[***] Summary: [***]
12 new OPEN, 15 new PRO (12 + 3). J-Spy, BitterAPT, DCRat, Others.
Thanks @BlackBerry, @SentinelOne, @k3yp0d
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2036637 - ET MALWARE DCRat Related CnC Domain in DNS Lookup (malware.rules)
2036638 - ET MALWARE DCRat Related CnC Domain in DNS Lookup (malware.rules)
2036639 - ET MALWARE Observed Malicious SSL Cert (DCRat) (malware.rules)
2036640 - ET MALWARE Observed DCRat Related Domain (crystalfiles .ru in TLS SNI) (malware.rules)
2036641 - ET MALWARE oRAT Related CnC Domain in DNS Lookup (malware.rules)
2036642 - ET MALWARE Bitter APT Related Domain in DNS Lookup (emshedulersvc .com) (malware.rules)
2036643 - ET MALWARE Bitter APT Related Domain in DNS Lookup (huandocimama .com) (malware.rules)
2036644 - ET MALWARE Bitter APT Related Domain in DNS Lookup (diyefosterfeeds .com) (malware.rules)
2036645 - ET MALWARE Bitter APT Related Activity (GET) (malware.rules)
2036646 - ET MALWARE Bitter APT Related Activity (GET) (malware.rules)
2036647 - ET MALWARE J-Spy JSP webshell response (malware.rules)
2036648 - ET MALWARE J-Spy JSP webshell request (malware.rules)
Pro:
2851675 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-05-20 1) (coinminer.rules)
2851676 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-05-20 2) (coinminer.rules)
2851677 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-05-20 3) (coinminer.rules)
[---] Removed rules: [---]
2018403 - ET MALWARE GENERIC Likely Malicious Fake IE Downloading .exe (malware.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team