Daily Ruleset Update Summary
Daily Ruleset Update Summary 2020/02/06

[***]            Summary:            [***]

17 new Open, 35 new Pro (17 + 19). DarkRAT Variant, ELF/Mirai, Win32/VIP6, APT34 TONEDEAF 2.0, Various Phish

Thanks GM CIRT

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

2029381 - ET TROJAN Cobalt Strike Malleable C2 Request (Stackoverflow Profile) (trojan.rules)
2029382 - ET TROJAN APT34 TONEDEAF 2.0 Requesting Commands from CnC (trojan.rules)
2029383 - ET TROJAN APT34 TONEDEAF 2.0 Uploading to CnC (trojan.rules)
2029384 - ET TROJAN Possible APT34 TONEDEAF 2.0 User-Agent Observed (trojan.rules)
2029385 - ET TROJAN Observed Malicious SSL Cert (APT34 CnC) (trojan.rules)
2029386 - ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC) (trojan.rules)
2029387 - ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC) (trojan.rules)
2029388 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) (trojan.rules)
2029389 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) (trojan.rules)
2029390 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) (trojan.rules)
2029391 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) (trojan.rules)
2029392 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) (trojan.rules)
2029393 - ET TROJAN MINEBRIDGE/MINEDOOR CnC Checkin (malware.rules)
2029394 - ET TROJAN Malicious SSL Certificate detected (Patchwork CnC) (trojan.rules)
2029395 - ET TROJAN Patchwork Backdoor Checkin (trojan.rules)
2029396 - ET TROJAN Patchwork Backdoor - Sending Task Results (trojan.rules)
2029397 - ET TROJAN Patchwork Backdoor - Requesting Task (malware.rules)

Pro:

2816665 - ETPRO INFO Fake Doc Request Retrieving MZ Payload (set) (info.rules)
2816666 - ETPRO INFO Fake Doc Request Retrieving MZ Payload  (info.rules)
2840891 - ETPRO TROJAN DarkRAT Variant CnC Checkin (trojan.rules)
2840892 - ETPRO TROJAN DarkRAT Variant Init Checkin (trojan.rules)
2840893 - ETPRO TROJAN Win32/Occamy.C Activity M3 (malware.rules)
2840895 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-06 1) (trojan.rules)
2840896 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-06 2) (trojan.rules)
2840897 - ETPRO CURRENT_EVENTS Successful Mimecast Office 365 Phish 2020-02-06 (current_events.rules)
2840898 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-02-06 (current_events.rules)
2840899 - ETPRO CURRENT_EVENTS Successful Generic Banking Phish 2020-02-06 (current_events.rules)
2840900 - ETPRO CURRENT_EVENTS Successful Maersk Phish 2020-02-06 (current_events.rules)
2840901 - ETPRO CURRENT_EVENTS Successful ADP Phish 2020-02-06 (current_events.rules)
2840902 - ETPRO CURRENT_EVENTS Successful VDK Bank Phish 2020-02-06 (current_events.rules)
2840903 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
2840904 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
2840905 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
2840906 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
2840907 - ETPRO TROJAN Win32/VIP6 CnC Checkin (malware.rules)

[///]     Modified active rules:     [///]

2009813 - ET TROJAN Trojan.MyDNS DNSChanger - HTTP POST (trojan.rules)
2010439 - ET TROJAN Generic Trojan Checkin (UA VBTagEdit) (trojan.rules)
2013043 - ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST Message Body (policy.rules)
2013441 - ET TROJAN EXE Download When Server Claims To Send Audio File - Must Be Win32 (trojan.rules)
2014544 - ET CURRENT_EVENTS TDS Sutra - cookie set (current_events.rules)
2014643 - ET TROJAN ConstructorWin32/Agent.V (trojan.rules)
2016108 - ET CURRENT_EVENTS Topic EK Requesting PDF (current_events.rules)
2016452 - ET TROJAN WEBC2-CLOVER Checkin APT1 Related (trojan.rules)
2017086 - ET WEB_SERVER WebShell - GODSpy - MySQL (web_server.rules)
2017368 - ET TROJAN Possible Avatar RootKit Yahoo Group Search (trojan.rules)
2017731 - ET CURRENT_EVENTS Possible Styx EK SilverLight Payload (current_events.rules)
2017999 - ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon (mobile_malware.rules)
2803338 - ETPRO TROJAN Autorun.ajbk/Alureon.J Checkin (trojan.rules)
2803339 - ETPRO TROJAN Downloader.Win32.BaoFa.cfx checkin (trojan.rules)
2805231 - ETPRO TROJAN Worm.Win32/Taterf.B Checkin (trojan.rules)
2807392 - ETPRO TROJAN Banload Variant Checkin (trojan.rules)
2807401 - ETPRO TROJAN Trojan-Downloader.Win32.Banload.byyi Checkin (trojan.rules)
2840692 - ETPRO TROJAN Lightning Backdoor - GetCommand via JSON (trojan.rules)
2840693 - ETPRO TROJAN Lightning Backdoor - GetCommand via XML (trojan.rules)

[---]  Disabled and modified rules:  [---]

2016345 - ET MOBILE_MALWARE DroidKungFu Variant (mobile_malware.rules)
2017200 - ET CURRENT_EVENTS Possible Sakura Jar Download (current_events.rules)
2018263 - ET CURRENT_EVENTS Dell Kace backdoor (current_events.rules)
2018300 - ET TROJAN Win32/Stoberox.B (trojan.rules)

[---]         Disabled rules:        [---]

2016240 - ET CURRENT_EVENTS Impact Exploit Kit Class Download (current_events.rules)
2807548 - ETPRO TROJAN Win32.VJadtre.2 Checkin (trojan.rules)
2838717 - ETPRO TROJAN Possible Unk JSP WebShell Access M6 (trojan.rules)

[---]         Removed rules:         [---]

2816665 - ETPRO TROJAN Win32/TrojanDownloader.Banload.XAK Fake Doc Request Retrieving Payload (trojan.rules)
2816666 - ETPRO TROJAN Win32/TrojanDownloader.Banload.XAK Downloading PE (trojan.rules)

Date:
Summary title:
17 new Open, 35 new Pro (17 + 19). DarkRAT Variant, ELF/Mirai, Win32/VIP6, APT34 TONEDEAF 2.0, Various Phish