[***] Summary: [***]

12 Open, 42 Pro (12 + 30). Sarwent, Parallax, Ave Maria, Nemty
Ransomware, Various Phish.

Suricata 2/3 Support from Emerging Threats will become End-Of-Life on
April 15th, 2020.

Tks: @James_inthe_box @sysopfb @VK_Intel @VirtualAlloc

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2029813 - ET TROJAN Win32/MOOZ.THCCABO CoinMiner CnC Checkin
(trojan.rules)
2029814 - ET TROJAN Parallax CnC Activity M8 (set) (trojan.rules)
2029815 - ET TROJAN Parallax CnC Response Activity M8 (trojan.rules)
2029816 - ET TROJAN Sarwent CnC Response (cmd_exec) (trojan.rules)
2029817 - ET TROJAN Sarwent CnC Response (powershell_exec) (trojan.rules)
2029818 - ET TROJAN Sarwent CnC Response (rdp_exec) (trojan.rules)
2029819 - ET TROJAN Sarwent CnC Response (update_exec) (trojan.rules)
2029820 - ET TROJAN Sarwent CnC Response (download_exec) (trojan.rules)
2029821 - ET TROJAN Sarwent CnC Command (update) (trojan.rules)
2029822 - ET TROJAN Sarwent CnC Command (download) (trojan.rules)
2029823 - ET TROJAN Sarwent CnC Command (powershell) (trojan.rules)
2029824 - ET TROJAN Sarwent CnC Command (rdp) (trojan.rules)

Pro:

2841878 - ETPRO TROJAN Observed Office Doc with Reversed Strings Inbound
(trojan.rules)
2841879 - ETPRO TROJAN MalDoc Reporting Infection (trojan.rules)
2841880 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-04 1) (trojan.rules)
2841881 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-06 1) (trojan.rules)
2841882 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-06 2) (trojan.rules)
2841883 - ETPRO CURRENT_EVENTS Successful Telstra Phish 2020-04-06
(current_events.rules)
2841884 - ETPRO CURRENT_EVENTS Successful Bank of Ireland Phish
2020-04-06 (current_events.rules)
2841885 - ETPRO CURRENT_EVENTS Successful AOL Phish 2020-04-06
(current_events.rules)
2841886 - ETPRO CURRENT_EVENTS Successful AOL Phish 2020-04-06
(current_events.rules)
2841887 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-04-06 (current_events.rules)
2841888 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-04-06 (current_events.rules)
2841889 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-04-06 (current_events.rules)
2841890 - ETPRO CURRENT_EVENTS Successful SF Express Phish 2020-04-06
(current_events.rules)
2841891 - ETPRO CURRENT_EVENTS Successful Interbank Phish 2020-04-06
(current_events.rules)
2841892 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-04-06 (current_events.rules)
2841893 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-04-06
(current_events.rules)
2841894 - ETPRO CURRENT_EVENTS GOV UK Possible COVID-19 Phish 2020-04-06
(current_events.rules)
2841895 - ETPRO CURRENT_EVENTS GOV UK Possible COVID-19 Phish 2020-04-06
(current_events.rules)
2841896 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish
2020-04-06 (current_events.rules)
2841897 - ETPRO CURRENT_EVENTS Successful Swiss Bankers Prepaid Services
Phish 2020-04-06 (current_events.rules)
2841898 - ETPRO CURRENT_EVENTS Successful Yahoo Small Business Phish
2020-04-06 (current_events.rules)
2841899 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish
2020-04-06 (current_events.rules)
2841900 - ETPRO CURRENT_EVENTS Successful Co-operative Bank Phish
2020-04-06 (current_events.rules)
2841901 - ETPRO CURRENT_EVENTS Successful Comcast/Xfinity Phish
2020-04-06 (current_events.rules)
2841902 - ETPRO CURRENT_EVENTS Successful Generic Bank Account
Information Phish 2020-04-06 (current_events.rules)
2841903 - ETPRO TROJAN Ave Maria RAT Encrypted CnC Checkin (Inbound)
(trojan.rules)
2841904 - ETPRO TROJAN Ransomware Checkin via IPLogger (trojan.rules)
2841905 - ETPRO TROJAN Nemty Ransomware CnC Checkin (trojan.rules)
2841906 - ETPRO TROJAN Win32/Remcos RAT Checkin 383 (trojan.rules)
2841907 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)

[///] Modified active rules: [///]

2015483 - ET INFO Java .jar request to dotted-quad domain (info.rules)
2018421 - ET TROJAN Zbot downloader Installing Zeus (trojan.rules)
2808018 - ETPRO TROJAN Win32.LockScreen.BHI checkin (trojan.rules)
2815364 - ETPRO TROJAN Win32/Qbot/Quakbot Checkin via HTTP GET
(trojan.rules)
2815431 - ETPRO TROJAN Emissary CnC Beacon M1 (trojan.rules)
2815434 - ETPRO TROJAN Emissary CnC Beacon Response (trojan.rules)
2815474 - ETPRO TROJAN Worm.Linux.Mworm Checkin (trojan.rules)
2815478 - ETPRO CURRENT_EVENTS Possible Nuclear EK Landing URI struct Dec
27 2015 M4 (current_events.rules)
2815534 - ETPRO CURRENT_EVENTS Possible Nuclear EK Payload Dec 30 2015 M2
(fb set) (current_events.rules)
2815548 - ETPRO CURRENT_EVENTS Possible CryptoWall JS Dropper GET Request
(current_events.rules)
2815600 - ETPRO CURRENT_EVENTS DHL/Adobe/Excel Phishing Landing Jan 05
2016 (current_events.rules)
2815818 - ETPRO CURRENT_EVENTS Possible Nuclear EK Flash URI Struct Jan
14 M2 (current_events.rules)
2815926 - ETPRO CURRENT_EVENTS Successful IRS Phish Jan 22 2016
(current_events.rules)
2816087 - ETPRO TROJAN Win32/Uloz Botnet Filename Generator (trojan.rules)
2816110 - ETPRO TROJAN Sylavriu.A/TorCT RAT CnC Checkin (trojan.rules)
2816144 - ETPRO TROJAN Win32/VertexNet CnC Checkin (trojan.rules)
2816152 - ETPRO TROJAN Backdoor.Mizzmo CnC Beacon 2 (trojan.rules)
2816180 - ETPRO TROJAN Backdoor.Mizzmo CnC Beacon 3 (trojan.rules)
2816181 - ETPRO TROJAN Backdoor.Mizzmo Service-Proxied CnC Beacon
(trojan.rules)
2816286 - ETPRO TROJAN Tendrit CnC Beacon 3 (trojan.rules)
2816329 - ETPRO CURRENT_EVENTS Possible Magnitude EK Flash Exploit URI
Struct Feb 19 2016 (current_events.rules)
2816433 - ETPRO MOBILE_MALWARE Trojan.Android.AndroRAT.D Checkin
(mobile_malware.rules)
2816441 - ETPRO TROJAN MSIL/Datsup.A Activity (trojan.rules)
2816506 - ETPRO TROJAN Possible Cerber Ransomware IP Check (trojan.rules)
2820263 - ETPRO TROJAN Gozi ISFB CnC Checkin (trojan.rules)
2820364 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish
2016-05-26 (current_events.rules)
2820703 - ETPRO MOBILE_MALWARE Android Unknown Trojan Checkin
(mobile_malware.rules)
2820705 - ETPRO TROJAN W32/Bayrob Attempted Checkin 3 (trojan.rules)
2821424 - ETPRO TROJAN Win32/Daserf CnC Beacon 1 (trojan.rules)
2822231 - ETPRO TROJAN ORK/ARIK Keylogger Download Request - Obsevered
Dropped from Macro (trojan.rules)
2822387 - ETPRO CURRENT_EVENTS Possible Evil Redirector Leading to EK Oct
04 2016 (BossTDS) M3 (current_events.rules)
2822393 - ETPRO TROJAN MSIL/Pony Stealer Variant CnC Checkin
(trojan.rules)
2822394 - ETPRO TROJAN MSIL/UBN CP Downloader Requesting Payload
(trojan.rules)
2822697 - ETPRO CURRENT_EVENTS MalDoc Downloader Retrieving Payload Oct
14 (current_events.rules)
2831008 - ETPRO TROJAN Unix/VPNFilter HTTP Request Structure 1
(trojan.rules)
2831009 - ETPRO TROJAN Unix/VPNFilter HTTP Request Structure 2
(trojan.rules)
2831049 - ETPRO TROJAN PS/QuadAgent Communicating with CnC (trojan.rules)
2832325 - ETPRO TROJAN NewcoreRAT HTTP CnC Pattern (trojan.rules)
2833580 - ETPRO TROJAN ExtremeDownloader CnC Checkin (trojan.rules)
2841814 - ETPRO TROJAN W32/TrojanDownloader.Agent.FBF Variant CnC Host
Checkin (trojan.rules)

[---] Disabled and modified rules: [---]

2815867 - ETPRO TROJAN MSIL/Gurim.A Downloader Request (trojan.rules)
2816183 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.hf Checkin
(mobile_malware.rules)
2816720 - ETPRO MOBILE_MALWARE Android/AdDisplay.Kuguo.V Checkin
(mobile_malware.rules)
2816742 - ETPRO TROJAN Rexpot Receiving Payload M2 (trojan.rules)
2820889 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Cloudatlas.a Checkin
(mobile_malware.rules)
2822526 - ETPRO TROJAN Quant Loader Download Request 2 (trojan.rules)
2822683 - ETPRO TROJAN MSIL/Exotic Ransomware Image Request (trojan.rules)
2831322 - ETPRO TROJAN Observed Malicious SSL Certificate (IcedID)
(trojan.rules)

[---] Disabled rules: [---]

2815338 - ETPRO TROJAN Unknown CnC Checkin (trojan.rules)
2815942 - ETPRO TROJAN W32/Nymaim Checkin 3 (trojan.rules)
2816097 - ETPRO TROJAN Win32/Rogue Browser Extension Installer Checkin
(trojan.rules)
2816440 - ETPRO TROJAN Unknown Bot CnC Checkin (trojan.rules)
2820396 - ETPRO TROJAN Helminth Checkin (trojan.rules)
2821156 - ETPRO CURRENT_EVENTS Likely Magnitude EK Flash Exploit Struct
Jul 13 2016 T1 (current_events.rules)
2821903 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.kz CnC Beacon
(mobile_malware.rules)
2822695 - ETPRO TROJAN MSIL/ApolloHTTP Bot CnC Checkin (trojan.rules)
2822696 - ETPRO TROJAN MSIL/ApolloHTTP Bot CnC Keep-Alive (trojan.rules)
