[***] Summary: [***]
45 new OPEN, 53 new PRO (45 + 8). Donot CnC, UsefulTyphon, F5 BIG-IP rules, PhantomNet, JS/Cryxos, PoshC2 and Eternity.
Thanks @TrendMicro, @AhnLab_SecuInfo, @ShadowChasing1, @nao_sec
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031611 - ET INFO Trend Micro Phishing Simulation Service (info.rules)
2036500 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Origami.b / Donot DNS Lookup (mobile_malware.rules)
2036501 - ET MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Origami.b / Donot Domain in TLS SNI (mobile_malware.rules)
2036502 - ET MALWARE UsefulTyphon CnC Activity M1 (malware.rules)
2036503 - ET MALWARE UsefulTyphon CnC Activity M2 (malware.rules)
2036504 - ET POLICY F5 BIG-IP Exposed REST API GET (flowbit set) (policy.rules)
2036505 - ET POLICY F5 BIG-IP Publicly Accessible Exposed REST API Detected (policy.rules)
2036506 - ET INFO Trend Micro Phishing Simulation Service (info.rules)
2036507 - ET MALWARE PhantomNet/Smanager Related Domain in DNS Lookup (malware.rules)
2036508 - ET MALWARE JS/Cryxos Stealer Variant Sending Data to Telegram (POST) (malware.rules)
2036509 - ET MALWARE Kimsuky APT PebbleDash Related Activity (GET) (malware.rules)
2036510 - ET MALWARE PoshC2 - Observed Default URI Structure M1 (malware.rules)
2036511 - ET MALWARE PoshC2 - Observed Default URI Structure M2 (malware.rules)
2036512 - ET MALWARE PoshC2 - Observed Default URI Structure M3 (malware.rules)
2036513 - ET MALWARE PoshC2 - Observed Default URI Structure M4 (malware.rules)
2036514 - ET MALWARE PoshC2 - Observed Default URI Structure M5 (malware.rules)
2036515 - ET MALWARE PoshC2 - Observed Default URI Structure M6 (malware.rules)
2036516 - ET MALWARE PoshC2 - Observed Default URI Structure M7 (malware.rules)
2036517 - ET MALWARE PoshC2 - Observed Default URI Structure M8 (malware.rules)
2036518 - ET MALWARE PoshC2 - Observed Default URI Structure M9 (malware.rules)
2036519 - ET MALWARE PoshC2 - Observed Default URI Structure M10 (malware.rules)
2036520 - ET MALWARE PoshC2 - Observed Default URI Structure M11 (malware.rules)
2036521 - ET MALWARE PoshC2 - Observed Default URI Structure M12 (malware.rules)
2036522 - ET MALWARE PoshC2 - Observed Default URI Structure M13 (malware.rules)
2036523 - ET MALWARE PoshC2 - Observed Default URI Structure M15 (malware.rules)
2036524 - ET MALWARE PoshC2 - Observed Default URI Structure M16 (malware.rules)
2036525 - ET MALWARE PoshC2 - Observed Default URI Structure M17 (malware.rules)
2036526 - ET MALWARE PoshC2 - Observed Default URI Structure M18 (malware.rules)
2036527 - ET MALWARE PoshC2 - Observed Default URI Structure M19 (malware.rules)
2036528 - ET MALWARE PoshC2 - Observed Default URI Structure M20 (malware.rules)
2036529 - ET MALWARE PoshC2 - Observed Default URI Structure M21 (malware.rules)
2036530 - ET MALWARE PoshC2 - Observed Default URI Structure M22 (malware.rules)
2036531 - ET MALWARE PoshC2 - Observed Default URI Structure M23 (malware.rules)
2036532 - ET MALWARE PoshC2 - Observed Default URI Structure M24 (malware.rules)
2036533 - ET MALWARE PoshC2 - Observed Default URI Structure M25 (malware.rules)
2036534 - ET MALWARE PoshC2 - Observed Default URI Structure M26 (malware.rules)
2036535 - ET MALWARE PoshC2 - Observed Default URI Structure M27 (malware.rules)
2036536 - ET MALWARE PoshC2 - Observed Default URI Structure M28 (malware.rules)
2036537 - ET MALWARE PoshC2 - Observed Default URI Structure M29 (malware.rules)
2036538 - ET MALWARE PoshC2 - Observed Default URI Structure M30 (malware.rules)
2036539 - ET MALWARE PoshC2 - Observed Default URI Structure M31 (malware.rules)
2036540 - ET MALWARE PoshC2 - Observed Default URI Structure M32 (malware.rules)
2036541 - ET MALWARE Eternity Stealer Screen Capture Activity (malware.rules)
2036542 - ET MALWARE Eternity Stealer Data Exfiltration Activity (malware.rules)
2036543 - ET MALWARE Eternity Stealer CnC Domain in DNS Lookup (wasabiwallet .online) (malware.rules)
Pro:
2851582 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-05-05 1) (coinminer.rules)
2851583 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-05-05 2) (coinminer.rules)
2851584 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-05-05 3) (coinminer.rules)
2851585 - ETPRO PHISHING Successful Caixa Bank Phish 2022-05-06 (phishing.rules)
[///] Modified active rules: [///]
2036499 - ET MALWARE Trojan.Win32.DLOADR.TIOIBEPQ CnC Traffic (malware.rules)
2801959 - ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M1 (malware.rules)
2808916 - ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M2 (malware.rules)
2809762 - ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M4 (malware.rules)
2809763 - ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M5 (malware.rules)
2809764 - ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M6 (malware.rules)
2809765 - ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M7 (malware.rules)
2809766 - ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M8 (malware.rules)
2809767 - ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M9 (malware.rules)
2809768 - ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M10 (malware.rules)
2809769 - ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M11 (malware.rules)
2809770 - ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M12 (malware.rules)
2809771 - ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M13 (malware.rules)
2809772 - ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M14 (malware.rules)
2811460 - ETPRO MALWARE Cybergate/Rebhip/Spyrat Backdoor M15 (malware.rules)
[---] Removed rules: [---]
2031611 - ET POLICY Trend Micro Phishing Simulation Service (policy.rules)
2851581 - ETPRO MALWARE Kimsuky APT PebbleDash Related Activity (GET) (malware.rules)
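The notice above is hard-wrapped by the mailer, and its Added, Modified and Removed sections name SIDs that a local suricata-update disable.conf or enable.conf may still reference (note that 2031611 is both removed from policy.rules and re-added under info.rules in this same update). The following Python is an added example, not part of the ET notice and not Proofpoint's own tooling: it re-joins wrapped entries, parses each into SID / Open-or-Pro / category / rule file, tallies Open vs Pro per section so the counts can be compared with the summary line, and flags local overrides that point at SIDs this update removed, moved (removed and re-added) or modified. The embedded notice excerpt is taken from the text above; the disable.conf is a constructed sample, and treating local overrides as bare SIDs, one per line, is an assumption based on the format suricata-update's disable.conf accepts.

```python
"""Parse an Emerging Threats daily update notice into per-section SID sets and
audit a local suricata-update disable.conf against it (added example)."""
import re
from collections import namedtuple

SECTION_RE = re.compile(r"^\[(?:\+\+\+|///|---)\]\s+(Added|Modified active|Removed) rules")
SECTION_NAMES = {"Added": "added", "Modified active": "modified", "Removed": "removed"}
ENTRY_RE = re.compile(r"^(\d+)\s+-\s+(ETPRO|ET)\s+(.*)$")   # "<sid> - ET|ETPRO <rest>"
FILE_RE = re.compile(r"\s*\(([\w.-]+\.rules)\)\s*$")         # trailing "(<file>.rules)"
BARE_SID_RE = re.compile(r"^\s*(\d{4,})\s*$")  # assumption: local overrides are bare SIDs per line

# ruleset is "open" (ET) or "pro" (ETPRO); category is the word after it, e.g. MALWARE, POLICY
Entry = namedtuple("Entry", "sid ruleset category msg rulefile")

def _join_wrapped(text):
    """Yield (section, entry_line), re-joining lines the mailer hard-wrapped."""
    section, buf = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            if buf:
                yield section, buf
            section, buf = SECTION_NAMES[m.group(1)], None
        elif section is None or not line or line in ("Open:", "Pro:"):
            if buf:                         # preamble, blank line or sub-heading ends an entry
                yield section, buf
            buf = None
        elif ENTRY_RE.match(line):
            if buf:
                yield section, buf
            buf = line
        elif buf is not None:
            buf += " " + line               # continuation of the previous entry
    if buf:
        yield section, buf

def _parse_entry(line):
    sid, prefix, rest = ENTRY_RE.match(line).groups()
    fm = FILE_RE.search(rest)               # only the final "(x.rules)" is the rule file
    category, _, msg = (rest[:fm.start()] if fm else rest).partition(" ")
    return Entry(int(sid), "pro" if prefix == "ETPRO" else "open",
                 category, msg.strip(), fm.group(1) if fm else "")

def parse_notice(text):
    """Return {"added": [Entry, ...], "modified": [...], "removed": [...]}."""
    sections = {name: [] for name in SECTION_NAMES.values()}
    for section, line in _join_wrapped(text):
        sections[section].append(_parse_entry(line))
    return sections

def count_by_ruleset(sections):
    """Per-section Open/Pro tallies, to compare against the notice's summary line."""
    return {name: {"open": sum(e.ruleset == "open" for e in entries),
                   "pro": sum(e.ruleset == "pro" for e in entries)}
            for name, entries in sections.items()}

def audit_local_conf(sections, local_conf):
    """Flag local SID overrides that this update removed, moved or modified."""
    local = {int(m.group(1)) for m in map(BARE_SID_RE.match, local_conf.splitlines()) if m}
    added = {e.sid for e in sections["added"]}
    removed = {e.sid for e in sections["removed"]}
    modified = {e.sid for e in sections["modified"]}
    return {"stale": local & (removed - added),    # rule is gone; the override is dead
            "moved": local & (removed & added),    # removed and re-added, e.g. under a new .rules file
            "modified": local & modified}          # re-check the override against the new rule body

# Excerpt of the notice above, with the mailer's hard wrapping left in place.
NOTICE_EXCERPT = """\
[+++] Added rules: [+++]
Open:
2031611 - ET INFO Trend Micro Phishing Simulation Service (info.rules)
2036500 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Origami.b / Donot
DNS Lookup (mobile_malware.rules)
2036504 - ET POLICY F5 BIG-IP Exposed REST API GET (flowbit set)
(policy.rules)
2036543 - ET MALWARE Eternity Stealer CnC Domain in DNS Lookup
(wasabiwallet .online) (malware.rules)
Pro:
2851582 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-05-05 1) (coinminer.rules)
[///] Modified active rules: [///]
2036499 - ET MALWARE Trojan.Win32.DLOADR.TIOIBEPQ CnC Traffic (malware.rules)
[---] Removed rules: [---]
2031611 - ET POLICY Trend Micro Phishing Simulation Service (policy.rules)
2851581 - ETPRO MALWARE Kimsuky APT PebbleDash Related Activity
(GET) (malware.rules)
"""

# Constructed sample of a local suricata-update disable.conf (bare SIDs plus a group: line).
LOCAL_DISABLE_CONF = "# local tuning\n2031611\n2851581\n2036499\ngroup:emerging-chat.rules\n"

if __name__ == "__main__":
    secs = parse_notice(NOTICE_EXCERPT)
    print(count_by_ruleset(secs), audit_local_conf(secs, LOCAL_DISABLE_CONF))
```

Run it against the full notice (or the daily mail) rather than the excerpt to get the real tallies; the "moved" bucket is the one worth a second look, since a SID that changes rule file keeps working with a bare-SID override but will be missed by a `group:` override that names the old file.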