[***] Summary: [***]

14 new Open, 40 new Pro (14 + 26). Various ELF/Mirai Variant User-Agents, CHAOS CnC Commands, Win32/Remcos, Various SSL, Various Phishing.

Suricata 2/3 Support from Emerging Threats will become End-Of-Life on April 15th, 2020.

Suricata 2/3 EOL information:
https://lists.emergingthreats.net/pipermail/emerging-updates/2019-Octob…

[+++] Added rules: [+++]

Open:

2029788 - ET CURRENT_EVENTS Canada Revenue Agency COVID-19 Assistance Eligibility Phishing Landing 2020-04-01 (current_events.rules)
2029789 - ET CURRENT_EVENTS Canada Revenue Agency COVID-19 Assistance Eligibility Phishing Landing 2020-04-01 (current_events.rules)
2029790 - ET SCAN ELF/Mirai Variant User-Agent (Inbound) (scan.rules)
2029791 - ET TROJAN ELF/Mirai Variant User-Agent (Outbound) (trojan.rules)
2029792 - ET SCAN ELF/Mirai Variant User-Agent (Inbound) (scan.rules)
2029793 - ET TROJAN ELF/Mirai Variant User-Agent (Outbound) (trojan.rules)
2029794 - ET TROJAN Suspected Stitch Variant Backdoor CnC (trojan.rules)
2029795 - ET TROJAN Suspected CHAOS CnC Inbound (download command) (trojan.rules)
2029796 - ET TROJAN Suspected CHAOS CnC Inbound (upload command) (trojan.rules)
2029797 - ET TROJAN Suspected CHAOS CnC Inbound (screenshot command) (trojan.rules)
2029798 - ET TROJAN Suspected CHAOS CnC Inbound (keylogger start) (trojan.rules)
2029799 - ET TROJAN Suspected CHAOS CnC Inbound (persistence enable) (trojan.rules)
2029800 - ET TROJAN Suspected CHAOS CnC Inbound (getos) (trojan.rules)
2029801 - ET TROJAN Suspected CHAOS CnC Inbound (openurl) (trojan.rules)

Pro:

2841827 - ETPRO TROJAN Observed Malicious SSL Cert (StrongPity CnC) (trojan.rules)
2841828 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2841829 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL 2020-04-02) (trojan.rules)
2841830 - ETPRO CURRENT_EVENTS Successful Apple Phish 2020-04-01 (current_events.rules)
2841831 - ETPRO CURRENT_EVENTS Successful Apple Phish 2020-04-01 (current_events.rules)
2841832 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-04-01 (current_events.rules)
2841833 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-04-01 (current_events.rules)
2841834 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-04-01 (current_events.rules)
2841835 - ETPRO CURRENT_EVENTS Likely Successful Facebook Phish on 000webhostapp.com 2020-04-01 (current_events.rules)
2841836 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-02 1) (trojan.rules)
2841837 - ETPRO TROJAN W32/Unknown Possible BR Downloader (trojan.rules)
2841838 - ETPRO CURRENT_EVENTS Successful Gov UK Tax Refund Phish 2020-04-02 (current_events.rules)
2841839 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-04-02 (current_events.rules)
2841840 - ETPRO CURRENT_EVENTS Successful Scotiabank Phish 2020-04-02 (current_events.rules)
2841841 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-04-02 (current_events.rules)
2841842 - ETPRO CURRENT_EVENTS Successful Verizon Phish 2020-04-02 (current_events.rules)
2841843 - ETPRO CURRENT_EVENTS Successful Genric Credit Card Information Phish 2020-04-02 (current_events.rules)
2841844 - ETPRO CURRENT_EVENTS Successful BBVA Phish 2020-04-02 (current_events.rules)
2841845 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-04-02 (current_events.rules)
2841846 - ETPRO CURRENT_EVENTS Successful TikTok Phish 2020-04-02 (current_events.rules)
2841847 - ETPRO CURRENT_EVENTS Successful Blizzard Phish 2020-04-02 (current_events.rules)
2841848 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-04-02 (current_events.rules)
2841849 - ETPRO CURRENT_EVENTS Successful Scotiabank Phish 2020-04-02 (current_events.rules)
2841850 - ETPRO TROJAN Win32/Packed.FlyStudio.AA CnC Checkin M3 (trojan.rules)
2841851 - ETPRO TROJAN Win32/Remcos RAT Checkin 382 (trojan.rules)
2841852 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)

[///] Modified active rules: [///]

2029705 - ET INFO Possible COVID-19 Domain in SSL Certificate M1 (info.rules)
2029706 - ET INFO Possible COVID-19 Domain in SSL Certificate M2 (info.rules)
2029707 - ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain M1 (info.rules)
2029708 - ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain M2 (info.rules)
2029711 - ET INFO Suspicious GET Request with Possible COVID-19 Domain M1 (info.rules)
2029712 - ET INFO Suspicious GET Request with Possible COVID-19 Domain M2 (info.rules)
2029713 - ET INFO Suspicious POST Request with Possible COVID-19 Domain M1 (info.rules)
2029714 - ET INFO Suspicious POST Request with Possible COVID-19 Domain M2 (info.rules)
2029753 - ET INFO Suspicious GET Request with Possible COVID-19 URI M1 (info.rules)
2029754 - ET INFO Suspicious GET Request with Possible COVID-19 URI M2 (info.rules)
2029755 - ET INFO Suspicious POST Request with Possible COVID-19 URI M1 (info.rules)
2029756 - ET INFO Suspicious POST Request with Possible COVID-19 URI M2 (info.rules)
2822801 - ETPRO TROJAN DiamondFox HTTP POST CnC Checkin M1 (trojan.rules)
2822967 - ETPRO TROJAN PlugX Variant CnC Beacon (trojan.rules)
2823169 - ETPRO TROJAN Mocker Retrieving Payload (trojan.rules)
2823365 - ETPRO TROJAN Godzilla Loader Retrieving Payload (trojan.rules)
2823420 - ETPRO POLICY External IP Address Lookup - myip.ch (policy.rules)
2823534 - ETPRO CURRENT_EVENTS Likely Magnitude EK Flash Exploit Struct Nov 30 2016 (current_events.rules)
2823676 - ETPRO TROJAN W32/Quasar 1.3 RAT Connectivity Check (trojan.rules)
2826697 - ETPRO TROJAN Possible Win32/Jeefo.B Config DL (trojan.rules)
2841290 - ETPRO TROJAN XAE Rat CnC Requesting Command (trojan.rules)

[---] Disabled rules: [---]

2019235 - ET TROJAN Pushdo v3 Checkin (trojan.rules)