[***] Summary: [***]
7 new OPEN, 12 new PRO (7 + 5). APT29, ChromeLoader, Warzone RAT, Others.
Thanks @h2jazi, @Unit42_Intel
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2037793 - ET MALWARE ChromeLoader Activity (GET) (malware.rules)
2037794 - ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ksew .kpt-gov .org) (malware.rules)
2037795 - ET MALWARE APT29/CloakedUrsa Related Domain in DNS Lookup (crossfity .com) (malware.rules)
2037796 - ET MALWARE APT29/CloakedUrsa Related Domain in DNS Lookup (techspaceinfo .com) (malware.rules)
2037797 - ET MALWARE APT29/CloakedUrsa Google Drive Authentication (POST) (malware.rules)
2037798 - ET MALWARE HTML/TrojanDropper.Agent.T Payload Inbound (malware.rules)
2037799 - ET MALWARE Win32/MSIL.Heracles Checkin (malware.rules)
Pro:
2851947 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Basbanke.b Checkin (mobile_malware.rules)
2851948 - ETPRO MALWARE Ave Maria/Warzone RAT VNC GetModule (malware.rules)
2851949 - ETPRO MALWARE Ave Maria/Warzone RAT RemoteModuleLoadResponse (malware.rules)
2851950 - ETPRO MALWARE Ave Maria/Warzone RAT DownloadandExecuteResponse (malware.rules)
2851951 - ETPRO MALWARE Ave Maria/Warzone RAT ListPasswordsResponse (malware.rules)
[///] Modified active rules: [///]
2022647 - ET MALWARE Cryptolocker Payment Domain (3qbyaoohkcqkzrz6) (malware.rules)
2024708 - ET MALWARE CCleaner Backdoor DGA Domain (ab6d54340c1a .com) Feb 2017 (malware.rules)
2024709 - ET MALWARE CCleaner Backdoor DGA Domain (aba9a949bc1d .com) Mar 2017 (malware.rules)
2024710 - ET MALWARE CCleaner Backdoor DGA Domain (ab2da3d400c20 .com) Apr 2017 (malware.rules)
2024711 - ET MALWARE CCleaner Backdoor DGA Domain (ab3520430c23 .com) May 2017 (malware.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team