware.rules)
2851344 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-26 1) (coinminer.rules)
2851345 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-26 2) (coinminer.rules)
2851346 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-26 3) (coinminer.rules)
[///] Modified active rules: [///]
2012647 - ET POLICY Dropbox.com Offsite File Backup in Use (policy.rules)
2020215 - ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 5 (malware.rules)
2020290 - ET MALWARE Possible Upatre or Dyre SSL Cert Jan 22 2015 (malware.rules)
2020966 - ET MALWARE CozyDuke APT Possible SSL Cert 1 (malware.rules)
2020967 - ET MALWARE CozyDuke APT Possible SSL Cert 2 (malware.rules)
2020968 - ET MALWARE CozyDuke APT Possible SSL Cert 3 (malware.rules)
2020969 - ET MALWARE CozyDuke APT Possible SSL Cert 4 (malware.rules)
2020970 - ET MALWARE CozyDuke APT Possible SSL Cert 5 (malware.rules)
2020971 - ET MALWARE CozyDuke APT Possible SSL Cert 6 (malware.rules)
2020972 - ET MALWARE CozyDuke APT Possible SSL Cert 7 (malware.rules)
2021432 - ET MALWARE Possible Dyre SSL Cert M1 (L O) (malware.rules)
2021433 - ET MALWARE Possible Dyre SSL Cert M2 (L CN) (malware.rules)
2021434 - ET MALWARE Possible Dyre SSL Cert M3 (O CN) (malware.rules)
2025315 - ET POLICY Possible Windows Binary Observed in SSL/TLS Certificate (policy.rules)
2034851 - ET WEB_SPECIFIC_APPS Joolma Simple File Upload Plugin Remote Code Execution (CVE-2011-5148) (web_specific_apps.rules)
2807507 - ETPRO MALWARE Win32.Foreign.jowy 2 (malware.rules)
2829004 - ETPRO MALWARE FormBook CnC Checkin (POST) (malware.rules)
2832388 - ETPRO EXPLOIT_KIT SocEng Redirect Chain - Evil Keitaro Set-Cookie Inbound (78e5a) (exploit_kit.rules)
2836838 - ETPRO MALWARE Kimsuky Group FTP CnC Activity (malware.rules)
2838466 - ETPRO WEB_CLIENT Evil Keitaro Set-Cookie Inbound (d1a5f) (web_client.rules)
2838527 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound (9d2da) (exploit_kit.rules)
2839549 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound (aef4f) (exploit_kit.rules)
2840741 - ETPRO WEB_CLIENT Evil Keitaro Set-Cookie Inbound (0df9c) (web_client.rules)
2842056 - ETPRO WEB_CLIENT Evil Keitaro Set-Cookie Inbound (e1d02) (web_client.rules)
2847057 - ETPRO WEB_CLIENT Evil Keitaro Set-Cookie Inbound (e0bce) (web_client.rules)
2847059 - ETPRO WEB_CLIENT Evil Keitaro Set-Cookie Inbound (2e113) (web_client.rules)
2851232 - ETPRO MALWARE Browser Data Exfil Via Telegram (malware.rules)
[///] Modified inactive rules: [///]
2021743 - ET MALWARE Possible Dyre SSL Cert Sept 2 2015 (malware.rules)
[---] Removed rules: [---]
2850718 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2021-12-21 11) (coinminer.rules)