[***] Summary: [***]
24 new Open, 40 new Pro (24 + 16). Magecart, PHPs Labyrinth, SeptemberRAT, OrcusRAT, Various Phishing.
Thanks @dadamitis @prevailion
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2029501 - ET TROJAN Observed Malicious SSL Cert (MageCart CnC) (trojan.rules)
2029502 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
2029503 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
2029504 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
2029505 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
2029506 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
2029507 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
2029508 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
2029509 - ET POLICY Observed DNS Query for Suspicious TLD (.management) (policy.rules)
2029510 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI (trojan.rules)
2029511 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI (trojan.rules)
2029512 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI (trojan.rules)
2029513 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI (trojan.rules)
2029514 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI (trojan.rules)
2029515 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI (trojan.rules)
2029516 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI (trojan.rules)
2029517 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI (trojan.rules)
2029518 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI (trojan.rules)
2029519 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI (trojan.rules)
2029520 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI (trojan.rules)
2029521 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI (trojan.rules)
2029522 - ET TROJAN Observed Malicious SSL Cert (PHPs Labyrinth Stage1 CnC) (trojan.rules)
2029523 - ET MALWARE Fake ProtonVPN/AZORult CnC Domain Query (malware.rules)
2029524 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
Pro:
2841121 - ETPRO TROJAN MSIL/SeptemberRAT CnC Checkin (trojan.rules)
2841122 - ETPRO TROJAN Observed Orcus RAT Server Name in TLS SNI (trojan.rules)
2841123 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-19 1) (trojan.rules)
2841124 - ETPRO WEB_SPECIFIC_APPS Possible OWA Remote Privilege Escalation Attempt (CVE-2020-0692) (web_specific_apps.rules)
2841125 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-02-20 (current_events.rules)
2841126 - ETPRO CURRENT_EVENTS Successful Vancity Online Banking Phish 2020-02-20 (current_events.rules)
2841127 - ETPRO CURRENT_EVENTS Successful Credit Agricole Phish 2020-02-20 (current_events.rules)
2841128 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish 2020-02-20 (current_events.rules)
2841129 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2020-02-20 (current_events.rules)
2841130 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-02-20 (current_events.rules)
2841131 - ETPRO CURRENT_EVENTS Successful Sharefile Phish 2020-02-20 (current_events.rules)
2841132 - ETPRO TROJAN Win32/Brontok Outbound Malicious Email Spam - Template 1 Active (Outbound) (trojan.rules)
2841133 - ETPRO TROJAN Observed Malicious AHK Downloader Activity (trojan.rules)
2841134 - ETPRO TROJAN Win32/Remcos RAT Checkin 348 (trojan.rules)
2841135 - ETPRO TROJAN Win32/Remcos RAT Checkin 349 (trojan.rules)
2841136 - ETPRO TROJAN Win32/Remcos RAT Checkin 350 (trojan.rules)
[///] Modified active rules: [///]
2001202 - ET WEB_SPECIFIC_APPS PHPNuke general SQL injection attempt (web_specific_apps.rules)
2001677 - ET MALWARE Webhancer Data Post (malware.rules)
2001992 - ET MALWARE SurfSidekick Download (malware.rules)
2002001 - ET MALWARE 180solutions Spyware Keywords Download (malware.rules)
2002402 - ET MALWARE Spyware Related User-Agent (UtilMind HTTPGet) (malware.rules)
2029453 - ET TROJAN Kimsuky Related CnC (trojan.rules)
2810115 - ETPRO TROJAN TrojanDownloader.Banload.VGH checkin (trojan.rules)
2810148 - ETPRO MALWARE Win32/Autoit.HZ Checkin (malware.rules)
2810326 - ETPRO TROJAN PlugX Related Checkin (trojan.rules)
2810454 - ETPRO TROJAN Mal/Banker-AA Conf Download (trojan.rules)
2810615 - ETPRO WEB_SERVER Possible Information Leak Vuln CVE-2015-1648 (web_server.rules)
2810686 - ETPRO TROJAN Win32/Dupzom Retrieving Payload (trojan.rules)
2810703 - ETPRO TROJAN MSIL/Golroted.B or HawkEye External IP Check with minimal headers (trojan.rules)
2810936 - ETPRO MOBILE_MALWARE Android.Adware.Wapsx.A Checkin 5 (mobile_malware.rules)
2810982 - ETPRO MALWARE Win32.AdLoad CnC Beacon (malware.rules)
2811002 - ETPRO MALWARE Win32/BomJogo.A Checkin (malware.rules)
2811014 - ETPRO CURRENT_EVENTS Fiesta Java Exploit/Payload (current_events.rules)
2811221 - ETPRO TROJAN ReactorBot CnC Observed (trojan.rules)
2811238 - ETPRO WEB_SPECIFIC_APPS WP Landing Pages Plugin 1.8.4 SQLi Attempt (web_specific_apps.rules)
2811243 - ETPRO EXPLOIT DLink DNS/DNR 320 check_login Authentication Bypass HTTP Request (exploit.rules)
2811402 - ETPRO TROJAN Emotet CnC Beacon (trojan.rules)
2811433 - ETPRO TROJAN Win32/Dishigy CnC Beacon (trojan.rules)
2811631 - ETPRO TROJAN BACKDOOR.EMDIVI Checkin 3 (trojan.rules)
2812052 - ETPRO MALWARE PUA.Spyware.XPCSpyPro GeoLocate Request (malware.rules)
2825926 - ETPRO TROJAN Callisto RCS CnC Beacon 1 (trojan.rules)
2825927 - ETPRO TROJAN RCS Variant CnC Beacon (trojan.rules)
2826404 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Hqwar.jck Checkin (mobile_malware.rules)
2826433 - ETPRO TROJAN GhostAdmin/KeyTrap/BlakStar Requesting Config M1 (trojan.rules)
2826434 - ETPRO TROJAN GhostAdmin/KeyTrap/BlakStar Requesting Config M2 (trojan.rules)
2828111 - ETPRO MOBILE_MALWARE Android Unknown Trojan Checkin (mobile_malware.rules)
2828331 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Oct 17 2017 (current_events.rules)
2829719 - ETPRO CURRENT_EVENTS Successful Apple Phish 2018-02-19 (current_events.rules)
2830153 - ETPRO CURRENT_EVENTS Successful Blackboard Phish 2018-03-27 (current_events.rules)
2830252 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.dm Checkin (mobile_malware.rules)
2830267 - ETPRO TROJAN W32/PinoRAT C2 HTTP Pattern (trojan.rules)
2830311 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 17 (mobile_malware.rules)
2830512 - ETPRO MOBILE_MALWARE Android Trojan-Spy EmSeven File Exfil (mobile_malware.rules)
2831055 - ETPRO MOBILE_MALWARE Trojan-Downloader.AndroidOS.Agent.bf Checkin (mobile_malware.rules)
2831093 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC Domain) (trojan.rules)
2831335 - ETPRO TROJAN W32.1ms0rry Variant Generic Checkin (trojan.rules)
2831491 - ETPRO TROJAN Win32/Agent.QGZR CnC Checkin (trojan.rules)
2831817 - ETPRO CURRENT_EVENTS Likely Malicious JS Inbound (current_events.rules)
2831896 - ETPRO TROJAN Trojan.Redaman CnC Beacon (trojan.rules)
2831948 - ETPRO CURRENT_EVENTS MalDoc Requesting Ursnif Payload M1 2018-07-23 (current_events.rules)
2831950 - ETPRO CURRENT_EVENTS MalDoc Requesting Ursnif Payload M2 2018-07-23 (current_events.rules)
2832122 - ETPRO TROJAN Win32.Pavica Checkin (trojan.rules)
2832154 - ETPRO TROJAN MSIL/Haunted Miner CnC Checkin (trojan.rules)
2835109 - ETPRO TROJAN Observed Malicious JScript Downloader Inbound (trojan.rules)
2835275 - ETPRO CURRENT_EVENTS Successful Apple Phish 2019-03-11 (current_events.rules)
2836198 - ETPRO TROJAN Segrev Stealer FakeZip Conn Check (trojan.rules)
2836976 - ETPRO CURRENT_EVENTS Known Evil Inject on Compromised Revive AdServer (2019-06-20) (current_events.rules)
2841054 - ETPRO TROJAN Win32/IcedID CnC Activity (trojan.rules)
2841098 - ETPRO CURRENT_EVENTS Fallout EK Redirector Domain TLS SNI (current_events.rules)
2841099 - ETPRO CURRENT_EVENTS Fallout EK Redirector Domain Malicious SSL Cert (current_events.rules)
[---] Disabled and modified rules: [---]
2026434 - ET TROJAN VBScript Redirect Style Exe File Download (trojan.rules)
2811492 - ETPRO CURRENT_EVENTS Possible HanJuan EK Secondary Flash File June 15 2015 (current_events.rules)
2827052 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK (Known Evil Keitaro TDS) Jul 07 2017 (current_events.rules)