[***] Summary: [***]
34 new Open, 65 new Pro (34 + 31). MSIL/Modi RAT, CoreDDRAT, Sekhmet
Ransomware, Various COVID-19 "INFO" rules, Various Phishing.
Thanks @pmelson and @fbgwls248
[+++] Added rules: [+++]
Open:
2029696 - ET TROJAN MSIL/Modi RAT CnC Command Inbound (info) (trojan.rules)
2029697 - ET TROJAN MSIL/Modi RAT CnC Command Inbound (aw) (trojan.rules)
2029698 - ET TROJAN MSIL/Modi RAT CnC Checkin (DesktopPreview) (trojan.rules)
2029699 - ET TROJAN MSIL/Modi RAT CnC Command Inbound (plugin) (trojan.rules)
2029700 - ET CURRENT_EVENTS Successful World Health Organization COVID-19 Phish 2020-03-23 (current_events.rules)
2029701 - ET CURRENT_EVENTS Successful NHS Webmail Phish 2020-03-23 (current_events.rules)
2029702 - ET CURRENT_EVENTS UK GOV Identity Verification Phishing Landing (current_events.rules)
2029703 - ET INFO Observed Lets Encrypt Certificate - Possible COVID-19 Related M1 (info.rules)
2029704 - ET INFO Observed Lets Encrypt Certificate - Possible COVID-19 Related M2 (info.rules)
2029705 - ET INFO Possible COVID-19 Domain in SSL Certificate M1 (info.rules)
2029706 - ET INFO Possible COVID-19 Domain in SSL Certificate M2 (info.rules)
2029707 - ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain M1 (info.rules)
2029708 - ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain M2 (info.rules)
2029709 - ET INFO Suspicious Domain Request for Possible COVID-19 Domain M1 (info.rules)
2029710 - ET INFO Suspicious Domain Request for Possible COVID-19 Domain M2 (info.rules)
2029711 - ET INFO Suspicious GET Request with Possible COVID-19 Domain M1 (info.rules)
2029712 - ET INFO Suspicious GET Request with Possible COVID-19 Domain M2 (info.rules)
2029713 - ET INFO Suspicious POST Request with Possible COVID-19 Domain M1 (info.rules)
2029714 - ET INFO Suspicious POST Request with Possible COVID-19 Domain M2 (info.rules)
2029715 - ET TROJAN Possible APT28 Phishing Domain in DNS Query (trojan.rules)
2029716 - ET TROJAN Possible APT28 Phishing Domain in DNS Query (trojan.rules)
2029717 - ET TROJAN Possible APT28 Phishing Domain in DNS Query (trojan.rules)
2029718 - ET TROJAN Possible APT28 Phishing Domain in DNS Query (trojan.rules)
2029719 - ET TROJAN Possible APT28 Phishing Domain in DNS Query (trojan.rules)
2029720 - ET TROJAN Possible APT28 Phishing Domain in DNS Query (trojan.rules)
2029721 - ET TROJAN Possible APT28 Phishing Domain in DNS Query (trojan.rules)
2029722 - ET TROJAN Possible APT28 Phishing Domain in DNS Query (trojan.rules)
2029723 - ET TROJAN Possible APT28 Phishing Domain in DNS Query (trojan.rules)
2029724 - ET TROJAN CoreDDRAT Initial Checkin (trojan.rules)
2029725 - ET TROJAN CoreDDRAT CnC Activity (trojan.rules)
2029726 - ET TROJAN CoreDDRAT KeepAlive Message (trojan.rules)
2029727 - ET TROJAN CoreDDRAT Screenshot Exfil (trojan.rules)
2029728 - ET TROJAN Sekhmet Ransomware CnC Activity (trojan.rules)
2029729 - ET TROJAN Observed Buer Loader CnC Domain (kkjjhhdff .site in TLS SNI) (trojan.rules)
Pro:
2835225 - ETPRO SCAN ELF/Mirai Solstice Variant User-Agent (scan.rules)
2841646 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-03-21 1) (trojan.rules)
2841647 - ETPRO CURRENT_EVENTS Successful British Gas Phish 2020-03-23 (current_events.rules)
2841648 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2020-03-23 (current_events.rules)
2841649 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2020-03-23 (current_events.rules)
2841650 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2020-03-23 (current_events.rules)
2841651 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-03-23 (current_events.rules)
2841652 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish 2020-03-23 (current_events.rules)
2841653 - ETPRO CURRENT_EVENTS Successful EE Phish 2020-03-23 (current_events.rules)
2841654 - ETPRO CURRENT_EVENTS Successful AU ID Phish 2020-03-23 (current_events.rules)
2841655 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-03-23 (current_events.rules)
2841656 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-23 (current_events.rules)
2841657 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-03-23 (current_events.rules)
2841658 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-03-23 (current_events.rules)
2841659 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-03-23 (current_events.rules)
2841660 - ETPRO TROJAN ELF/Mirai Variant User-Agent (Outbound) (trojan.rules)
2841661 - ETPRO TROJAN Backdoor.Wemosis CnC Activity (trojan.rules)
2841662 - ETPRO CURRENT_EVENTS Successful Banque et Assurances Phish 2020-03-23 (current_events.rules)
2841663 - ETPRO CURRENT_EVENTS Successful BMO Phish 2020-03-23 (current_events.rules)
2841664 - ETPRO CURRENT_EVENTS Successful BMO Phish 2020-03-23 (current_events.rules)
2841665 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-03-23 (current_events.rules)
2841666 - ETPRO TROJAN Win32/Remcos RAT Checkin 370 (trojan.rules)
2841667 - ETPRO TROJAN Win32/Remcos RAT Checkin 371 (trojan.rules)
2841668 - ETPRO TROJAN Win32/Remcos RAT Checkin 372 (trojan.rules)
2841669 - ETPRO TROJAN Win32/Remcos RAT Checkin 373 (trojan.rules)
2841670 - ETPRO TROJAN Win32/Remcos RAT Checkin 374 (trojan.rules)
2841671 - ETPRO TROJAN Observed Malicious SSL Cert (IcedID CnC) (trojan.rules)
2841672 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2841673 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2841674 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2841675 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
[///] Modified active rules: [///]
2014643 - ET TROJAN ConstructorWin32/Agent.V (trojan.rules)
2025114 - ET CURRENT_EVENTS Successful EDU Phish 2017-12-04 (current_events.rules)
2025163 - ET TROJAN W32/Patchwork.Backdoor Communicating with CnC (trojan.rules)
2025164 - ET TROJAN W32/Patchwork.Backdoor CnC Check-in M2 (trojan.rules)
2027439 - ET TROJAN HAWKBALL CnC Initial Request (trojan.rules)
2027440 - ET TROJAN HAWKBALL CnC Activity (trojan.rules)
2028865 - ET CURRENT_EVENTS Spelevo VBS Payload Downloaded (current_events.rules)
2029025 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
2029037 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
2811002 - ETPRO MALWARE Win32/BomJogo.A Checkin (malware.rules)
2815440 - ETPRO TROJAN Elmer Checkin (trojan.rules)
2819677 - ETPRO MOBILE_MALWARE Trojan-Downloader.AndroidOS.Leech.f Checkin (mobile_malware.rules)
2819789 - ETPRO TROJAN APT.Hedas CnC Beacon 2 (trojan.rules)
2819822 - ETPRO TROJAN Trojan/Win32.Miuref Posting Screenshot M1 (trojan.rules)
2819966 - ETPRO EXPLOIT Linksys wap54gv3 Remote Code Execution (exploit.rules)
2820007 - ETPRO TROJAN Emissary CnC Beacon 3 (trojan.rules)
2820009 - ETPRO TROJAN Emissary CnC Beacon 4 (trojan.rules)
2820041 - ETPRO TROJAN APT.MADMAX CnC Beacon 1 M1 (trojan.rules)
2820056 - ETPRO TROJAN APT.ZoxPNG CnC Beacon (trojan.rules)
2820537 - ETPRO TROJAN Win32/Neutrino HTTP Structure (trojan.rules)
2826326 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot CnC Beacon (mobile_malware.rules)
2826511 - ETPRO MOBILE_MALWARE Unknown Android Loader CnC Beacon (mobile_malware.rules)
2826786 - ETPRO MOBILE_MALWARE Trojan-PSW.AndroidOS.Inazun.h CnC Beacon 2 (mobile_malware.rules)
2826933 - ETPRO MOBILE_MALWARE Android/Fobus.BD Retrieving IP (mobile_malware.rules)
2828575 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.BLR Checkin (mobile_malware.rules)
2828578 - ETPRO MOBILE_MALWARE Android Bankbot CnC Beacon (mobile_malware.rules)
2828621 - ETPRO CURRENT_EVENTS MalDoc Retrieving Payload Nov 13 2017 (current_events.rules)
2828747 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Guerrilla.l Checkin (mobile_malware.rules)
2828803 - ETPRO TROJAN StorageCrypt Downloading SambaCry (trojan.rules)
2828875 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin 2 (mobile_malware.rules)
2831402 - ETPRO TROJAN Win32/Predator The Thief CnC Checkin (trojan.rules)
2831998 - ETPRO TROJAN Possible Jenxcus Variant Exfiltrating via User-Agent (trojan.rules)
2832075 - ETPRO MALWARE Win32/FileTour Adware Activity (malware.rules)
2832094 - ETPRO TROJAN Possible More_eggs Connectivity Check (trojan.rules)
2832705 - ETPRO TROJAN Win32/ELF Xbash CnC Checkin (trojan.rules)
2833577 - ETPRO TROJAN Banload Variant CnC Activity (trojan.rules)
2833969 - ETPRO TROJAN Silent Downloader CnC Initial Request (trojan.rules)
2834134 - ETPRO TROJAN Win32/SpyBanker.ADUT Activity (trojan.rules)
2834577 - ETPRO TROJAN GearBest Stealer CnC Activity (trojan.rules)
2834578 - ETPRO TROJAN TinyDeal Stealer CnC Activity (trojan.rules)
2837092 - ETPRO TROJAN Win32/Various Unusual POST to ip-api .com (trojan.rules)
2837240 - ETPRO INFO Suspicious HTTP 448 Response (info.rules)
2837678 - ETPRO MALWARE Win32/Downloader.Soft32 Checkin (malware.rules)
2838087 - ETPRO TROJAN DonotGroup Maldoc Stage 1 CnC Checkin M2 (trojan.rules)
2838311 - ETPRO TROJAN Win32/Predator The Thief Initial CnC Checkin Request (trojan.rules)
[///] Modified inactive rules: [///]
2836138 - ETPRO INFO Suspicious POST with 0 Len and Minimal Headers (info.rules)
[---] Disabled rules: [---]
2819790 - ETPRO TROJAN Ransomware/Coverton Checkin 2 (trojan.rules)
2819953 - ETPRO TROJAN Ransomware TrueCrypter CnC Beacon (trojan.rules)
2820027 - ETPRO TROJAN Unknown Checkin (trojan.rules)
[---] Removed rules: [---]
2835225 - ETPRO TROJAN ELF/Mirai Solstice Variant User-Agent (trojan.rules)