[***] Summary: [***]

10 new OPEN, 12 new PRO (10 + 2). ReVBShell, Transparent Tribe, Various
Phish, Others.

Thanks @james_inthe_box, @h2jazi, @ESETresearch

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2036627 - ET POLICY ScreenConnect-ConnectWise Initial Checkin Packet
(policy.rules)
2036628 - ET POLICY Observed URL Shortening Service SSL/TLS Cert (rb.gy)
(policy.rules)
2036629 - ET PHISHING Spox Phishkit HTTP POST Observed (phishing.rules)
2036630 - ET PHISHING Spox Phishkit Landing Page Inbound (phishing.rules)
2036631 - ET PHISHING Successful Generic Phish Observed (phishing.rules)
2036632 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
2036633 - ET MALWARE Transparent Tribe APT Related Domain in DNS Lookup
(malware.rules)
2036634 - ET MOBILE_MALWARE Android ERMAC Banker (PL) Related Domain in
DNS Lookup (bolt-food .site) (mobile_malware.rules)
2036635 - ET MOBILE_MALWARE Observed Android ERMAC Banker (PL) Domain
(bolt-food .site in TLS SNI) (mobile_malware.rules)
2036636 - ET MALWARE ReVBShell Command Response (malware.rules)

Pro:

2851673 - ETPRO PHISHING Observed Malicious SSL/TLS Certificate (Phish
Related) (phishing.rules)
2851674 - ETPRO PHISHING Observed Malicious SSL/TLS Certificate (Phish
Related) (phishing.rules)

[+++] Enabled rules: [+++]

[///] Modified active rules: [///]

Many metadata modifications; refer to the full changelog for a full
listing.

[///] Modified inactive rules: [///]

Many metadata modifications; refer to the full changelog for a full
listing.

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
