[***] Summary: [***]
5 new Open, 27 new Pro (5 Open + 22 Pro-only). Remcos, Evil Keitaro, Various SSL/TLS.
The Proofpoint Emerging Threats Detection team is proud to announce ETPro support for Suricata 5.0, along with additional new features. Please join us at 11am EDT on Wednesday, September 25th, for a webinar to discuss where we've been, where we are, and where we're going.
Link: https://proofpoint.zoom.us/j/347998498
Phone: +1 646 558 8656 or +1 669 900 6833 (US Toll)
Meeting ID: 347 998 498
International numbers available: https://zoom.us/u/acddrvsUVN
Or Mobile Phone one-tap: +16465588656,347998498# or +16699006833,347998498#
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2027967 - ET TROJAN HTTP Request for Possible ELF/LiLocked Ransomware Note (trojan.rules)
2027968 - ET TROJAN ELF/LiLocked Ransom Note in HTTP Response (trojan.rules)
2028614 - ET TROJAN DonotGroup CnC Domain Observed in DNS Query (trojan.rules)
2028615 - ET TROJAN DonotGroup CnC Domain Observed in DNS Query (trojan.rules)
2028616 - ET CURRENT_EVENTS Facebook Phishing Domain in DNS Lookup (current_events.rules)
Pro:
2838527 - ETPRO CURRENT_EVENTS Evil Keitaro Set-Cookie Inbound (9d2da) (current_events.rules)
2838528 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2019-09-23) (current_events.rules)
2838529 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2019-09-23 2) (current_events.rules)
2838530 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-20 1) (trojan.rules)
2838531 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-20 2) (trojan.rules)
2838532 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-20 3) (trojan.rules)
2838533 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-20 4) (trojan.rules)
2838534 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-23 1) (trojan.rules)
2838535 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-23 2) (trojan.rules)
2838536 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-23 3) (trojan.rules)
2838537 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-23 4) (trojan.rules)
2838538 - ETPRO TROJAN Win32/Presenoker CnC Checkin (trojan.rules)
2838539 - ETPRO TROJAN Win32/Presenoker Requesting Batch File M2 (trojan.rules)
2838540 - ETPRO USER_AGENTS Win32/Presenoker UA Observed (user_agents.rules)
2838541 - ETPRO MALWARE Win32/FlyStudio Checkin (malware.rules)
2838542 - ETPRO MALWARE Win32/FlyStudio Server Response Inbound (malware.rules)
2838543 - ETPRO TROJAN Query For Known Upatre Downloader Domain (trojan.rules)
2838544 - ETPRO TROJAN Win32/Remcos RAT Checkin 171 (trojan.rules)
2838545 - ETPRO TROJAN Win32/Remcos RAT Checkin 172 (trojan.rules)
2838546 - ETPRO TROJAN Win32/Remcos RAT Checkin 173 (trojan.rules)
2838547 - ETPRO TROJAN Win32/Remcos RAT Checkin 174 (trojan.rules)
2838548 - ETPRO TROJAN Win32/Remcos RAT Checkin 175 (trojan.rules)
[///] Modified active rules: [///]
2027345 - ET WEB_SPECIFIC_APPS Possible SharePoint RCE Attempt (CVE-2019-0604) (web_specific_apps.rules)
2838133 - ETPRO TROJAN Win32/Presenoker Requesting Batch File M1 (trojan.rules)
2838248 - ETPRO TROJAN Win32/QULAB Telegram Exfiltration (trojan.rules)