[***] Summary: [***]
16 new Open, 42 new Pro (16 + 26). Various Possible COVID-19 Based
Phish/Spam, Cobalt Strike, Android/Trojan-Spy.AndroidOS.SpyNote.d,
Win32/Vendetta Backdoor, Bandook, Remcos, VARIOUS PHISHING.
Tks: @James_inthe_box, @_scrapbird
Suricata 2/3 support from Emerging Threats will become End-Of-Life on April 15th, 2020.
Suricata 2/3 EOL information:
https://lists.emergingthreats.net/pipermail/emerging-updates/2019-October/004655.html
[+++] Added rules: [+++]
Open:
2029753 - ET INFO Suspicious GET Request with Possible COVID-19 URI M1 (info.rules)
2029766 - ET TROJAN Observed DNS Query to Stitch C2 Domain (trojan.rules)
2029767 - ET TROJAN Observed DNS Query to Stitch C2 Domain (trojan.rules)
2029768 - ET TROJAN Buer Loader Update Request (trojan.rules)
2029769 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
2029770 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
2029771 - ET USER_AGENTS Shadowcoin Cryptocurrency UA Observed (user_agents.rules)
2029772 - ET USER_AGENTS Willowcoin Cryptocurrency UA Observed (user_agents.rules)
2029773 - ET TROJAN Win32/Tofsee Covid19 Spam Template 1 Active - Outbound Email Spam (trojan.rules)
2029774 - ET TROJAN Win32/Tofsee Malformed Spam Template String (trojan.rules)
2029775 - ET TROJAN Win32/Tofsee Unique Email Body Byte Sequence Observed (trojan.rules)
2029777 - ET CURRENT_EVENTS Possible Covid19 Themed Email Spam Outbound M2 (current_events.rules)
2029778 - ET CURRENT_EVENTS Possible Covid19 Themed Email Spam Outbound M3 (current_events.rules)
2029779 - ET CURRENT_EVENTS Possible Covid19 Themed Email Spam Outbound M4 (current_events.rules)
2029780 - ET CURRENT_EVENTS Possible Covid19 Themed Email Spam Outbound M5 (current_events.rules)
2029781 - ET CURRENT_EVENTS Possible Covid19 Themed Email Spam Outbound M6 (current_events.rules)
Pro:
2841778 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SpyNote.d Keep Alive (mobile_malware.rules)
2841779 - ETPRO TROJAN Cobalt Strike Malleable C2 (jquery Profile) (trojan.rules)
2841780 - ETPRO TROJAN Win32/Vendetta Backdoor CnC Checkin (trojan.rules)
2841781 - ETPRO TROJAN Win32/Vendetta Backdoor CnC Activity (trojan.rules)
2841782 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-03-31 1) (trojan.rules)
2841783 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-03-31 2) (trojan.rules)
2841784 - ETPRO TROJAN MSIL/Agent.BV Variant CnC Host Checkin (trojan.rules)
2841785 - ETPRO TROJAN MSIL/Agent.BV Variant CnC Exfil (trojan.rules)
2841786 - ETPRO CURRENT_EVENTS Successful Microsoft Excel Phish 2020-03-31 (current_events.rules)
2841787 - ETPRO CURRENT_EVENTS Successful Paypal FR Phish 2020-03-31 (current_events.rules)
2841788 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-03-31 (current_events.rules)
2841789 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-03-31 (current_events.rules)
2841790 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-03-31 (current_events.rules)
2841791 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-03-31 (current_events.rules)
2841792 - ETPRO CURRENT_EVENTS Successful Match Phish 2020-03-31 (current_events.rules)
2841793 - ETPRO CURRENT_EVENTS Successful First Bank Phish 2020-03-31 (current_events.rules)
2841794 - ETPRO CURRENT_EVENTS Successful Santander Phish 2020-03-31 (current_events.rules)
2841795 - ETPRO CURRENT_EVENTS Successful Santander Phish 2020-03-31 (current_events.rules)
2841796 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-03-31 (current_events.rules)
2841797 - ETPRO CURRENT_EVENTS Successful Generic Email Verification Phish 2020-03-31 (current_events.rules)
2841798 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2020-03-31 (current_events.rules)
2841799 - ETPRO TROJAN Win32/Remcos RAT Checkin 379 (trojan.rules)
2841800 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2841801 - ETPRO TROJAN Observed Malicious SSL Cert (AZORult CnC) (trojan.rules)
2841802 - ETPRO TROJAN Suspected Bandook CnC (trojan.rules)
2841803 - ETPRO TROJAN Suspected Bandook CnC Response (trojan.rules)
[///] Modified active rules: [///]
2816365 - ETPRO TROJAN W32.SOCKSBOT CnC Request (trojan.rules)
2816366 - ETPRO TROJAN W32.SOCKSBOT CnC Response (trojan.rules)
2816367 - ETPRO POLICY Suspicious 404 OK Response (policy.rules)
2816739 - ETPRO TROJAN Rexpot Retrieving Payload - set 1 (trojan.rules)
2816808 - ETPRO CURRENT_EVENTS RIG EK Flash Exploit Mar 29 2016 (current_events.rules)
2816860 - ETPRO TROJAN Salam Ransomware CnC Checkin (trojan.rules)
2816901 - ETPRO MALWARE Win32/Shouqu Checkin (malware.rules)
2819648 - ETPRO CURRENT_EVENTS SunDown/Xer Payload (URL Primer) (current_events.rules)
2841722 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-03-26 (current_events.rules)