[***] Summary: [***]
17 Open, 33 Pro (17 + 16). DCRat, DDG Botnet, Win32/Agent.AAIB, Various Webshell, Various Phish.
Suricata 2/3 Support from Emerging Threats will become End-Of-Life on April 15th, 2020.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
Thanks @james_inthe_box
[+++] Added rules: [+++]
Open:
2027363 - ET POLICY Observed DNS Query to DynDNS Domain (dns-report .com) (policy.rules)
2029881 - ET TROJAN DCRat Initial CnC Activity (trojan.rules)
2029882 - ET WEB_CLIENT Generic WSO Webshell Password Prompt Accessed on External Compromised Server (web_client.rules)
2029883 - ET WEB_SERVER Generic WSO Webshell Password Prompt Accessed on Internal Compromised Server (web_server.rules)
2029884 - ET WEB_CLIENT Generic WSO Webshell Password Prompt Accessed on External Compromised Server (web_client.rules)
2029885 - ET WEB_SERVER Generic WSO Webshell Password Prompt Accessed on Internal Compromised Server (web_server.rules)
2029886 - ET WEB_CLIENT Anonymous Webshell Accessed on External Compromised Server (web_client.rules)
2029887 - ET WEB_SERVER Anonymous Webshell Accessed on Internal Compromised Server (web_server.rules)
2029888 - ET WEB_CLIENT Generic Mini Webshell Accessed on External Compromised Server (web_client.rules)
2029889 - ET WEB_SERVER Generic Mini Webshell Accessed on Internal Compromised Server (web_server.rules)
2029890 - ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server (web_client.rules)
2029891 - ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server (web_server.rules)
2029892 - ET USER_AGENTS Observed Malicious CASPER/Mirai UA (user_agents.rules)
2029893 - ET TROJAN Win32/Agent.AAIB Variant CnC (trojan.rules)
2029894 - ET TROJAN DDG Botnet CnC Job Request (trojan.rules)
2029895 - ET TROJAN DDG Botnet CnC Slave POST (trojan.rules)
2029896 - ET TROJAN DDG Botnet Miner Download (trojan.rules)
Pro:
2841989 - ETPRO TROJAN Unk.BR Email Address Harvester Exfil (trojan.rules)
2841990 - ETPRO INFO Observed Suspicious Base64 Encoded Wide String Inbound (exe) (info.rules)
2841991 - ETPRO INFO Observed Suspicious Base64 Encoded Wide String Inbound (zip) (info.rules)
2841992 - ETPRO INFO Observed Suspicious Base64 Encoded Wide String Inbound ($env:APPDATA) (info.rules)
2841993 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-11 1) (trojan.rules)
2841994 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-11 2) (trojan.rules)
2841995 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-12 1) (trojan.rules)
2841996 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-04-13 (current_events.rules)
2841997 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-04-13 (current_events.rules)
2841998 - ETPRO CURRENT_EVENTS Successful HSA bank Phish 2020-04-13 (current_events.rules)
2841999 - ETPRO CURRENT_EVENTS Successful ANZ Bank Phish 2020-04-13 (current_events.rules)
2842000 - ETPRO CURRENT_EVENTS Successful Ziraat Bankasi Phish 2020-04-13 (current_events.rules)
2842001 - ETPRO CURRENT_EVENTS Successful Microsoft Excel Phish 2020-04-13 (current_events.rules)
2842002 - ETPRO TROJAN Win32/Remcos RAT Checkin 389 (trojan.rules)
2842003 - ETPRO TROJAN Win32/Remcos RAT Checkin 390 (trojan.rules)
2842004 - ETPRO TROJAN Win32/Remcos RAT Checkin 391 (trojan.rules)
[///] Modified active rules: [///]
2814030 - ETPRO TROJAN W32/Quasar RAT Connectivity Check 2 (trojan.rules)
2814031 - ETPRO TROJAN W32/Quasar RAT Connectivity Check (trojan.rules)
2823674 - ETPRO TROJAN W32/Quasar 1.3 RAT MiscHandler HTTP Pattern (trojan.rules)
2823675 - ETPRO TROJAN W32/Quasar 1.3 RAT Connectivity Check 2 (trojan.rules)
2823676 - ETPRO TROJAN W32/Quasar 1.3 RAT Connectivity Check (trojan.rules)
2832799 - ETPRO TROJAN MSIL/Quasar RAT Checkin (trojan.rules)
2832800 - ETPRO TROJAN MSIL/Quasar RAT Checkin Response (trojan.rules)
2836270 - ETPRO TROJAN QuasarRAT C2 Init (trojan.rules)
2836632 - ETPRO TROJAN Possible Quasar RAT Websocket Document Exfil Parameters Received (trojan.rules)
2836661 - ETPRO TROJAN Observed Malicious SSL Cert (Quasar RAT Staging Server CnC) (trojan.rules)
2841947 - ETPRO TROJAN MSIL/Spy.Agent.BXY Variant CnC Checkin (trojan.rules)
[///] Modified inactive rules: [///]
2836269 - ETPRO TROJAN QuasarRAT C2 KeepAlive (trojan.rules)
[---] Removed rules: [---]
2027363 - ET TROJAN BlackTech Plead CnC in DNS Lookup (trojan.rules)