[***] Summary: [***]
9 new Open, 60 new Pro (9 + 51). CROSSWALK, KimKitty, Win32/Neshta.A, MSIL/MumbaiLoader, Various Mirai, Win32/Presenoker, and VARIOUS PHISHING
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2024420 - ET INFO Request for .bin with BITS/ User-Agent (info.rules)
2029568 - ET TROJAN Observed Malicious SSL Cert (Get2 CnC) (trojan.rules)
2029569 - ET USER_AGENTS Observed Suspicious UA (easyhttp client) (user_agents.rules)
2029570 - ET TROJAN CROSSWALK CnC Checkin (trojan.rules)
2029571 - ET TROJAN Observed Malicious SSL Cert (MageCart) (trojan.rules)
2029572 - ET TROJAN Observed Malicious SSL Cert (MageCart) (trojan.rules)
2029573 - ET INFO EXE Downloaded from Github (info.rules)
2029574 - ET MALWARE SharpExec EXE Lateral Movement Tool Downloaded (malware.rules)
2029575 - ET POLICY External IP Lookup (avast .com) (policy.rules)
Pro:
2841332 - ETPRO TROJAN MSIL/MumbaiLoader CnC Checkin (trojan.rules)
2841333 - ETPRO TROJAN MSIL/MumbaLoader CnC Heartbeat (trojan.rules)
2841334 - ETPRO TROJAN ELF/Mirai Variant CnC Checkin (trojan.rules)
2841335 - ETPRO TROJAN ELF/Mirai Variant CnC Checkin (trojan.rules)
2841336 - ETPRO TROJAN ELF/Mirai Variant CnC Checkin (trojan.rules)
2841337 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-03-04 1) (trojan.rules)
2841338 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-03-04 (current_events.rules)
2841339 - ETPRO CURRENT_EVENTS Successful Novo Banco Phish 2020-03-04 (current_events.rules)
2841340 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-03-04 (current_events.rules)
2841341 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish 2020-03-04 (current_events.rules)
2841342 - ETPRO CURRENT_EVENTS Successful AOL Phish 2020-03-04 (current_events.rules)
2841343 - ETPRO CURRENT_EVENTS Successful Hotmail Phish 2020-03-04 (current_events.rules)
2841344 - ETPRO CURRENT_EVENTS Successful Turkey.gov.tr Phish 2020-03-04 (current_events.rules)
2841345 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-03-04 (current_events.rules)
2841346 - ETPRO CURRENT_EVENTS Successful My3 Phish 2020-03-04 (current_events.rules)
2841347 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-03-04 (current_events.rules)
2841348 - ETPRO CURRENT_EVENTS Successful Umpqua Bank Phish 2020-03-04 (current_events.rules)
2841349 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-03-04 (current_events.rules)
2841350 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 (current_events.rules)
2841351 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 (current_events.rules)
2841352 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-03-04 (current_events.rules)
2841353 - ETPRO TROJAN KimKitty CnC Activity (trojan.rules)
2841354 - ETPRO CURRENT_EVENTS Successful ABSA Phish 2020-03-04 (current_events.rules)
2841355 - ETPRO CURRENT_EVENTS Successful Alibaba Phish 2020-03-04 (current_events.rules)
2841356 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-03-04 (current_events.rules)
2841357 - ETPRO CURRENT_EVENTS Successful WeTranfser Phish 2020-03-04 (current_events.rules)
2841358 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M1 (current_events.rules)
2841359 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M2 (current_events.rules)
2841360 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M3 (current_events.rules)
2841361 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M4 (current_events.rules)
2841362 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M5 (current_events.rules)
2841363 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M6 (current_events.rules)
2841364 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M7 (current_events.rules)
2841365 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M8 (current_events.rules)
2841366 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M9 (current_events.rules)
2841367 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M10 (current_events.rules)
2841368 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M11 (current_events.rules)
2841369 - ETPRO TROJAN MSIL/Pterodo.AO Variant Host Checkin (trojan.rules)
2841372 - ETPRO TROJAN Win32/Presenoker Variant Host Checkin (trojan.rules)
2841373 - ETPRO CURRENT_EVENTS JS/Skimmer Inbound (Likely MageCart) (current_events.rules)
2841374 - ETPRO TROJAN Win32/Neshta.A CnC Activity - Retrieving Settings (set) (trojan.rules)
2841375 - ETPRO TROJAN Win32/Neshta.A CnC Activity - Retrieving Settings (trojan.rules)
2841376 - ETPRO TROJAN Win32/Black.Gen2 CnC Activity (trojan.rules)
2841377 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
2841378 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
2841379 - ETPRO TROJAN iNerino Loader Checkin (trojan.rules)
2841380 - ETPRO TROJAN Win32/Remcos RAT Checkin 358 (trojan.rules)
2841381 - ETPRO TROJAN Observed Malicious SSL Cert (AZORult CnC) 2020-03-04 (trojan.rules)
[///] Modified active rules: [///]
2023576 - ET TROJAN Locky CnC Checkin Dec 5 M1 (trojan.rules)
2023595 - ET TROJAN Trojan.Kwampirs Outbound GET request (trojan.rules)
2023670 - ET INFO IE7UA No Cookie No Referer (info.rules)
2023740 - ET TROJAN Possible Pony Payload DL (trojan.rules)
2023816 - ET TROJAN WSF/JS Downloader Jan 30 2017 M1 (trojan.rules)
2023916 - ET TROJAN APT28 Uploader Variant CnC Beacon (trojan.rules)
2023951 - ET TROJAN MAGICHOUND.FETCH CnC Beacon (trojan.rules)
2024041 - ET TROJAN Spora Ransomware Checkin (trojan.rules)
2024048 - ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 (current_events.rules)
2024049 - ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2 (current_events.rules)
2024123 - ET MOBILE_MALWARE Android.C2P.Qd!c Ransomware CnC Beacon (mobile_malware.rules)
2024508 - ET CURRENT_EVENTS Nemucod JS Downloader Aug 01 2017 (current_events.rules)
2024765 - ET MOBILE_MALWARE Trojan-Banker.AndroidOS.RedAlert CnC Beacon (mobile_malware.rules)
2024901 - ET TROJAN Trickbot Payload Request (trojan.rules)
2024996 - ET WEB_CLIENT Google Chrome XSS (CVE-2017-5124) (web_client.rules)
2025007 - ET TROJAN Powershell commands sent when remote host claims to send an image (trojan.rules)
2025149 - ET POLICY IP Check (rl. ammyy. com) (policy.rules)
2025283 - ET TROJAN Trojan-Dropper.Delf Checkin (trojan.rules)
2025432 - ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12636) (exploit.rules)
2025435 - ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12635) (exploit.rules)
2025458 - ET TROJAN [PTsecurity] Win32/SocStealer.Socelars C2 Response (trojan.rules)
2025459 - ET WEB_SPECIFIC_APPS Possible CVE-2013-2618 Attempt (PHP Weathermap Persistent XSS) (web_specific_apps.rules)
2025465 - ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC (trojan.rules)
2025545 - ET WEB_SPECIFIC_APPS DNN DNNPersonalization Cookie RCE Attempt (CVE-2017-9822) (web_specific_apps.rules)
2025671 - ET CURRENT_EVENTS Suspicious Wordpress Redirect - Possible Phishing Landing Jan 7 2016 (current_events.rules)
2025747 - ET WEB_SPECIFIC_APPS WordPress Plugin Pie Register SQL Injection (web_specific_apps.rules)
2025820 - ET WEB_SPECIFIC_APPS GitList Argument Injection (web_specific_apps.rules)
2026002 - ET TROJAN [PTsecurity] Tinba (Banking Trojan) Check-in (trojan.rules)
2026435 - ET TROJAN Win32.YordanyanActiveAgent CnC Reporting (trojan.rules)
2026517 - ET TROJAN Locky CnC Checkin (trojan.rules)
2026882 - ET POLICY Observed External IP Lookup SSL Cert (policy.rules)
2027075 - ET CURRENT_EVENTS Spelevo EK Post-Compromise Data Dump (current_events.rules)
2027273 - ET TROJAN Baldr Stealer Checkin M2 (trojan.rules)
2027380 - ET CURRENT_EVENTS Possible Router EK Landing Page Inbound 2019-05-24 (current_events.rules)
2029009 - ET INFO Generic IOT Downloader Malware in POST (Outbound) (info.rules)
2029011 - ET INFO Generic IOT Downloader Malware in POST (Inbound) (info.rules)
2810099 - ETPRO TROJAN Chthonic CnC Beacon 7 (trojan.rules)
2814068 - ETPRO TROJAN XCodeGhost Beacon (trojan.rules)
2814103 - ETPRO TROJAN Spammer MSIL/Misnt.A GetList (trojan.rules)
2814104 - ETPRO TROJAN Spammer MSIL/Misnt.A Get MX (trojan.rules)
2814105 - ETPRO TROJAN Spammer MSIL/Misnt.A Spam Payload Download (trojan.rules)
2814106 - ETPRO TROJAN Spammer MSIL/Misnt.A Fetching Spam List (trojan.rules)
2814167 - ETPRO CURRENT_EVENTS Possible Nuclear EK Flash Exploit M2 (current_events.rules)
2814203 - ETPRO MALWARE Adware.Win32/Bayads Activity (malware.rules)
2814364 - ETPRO TROJAN Possible IIS Backdoor Receiving Commands via URI (trojan.rules)
2814384 - ETPRO WEB_CLIENT APT SWC PluginDetect Landing Cookie Oct 14 2015 (web_client.rules)
2814429 - ETPRO TROJAN Bergard CnC Beacon (trojan.rules)
2815025 - ETPRO TROJAN Win32/Kitkiot.A Checkin (trojan.rules)
[---] Disabled rules: [---]
2814131 - ETPRO TROJAN W32/Unknown.JP Checkin (trojan.rules)
2814887 - ETPRO TROJAN Bookworm CnC Beacon 4 (trojan.rules)
2815052 - ETPRO TROJAN Unknown PWS C2 (trojan.rules)
2822970 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif CnC) (trojan.rules)