[***] Summary: [***]
14 new Open, 45 new Pro (14 + 31). APT41, Remcos, WinLoader, Various Phish.
We have a blog up now outlining the new Suricata 5.0 ruleset information, as well as information regarding our upcoming plans to EOL rule support for the Suricata 2.0/3.0 rulesets.
Suricata 5.0 Support blog:
https://www.proofpoint.com/us/corporate-blog/post/emerging-threats-announcing-support-suricata-50
Suricata 2/3 EOL information:
https://lists.emergingthreats.net/pipermail/emerging-updates/2019-October/004655.html
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2028879 - ET USER_AGENTS Observed Suspicious UA (Windows) (user_agents.rules)
2028880 - ET TROJAN Anchor_DNS Trickbot DNS CnC Command - Sending Data (trojan.rules)
2028881 - ET TROJAN Anchor_DNS Trickbot DNS CnC Command - Prepare to Receive Data (trojan.rules)
2028882 - ET TROJAN Anchor_DNS Trickbot DNS CnC Command - Receive Data (trojan.rules)
2028883 - ET TROJAN APT 41 LOWKEY Backdoor - Ping Command Inbound (trojan.rules)
2028884 - ET TROJAN APT 41 LOWKEY Backdoor - Ping Success Code sent to CnC (trojan.rules)
2028885 - ET TROJAN APT 41 LOWKEY Backdoor - Ping Error Code sent to CnC (trojan.rules)
2028886 - ET TROJAN APT 41 LOWKEY Backdoor [TCP Relay Module] - PID Injection Command (trojan.rules)
2028887 - ET TROJAN APT 41 LOWKEY Backdoor [TCP Relay Module] - Establishing Connection with New Host (trojan.rules)
2028888 - ET TROJAN APT 41 LOWKEY Backdoor [TCP Relay Module] - TCP Relay Successfully Activated on New Host (trojan.rules)
2028889 - ET TROJAN APT 41 LOWKEY Backdoor [TCP Relay Module] - Exchanging RC4 & XOR Encrypted Data with Internal Host (trojan.rules)
2028890 - ET TROJAN APT 41 LOWKEY Backdoor [TCP Relay Module] - Close Socket Command Observed (trojan.rules)
2028891 - ET TROJAN APT 41 LOWKEY Backdoor [TCP Relay Module] - Close Named Pipe Command Observed (trojan.rules)
2028892 - ET TROJAN Unk Spam Bot Template 1 Active - Outbound Malicious Email Spam (trojan.rules)
Pro:
2839018 - ETPRO TROJAN Win32/WinLoader Requesting Payload (trojan.rules)
2839021 - ETPRO CURRENT_EVENTS Observed MalDoc DL 2019-10-21 Domain in TLS SNI (current_events.rules)
2839022 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-10-18 1) (trojan.rules)
2839023 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-10-18 2) (trojan.rules)
2839024 - ETPRO CURRENT_EVENTS Successful OneDrive Phish 2019-10-21 (current_events.rules)
2839025 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-10-21 (current_events.rules)
2839026 - ETPRO CURRENT_EVENTS Successful Sekerbank Phish 2019-10-21 (current_events.rules)
2839027 - ETPRO CURRENT_EVENTS Successful Sekerbank Phish 2019-10-21 (current_events.rules)
2839028 - ETPRO CURRENT_EVENTS Successful Adobe Phish 2019-10-21 (current_events.rules)
2839029 - ETPRO CURRENT_EVENTS Successful Adobe Document Cloud Phish 2019-10-21 (current_events.rules)
2839030 - ETPRO CURRENT_EVENTS Successful Desjardins Phish 2019-10-21 (current_events.rules)
2839031 - ETPRO CURRENT_EVENTS Successful American Express Phish 2019-10-21 (current_events.rules)
2839032 - ETPRO CURRENT_EVENTS Successful American Express Phish 2019-10-21 (current_events.rules)
2839033 - ETPRO CURRENT_EVENTS Successful Amazon Phish 2019-10-21 (current_events.rules)
2839034 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-10-21 (current_events.rules)
2839035 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-10-21 (current_events.rules)
2839036 - ETPRO CURRENT_EVENTS Successful Generic Email Web App Phish 2019-10-21 (current_events.rules)
2839037 - ETPRO CURRENT_EVENTS Successful ING Phish 2019-10-21 (current_events.rules)
2839038 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2019-10-21 (current_events.rules)
2839039 - ETPRO CURRENT_EVENTS Successful Generic Webmail Mini Phish 2019-10-21 (current_events.rules)
2839040 - ETPRO CURRENT_EVENTS Successful Generic Mailbox Phish 2019-10-21 (current_events.rules)
2839041 - ETPRO TROJAN Gh0stNoxy CnC Activity (trojan.rules)
2839042 - ETPRO TROJAN Win32/Remcos RAT Checkin 209 (trojan.rules)
2839043 - ETPRO TROJAN Win32/Remcos RAT Checkin 210 (trojan.rules)
2839044 - ETPRO TROJAN Win32/Remcos RAT Checkin 211 (trojan.rules)
2839045 - ETPRO TROJAN Win32/Remcos RAT Checkin 212 (trojan.rules)
2839046 - ETPRO TROJAN Win32/Remcos RAT Checkin 213 (trojan.rules)
2839047 - ETPRO TROJAN Win32/Remcos RAT Checkin 214 (trojan.rules)
2839048 - ETPRO TROJAN Win32/Remcos RAT Checkin 215 (trojan.rules)
2839049 - ETPRO TROJAN Win32/Remcos RAT Checkin 216 (trojan.rules)
2839050 - ETPRO TROJAN Win32/Remcos RAT Checkin 217 (trojan.rules)
[///] Modified active rules: [///]
2002945 - ET POLICY Java Url Lib User Agent Web Crawl (policy.rules)
2027886 - ET TROJAN Win32/DarkRAT CnC Activity (trojan.rules)
2838997 - ETPRO CURRENT_EVENTS Successful DHL Phish 2019-10-18 (current_events.rules)