[***] Summary: [***]
10 new Open, 35 new Pro (10 + 25). FTCode Stealer, Multiple DrayTek Products Pre-authentication Remote RCE, ELF/Mirai, Win32/Kapers.a CnC, MSIL/PSW.Agent.RPT CnC, Ursnif SSL, Various Phishing.
TIIF. Thanks: @malware_traffic, @PAsinovsky
Suricata 2/3 Support from Emerging Threats will become End-Of-Life on April 15th, 2020.
Suricata 2/3 EOL information:
https://lists.emergingthreats.net/pipermail/emerging-updates/2019-Octob…
[+++] Added rules: [+++]
Open:
2029802 - ET TROJAN FTCode Stealer Init Activity (trojan.rules)
2029803 - ET TROJAN FTCode Stealer CnC Activity (trojan.rules)
2029804 - ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M1 (exploit.rules)
2029805 - ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M1 (exploit.rules)
2029806 - ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2 (exploit.rules)
2029807 - ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2 (exploit.rules)
2029808 - ET SCAN ELF/Mirai Variant User-Agent (Inbound) (scan.rules)
2029809 - ET TROJAN ELF/Mirai Variant User-Agent (Outbound) (trojan.rules)
2029811 - ET MOBILE_MALWARE Android/TrojanDropper.Agent.EQO Variant CnC Activity (mobile_malware.rules)
2029812 - ET TROJAN Malicious VBE Script (COVID-19 Phish 04-03-2020) (trojan.rules)
Pro:
2841853 - ETPRO TROJAN Win32/Kapers.a CnC Init Checkin (trojan.rules)
2841854 - ETPRO TROJAN Win32/Kapers.a FileZilla Password Exfil (trojan.rules)
2841855 - ETPRO TROJAN Win32/Kapers.a CnC Checkin Process List Exfil (trojan.rules)
2841856 - ETPRO CURRENT_EVENTS Successful Keesler Federal Credit Union Phish 2020-04-03 (current_events.rules)
2841857 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-04-03 (current_events.rules)
2841858 - ETPRO CURRENT_EVENTS Successful Amazon Phish 2020-04-03 (current_events.rules)
2841859 - ETPRO CURRENT_EVENTS Successful SunTrust Phish 2020-04-03 (current_events.rules)
2841860 - ETPRO TROJAN PS/Downloader.EATI UA Observed (trojan.rules)
2841861 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-04-03 (current_events.rules)
2841862 - ETPRO CURRENT_EVENTS Successful Ebay Phish 2020-04-03 (current_events.rules)
2841863 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-04-03 (current_events.rules)
2841864 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-04-03 (current_events.rules)
2841865 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-03 1) (trojan.rules)
2841866 - ETPRO CURRENT_EVENTS Successful Dropbox Phish 2020-04-03 (current_events.rules)
2841867 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-04-03 (current_events.rules)
2841868 - ETPRO CURRENT_EVENTS Successful Shaw Account Update Phish 2020-04-03 (current_events.rules)
2841869 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2020-04-03 (current_events.rules)
2841870 - ETPRO TROJAN Win32/Azden.B!cl CnC Host Checkin (trojan.rules)
2841871 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-04-03 (current_events.rules)
2841872 - ETPRO CURRENT_EVENTS Successful VBV Mastercard Securecode Phish 2020-04-03 (current_events.rules)
2841873 - ETPRO TROJAN MSIL/PSW.Agent.RPT CnC Activity (trojan.rules)
2841874 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2841875 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2841876 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2841877 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
[///] Modified active rules: [///]
2021245 - ET TROJAN Possible Dridex Download URI Struct with no referer (trojan.rules)
2024004 - ET TROJAN APT29 Implant8 - MAL_REFERER (trojan.rules)
2029790 - ET SCAN ELF/Mirai Variant User-Agent (Inbound) (scan.rules)
2029791 - ET TROJAN ELF/Mirai Variant User-Agent (Outbound) (trojan.rules)
2809309 - ETPRO WEB_CLIENT IE Double Encoding Reflected XSS Vulnerability CVE-2014-6365 (web_client.rules)
2809315 - ETPRO WEB_CLIENT Exchange URL Redirection Vulnerability GET request (CVE-2014-6336) (web_client.rules)
2810578 - ETPRO MALWARE PUP.OptimizerPro Google Connectivity Check (malware.rules)
2814213 - ETPRO TROJAN LatentBot/GrayBird CnC Checkin (trojan.rules)
2815080 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.DD Checkin (mobile_malware.rules)
2815081 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.DD Checkin 2 (mobile_malware.rules)
2815102 - ETPRO TROJAN W32/Nymaim Checkin 2 (trojan.rules)
2815138 - ETPRO CURRENT_EVENTS Possible Nuclear EK Payload Nov 30 2015 (fb set) (current_events.rules)
2815177 - ETPRO CURRENT_EVENTS PowerShell Empire Session via Excel Macro (current_events.rules)
2815181 - ETPRO CURRENT_EVENTS Nuclear EK Landing URI struct Dec 03 2015 M2 (current_events.rules)
2815182 - ETPRO CURRENT_EVENTS Nuclear EK Landing URI struct Dec 03 2015 M3 (current_events.rules)
2815183 - ETPRO CURRENT_EVENTS Nuclear EK Flash Exploit IE Dec 03 2015 M1 (current_events.rules)
2815199 - ETPRO CURRENT_EVENTS Possible Evil Redirector Leading to EK Dec 03 2015 M3 (current_events.rules)
2815200 - ETPRO CURRENT_EVENTS Possible Evil Redirector Leading to EK Dec 03 2015 M3 (current_events.rules)
2815281 - ETPRO MALWARE W32/BrowseFox Checkin (malware.rules)
2815326 - ETPRO TROJAN Andromeda Downloading Payload Fake UA (trojan.rules)
2820514 - ETPRO TROJAN Suspicious Terse Request to hastebin.com - Possible Download (trojan.rules)
2824087 - ETPRO TROJAN MSIL/DeriaLock Ransomware CnC Activity (trojan.rules)
2824449 - ETPRO CURRENT_EVENTS GreenFlash SunDown EK Flash Exploit 2017-01-17 (current_events.rules)
2824567 - ETPRO CURRENT_EVENTS Successful Paypal Phish M1 Jan 20 2017 (current_events.rules)
2824637 - ETPRO TROJAN Troj/Agent-APJC CnC Beacon (trojan.rules)
2824669 - ETPRO TROJAN APT.ChChes CnC Beacon 1 (trojan.rules)
2824670 - ETPRO TROJAN APT.ChChes CnC Beacon 2 (trojan.rules)
2824761 - ETPRO TROJAN MSIL/Agent.RZW CoinMiner CnC Activity (trojan.rules)
2825027 - ETPRO CURRENT_EVENTS Possible SunDown EK Landing URI Struct T2 Feb 17 2017 (current_events.rules)
2828324 - ETPRO TROJAN Gh0st Variant CnC Beacon (trojan.rules)
2838770 - ETPRO TROJAN MalDoc Requesting FTCode / Stealer Payload (trojan.rules)
[---] Disabled rules: [---]
2815121 - ETPRO TROJAN Win32/HydraCrypt CnC Beacon 4 (trojan.rules)
2815239 - ETPRO TROJAN Molerats/GazaHacker Checkin (trojan.rules)
2823672 - ETPRO TROJAN LatentBot HTTP POST CnC (trojan.rules)
2823930 - ETPRO MALWARE MSIL/TrojanDownloader.AdLoad.AZ Activity (malware.rules)
2824186 - ETPRO TROJAN fs0ciety Bot CnC Activity (trojan.rules)
2824617 - ETPRO TROJAN Greenbug Ismdoor Checkin (trojan.rules)