[***] Summary: [***]
11 Open, 32 Pro (11 + 21). KPOT, Sorano Stealer, SmsThief, Flowbit Cleanup/Optimization, Various Phish.
Suricata 2/3 Support from Emerging Threats will become End-Of-Life on April 15th, 2020.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2029829 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain (current_events.rules)
2029830 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain (current_events.rules)
2029831 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain (current_events.rules)
2029832 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain (current_events.rules)
2029833 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain (current_events.rules)
2029834 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain (current_events.rules)
2029835 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain (current_events.rules)
2029836 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain (current_events.rules)
2029837 - ET TROJAN KPOT Stealer Initial CnC Activity M4 (trojan.rules)
2029838 - ET TROJAN Sorano Stealer CnC Checkin (trojan.rules)
2029839 - ET TROJAN ELF Linux/Dnsamp.AB Variant CnC (trojan.rules)
Pro:
2841916 - ETPRO TROJAN Burp Collector Reporting Group Information (trojan.rules)
2841934 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.oi TLS SNI (mobile_malware.rules)
2841935 - ETPRO TROJAN Unk.MalDoc Reporting System Information (trojan.rules)
2841936 - ETPRO USER_AGENTS Observed Suspicious UA (Microsoft Windows Network Diagnostics) (user_agents.rules)
2841937 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-08 1) (trojan.rules)
2841938 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-08 2) (trojan.rules)
2841939 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-04-08 (current_events.rules)
2841940 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-04-08 (current_events.rules)
2841941 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2020-04-08 (current_events.rules)
2841942 - ETPRO CURRENT_EVENTS Successful Galicia Bank Phish 2020-04-08 (current_events.rules)
2841943 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish 2020-04-08 (current_events.rules)
2841944 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-04-08 (current_events.rules)
2841945 - ETPRO CURRENT_EVENTS Successful Alibaba Phish 2020-04-08 (current_events.rules)
2841946 - ETPRO CURRENT_EVENTS Successful Generic Personalized Phish 2020-04-08 (current_events.rules)
2841947 - ETPRO TROJAN MSIL/Spy.Agent.BXY Variant CnC Checkin (trojan.rules)
2841948 - ETPRO TROJAN TrojanDropper.Binder.FR CnC Activity M1 (trojan.rules)
2841949 - ETPRO TROJAN TrojanDropper.Binder.FR CnC Activity M2 (trojan.rules)
2841950 - ETPRO TROJAN TrojanDropper.Binder.FR CnC Activity M3 (trojan.rules)
2841951 - ETPRO TROJAN TrojanDropper.Binder.FR CnC Activity M4 (trojan.rules)
2841952 - ETPRO TROJAN TrojanDropper.Binder.FR CnC Activity M5 (trojan.rules)
2841953 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
[///] Modified active rules: [///]
2024513 - ET TROJAN [PTsecurity] Win32/TinyNuke Payload ACF40 Inbound (trojan.rules)
2024991 - ET TROJAN Win32/TinyNuke CnC Checkin (trojan.rules)
2027250 - ET INFO Dotted Quad Host DLL Request (info.rules)
2027251 - ET INFO Dotted Quad Host DOC Request (info.rules)
2027252 - ET INFO Dotted Quad Host DOCX Request (info.rules)
2027253 - ET INFO Dotted Quad Host XLS Request (info.rules)
2027254 - ET INFO Dotted Quad Host XLSX Request (info.rules)
2027255 - ET INFO Dotted Quad Host PPT Request (info.rules)
2027256 - ET INFO Dotted Quad Host PPTX Request (info.rules)
2027257 - ET INFO Dotted Quad Host RTF Request (info.rules)
2027258 - ET INFO Dotted Quad Host PS Request (info.rules)
2027259 - ET INFO Dotted Quad Host PS1 Request (info.rules)
2027260 - ET INFO Dotted Quad Host VBS Request (info.rules)
2027261 - ET INFO Dotted Quad Host HTA Request (info.rules)
2027262 - ET INFO Dotted Quad Host ZIP Request (info.rules)
2027263 - ET INFO Dotted Quad Host GZ Request (info.rules)
2027264 - ET INFO Dotted Quad Host TGZ Request (info.rules)
2027265 - ET INFO Dotted Quad Host PDF Request (info.rules)
2027266 - ET INFO Dotted Quad Host RAR Request (info.rules)
2800869 - ETPRO EXPLOIT Microsoft Office PowerPoint Download Verification (exploit.rules)
2802013 - ETPRO TROJAN Trojan.Win32.Banker.qmd Activity - SET (trojan.rules)
2832577 - ETPRO TROJAN Win32/TinyNuke CnC Checkin (trojan.rules)
2833514 - ETPRO TROJAN Win32/TinyNuke CnC Checkin M2 (trojan.rules)
[///] Modified inactive rules: [///]
2805142 - ETPRO CURRENT_EVENTS Possible WORM W32.Printlove spreading via cve 2010-2729 (SPOOLSS StartDocPrinter request SET) (current_events.rules)
[---] Disabled and modified rules: [---]
2009128 - ET TROJAN Bifrose Connect to Controller (PING PONG) (trojan.rules)
2011502 - ET EXPLOIT Possible Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt (exploit.rules)
2014264 - ET POLICY IP Geo Location Request (policy.rules)
2014645 - ET INFO RuggedCom Banner with MAC (info.rules)
2014758 - ET TROJAN Trojan.BAT.Qhost - SET (trojan.rules)
2014922 - ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Requested .php?showtopic=6digit (current_events.rules)
2018360 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF Struct (current_events.rules)
2018361 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF Struct (current_events.rules)
2019209 - ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF Struct (no alert) (current_events.rules)
2019358 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Oct 5 2014 (no alert) (current_events.rules)
2019844 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Exploit Struct (current_events.rules)
2019872 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Payload (flowbits set) (current_events.rules)
2020837 - ET CURRENT_EVENTS Malicious Doc Download EXE Primer (flowbits set) (current_events.rules)
2020993 - ET CURRENT_EVENTS IonCube Encoded Page (no alert) (current_events.rules)
2022572 - ET TROJAN Andromeda Download (set) (trojan.rules)
2022770 - ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 27 2016 (fbset) (current_events.rules)
2025038 - ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 24 2016 (Evil Keitaro FB Set) (current_events.rules)
2025039 - ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 29 2016 (Evil Keitaro FB Set) (current_events.rules)
2029424 - ET INFO [TGI] Entrust Entelligence Security Provider (Flowbits Set) (info.rules)
2800638 - ETPRO EXPLOIT Cisco IOS Show Memory URI Connection (exploit.rules)
2800843 - ETPRO WEB_CLIENT RealNetworks RealPlayer CDDA Access (web_client.rules)
2800844 - ETPRO WEB_CLIENT RealNetworks RealPlayer CDDA Access 2 (web_client.rules)
2800854 - ETPRO EXPLOIT Oracle Java Runtime CMM readMabCurveData Buffer Overflow ICC DL (exploit.rules)
2800855 - ETPRO EXPLOIT Oracle Java Runtime CMM readMabCurveData Buffer Overflow ICM DL (exploit.rules)
2800879 - ETPRO EXPLOIT Adobe Shockwave Player Lnam Chunk Processing Buffer Overflow Big Endian Header (exploit.rules)
2800881 - ETPRO EXPLOIT Adobe Shockwave Player Lnam Chunk Processing Buffer Overflow Little Endian Header (exploit.rules)
2800954 - ETPRO TROJAN Backdoor.Win32.Ripinip Requesting Config (trojan.rules)
2801290 - ETPRO WORM Worm.Win32.Slenfbot.G Checkin 2 (worm.rules)
2801304 - ETPRO POP3 Inetserv 3.23 POP3 DoS (pop3.rules)
2801383 - ETPRO WORM Worm.Win32.Imamihong.A flowbits set 1 (worm.rules)
2801385 - ETPRO WORM Worm.Win32.Imamihong.A flowbits set 1 (worm.rules)
2801404 - ETPRO TROJAN Unknown RBN Based BiFrost Botnet Query (trojan.rules)
2802835 - ETPRO SMTP Postfix SASL AUTH Handle Reuse Memory Corruption(Published Exploit) 2 (smtp.rules)
2815138 - ETPRO CURRENT_EVENTS Possible Nuclear EK Payload Nov 30 2015 (fb set) (current_events.rules)
2815534 - ETPRO CURRENT_EVENTS Possible Nuclear EK Payload Dec 30 2015 M2 (fb set) (current_events.rules)
2815955 - ETPRO CURRENT_EVENTS Phishing Landing via Sitey.me Jan 25 M2 (current_events.rules)
[---] Disabled rules: [---]
2006398 - ET TROJAN Socks666 Checkin Packet (trojan.rules)
2007751 - ET TROJAN Saturn Proxy Initial Outbound Checkin (404.txt) (trojan.rules)
2009238 - ET TROJAN PcClient Backdoor Checkin Packet 1 (trojan.rules)
2010695 - ET TROJAN Aurora Backdoor (C&C) client connection to CnC (trojan.rules)
2012960 - ET TROJAN Trojan.Vaklik.kku Checkin Request (trojan.rules)
2013135 - ET TROJAN FakeAV FakeAlert.Rena.n Checkin Flowbit set (trojan.rules)
2013419 - ET TROJAN FakeAV FakeAlert.Rena or similar Checkin Flowbit Set 2 (trojan.rules)
2025985 - ET INFO Adobe PDX in HTTP Flowbit Set (info.rules)
2027956 - ET CURRENT_EVENTS Successful Gmail Phish (set) 2016-09-12 (current_events.rules)
2800808 - ETPRO TROJAN Backdoor.Win32.VBKrypt.dxe Checkin (trojan.rules)
2800950 - ETPRO TROJAN Backdoor.Win32.Loopas Initial checkin (trojan.rules)
2801347 - ETPRO TROJAN Mariposa or Palevo Bot Checkin to Server (trojan.rules)
2801420 - ETPRO MALWARE RogueSoftware.Win32.AVGAntivirus2011 Checkin 3 (malware.rules)
2801914 - ETPRO TROJAN NCom Linux Rootkit Checkin (trojan.rules)
2802002 - ETPRO TROJAN Backdoor.Win32.Refpron.I Checkin flowbit set (trojan.rules)
2802159 - ETPRO TROJAN Delf/Hupigon/PWS.Banker.54377 Checkin Response from CnC (trojan.rules)
2802197 - ETPRO TROJAN Trojan.Win32.Banker.bkvd Checkin flowbit set (trojan.rules)
2803059 - ETPRO TROJAN Win32.Coinbit.A Checkin Flowbit Set (trojan.rules)
2815667 - ETPRO WEB_CLIENT Ezweb123 Phishing (set) Jan 8 (web_client.rules)
2815892 - ETPRO CURRENT_EVENTS Phishing Landing via Stinge.com (set) Jan 22 (current_events.rules)
2815896 - ETPRO CURRENT_EVENTS Phishing Landing via Jimdo.com (set) Jan 22 (current_events.rules)
2816290 - ETPRO WEB_CLIENT Igg.biz Phishing Redirector (set) Feb 17 (web_client.rules)
2824151 - ETPRO CURRENT_EVENTS Successful Santander Phish (set) M1 Dec 30 2016 (current_events.rules)
2827610 - ETPRO CURRENT_EVENTS Evil Redirector iFrame Observed Aug 18 2017 (current_events.rules)
2829091 - ETPRO CURRENT_EVENTS Magnitude EK Payload URI Struct 2017-12-27 (current_events.rules)
2830648 - ETPRO MALWARE Win32/InstallCore set bit (malware.rules)
[---] Removed rules: [---]
2836370 - ETPRO TROJAN MSIL/Spy.Agent.BXY Variant CnC Checkin (trojan.rules)
2841916 - ETPRO MALWARE Burp Collector Reporting Group Information (malware.rules)