[***] Summary: [***]
34 new OPEN, 46 new PRO (34 + 12). Various Android Malware, RAT and Phishing.
Thanks @0xrb, @ReversingLabs
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2038634 - ET MOBILE_MALWARE Android.Trojan.Banker.XJ Activity (mobile_malware.rules)
2038635 - ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Ermak.a Checkin (mobile_malware.rules)
2038636 - ET MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.hf Checkin (mobile_malware.rules)
2038637 - ET ATTACK_RESPONSE Possible WebShell Upload Attempt via Directory Traversal M1 (attack_response.rules)
2038638 - ET ATTACK_RESPONSE Possible WebShell Upload Attempt via Directory Traversal M2 (attack_response.rules)
2038639 - ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) (info.rules)
2038640 - ET INFO Observed Temporary File Sharing Service Domain (litter .catbox .moe in TLS SNI) (info.rules)
2038641 - ET INFO Malware Destroyer FTP Login (info.rules)
2038642 - ET INFO Malware Destroyer Checkin (info.rules)
2038643 - ET INFO Observed Abused Website Archival Domain in DNS Lookup (archive .ph) (info.rules)
2038644 - ET INFO Observed Abused Website Archival Domain (archive .ph in TLS SNI) (info.rules)
2038645 - ET INFO Collaboration/File Sharing Platform Domain in DNS Lookup (notion .so) (info.rules)
2038646 - ET INFO Observed Collaboration/File Sharing Platform Domain (www .notion .so in TLS SNI) (info.rules)
2038647 - ET INFO URL Shortening Service Domain in DNS Lookup (vk .cc) (info.rules)
2038648 - ET INFO URL Shortening Service Domain in DNS Lookup (vk .com) (info.rules)
2038649 - ET INFO Observed URL Shortening Service Domain (vk .cc in TLS SNI) (info.rules)
2038650 - ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI) (info.rules)
2038651 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (telecomly .info) (malware.rules)
2038652 - ET HUNTING Suspicious GET Request for .arc File (hunting.rules)
2038653 - ET HUNTING Suspicious GET Request for .i468 File (hunting.rules)
2038654 - ET HUNTING Suspicious GET Request for .i686 File (hunting.rules)
2038655 - ET HUNTING Suspicious GET Request for .mspl File (hunting.rules)
2038656 - ET HUNTING Suspicious GET Request for .arm file File (hunting.rules)
2038657 - ET HUNTING Suspicious GET Request for .ppc File (hunting.rules)
2038658 - ET HUNTING Suspicious GET Request for .spc File (hunting.rules)
2038659 - ET HUNTING Suspicious GET Request for .sh4 File (hunting.rules)
2038660 - ET INFO URL Shortening Service Domain in DNS Lookup (shrtcnl .com) (info.rules)
2038661 - ET INFO Observed URL Shortening Service Domain (shrtcnl .com in TLS SNI) (info.rules)
2038662 - ET PHISHING Union Bank Credential Theft Landing Page 2022-08-29 (phishing.rules)
2038663 - ET MALWARE Win32/Unknown RAT CnC Keepalive (malware.rules)
2038664 - ET MALWARE Win32/Unknown RAT CnC Initial Checkin (malware.rules)
2038665 - ET EXPLOIT Attempted Schneider Electric SpaceLogic C-Bus Home Controller 5200WHC2 Remote Code Execution (CVE-2022-34753) (exploit.rules)
2038666 - ET MALWARE Win32/Meimaii Checkin (malware.rules)
2038667 - ET PHISHING Successful Telstra Credential Phish 2022-08-29 (phishing.rules)
Pro:
2827745 - ETPRO MALWARE NetSupport RAT CnC Activity (malware.rules)
2852227 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CIO CnC Domain in DNS Lookup (mobile_malware.rules)
2852228 - ETPRO MOBILE_MALWARE Android/Agent.IBFU CnC Domain in DNS Lookup (mobile_malware.rules)
2852229 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Cebruser.san CnC Domain in DNS Lookup (mobile_malware.rules)
2852230 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Teardroid.a CnC Domain in DNS Lookup (mobile_malware.rules)
2852231 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Agent.fq CnC Domain in DNS Lookup (mobile_malware.rules)
[///] Modified active rules: [///]
2033431 - ET HUNTING NOP Sled in HTTP URI Inbound - Possible Exploit Activity (hunting.rules)
2035894 - ET MALWARE NetSupport RAT with System Information (malware.rules)
2037017 - ET MALWARE TA457 Backdoor CnC Response (malware.rules)
2037019 - ET MALWARE TA457 Backdoor CnC Activity (malware.rules)
[---] Removed rules: [---]
2851389 - ETPRO MOBILE_MALWARE Android.Trojan.Banker.XJ Activity (mobile_malware.rules)
2851738 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Ermak.a Checkin (mobile_malware.rules)
2851870 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.hf Checkin (mobile_malware.rules)