[***] Summary: [***]
91 new OPEN, 109 new PRO (91 + 18) APT-C-23 Android Malware,
Win32/FFDroider, TA455 and Pegasus DNS sigs, and Sidewinder Credential
Phish.
Thanks @facebook, @citizenlab, @__0XYC__, @pevma, @James_inthe_box,
@zscaler, @500mk500
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2035783 - ET MOBILE_MALWARE Android Spy APT-C-23 (frances-thomas .com in DNS Lookup) (mobile_malware.rules)
2035784 - ET MOBILE_MALWARE Android Spy APT-C-23 (frances-thomas .com in TLS SNI) (mobile_malware.rules)
2035785 - ET MOBILE_MALWARE Android Spy APT-C-23 (scott-chapin .com in DNS Lookup) (mobile_malware.rules)
2035786 - ET MOBILE_MALWARE Android Spy APT-C-23 (scott-chapin .com in TLS SNI) (mobile_malware.rules)
2035787 - ET MOBILE_MALWARE Android Spy APT-C-23 (linda-gaytan .website in DNS Lookup) (mobile_malware.rules)
2035788 - ET MOBILE_MALWARE Android Spy APT-C-23 (linda-gaytan .website in TLS SNI) (mobile_malware.rules)
2035789 - ET MOBILE_MALWARE Android Spy APT-C-23 (david-gardiner .website in DNS Lookup) (mobile_malware.rules)
2035790 - ET MOBILE_MALWARE Android Spy APT-C-23 (david-gardiner .website in TLS SNI) (mobile_malware.rules)
2035791 - ET MOBILE_MALWARE Android Spy APT-C-23 (amanda-hart .website in DNS Lookup) (mobile_malware.rules)
2035792 - ET MOBILE_MALWARE Android Spy APT-C-23 (amanda-hart .website in TLS SNI) (mobile_malware.rules)
2035793 - ET MOBILE_MALWARE Android Spy APT-C-23 (javan-demsky .website in DNS Lookup) (mobile_malware.rules)
2035794 - ET MOBILE_MALWARE Android Spy APT-C-23 (javan-demsky .website in TLS SNI) (mobile_malware.rules)
2035795 - ET MALWARE Win32/FFDroider CnC Activity (malware.rules)
2035796 - ET MALWARE TA455 CnC Domain in DNS Lookup (malware.rules)
2035797 - ET MALWARE TA455 CnC Domain in DNS Lookup (malware.rules)
2035798 - ET MALWARE Win32/FFDroider CnC Activity M2 (malware.rules)
2035799 - ET MALWARE TA455 Related CnC Domain in DNS Lookup (malware.rules)
2035800 - ET MALWARE TA455 Related CnC Domain in DNS Lookup (malware.rules)
2035801 - ET MALWARE TA455 Related CnC Domain in DNS Lookup (malware.rules)
2035802 - ET MALWARE TA455 Related CnC Domain in DNS Lookup (malware.rules)
2035803 - ET MALWARE TA455 CnC Domain in DNS Lookup (malware.rules)
2035804 - ET MALWARE Observed DNS Query to TA455 Domain (enerflex .org) (malware.rules)
2035805 - ET MALWARE Observed DNS Query to TA455 Domain (supportskype .com) (malware.rules)
2035806 - ET MALWARE Observed DNS Query to TA455 Domain (alharbitelecom .co) (malware.rules)
2035807 - ET MALWARE Observed DNS Query to TA455 Domain (cortanaupdate .co) (malware.rules)
2035808 - ET MALWARE Observed DNS Query to TA455 Domain (cortanaservice .com) (malware.rules)
2035809 - ET MALWARE Observed DNS Query to TA455 Domain (cloudgoogle .co) (malware.rules)
2035810 - ET MALWARE Observed DNS Query to TA455 Domain (onedrivelive .me) (malware.rules)
2035811 - ET MALWARE Observed DNS Query to TA455 Domain (edge-cloudservices .com) (malware.rules)
2035812 - ET MALWARE Observed DNS Query to TA455 Domain (online-audible .com) (malware.rules)
2035813 - ET MALWARE Observed DNS Query to TA455 Domain (updatedefender .net) (malware.rules)
2035814 - ET MALWARE Observed DNS Query to TA455 Domain (sparrowsgroup .org) (malware.rules)
2035815 - ET MALWARE Observed DNS Query to TA455 Domain (helpdesk-product .com) (malware.rules)
2035816 - ET MALWARE Observed DNS Query to TA455 Domain (defenderupdate .ddns .net) (malware.rules)
2035817 - ET MALWARE Observed DNS Query to TA455 Domain (enerflex .ddns .net) (malware.rules)
2035818 - ET MALWARE Observed DNS Query to TA455 Domain (linkedinz .me) (malware.rules)
2035819 - ET MALWARE Observed DNS Query to TA455 Domain (khaleejtimes .co) (malware.rules)
2035820 - ET MALWARE Observed DNS Query to TA455 Domain (microsoftdefender .info) (malware.rules)
2035821 - ET MALWARE Observed DNS Query to TA455 Domain (outlookde .live) (malware.rules)
2035822 - ET MALWARE Observed DNS Query to TA455 Domain (lukoil .in) (malware.rules)
2035823 - ET MALWARE Observed DNS Query to TA455 Domain (careers-finder .com) (malware.rules)
2035824 - ET MALWARE Observed DNS Query to TA455 Domain (online-chess .live) (malware.rules)
2035825 - ET MALWARE Observed DNS Query to TA455 Domain (exprogroup .org) (malware.rules)
2035826 - ET MALWARE Observed DNS Query to TA455 Domain (saipem .org) (malware.rules)
2035827 - ET MALWARE Observed DNS Query to TA455 Domain (mastergatevpn .com) (malware.rules)
2035828 - ET MALWARE Observed DNS Query to TA455 Domain (sauditourismguide .com) (malware.rules)
2035829 - ET MALWARE Observed DNS Query to TA455 Domain (listen-books .com) (malware.rules)
2035830 - ET MALWARE Observed DNS Query to TA455 Domain (updateservices .co) (malware.rules)
2035831 - ET MALWARE Observed DNS Query to TA455 Domain (microsoftcdn .co) (malware.rules)
2035832 - ET MALWARE Observed DNS Query to TA455 Domain (office-shop .me) (malware.rules)
2035833 - ET MALWARE Observed DNS Query to TA455 Domain (sharepointnotify .com) (malware.rules)
2035834 - ET MALWARE Observed DNS Query to TA455 Domain (globaltalent .in) (malware.rules)
2035835 - ET MALWARE Observed DNS Query to TA455 Domain (savemoneytrick .com) (malware.rules)
2035836 - ET MALWARE Observed DNS Query to TA455 Domain (microsoftedgesh .info) (malware.rules)
2035837 - ET MALWARE Observed DNS Query to TA455 Domain (outlookdelivery .com) (malware.rules)
2035838 - ET MALWARE Observed DNS Query to TA455 Domain (remgrogroup .com) (malware.rules)
2035839 - ET MALWARE Observed DNS Query to TA455 Domain (onedriveupdate .net) (malware.rules)
2035840 - ET MALWARE Observed DNS Query to TA455 Domain (getadobe .ddns .net) (malware.rules)
2035841 - ET MALWARE Observed DNS Query to TA455 Domain (googleservices .co) (malware.rules)
2035842 - ET MALWARE Observed DNS Query to TA455 Domain (librarycollection .org) (malware.rules)
2035843 - ET MALWARE Observed DNS Query to TA455 Domain (freechess .live) (malware.rules)
2035844 - ET MALWARE Observed DNS Query to TA455 Domain (elecresearch .org) (malware.rules)
2035845 - ET MALWARE Observed DNS Query to TA455 Domain (applytalents .com) (malware.rules)
2035846 - ET MALWARE Observed DNS Query to TA455 Domain (updateddns .ddns .net) (malware.rules)
2035847 - ET MALWARE Observed DNS Query to TA455 Domain (mideasthiring .com) (malware.rules)
2035848 - ET MALWARE Observed DNS Query to TA455 Domain (appslocallogin .online) (malware.rules)
2035849 - ET MALWARE Observed DNS Query to TA455 Domain (apply-jobs .com) (malware.rules)
2035850 - ET MALWARE Observed DNS Query to TA455 Domain (funnychess .online) (malware.rules)
2035851 - ET MALWARE Observed DNS Query to TA455 Domain (talent-recruitment .org) (malware.rules)
2035852 - ET MALWARE Observed DNS Query to TA455 Domain (googleupdate .co) (malware.rules)
2035853 - ET MALWARE Observed DNS Query to TA455 Domain (updatedns .ddns .net) (malware.rules)
2035854 - ET MALWARE Observed DNS Query to TA455 Domain (thefreemovies .net) (malware.rules)
2035855 - ET MALWARE Observed DNS Query to TA455 Domain (talktalky .azurewebsites .net) (malware.rules)
2035856 - ET MALWARE Observed DNS Query to TA455 Domain (etisalatonline .com) (malware.rules)
2035857 - ET MALWARE Observed DNS Query to TA455 Domain (getadobe .net) (malware.rules)
2035858 - ET INFO Observed Ordns DNS over HTTPS Domain (Ordns .he .net in TLS SNI) (info.rules)
2035859 - ET INFO Ordns DNS Over HTTPS Certificate Inbound (info.rules)
2035860 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035861 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035862 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035863 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035864 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035865 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035866 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035867 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035868 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035869 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035870 - ET INFO URL Shortening Service Domain in DNS Lookup (s59 .site) (info.rules)
2035871 - ET INFO Observed URL Shortening Service Domain (s59 .site) in TLS SNI (info.rules)
2035872 - ET MALWARE Vidar Stealer CnC Domain in DNS Lookup (malware.rules)
2035873 - ET MALWARE Observed Vidar Stealer Domain (computerprotect .me) in TLS SNI (malware.rules)
Pro:
2851400 - ETPRO MOBILE_MALWARE Android.Trojan.Banker.YM Checkin (mobile_malware.rules)
2851401 - ETPRO MOBILE_MALWARE Android.Trojan.Banker.YM Checkin 2 (mobile_malware.rules)
2851402 - ETPRO MOBILE_MALWARE Android.Trojan.Banker.YM Checkin 3 (mobile_malware.rules)
2851403 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.sm (DNS Lookup) (mobile_malware.rules)
2851404 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.sm (TLS SNI) (mobile_malware.rules)
2851405 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.sm (DNS Lookup) 2 (mobile_malware.rules)
2851406 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.sm (TLS SNI) 2 (mobile_malware.rules)
2851407 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.sm (DNS Lookup) 2 (mobile_malware.rules)
2851408 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.sm (TLS SNI) 3 (mobile_malware.rules)
2851409 - ETPRO MOBILE_MALWARE Android.Trojan.Banker.YM (DNS Lookup) (mobile_malware.rules)
2851410 - ETPRO MOBILE_MALWARE Android.Trojan.Banker.YM (TLS SNI) (mobile_malware.rules)
2851411 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2851412 - ETPRO PHISHING Sidewinder Credential Phish Landing Page M1 2022-04-07 (phishing.rules)
2851413 - ETPRO PHISHING Sidewinder Credential Phish Landing Page M2 2022-04-07 (phishing.rules)
2851414 - ETPRO PHISHING Sidewinder Credential Phish Landing Page M3 2022-04-07 (phishing.rules)
2851415 - ETPRO PHISHING Sidewinder Credential Phish Landing Page M4 2022-04-07 (phishing.rules)
2851416 - ETPRO PHISHING Zimbra Credential Phish Landing Page M5 2022-04-07 (phishing.rules)
2851417 - ETPRO PHISHING Successful Sidewinder Credential Phish 2022-04-07 (phishing.rules)
[///] Modified active rules: [///]
2842556 - ETPRO MALWARE VB.Trojan.Valyri CnC Activity M2 (malware.rules)
[---] Removed rules: [---]
2846594 - ETPRO MALWARE Win32/Masson.A!ac CnC Activity (malware.rules)
2847828 - ETPRO MALWARE Win32/Masson.A!ac CnC Activity M2 (malware.rules)
2849642 - ETPRO MALWARE TA455 Related CnC Domain in DNS Lookup (malware.rules)
2849763 - ETPRO MALWARE TA455 CnC Domain in DNS Lookup (malware.rules)
2849764 - ETPRO MALWARE TA455 CnC Domain in DNS Lookup (malware.rules)
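Most of the open additions above are "Domain in DNS Lookup" / "in TLS SNI" signatures whose indicator is published defanged in the rule message ("enerflex .org", "defenderupdate .ddns .net"). The script below, an added example and not Emerging Threats tooling, unwraps the mailer's line breaks, refangs the domains, and emits local Suricata rules on the dns.query and tls.sni buffers so a site that cannot load the full ruleset can still alert on them. The rule bodies are a hand-written approximation of that rule style; the real ET signatures are not reproduced on this page and differ in detail. Local SIDs are used deliberately: reusing the ET SIDs would collide with the real rules when both are loaded.

```python
"""Turn an Emerging Threats daily update e-mail into refanged indicators and
local Suricata DNS / TLS SNI rules.  Added example, not ET's own tooling."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: entries copied from the update above, kept with the
# e-mail's line wrapping so the parser has to unwrap them.
SAMPLE = """\
Open:
2035783 - ET MOBILE_MALWARE Android Spy APT-C-23 (frances-thomas
.com in DNS Lookup) (mobile_malware.rules)
2035784 - ET MOBILE_MALWARE Android Spy APT-C-23 (frances-thomas
.com in TLS SNI) (mobile_malware.rules)
2035796 - ET MALWARE TA455 CnC Domain in DNS Lookup (malware.rules)
2035816 - ET MALWARE Observed DNS Query to TA455 Domain
(defenderupdate .ddns .net) (malware.rules)
2035822 - ET MALWARE Observed DNS Query to TA455 Domain (lukoil .in)
(malware.rules)
2035858 - ET INFO Observed Ordns DNS over HTTPS Domain (Ordns .he
.net in TLS SNI) (info.rules)
"""

ENTRY_RE = re.compile(r"^(?P<sid>\d+) - (?P<msg>.+) \((?P<file>[\w.]+\.rules)\)$")
# Defanged domain: labels joined by " ." (space, dot), optionally followed by
# the buffer the rule inspects.
DOMAIN_RE = re.compile(
    r"\((?P<dom>[A-Za-z0-9-]+(?: \.[A-Za-z0-9-]+)+)(?: in (?P<ctx>DNS Lookup|TLS SNI))?\)"
)
LOCAL_SID_BASE = 1_000_000  # local SID range (assumed free); never reuse ET's SIDs


@dataclass
class Entry:
    sid: int
    msg: str
    rule_file: str
    domain: Optional[str]   # refanged, lowercase; None when the update names no domain
    channel: Optional[str]  # "dns", "tls" or None


def unwrap(text: str) -> list[str]:
    """Re-join lines the mailer wrapped: a line that does not start with
    '<sid> - ' continues the previous entry.  Joining with one space keeps
    the ' .tld' defanging intact."""
    entries: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^\d+ - ", line):
            entries.append(line)
        elif entries:            # header lines such as "Open:" are dropped
            entries[-1] += " " + line
    return entries


def refang(defanged: str) -> str:
    return defanged.replace(" .", ".").lower()


def parse_entry(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line)
    if not m:
        return None
    msg = m["msg"]
    domain = channel = None
    d = DOMAIN_RE.search(msg)
    if d:
        domain = refang(d["dom"])
        ctx = d["ctx"] or msg    # buffer named inside the parens or in the message itself
        if "DNS" in ctx:
            channel = "dns"
        elif "TLS SNI" in ctx:
            channel = "tls"
    return Entry(int(m["sid"]), msg, m["file"], domain, channel)


def parse_update(text: str) -> list[Entry]:
    return [e for e in map(parse_entry, unwrap(text)) if e]


def suricata_rule(entry: Entry, local_sid: int) -> str:
    """Exact match on the DNS query name or the TLS SNI.  bsize pins the buffer
    length so 'notlukoil.in' does not match 'lukoil.in'; subdomains are
    deliberately not covered by this conservative form."""
    d, ref = entry.domain, f"ET sid {entry.sid}"
    if entry.channel == "dns":
        return (f'alert dns $HOME_NET any -> any any (msg:"LOCAL DNS Query to {d} ({ref})"; '
                f'dns.query; content:"{d}"; nocase; bsize:{len(d)}; '
                f'classtype:trojan-activity; sid:{local_sid}; rev:1;)')
    return (f'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL TLS SNI {d} ({ref})"; '
            f'flow:established,to_server; tls.sni; content:"{d}"; nocase; bsize:{len(d)}; '
            f'classtype:trojan-activity; sid:{local_sid}; rev:1;)')


def build_rules(text: str) -> list[str]:
    """One local rule per entry that actually publishes a domain."""
    return [suricata_rule(e, LOCAL_SID_BASE + i)
            for i, e in enumerate(x for x in parse_update(text) if x.domain)]


if __name__ == "__main__":
    for e in parse_update(SAMPLE):
        print(e.sid, e.channel, e.domain or "(no domain published in the update)")
    print("\n".join(build_rules(SAMPLE)))
```

Entries such as 2035796 ("TA455 CnC Domain in DNS Lookup") carry no domain in their message, so the script lists them but emits no rule for them; the indicator only exists in the rule body, which is not on this page. Keep the generated rules in a separate local.rules file and drop them once the ET open set is loaded, since the ET versions supersede them.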