[***] Summary: [***]

16 Open, 38 Pro (16 + 22). RocketX Stealer, Lemon Duck, Agent.TRM,
Various Phish.

Tks: @James_inthe_box, @w3ndige

Suricata 2/3 Support from Emerging Threats will become End-Of-Life on
April 15th, 2020.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2029840 - ET INFO Request for EXE via WinHTTP M1 (info.rules)
2029841 - ET INFO Request for EXE via WinHTTP M2 (info.rules)
2029842 - ET INFO Request for EXE via WinHTTP M3 (info.rules)
2029843 - ET INFO Suspicious Zipped Filename in Outbound POST Request
(Hardware.txt) (info.rules)
2029844 - ET INFO Suspicious Zipped Filename in Outbound POST Request
(Prgrm.txt) (info.rules)
2029845 - ET INFO Suspicious Zipped Filename in Outbound POST Request
(CookiesList.txt) (info.rules)
2029846 - ET TROJAN Suspicious Zipped Filename in Outbound POST Request
(Passwords.txt) (trojan.rules)
2029847 - ET TROJAN Win32/RocketX Stealer CnC Exfil (trojan.rules)
2029848 - ET TROJAN Lemon_Duck Powershell CnC Checkin M2 (trojan.rules)
2029849 - ET CURRENT_EVENTS GOV UK Possible COVID-19 Phish 2020-04-06
(current_events.rules)
2029850 - ET CURRENT_EVENTS GOV UK Possible COVID-19 Phish 2020-04-06
(current_events.rules)
2029851 - ET TROJAN Possible Kimsuky APT Connectivity Check via Document
(trojan.rules)
2029852 - ET TROJAN Observed Malicious SSL Cert (MSIL/Agent.TRM CnC)
(trojan.rules)
2029853 - ET TROJAN MSIL/Agent.TRM Checkin Response (trojan.rules)
2029854 - ET TROJAN MSIL/Agent.TRM Task Command (trojan.rules)
2029855 - ET TROJAN MSIL/Agent.TRM Data Exfil (sysinfo) (trojan.rules)

Pro:

2841954 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-04-09 (current_events.rules)
2841955 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-04-09 (current_events.rules)
2841956 - ETPRO CURRENT_EVENTS Successful USAA Phish 2020-04-09
(current_events.rules)
2841957 - ETPRO CURRENT_EVENTS Successful Ziraat Bankasi Phish 2020-04-09
(current_events.rules)
2841958 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-09 1) (trojan.rules)
2841959 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-09 2) (trojan.rules)
2841960 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-04-09 (current_events.rules)
2841961 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-04-09
(current_events.rules)
2841962 - ETPRO CURRENT_EVENTS Successful Offerup Phish 2020-04-09
(current_events.rules)
2841963 - ETPRO CURRENT_EVENTS Successful Runescape Phish 2020-04-09
(current_events.rules)
2841964 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-04-09 (current_events.rules)
2841965 - ETPRO CURRENT_EVENTS Successful Blockchain Phish 2020-04-09
(current_events.rules)
2841966 - ETPRO CURRENT_EVENTS Successful ANZ Bank Phish 2020-04-09
(current_events.rules)
2841967 - ETPRO CURRENT_EVENTS Successful ANZ Bank Phish 2020-04-09
(current_events.rules)
2841968 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-04-09
(current_events.rules)
2841969 - ETPRO TROJAN Win32/Remcos RAT Checkin 384 (trojan.rules)
2841970 - ETPRO TROJAN Win32/Remcos RAT Checkin 385 (trojan.rules)
2841971 - ETPRO TROJAN Win32/Remcos RAT Checkin 386 (trojan.rules)
2841972 - ETPRO TROJAN Win32/Remcos RAT Checkin 387 (trojan.rules)
2841973 - ETPRO TROJAN Win32/Remcos RAT Checkin 388 (trojan.rules)
2841974 - ETPRO TROJAN Win32/Agent.UAW CnC Activity (trojan.rules)
2841975 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)

[///] Modified active rules: [///]

2026420 - ET INFO Generic 000webhostapp.com POST 2018-09-27 (set)
(info.rules)
2029013 - ET TROJAN Lemon_Duck Powershell - Install Tracking
(trojan.rules)
2833021 - ETPRO CURRENT_EVENTS Possible Malicious Second Stage Download
with Terse Headers (set) (current_events.rules)
2833022 - ETPRO CURRENT_EVENTS Possible Malicious Second Stage Download
with Terse Headers (current_events.rules)

[---] Removed rules: [---]

2841894 - ETPRO CURRENT_EVENTS GOV UK Possible COVID-19 Phish 2020-04-06
(current_events.rules)
2841895 - ETPRO CURRENT_EVENTS GOV UK Possible COVID-19 Phish 2020-04-06
(current_events.rules)
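The three sections above (added, modified, removed) follow a fixed layout that is easy to check mechanically: a SID, a dash, the rule message, and a trailing "(x.rules)" file name, with long messages wrapped onto a continuation line. The following is an added example, not part of this Emerging Threats update or of any ET tooling. It parses that layout, checks the "N Open, M Pro (N + K)" summary arithmetic against the entries actually listed, and reports which added SIDs are absent from (and which removed SIDs are still present in) a local ruleset. The SAMPLE_CHANGELOG is a constructed subset of this update with the summary counts adjusted to match it, and LOCAL_SIDS is a hypothetical set of SIDs from a local rules directory; both are assumptions for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from this update, trimmed to a subset, with
# the summary counts adjusted to match it (3 open + 2 pro-only = 5 pro).
SAMPLE_CHANGELOG = """\
[***] Summary: [***]

3 Open, 5 Pro (3 + 2). Various Phish.

[+++] Added rules: [+++]
Open:
2029840 - ET INFO Request for EXE via WinHTTP M1 (info.rules)
2029843 - ET INFO Suspicious Zipped Filename in Outbound POST Request
(Hardware.txt) (info.rules)
2029849 - ET CURRENT_EVENTS GOV UK Possible COVID-19 Phish 2020-04-06
(current_events.rules)
Pro:
2841954 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-04-09 (current_events.rules)
2841975 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)

[///] Modified active rules: [///]
2026420 - ET INFO Generic 000webhostapp.com POST 2018-09-27 (set)
(info.rules)
2029013 - ET TROJAN Lemon_Duck Powershell - Install Tracking
(trojan.rules)

[---] Removed rules: [---]
2841894 - ETPRO CURRENT_EVENTS GOV UK Possible COVID-19 Phish 2020-04-06
(current_events.rules)
"""
# Constructed (hypothetical): SIDs found in a local rules directory after the update.
LOCAL_SIDS = {2029840, 2029843, 2841954, 2026420, 2029013, 2841894}

SECTION_RE = re.compile(r"^\[(\+\+\+|///|---)\]\s*(?P<name>Added|Modified|Removed)\b")
ENTRY_RE = re.compile(r"^(?P<sid>\d{7})\s+-\s+(?P<msg>\S.*)$")
FILE_RE = re.compile(r"\s*\((?P<file>[a-z_]+\.rules)\)$")
SUMMARY_RE = re.compile(
    r"^(?P<open>\d+) Open, (?P<pro>\d+) Pro \((?P<open_new>\d+) \+ (?P<pro_only>\d+)\)")

@dataclass
class Entry:
    sid: int
    msg: str              # rule message with wrapped lines re-joined
    rules_file: str = ""  # from the trailing "(x.rules)", e.g. "trojan.rules"

    @property
    def is_pro(self) -> bool:
        return self.msg.startswith("ETPRO ")

@dataclass
class Changelog:
    summary: str = ""
    added: list = field(default_factory=list)
    modified: list = field(default_factory=list)
    removed: list = field(default_factory=list)

def parse_changelog(text: str) -> Changelog:
    """Parse the three SID sections; continuation lines are joined to their entry."""
    log, section, current = Changelog(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section, current = sec.group("name").lower(), None
            continue
        if section is None:                 # preamble: only the summary line matters
            if not log.summary and SUMMARY_RE.match(line):
                log.summary = line
            continue
        if not line or line in ("Open:", "Pro:"):
            current = None                  # blank line or sub-heading ends a wrapped entry
            continue
        ent = ENTRY_RE.match(line)
        if ent:
            current = Entry(int(ent.group("sid")), ent.group("msg"))
            getattr(log, section).append(current)
        elif current is not None:
            current.msg += " " + line       # wrapped continuation of the previous entry
    for entry in log.added + log.modified + log.removed:
        fm = FILE_RE.search(entry.msg)      # split off the trailing "(x.rules)"
        if fm:
            entry.rules_file, entry.msg = fm.group("file"), entry.msg[:fm.start()]
    return log

def check_summary(log: Changelog) -> list:
    """Discrepancies between the summary counts and the listed entries ([] if consistent)."""
    m = SUMMARY_RE.match(log.summary)
    if not m:
        return ["no parseable summary line"]
    claimed = {k: int(v) for k, v in m.groupdict().items()}
    open_new = sum(not e.is_pro for e in log.added)
    pro_only = sum(e.is_pro for e in log.added)
    # The Pro figure is the sum shown in parentheses: open rules plus pro-only rules.
    expected = {"open": open_new, "open_new": open_new,
                "pro_only": pro_only, "pro": open_new + pro_only}
    return [f"{k}: summary says {claimed[k]}, listed {v}"
            for k, v in expected.items() if claimed[k] != v]

def reconcile(log: Changelog, local_sids: set) -> dict:
    """What to chase after an update: added SIDs not present, removed SIDs still present."""
    return {
        "missing_added": sorted(e.sid for e in log.added if e.sid not in local_sids),
        "still_present_removed": sorted(e.sid for e in log.removed if e.sid in local_sids),
        "modified_to_review": sorted(e.sid for e in log.modified if e.sid in local_sids),
    }

if __name__ == "__main__":
    log = parse_changelog(SAMPLE_CHANGELOG)
    print("summary problems:", check_summary(log) or "none")
    print(reconcile(log, LOCAL_SIDS))
```

Pro versus open is decided from the "ETPRO" / "ET" message prefix rather than from the SID range, so the check still works if a rule is moved between the two rulesets while keeping its message. Running it against the full update text above should report no summary problems, since the 16 open and 22 pro-only entries listed add up to the "16 Open, 38 Pro (16 + 22)" in the summary.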
