[***] Summary: [***]

18 new OPEN, 26 new PRO (18 + 8) Gamaredon, Hilal RAT, Bluebox,
Backdoor.AndroidOS.Basdoor.c, Remcos and IcedID.

Thanks @500mk500, @switchingtoguns, @Thingzeye

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2036219 - ET INFO WebSocket Session Initiation Request (info.rules)
2036220 - ET INFO Android Device Connectivity Check (info.rules)
2036221 - ET PHISHING Successful Wells Fargo Phish 2021-03-16 (phishing.rules)
2036222 - ET HUNTING Potential Forced OGNL Evaluation - HTTP URI (hunting.rules)
2036223 - ET HUNTING Potential Forced OGNL Evaluation - HTTP Header (hunting.rules)
2036224 - ET HUNTING Potential Forced OGNL Evaluation - HTTP Body (hunting.rules)
2036225 - ET INFO Empty POST with Terse Headers Over Non Standard Port (info.rules)
2036226 - ET INFO URL Shortening Service Domain in DNS Lookup (maxiurl .com) (info.rules)
2036227 - ET INFO Observed URL Shortening Service Domain (maxiurl .com in TLS SNI) (info.rules)
2036228 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
2036229 - ET POLICY [TW] IPFS Protocol HTTP Headers Observed (policy.rules)
2036230 - ET POLICY [TW] IPFS File Request Observed (policy.rules)
2036231 - ET MALWARE Observed DNS Query to Hilal RAT Domain (bnt2 .live) (malware.rules)
2036232 - ET MALWARE Observed DNS Query to Hilal RAT Domain (signin .dedyn .io) (malware.rules)
2036233 - ET MALWARE Observed DNS Query to Hilal RAT Domain (archery .dedyn .io) (malware.rules)
2036234 - ET MALWARE Observed DNS Query to Hilal RAT Domain (market .vinam .me) (malware.rules)
2036235 - ET MALWARE Observed DNS Query to Hilal RAT Domain (market .dedyn .io) (malware.rules)
2036236 - ET ADWARE_PUP Bluebox Data Exfiltration (adware_pup.rules)

Pro:

2851443 - ETPRO MOBILE_MALWARE Observed Backdoor.AndroidOS.Ahmyth.m Domain in TLS SNI (mobile_malware.rules)
2851444 - ETPRO MOBILE_MALWARE Observed Backdoor.AndroidOS.Basdoor.c Domain in TLS SNI (mobile_malware.rules)
2851445 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Basdoor.c CnC Domain in DNS Lookup (mobile_malware.rules)
2851446 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Basdoor.c Checkin (mobile_malware.rules)
2851447 - ETPRO MOBILE_MALWARE Observed Backdoor.AndroidOS.Basdoor.c Domain in TLS SNI 2 (mobile_malware.rules)
2851448 - ETPRO MALWARE Win32/Remcos RAT Checkin 790 (malware.rules)
2851449 - ETPRO MALWARE Observed IcedID Domain in TLS SNI (malware.rules)
2851450 - ETPRO MALWARE Ave Maria RAT Encrypted CnC KeepAlive Outbound (3) (malware.rules)

[---] Removed rules: [---]

2808839 - ETPRO POLICY WebSocket Session Initiation Request (policy.rules)
2832602 - ETPRO POLICY Android Device Connectivity Check (policy.rules)
2847633 - ETPRO PHISHING Successful Wells Fargo Phish 2021-03-16 (phishing.rules)
