[***] Summary: [***]
4 new OPEN, 9 new PRO (4 + 5) dotCMS File Upload CVE-2022-26352,
Lazarus DNS sig, Win32/Trojan.Agent.FRPG,
Trojan-Spy.AndroidOS.SmsThief.rz.
Thanks @ESETresearch and @assetnote
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2036456 - ET INFO Observed HTTP Request to *.pythonanywhere .com Domain (info.rules)
2036457 - ET EXPLOIT dotCMS Arbitrary File Upload Attempt (CVE-2022-26352) M1 (exploit.rules)
2036458 - ET EXPLOIT dotCMS Arbitrary File Upload Attempt (CVE-2022-26352) M2 (exploit.rules)
2036459 - ET MALWARE Lazarus APT Related Domain in DNS Lookup (onlinestockwatch .net) (malware.rules)
Pro:
2851577 - ETPRO MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.SmsThief.rz Domain in TLS SNI (mobile_malware.rules)
2851578 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-05-03 1) (coinminer.rules)
2851579 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-05-03 2) (coinminer.rules)
2851580 - ETPRO MALWARE Kimsuky APT PebbleDash Related Activity (GET) (malware.rules)
2851581 - ETPRO MALWARE Win32/Trojan.Agent.FRPG Exfil Activity (POST) (malware.rules)
[///] Modified active rules: [///]
2035420 - ET MALWARE Win32/Pripyat Activity (POST) (malware.rules)
[---] Removed rules: [---]
2840315 - ETPRO POLICY Observed HTTP Request to *.pythonanywhere .com Domain (policy.rules)
2850920 - ETPRO MALWARE MSIL/Kryptik.AEBF Sending Stolen Credentials to CnC (malware.rules)
2851573 - ETPRO MALWARE Downloaded .PNG Contains Reversed Executable (malware.rules)
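A practical check after pulling this update is to confirm that the deployed Suricata rules file actually contains the added SIDs, no longer has the removed SIDs active, and carries the modified rule at a rev you expect. The script below is an added example and not part of the Emerging Threats notice; the SID lists come from the sections above, while the rules file it inspects is a constructed stand-in (rule headers, rev numbers and the disabled line are made up for the example) so it runs offline. Note that a commented-out rule still contains a sid: value, so the helpers skip disabled lines rather than grepping the raw file.

```shell
#!/bin/sh
# Added example: verify a Suricata rules file against the SIDs in this ET update.
# Nothing here is the ET ruleset itself; the rules file below is constructed.
set -eu

# SIDs taken from the Added / Removed / Modified sections of the notice.
OPEN_ADDED="2036456 2036457 2036458 2036459"
PRO_ADDED="2851577 2851578 2851579 2851580 2851581"
REMOVED_SIDS="2840315 2850920 2851573"
MODIFIED_SID="2035420"

# Constructed stand-in for an Open-only rules file: it has the four Open rules,
# still carries the stale pythonanywhere POLICY rule (2840315) as active, and has
# the Kryptik rule (2850920) already disabled. Headers and rev values are made up.
RULES_FILE="$(mktemp)"
trap 'rm -f "$RULES_FILE"' EXIT
cat > "$RULES_FILE" <<'EOF'
alert http any any -> any any (msg:"ET INFO Observed HTTP Request to *.pythonanywhere .com Domain"; sid:2036456; rev:1;)
alert http any any -> any any (msg:"ET EXPLOIT dotCMS Arbitrary File Upload Attempt (CVE-2022-26352) M1"; sid:2036457; rev:1;)
alert http any any -> any any (msg:"ET EXPLOIT dotCMS Arbitrary File Upload Attempt (CVE-2022-26352) M2"; sid:2036458; rev:1;)
alert dns any any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (onlinestockwatch .net)"; sid:2036459; rev:1;)
alert http any any -> any any (msg:"ET MALWARE Win32/Pripyat Activity (POST)"; sid:2035420; rev:2;)
alert http any any -> any any (msg:"ETPRO POLICY Observed HTTP Request to *.pythonanywhere .com Domain"; sid:2840315; rev:2;)
# alert http any any -> any any (msg:"ETPRO MALWARE MSIL/Kryptik.AEBF Sending Stolen Credentials to CnC"; sid:2850920; rev:1;)
EOF

# Print the SIDs of all active (not commented-out) rules in file $1, one per line.
active_sids() {
    grep -v '^[[:space:]]*#' "$1" \
        | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\);.*/\1/p' \
        | sort -u
}

# Print the SIDs from list $2 that are NOT active in rules file $1.
sids_missing() {
    _active="$(active_sids "$1")"
    for _s in $2; do
        printf '%s\n' "$_active" | grep -qx "$_s" || printf '%s\n' "$_s"
    done
    return 0
}

# Print the SIDs from list $2 that are still active in rules file $1.
sids_present() {
    _active="$(active_sids "$1")"
    for _s in $2; do
        printf '%s\n' "$_active" | grep -qx "$_s" && printf '%s\n' "$_s"
    done
    return 0
}

# Print the rev of the active rule with SID $2 in file $1 (empty if absent).
rule_rev() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep "sid:[[:space:]]*$2;" \
        | sed -n 's/.*rev:[[:space:]]*\([0-9][0-9]*\);.*/\1/p' \
        | head -n 1
}

# Report. On an Open-only deployment the Pro SIDs are expected to be missing;
# a removed SID that is still active means the old rule was never pruned.
echo "Open SIDs missing:     $(sids_missing "$RULES_FILE" "$OPEN_ADDED" | tr '\n' ' ')"
echo "Pro SIDs missing:      $(sids_missing "$RULES_FILE" "$PRO_ADDED" | tr '\n' ' ')"
echo "Removed SIDs active:   $(sids_present "$RULES_FILE" "$REMOVED_SIDS" | tr '\n' ' ')"
echo "rev of $MODIFIED_SID:  $(rule_rev "$RULES_FILE" "$MODIFIED_SID")"
```

Point RULES_FILE at the real output of suricata-update (typically /var/lib/suricata/rules/suricata.rules) to run it against a live deployment; for the modified rule, record rule_rev before and after the update and confirm the rev increased.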