[***]            Summary:            [***]

11 new Open, 48 new Pro (11 + 37). Magecart, Thanatos Ransomware, Masad Stealer, DiamondFox, Various Phishing.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

2029299 - ET POLICY HTTP Request to IP Logging Service (2no .co) (policy.rules)
2029300 - ET TROJAN Magecart CnC Domain Observed in DNS Query (trojan.rules)
2029301 - ET TROJAN Observed Magecart CnC Domain in TLS SNI (trojan.rules)
2029302 - ET TROJAN Malicious SSL Cert (Magecart) (trojan.rules)
2029303 - ET TROJAN Magecart CnC Domain Observed in DNS Query (trojan.rules)
2029304 - ET TROJAN Observed Magecart CnC Domain in TLS SNI (trojan.rules)
2029305 - ET TROJAN Malicious SSL Cert (Magecart) (trojan.rules)
2029306 - ET TROJAN Observed Thanatos Ransomware Variant Pico User-Agent (trojan.rules)
2029307 - ET TROJAN Observed Malicious SSL Cert (ELF/Rekoobe CnC) (trojan.rules)
2029308 - ET POLICY Website Hosting Service Observed in DNS Query (policy.rules)
2029309 - ET TROJAN ELF/Rekoobe CnC Observed in DNS Query (trojan.rules)

Pro:

2840549 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Browsers.log) (trojan.rules)
2840550 - ETPRO TROJAN Masad Stealer Exfil Via Telegram (trojan.rules)
2840551 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Domains.log) (trojan.rules)
2840552 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (information.log) (trojan.rules)
2840553 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Passwords.log) (trojan.rules)
2840554 - ETPRO TROJAN Observed Malicious SSL Cert (Get2 Downloader) (trojan.rules)
2840555 - ETPRO INFO Inbound Base64 Encoded Wide PowerShell Keyword (New-Object System.Net.WebClient) (info.rules)
2840556 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
2840557 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
2840558 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-01-22 (current_events.rules)
2840559 - ETPRO CURRENT_EVENTS Successful VK Phish 2020-01-22 (current_events.rules)
2840560 - ETPRO CURRENT_EVENTS Successful VK Phish 2020-01-22 (current_events.rules)
2840561 - ETPRO CURRENT_EVENTS Successful Sando Bank Phish 2020-01-22 (current_events.rules)
2840562 - ETPRO CURRENT_EVENTS Successful Spectrum Webmail Phish 2020-01-22 (current_events.rules)
2840563 - ETPRO TROJAN Muddywater Payload CnC Checkin (trojan.rules)
2840564 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-01-22 (current_events.rules)
2840565 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-01-22 (current_events.rules)
2840566 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-01-22 (current_events.rules)
2840567 - ETPRO CURRENT_EVENTS Successful Sprint Phish 2020-01-22 (current_events.rules)
2840568 - ETPRO CURRENT_EVENTS Successful Rackspace Phish 2020-01-22 (current_events.rules)
2840569 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-01-22 (current_events.rules)
2840570 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-01-22 (current_events.rules)
2840571 - ETPRO CURRENT_EVENTS Successful Tesco Phish 2020-01-22 (current_events.rules)
2840572 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2020-01-22 (current_events.rules)
2840573 - ETPRO CURRENT_EVENTS Successful ADCB Phish 2020-01-22 (current_events.rules)
2840574 - ETPRO CURRENT_EVENTS Successful Nubank Phish 2020-01-22 (current_events.rules)
2840575 - ETPRO CURRENT_EVENTS Successful Sharepoint Phish 2020-01-22 (current_events.rules)
2840576 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-01-22 (current_events.rules)
2840577 - ETPRO CURRENT_EVENTS Successful Nubank Phish 2020-01-22 (current_events.rules)
2840578 - ETPRO CURRENT_EVENTS Successful Mobile DE Phish 2020-01-22 (current_events.rules)
2840579 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-01-22 (current_events.rules)
2840580 - ETPRO TROJAN Inbound Base64 Encoded Wide PowerShell Payload Observed (trojan.rules)
2840581 - ETPRO INFO Inbound Base64 Encoded Wide PowerShell Keyword (DownloadFile) (info.rules)
2840582 - ETPRO TROJAN PS/Deathhm Script Inbound via HTTP (trojan.rules)
2840583 - ETPRO INFO Inbound VBS with Possible Heavy Math Obfuscation (info.rules)
2840584 - ETPRO TROJAN Observed Malicious SSL Cert (APT32/OceanLotus CnC) (trojan.rules)
2840585 - ETPRO TROJAN DiamondFox CnC Checkin Variant (trojan.rules)

[///]     Modified active rules:     [///]

2029269 - ET TROJAN Satan/5ss5c Ransomware CnC Activity (trojan.rules)
2833620 - ETPRO TROJAN Powerstats/Muddywater CnC 2nd Stage Activity Checkin (trojan.rules)
2840271 - ETPRO TROJAN Unk.JS/Downloader Activity (trojan.rules)

Date: Tuesday, January 21, 2020 - 22:00