[***] Summary: [***]
9 new Open, 29 new Pro (9 + 20). Mermaid Ransomware, Charming Kitten, Gamaredon, Revenge-RAT, Ursnif.
Thanks @dadamitis @prevailion @AdAstra247
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2029492 - ET TROJAN Spark Backdoor CnC Domain Query (trojan.rules)
2029493 - ET CURRENT_EVENTS Possible Glitch.me Phishing Domain (current_events.rules)
2029494 - ET TROJAN Possible Charming Kitten Backdoor Checkin (trojan.rules)
2029495 - ET TROJAN Possible Charming Kitten Backdoor CnC Activity (trojan.rules)
2029496 - ET TROJAN Mermaid Ransomware Variant CnC Activity M4 (trojan.rules)
2029497 - ET TROJAN PHPs Labyrinth Backdoor Stage2 CnC Activity M1 (trojan.rules)
2029498 - ET TROJAN PHPs Labyrinth Backdoor Stage2 CnC Activity M2 (trojan.rules)
2029499 - ET TROJAN PHPs Labyrinth Backdoor Stage1 CnC Activity (trojan.rules)
2029500 - ET TROJAN Suspected Gamaredon Downloader Activity (trojan.rules)
Pro:
2841101 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2020-02-18) (current_events.rules)
2841102 - ETPRO CURRENT_EVENTS Observed MalDoc DL 2020-02-18 Domain in TLS SNI (current_events.rules)
2841103 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2020-02-18 2) (current_events.rules)
2841104 - ETPRO TROJAN Observed Inbound Obfuscated PowerShell/VBS (trojan.rules)
2841105 - ETPRO TROJAN ELF/Gafygt Variant CnC Activity (trojan.rules)
2841106 - ETPRO TROJAN Observed Malicious SSL Cert (PsiXbot CnC) (trojan.rules)
2841107 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL 2020-02-19) (trojan.rules)
2841108 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-19 1) (trojan.rules)
2841109 - ETPRO CURRENT_EVENTS Successful Ziraat Bankasi Phish 2020-02-19 (current_events.rules)
2841110 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish 2020-02-19 (current_events.rules)
2841111 - ETPRO CURRENT_EVENTS Successful American Express Phish 2020-02-19 (current_events.rules)
2841112 - ETPRO TROJAN Win32/BlackNET CnC Checkin M3 (trojan.rules)
2841113 - ETPRO TROJAN MSIL/Revenge-RAT CnC Checkin M4 (trojan.rules)
2841114 - ETPRO TROJAN MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 (trojan.rules)
2841115 - ETPRO TROJAN MSIL/Revenge-RAT Keep-Alive Activity (Inbound) M2 (trojan.rules)
2841116 - ETPRO TROJAN Observed Malicious SSL Cert (IcedID CnC) (trojan.rules)
2841117 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2841118 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2841119 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2841120 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
[///] Modified active rules: [///]
2022503 - ET TROJAN Dridex AlphaNum DL Feb 10 2016 (trojan.rules)
2025892 - ET TROJAN Observed Malicious SSL Cert (OilRig QUADAGENT CnC) (trojan.rules)
2025918 - ET TROJAN Observed Malicious SSL Cert (MICROPSIA CnC Domain) (trojan.rules)
2026946 - ET TROJAN Unk.GanDownloader CnC Checkin (trojan.rules)
2027089 - ET EXPLOIT Possible LG SuperSign EZ CMS 2.5 RCE (CVE-2018-17173) (exploit.rules)
2027144 - ET TROJAN Xwo CnC Activity (trojan.rules)
2027417 - ET GAMES Wolfteam HileYapak Server Response (games.rules)
2027424 - ET MALWARE LNKR Possible Response for LNKR js file (malware.rules)
2027425 - ET MALWARE LNKR landing page (possible compromised site) M1 (malware.rules)
2027426 - ET MALWARE LNKR landing page (possible compromised site) M2 (malware.rules)
2027427 - ET MALWARE LNKR landing page (possible compromised site) M3 (malware.rules)
2027429 - ET MALWARE LNKR landing page (possible compromised site) M5 (malware.rules)
2027810 - ET TROJAN Win32/Onliner Mailer Module Communicating with CnC (trojan.rules)
2028913 - ET TROJAN BadPatch CnC Activity (trojan.rules)
2028941 - ET CURRENT_EVENTS Powershell Download Command Observed within Flash File - Probable EK Activity (current_events.rules)
2029298 - ET TROJAN Nexus Stealer CnC Data Exfil (trojan.rules)
2802861 - ETPRO TROJAN Trojan.Win32.Dalgan.A Activity (trojan.rules)
2802952 - ETPRO TROJAN Herpbot.B Checkin (trojan.rules)
2805970 - ETPRO TROJAN Backdoor.Win32.MoSucker.23 reporting via ICQ WWW script (trojan.rules)
2806376 - ETPRO TROJAN Trojan-Spy.Win32.Ambler Checkin (trojan.rules)
2806668 - ETPRO TROJAN Win32.Jorik.Agent.mi 3 (trojan.rules)
2806776 - ETPRO TROJAN Win32/Ghodow.NAS .exe Download (trojan.rules)
2806809 - ETPRO TROJAN Win32/Agent.URS Checkin (trojan.rules)
2806864 - ETPRO TROJAN Win32/Alureon.GD Checkin (trojan.rules)
2806896 - ETPRO TROJAN Backdoor.Graybird Checkin (trojan.rules)
2807440 - ETPRO TROJAN Win32/Ranbyus Check-in (trojan.rules)
2811035 - ETPRO INFO Application Installer Prompt via Smart Installer (info.rules)
2811429 - ETPRO TROJAN Downeks CnC Beacon (trojan.rules)
2811472 - ETPRO TROJAN NSIS/TrojanDownloader.Agent.NRQ Downloader Checkin (trojan.rules)
2811842 - ETPRO TROJAN Win32/Sifre.A Checkin (trojan.rules)
2812016 - ETPRO TROJAN Win32.YY Generic Checkin 1 (trojan.rules)
2812025 - ETPRO MALWARE Win32/Adware.Kraddare.LA Variant PUP Activity (malware.rules)
2812029 - ETPRO EXPLOIT TOTOLINK Possible RCE HTTP Request (exploit.rules)
2812039 - ETPRO TROJAN Win32/Parite.B Connectivity Check (trojan.rules)
2812040 - ETPRO TROJAN Win32/Parite.B Checkin 2 (trojan.rules)
2812117 - ETPRO TROJAN Win32/VB.RZM Checkin (trojan.rules)
2812125 - ETPRO TROJAN Win32/Renocide.gen!H Checkin (trojan.rules)
2812126 - ETPRO TROJAN Win32/Poindampa.A Geolocate Request (trojan.rules)
2812138 - ETPRO MALWARE Win32/VK.SerfingBot PUP Activity (malware.rules)
2812178 - ETPRO TROJAN Win32/Bagsu.A Checkin (trojan.rules)
2812188 - ETPRO TROJAN Win32/Huhk.7005 CnC Checkin (trojan.rules)
2812205 - ETPRO TROJAN Win32/Bagsu.A Connectivity Check (trojan.rules)
2812206 - ETPRO TROJAN Win32/Bagsu.A Connectivity Check 2 (trojan.rules)
2812415 - ETPRO TROJAN Win32.Diztakun.zsg Infostealer M2 (trojan.rules)
2812417 - ETPRO TROJAN Win32.Diztakun.zsg Infostealer M4 (trojan.rules)
2816568 - ETPRO TROJAN Win32/Pottieq.A Ransomware CnC Checkin M2 (trojan.rules)
2826356 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 5 (mobile_malware.rules)
2830555 - ETPRO TROJAN Observed Malicious SSL Cert (MSIL/Vinstrok.Stealer CnC) (trojan.rules)
2830927 - ETPRO TROJAN Observed Malicious SSL Cert (Bateleur CnC Domain) (trojan.rules)
2830985 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Group Loader CnC Domain) (trojan.rules)
2830986 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Group Loader CnC Domain) (trojan.rules)
2831027 - ETPRO TROJAN Observed Malicious SSL Cert (Bateleur CnC Domain) (trojan.rules)
2831494 - ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda CnC Domain) (trojan.rules)
2832026 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif Loader CnC Domain) (trojan.rules)
2832027 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC Domain) (trojan.rules)
2833467 - ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda CnC) (trojan.rules)
2833468 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2833471 - ETPRO TROJAN Observed Malicious SSL Cert (BrushaLoader CnC) (trojan.rules)
2838349 - ETPRO TROJAN Win32/TrickBot CnC Initial Checkin (trojan.rules)
[---] Disabled and modified rules: [---]
2026460 - ET TROJAN Possible Locky JS Downloading Payload (trojan.rules)
2811861 - ETPRO CURRENT_EVENTS Possible Nuclear EK Landing Jul 08 2015 M1 (current_events.rules)
2811862 - ETPRO CURRENT_EVENTS Possible Nuclear EK Landing Jul 08 2015 M2 (current_events.rules)
2811863 - ETPRO CURRENT_EVENTS Possible Nuclear EK Landing Jul 08 2015 M2 (current_events.rules)
2812171 - ETPRO TROJAN Win32/QQpass.gen!E Activity (trojan.rules)
2826158 - ETPRO CURRENT_EVENTS Successful Amazon Phish via JS Form in PDF Apr 27 2017 (current_events.rules)
2826159 - ETPRO INFO Possible Successful Credential Phish via JS Form in PDF Apr 27 2017 (info.rules)
[---] Disabled rules: [---]
2026899 - ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC) (trojan.rules)
2811144 - ETPRO TROJAN WORM.VBS/JENXCUS.DN Checkin (trojan.rules)
2811335 - ETPRO TROJAN Win32/PSW.Papras.DT CnC (trojan.rules)
2812119 - ETPRO TROJAN Win32/Banload.BBN Checkin (trojan.rules)
2815374 - ETPRO TROJAN Win32.Keylogger.dklygt Checkin (trojan.rules)