[***]            Summary:            [***]

21 new Open, 34 new Pro (21 + 13). MedusaHTTP, Kodiac CnC, Various Phishing.

Thanks @james_inthe_box and @malware_traffic

[+++]          Added rules:          [+++]

Open:

2027861 - ET TROJAN MedusaHTTP Variant CnC Checkin (trojan.rules)
2027863 - ET INFO Observed DNS Query to .biz TLD (info.rules)
2027864 - ET INFO Observed DNS Query to .okinawa TLD (info.rules)
2027865 - ET INFO Observed DNS Query to .cloud TLD (info.rules)
2027866 - ET INFO Observed DNS Query to .desi TLD (info.rules)
2027867 - ET INFO Observed DNS Query to .life TLD (info.rules)
2027868 - ET INFO Observed DNS Query to .work TLD (info.rules)
2027869 - ET INFO Observed DNS Query to .ryukyu TLD (info.rules)
2027870 - ET INFO Observed DNS Query to .world TLD (info.rules)
2027871 - ET INFO Observed DNS Query to .fit TLD (info.rules)
2027872 - ET INFO HTTP Request to Suspicious *.biz Domain (info.rules)
2027873 - ET INFO HTTP Request to Suspicious *.okinawa Domain (info.rules)
2027874 - ET INFO HTTP Request to Suspicious *.cloud Domain (info.rules)
2027875 - ET INFO HTTP Request to Suspicious *.desi Domain (info.rules)
2027876 - ET INFO HTTP Request to Suspicious *.life Domain (info.rules)
2027877 - ET INFO HTTP Request to Suspicious *.work Domain (info.rules)
2027878 - ET INFO HTTP Request to Suspicious *.ryukyu Domain (info.rules)
2027879 - ET INFO HTTP Request to Suspicious *.world Domain (info.rules)
2027880 - ET INFO HTTP Request to Suspicious *.fit Domain (info.rules)
2027881 - ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Inbound (CVE-2019-6277) (exploit.rules)
2027882 - ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Outbound (CVE-2019-6277) (exploit.rules)

Pro:

2838004 - ETPRO TROJAN Observed Malicious SSL Cert (Kodiac CnC) (trojan.rules)
2838005 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-08-13 1) (trojan.rules)
2838006 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-08-13 2) (trojan.rules)
2838007 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2019-08-13 (current_events.rules)
2838008 - ETPRO CURRENT_EVENTS Successful OurTime Phish 2019-08-13 (current_events.rules)
2838009 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2019-08-13 (current_events.rules)
2838010 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2019-08-13 (current_events.rules)
2838011 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-08-13 (current_events.rules)
2838012 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-08-13 (current_events.rules)
2838013 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2019-08-13 (current_events.rules)
2838014 - ETPRO CURRENT_EVENTS Successful OneNevada Credit Union Phish 2019-08-13 (current_events.rules)
2838015 - ETPRO CURRENT_EVENTS Successful Desjardins Phish 2019-08-13 (current_events.rules)
2838016 - ETPRO CURRENT_EVENTS Successful HSBC Phish 2019-08-13 (current_events.rules)

[///]     Modified active rules:     [///]

2002400 - ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) (user_agents.rules)
2003626 - ET MALWARE Double User-Agent (User-Agent User-Agent) (malware.rules)
2014634 - ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Session_Id length greater than Client_Hello Length) (trojan.rules)
2018403 - ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe (trojan.rules)
2834303 - ETPRO TROJAN MedusaHTTP Variant CnC Checkin (trojan.rules)
2834367 - ETPRO TROJAN GoBrut CnC Checkin (trojan.rules)
2834368 - ETPRO TROJAN GoBrut Requesting Brute Force List (flowbit set) (trojan.rules)
2834369 - ETPRO TROJAN GoBrut Brute Force List Inbound (trojan.rules)
2836433 - ETPRO TROJAN GoBrut Service Bruter CnC Activity (trojan.rules)
2836434 - ETPRO TROJAN GoBrut Service Bruter CnC Checkin (trojan.rules)

Date: Monday, August 12, 2019 - 22:00