[***]            Summary:            [***]

5 new Open, 27 new Pro (5 + 22).  Remcos, Evil Keitaro, Various SSL/TLS.

The Proofpoint Emerging Threats Detection team is proud to announce ETPro support for Suricata 5.0, along with additional new features. Please join us for a webinar at 11am EDT on Wednesday, September 25th, to discuss where we've been, where we are, and where we're going.

Link: https://proofpoint.zoom.us/j/347998498  Phone: +1 646 558 8656 or +1 669 900 6833 (US Toll) Meeting ID: 347 998 498
International numbers available: https://zoom.us/u/acddrvsUVN Or Mobile Phone one-tap:  +16465588656,347998498# or
+16699006833,347998498#

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

2027967 - ET TROJAN HTTP Request for Possible ELF/LiLocked Ransomware Note (trojan.rules)
2027968 - ET TROJAN ELF/LiLocked Ransom Note in HTTP Response (trojan.rules)
2028614 - ET TROJAN DonotGroup CnC Domain Observed in DNS Query (trojan.rules)
2028615 - ET TROJAN DonotGroup CnC Domain Observed in DNS Query (trojan.rules)
2028616 - ET CURRENT_EVENTS Facebook Phishing Domain in DNS Lookup (current_events.rules)

Pro:

2838527 - ETPRO CURRENT_EVENTS Evil Keitaro Set-Cookie Inbound (9d2da) (current_events.rules)
2838528 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2019-09-23) (current_events.rules)
2838529 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2019-09-23 2) (current_events.rules)
2838530 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-20 1) (trojan.rules)
2838531 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-20 2) (trojan.rules)
2838532 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-20 3) (trojan.rules)
2838533 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-20 4) (trojan.rules)
2838534 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-23 1) (trojan.rules)
2838535 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-23 2) (trojan.rules)
2838536 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-23 3) (trojan.rules)
2838537 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-23 4) (trojan.rules)
2838538 - ETPRO TROJAN Win32/Presenoker CnC Checkin (trojan.rules)
2838539 - ETPRO TROJAN Win32/Presenoker Requesting Batch File M2 (trojan.rules)
2838540 - ETPRO USER_AGENTS Win32/Presenoker UA Observed (user_agents.rules)
2838541 - ETPRO MALWARE Win32/FlyStudio Checkin (malware.rules)
2838542 - ETPRO MALWARE Win32/FlyStudio Server Response Inbound (malware.rules)
2838543 - ETPRO TROJAN Query For Known Upatre Downloader Domain (trojan.rules)
2838544 - ETPRO TROJAN Win32/Remcos RAT Checkin 171 (trojan.rules)
2838545 - ETPRO TROJAN Win32/Remcos RAT Checkin 172 (trojan.rules)
2838546 - ETPRO TROJAN Win32/Remcos RAT Checkin 173 (trojan.rules)
2838547 - ETPRO TROJAN Win32/Remcos RAT Checkin 174 (trojan.rules)
2838548 - ETPRO TROJAN Win32/Remcos RAT Checkin 175 (trojan.rules)

[///]     Modified active rules:     [///]

2027345 - ET WEB_SPECIFIC_APPS Possible SharePoint RCE Attempt (CVE-2019-0604) (web_specific_apps.rules)
2838133 - ETPRO TROJAN Win32/Presenoker Requesting Batch File M1 (trojan.rules)
2838248 - ETPRO TROJAN Win32/QULAB Telegram Exfiltration (trojan.rules)
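An added example, not part of this ET update or of any Proofpoint tooling: a small Python parser that turns the listing above into records (SID, tier, category, rules file), recomputes the "(5 + 22)" bookkeeping in the summary line, and emits the SIDs in the one-per-line form that suricata-update's enable.conf accepts. The listing text embedded below is copied from this update; the function and variable names are this example's own.

```python
"""Parse an Emerging Threats daily update listing into structured records.

Example code written for this page, not an ET or Proofpoint API. The listing
below is copied from this update so the example runs offline.
"""
import re
from collections import Counter

# One rule line: "<sid> - <ET|ETPRO> <CATEGORY> <message> (<file>.rules)"
RULE_LINE = re.compile(
    r"^(?P<sid>\d+) - (?P<prefix>ET|ETPRO) (?P<category>[A-Z_]+) "
    r"(?P<msg>.+?) \((?P<file>[a-z_]+\.rules)\)$"
)
# Section markers used by the daily update format.
SECTION_HEADERS = {"[+++]": "added", "[///]": "modified", "[---]": "removed"}
# "N new Open, M new Pro (N + K)": M is the Pro total, K the Pro-only count.
SUMMARY_LINE = re.compile(
    r"(?P<open>\d+) new Open, (?P<pro>\d+) new Pro "
    r"\((?P<open2>\d+) \+ (?P<pro_only>\d+)\)"
)

SUMMARY = "5 new Open, 27 new Pro (5 + 22).  Remcos, Evil Keitaro, Various SSL/TLS."

LISTING = """\
[+++]          Added rules:          [+++]

Open:

2027967 - ET TROJAN HTTP Request for Possible ELF/LiLocked Ransomware Note (trojan.rules)
2027968 - ET TROJAN ELF/LiLocked Ransom Note in HTTP Response (trojan.rules)
2028614 - ET TROJAN DonotGroup CnC Domain Observed in DNS Query (trojan.rules)
2028615 - ET TROJAN DonotGroup CnC Domain Observed in DNS Query (trojan.rules)
2028616 - ET CURRENT_EVENTS Facebook Phishing Domain in DNS Lookup (current_events.rules)

Pro:

2838527 - ETPRO CURRENT_EVENTS Evil Keitaro Set-Cookie Inbound (9d2da) (current_events.rules)
2838528 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2019-09-23) (current_events.rules)
2838529 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2019-09-23 2) (current_events.rules)
2838530 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-20 1) (trojan.rules)
2838531 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-20 2) (trojan.rules)
2838532 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-20 3) (trojan.rules)
2838533 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-20 4) (trojan.rules)
2838534 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-23 1) (trojan.rules)
2838535 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-23 2) (trojan.rules)
2838536 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-23 3) (trojan.rules)
2838537 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-09-23 4) (trojan.rules)
2838538 - ETPRO TROJAN Win32/Presenoker CnC Checkin (trojan.rules)
2838539 - ETPRO TROJAN Win32/Presenoker Requesting Batch File M2 (trojan.rules)
2838540 - ETPRO USER_AGENTS Win32/Presenoker UA Observed (user_agents.rules)
2838541 - ETPRO MALWARE Win32/FlyStudio Checkin (malware.rules)
2838542 - ETPRO MALWARE Win32/FlyStudio Server Response Inbound (malware.rules)
2838543 - ETPRO TROJAN Query For Known Upatre Downloader Domain (trojan.rules)
2838544 - ETPRO TROJAN Win32/Remcos RAT Checkin 171 (trojan.rules)
2838545 - ETPRO TROJAN Win32/Remcos RAT Checkin 172 (trojan.rules)
2838546 - ETPRO TROJAN Win32/Remcos RAT Checkin 173 (trojan.rules)
2838547 - ETPRO TROJAN Win32/Remcos RAT Checkin 174 (trojan.rules)
2838548 - ETPRO TROJAN Win32/Remcos RAT Checkin 175 (trojan.rules)

[///]     Modified active rules:     [///]

2027345 - ET WEB_SPECIFIC_APPS Possible SharePoint RCE Attempt (CVE-2019-0604) (web_specific_apps.rules)
2838133 - ETPRO TROJAN Win32/Presenoker Requesting Batch File M1 (trojan.rules)
2838248 - ETPRO TROJAN Win32/QULAB Telegram Exfiltration (trojan.rules)
"""


def parse_listing(text):
    """Return one dict per rule line, tagged with its section and tier."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[:5] in SECTION_HEADERS:
            section = SECTION_HEADERS[line[:5]]
            continue
        m = RULE_LINE.match(line)
        if m and section:
            rec = m.groupdict()
            rec["sid"] = int(rec["sid"])
            rec["section"] = section
            # ET Open signatures carry the "ET" prefix; ETPRO-only ones carry "ETPRO".
            rec["tier"] = "open" if rec["prefix"] == "ET" else "pro"
            records.append(rec)
    return records


def summarize(records):
    """Count added rules the way the update's summary line does."""
    added = [r for r in records if r["section"] == "added"]
    open_count = sum(1 for r in added if r["tier"] == "open")
    pro_only = len(added) - open_count
    return {
        "open": open_count,
        "pro_only": pro_only,
        "pro_total": open_count + pro_only,  # Pro subscribers also receive the Open rules
        "modified": sum(1 for r in records if r["section"] == "modified"),
        "by_file": Counter(r["file"] for r in added),
    }


def check_summary(summary_text, records):
    """True if the '(N + K)' bookkeeping in the summary line matches the parsed listing."""
    m = SUMMARY_LINE.search(summary_text)
    if not m:
        raise ValueError("no summary line found")
    claimed = {k: int(v) for k, v in m.groupdict().items()}
    actual = summarize(records)
    return (claimed["open"] == claimed["open2"] == actual["open"]
            and claimed["pro_only"] == actual["pro_only"]
            and claimed["pro"] == actual["pro_total"])


def enable_conf_lines(records, section="added"):
    """SIDs from one section, one per line, as suricata-update's enable.conf accepts them."""
    return [str(r["sid"]) for r in records if r["section"] == section]


if __name__ == "__main__":
    recs = parse_listing(LISTING)
    print(summarize(recs), check_summary(SUMMARY, recs))
    print("\n".join(enable_conf_lines(recs)))
```

Running the block against this update yields 5 Open and 22 Pro-only additions (27 in the Pro feed), 3 modified rules, and confirms the summary line's arithmetic; the same parser can be pointed at any day's listing to diff which SIDs a ruleset refresh will touch before it lands.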

Date: Sunday, September 22, 2019 - 22:00