[***]            Summary:            [***]

9 new Open, 35 new Pro (9 + 26).  APT 41, Win32/Unk.LOLBackdoor, Win32/Presenoker, HeavenWard (?:Light|Key)Logger, Various Phishing, Various Mobile.

We have a blog up now outlining the new Suricata 5.0 ruleset information, as well as information regarding our upcoming plans to EOL rule support for the Suricata 2.0/3.0 rulesets.

Suricata 5.0 Support blog:
https://www.proofpoint.com/us/corporate-blog/post/emerging-threats-announcing-support-suricata-50
Suricata 2/3 EOL information:
https://lists.emergingthreats.net/pipermail/emerging-updates/2019-October/004655.html

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

2028834 - ET USER_AGENTS Observed Suspicious UA (IExplorer 34) (user_agents.rules)
2028835 - ET TROJAN Observed Malicious SSL Cert (MageCart Staging Domain) (trojan.rules)
2028836 - ET TROJAN Observed Malicious SSL Cert (MageCart Staging Domain) (trojan.rules)
2028837 - ET TROJAN Possible APT 41 Fake Server Response (trojan.rules)
2028838 - ET TROJAN APT 41 CnC Domain Observed in DNS Query (trojan.rules)
2028839 - ET TROJAN APT 41 CnC Domain Observed in DNS Query (trojan.rules)
2028840 - ET TROJAN APT 41 CnC Domain Observed in DNS Query (trojan.rules)
2028841 - ET TROJAN APT 41 CnC Domain Observed in DNS Query (trojan.rules)
2028842 - ET USER_AGENTS Suspicious User Agent (reqwest/) (user_agents.rules)

Pro:

2838955 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2019-10-16) (current_events.rules)
2838956 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-10-15 1) (trojan.rules)
2838957 - ETPRO CURRENT_EVENTS Successful Office 365 Phish 2019-10-16 (current_events.rules)
2838958 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish 2019-10-16 (current_events.rules)
2838959 - ETPRO CURRENT_EVENTS Successful Office 365 Phish 2019-10-16 (current_events.rules)
2838960 - ETPRO CURRENT_EVENTS Successful Tradekey Phish 2019-10-16 (current_events.rules)
2838961 - ETPRO CURRENT_EVENTS Successful Sparebank Phish 2019-10-16 (current_events.rules)
2838962 - ETPRO CURRENT_EVENTS Successful Scotiabank Phish 2019-10-16 (current_events.rules)
2838963 - ETPRO CURRENT_EVENTS Successful BT Phish 2019-10-16 (current_events.rules)
2838964 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-10-16 (current_events.rules)
2838965 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-10-16 (current_events.rules)
2838966 - ETPRO CURRENT_EVENTS Successful Coinbase Phish 2019-10-16 (current_events.rules)
2838967 - ETPRO CURRENT_EVENTS Successful Generic Facebook App Login Phish 2019-10-16 (current_events.rules)
2838968 - ETPRO CURRENT_EVENTS Successful Generic Facebook App Login Phish 2019-10-16 (current_events.rules)
2838969 - ETPRO CURRENT_EVENTS Successful Netbank Phish 2019-10-16 (current_events.rules)
2838970 - ETPRO TROJAN Win32/Presenoker Requesting Batch File M5 (trojan.rules)
2838971 - ETPRO USER_AGENTS Win32/Presenoker UA Observed (user_agents.rules)
2838972 - ETPRO TROJAN HeavenWard LightLogger Activity (trojan.rules)
2838973 - ETPRO MALWARE HeavenWard Keylogger Domain in DNS Lookup (malware.rules)
2838974 - ETPRO TROJAN HeavenWard Keylogger Domain in DNS Lookup (trojan.rules)

[///]     Modified active rules:     [///]

2012384 - ET INFO Suspicious Purported MSIE 7 with terse HTTP Headers GET to PHP (info.rules)
2012802 - ET TROJAN Spoofed MSIE 8 User-Agent Likely Ponmocup (trojan.rules)
2013492 - ET SCAN McAfee/Foundstone Scanner Web Scan (scan.rules)
2013503 - ET POLICY OS X Software Update Request Outbound (policy.rules)
2013510 - ET TROJAN W32/Lalus Trojan Downloader User Agent (Message Center) (trojan.rules)
2013511 - ET TROJAN Win32/CazinoSilver Checkin (trojan.rules)
2013718 - ET TROJAN Trojan Downloader User-Agent (Tiny) (trojan.rules)
2013946 - ET TROJAN FakeAV.EGZ Checkin 1 (trojan.rules)
2013947 - ET TROJAN FakeAV.EGZ Checkin 2 (trojan.rules)
2013959 - ET TROJAN Win32.Sality User-Agent (DEBUT.TMP) (trojan.rules)
2014359 - ET POLICY DNSWatch.info IP Check (policy.rules)
2014576 - ET POLICY eBook Generator User-Agent (EBook) (policy.rules)
2014579 - ET TROJAN Likely Infected HTTP POST to PHP with User-Agent of HTTP Client (trojan.rules)
2015020 - ET TROJAN W32/Numnet.Downloader CnC Checkin 1 (trojan.rules)
2015021 - ET TROJAN W32/Numnet.Downloader CnC Checkin 2 (trojan.rules)
2016014 - ET TROJAN Win32/Trojan.Agent.AXMO CnC Beacon (trojan.rules)
2016212 - ET TROJAN BroBot POST (trojan.rules)
2016355 - ET TROJAN W32/ServStart.Variant CnC Beacon (trojan.rules)
2016638 - ET TROJAN W32/Depyot.Downloader CnC Beacon (trojan.rules)
2016819 - ET TROJAN DEEP PANDA Checkin 1 (trojan.rules)
2017937 - ET TROJAN Fake/Short Google Search Appliance UA Win32/Ranbyus and Others (trojan.rules)
2018071 - ET MOBILE_MALWARE Android/DwnlAPK-A Configuration File Request (mobile_malware.rules)
2018381 - ET TROJAN Suspicious User-Agent (hi) (trojan.rules)
2018508 - ET TROJAN Win32/Enosch.A gtalk connectivity check (trojan.rules)
2018546 - ET TROJAN EtumBot Registration Request (trojan.rules)
2019162 - ET TROJAN Win.Trojan.Chewbacca connectivity check (trojan.rules)
2019502 - ET TROJAN Wonton-JH Checkin (trojan.rules)
2019898 - ET POLICY I2P Retrieving reseed info (policy.rules)
2019946 - ET TROJAN W32/Farfli.BHQ!tr Dropper CnC Beacon (trojan.rules)
2019951 - ET WEB_SERVER MorXploit Shell Command (web_server.rules)
2020064 - ET TROJAN Dridex Post Check-in Activity (trojan.rules)
2020076 - ET TROJAN Andromeda Checkin Dec 29 2014 (trojan.rules)
2020299 - ET TROJAN Win32/Scieron-A Checkin via HTTP POST (trojan.rules)
2020344 - ET TROJAN ArcDoor User-Agent (ALIZER) (trojan.rules)
2020373 - ET TROJAN Possible DEEP PANDA C2 Activity (trojan.rules)
2020433 - ET TROJAN Likely Arid Viper APT Advtravel Campaign POST (trojan.rules)
2020471 - ET TROJAN Babar POST Request (trojan.rules)
2020578 - ET POLICY Privdog Activation (policy.rules)
2020579 - ET POLICY Privdog Checkin (policy.rules)
2027389 - ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) (user_agents.rules)
2028651 - ET USER_AGENTS Steam HTTP Client User-Agent (user_agents.rules)
2801172 - ETPRO TROJAN Trojan.Win32.Karagany Checkin (trojan.rules)
2801999 - ETPRO MALWARE Suspicious User Agent Possible Spyware Related (Mozilla 0a) 2 (malware.rules)
2802000 - ETPRO TROJAN Win32.AutoRun.bntt Checkin (trojan.rules)
2803464 - ETPRO TROJAN Win32/Banker.LW sending info (trojan.rules)
2803788 - ETPRO TROJAN Backdoor.Win32.Proxyier.k Checkin (trojan.rules)
2803902 - ETPRO TROJAN Win32.Virut.ce Checkin (trojan.rules)
2804231 - ETPRO TROJAN FakeAlert-SysDef.b Checkin (trojan.rules)
2804261 - ETPRO TROJAN Trojan-Dropper.Win32.Microjoin.cn Checkin (trojan.rules)
2804576 - ETPRO TROJAN Win32/Dragon_i Checkin (trojan.rules)
2805030 - ETPRO TROJAN PWS.Win32/Sinowal.gen!Y/Torpig Checkin (trojan.rules)
2805155 - ETPRO TROJAN Kazy.57247 Checkin (trojan.rules)
2805366 - ETPRO TROJAN SHeur4.JEK Checkin 2 (trojan.rules)
2805965 - ETPRO TROJAN TrojanDropper.Win32/Joiner.G reporting via ICQ WWW script (trojan.rules)
2805968 - ETPRO TROJAN Backdoor.Win32/LittleWitch.T reporting via ICQ WWW script (trojan.rules)
2806102 - ETPRO TROJAN Trojan-Ransom.Win32.Blocker.ammt Checkin (trojan.rules)
2806882 - ETPRO TROJAN Trojan.Win32.Agent.btdoqw Checkin (trojan.rules)
2807090 - ETPRO TROJAN Medfos Connectivity Check (trojan.rules)
2807179 - ETPRO TROJAN Trojan.DownLoader10.36780 User-Agent (odin) (trojan.rules)
2807295 - ETPRO TROJAN Trojan-PSW.Win32.Tepfer.sqyx POST (trojan.rules)
2807507 - ETPRO TROJAN Win32.Foreign.jowy 2 (trojan.rules)
2807535 - ETPRO TROJAN Win32/Zawat.A User-Agent (trojan.rules)
2807610 - ETPRO TROJAN DirtJumper DDoS (INBOUND) (trojan.rules)
2807616 - ETPRO TROJAN Win32/Spy.Agent.OIB Checkin (trojan.rules)
2807877 - ETPRO TROJAN TrojanDownloader.Win32/Banup.A Checkin (trojan.rules)
2807901 - ETPRO TROJAN RemoteAdmin.Win32.RAdmin Request (trojan.rules)
2807931 - ETPRO MOBILE_MALWARE Android/Badao.A Checkin 2 (mobile_malware.rules)
2807943 - ETPRO TROJAN Trojan-PSW.Win32.QQDragon.bq Checkin (trojan.rules)
2807993 - ETPRO TROJAN Trojan-Downloader.Win32.Small.gri Checkin (trojan.rules)
2808405 - ETPRO TROJAN Trojan.Win32.Invader Checkin (trojan.rules)
2808429 - ETPRO TROJAN Password Stealer TSPY_WOWSPY.A Checkin (trojan.rules)
2808499 - ETPRO TROJAN Win32/Zemot User-Agent (trojan.rules)
2808748 - ETPRO TROJAN Win32/Picazen.A Dropping Files (trojan.rules)
2808943 - ETPRO TROJAN Win32.Juched Checkin (trojan.rules)
2809017 - ETPRO TROJAN Win32.Pasta Variant Checkin (trojan.rules)
2809112 - ETPRO USER_AGENTS Kaspersky AntiRootkit TDSSKiller User Agent (user_agents.rules)
2809166 - ETPRO TROJAN W32/Ransom.JD Checkin (trojan.rules)
2809204 - ETPRO TROJAN Win32.Trojan.Win32.TravNet HTTP Checkin (trojan.rules)
2809274 - ETPRO TROJAN Win32/Belot Checkin (trojan.rules)
2809337 - ETPRO TROJAN Win32/TrojanDownloader.Autoit.NTF Checkin (trojan.rules)
2809443 - ETPRO USER_AGENTS NateOn User Agent Likely Hostile (user_agents.rules)
2809587 - ETPRO TROJAN Win32/Spy.Agent.OLV Checkin (trojan.rules)
2809673 - ETPRO TROJAN Win32.Banload.bUZH Checkin (trojan.rules)
2809674 - ETPRO TROJAN Win32/Spy.Banker.aahf Checkin (trojan.rules)
2809675 - ETPRO TROJAN Trojan.Win32.Scar Checkin (trojan.rules)
2809677 - ETPRO TROJAN HackTool/Win32.Dohuk Downloading Files (trojan.rules)
2809709 - ETPRO TROJAN Win32/Paskod.M HTTP Checkin (trojan.rules)
2809715 - ETPRO TROJAN Win32/Kilim.D Checkin (trojan.rules)
2809845 - ETPRO TROJAN Win32/Neshta.A Checkin 5 (trojan.rules)
2809853 - ETPRO TROJAN Win32/Spy.Banker.PTM Checkin (trojan.rules)
2809876 - ETPRO TROJAN Win32/Agent.WPN CnC Beacon User-Agent (trojan.rules)
2811215 - ETPRO MALWARE Playtech Installer PUP/Adware (malware.rules)
2838716 - ETPRO TROJAN Possible Unk JSP WebShell Access M5 (trojan.rules)

[---]         Removed rules:         [---]

2017617 - ET TROJAN W32/Onkod.Downloader Executable Download (trojan.rules)
2020308 - ET TROJAN Dyre Downloading Mailer (trojan.rules)
2020346 - ET TROJAN Dropper YABROD Downloading Files (trojan.rules)
2806827 - ETPRO MOBILE_MALWARE Android/Badao.A Checkin (mobile_malware.rules)
2807384 - ETPRO TROJAN Win32.Hupigon Variant (trojan.rules)
