[***] Summary: [***]
50 new Open, 73 new Pro (50 + 23). Rancour/WatcherDog, PoetRAT,
ELF/Gafgyt, Android/Tabiah, Various PHP Mailer, Webshells, and Phishing.
Many rules in the Suricata 5 ruleset have been updated with Suricata 5
rule syntax/keywords. A complete list of rules that were changed can be
found via the changelog here:
https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.etpro.2020-04-20T23:17:52.txt
Please be aware that after the deprecation of our Suricata 2/3 support
(April 15th 2020), the path for downloading the last pushed production
Suricata 2/3 rulesets have changed. Deprecated rulesets are available at
https://rules.emergingthreatspro.com/OINK/old for ETPro and
https://rules.emergingthreatspro.com/open/old/ for ETOpen. All requests
for the Suricata 2/3 at their previous locations will now lead to the
Suricata 4.0 production rules for ETPro and the rule download instructions
for ETOpen.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2029932 - ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1
(mobile_malware.rules)
2029933 - ET TROJAN SepSys/SepSystem Ransomware Style External IP Address
Check (trojan.rules)
2029934 - ET WEB_CLIENT WSO 2.6 Webshell Accessed on External Compromised
Server (web_client.rules)
2029935 - ET WEB_SERVER WSO 2.6 Webshell Accessed on Internal Compromised
Server (web_server.rules)
2029936 - ET WEB_CLIENT Generic PHP Mailer Accessed on External
Compromised Server (web_client.rules)
2029937 - ET WEB_SERVER Generic PHP Mailer Accessed on Internal
Compromised Server (web_server.rules)
2029938 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised
Server (web_client.rules)
2029939 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised
Server (web_server.rules)
2029940 - ET WEB_CLIENT Generic PHP Mailer Accessed on External
Compromised Server (web_client.rules)
2029941 - ET WEB_SERVER Generic PHP Mailer Accessed on Internal
Compromised Server (web_server.rules)
2029942 - ET WEB_CLIENT Generic PHP Mailer Accessed on External
Compromised Server (web_client.rules)
2029943 - ET WEB_SERVER Generic PHP Mailer Accessed on Internal
Compromised Server (web_server.rules)
2029944 - ET WEB_CLIENT Generic PHP Mailer Accessed on External
Compromised Server (web_client.rules)
2029945 - ET WEB_SERVER Generic PHP Mailer Accessed on Internal
Compromised Server (web_server.rules)
2029946 - ET WEB_CLIENT Generic PHP Mailer Accessed on External
Compromised Server (web_client.rules)
2029947 - ET WEB_SERVER Generic PHP Mailer Accessed on Internal
Compromised Server (web_server.rules)
2029948 - ET WEB_CLIENT Generic PHP Mailer Accessed on External
Compromised Server (web_client.rules)
2029949 - ET WEB_SERVER Generic PHP Mailer Accessed on Internal
Compromised Server (web_server.rules)
2029950 - ET WEB_CLIENT Generic PHP Mailer Accessed on External
Compromised Server (web_client.rules)
2029951 - ET WEB_SERVER Generic PHP Mailer Accessed on Internal
Compromised Server (web_server.rules)
2029952 - ET TROJAN Targeted Activity - CnC Domain in SNI (trojan.rules)
2029953 - ET TROJAN Observed Malicious SSL Cert (AsyncRAT CnC)
(trojan.rules)
2029954 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD
(.parody) (info.rules)
2029955 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD
(.oz) (info.rules)
2029956 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD
(.cyb) (info.rules)
2029957 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD
(.geek) (info.rules)
2029958 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD
(.libre) (info.rules)
2029959 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD
(.dyn) (info.rules)
2029960 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD
(.bbs) (info.rules)
2029961 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD
(.neo) (info.rules)
2029962 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.o)
(info.rules)
2029963 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD
(.null) (info.rules)
2029964 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD
(.pirate) (info.rules)
2029965 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD
(.chan) (info.rules)
2029966 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD
(.oss) (info.rules)
2029967 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD
(.epic) (info.rules)
2029968 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD
(.indy) (info.rules)
2029969 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD
(.gopher) (info.rules)
2029970 - ET INFO Observed DNS Query for EmerDNS TLD (.lib) (info.rules)
2029971 - ET INFO Observed DNS Query for EmerDNS TLD (.coin) (info.rules)
2029972 - ET INFO Observed DNS Query for EmerDNS TLD (.emc) (info.rules)
2029973 - ET INFO Observed DNS Query for EmerDNS TLD (.bazar) (info.rules)
2029974 - ET INFO Observed DNS Query for FurNIC TLD (.fur) (info.rules)
2029975 - ET TROJAN Observed PoetRAT Domain (dellgenius .hoptop .org in
TLS SNI) (trojan.rules)
2029976 - ET EXPLOIT Netlink GPON Remote Code Execution Attempt (Inbound)
(exploit.rules)
2029977 - ET TROJAN Cobalt Strike Malleable C2 (Custom) (trojan.rules)
2029978 - ET TROJAN Cobalt Strike Malleable C2 (Custom) (trojan.rules)
2029979 - ET MOBILE_MALWARE Android PHONEMONITOR RAT CnC (getsettings)
(mobile_malware.rules)
2029980 - ET USER_AGENTS Observed Suspicious UA (PhoneMonitor)
(user_agents.rules)
2029981 - ET MOBILE_MALWARE Suspected PROJECTSPY CnC (video)
(mobile_malware.rules)
Pro:
2842092 - ETPRO MOBILE_MALWARE AndroidOS/Trojan.UUPN-8 Checkin
(mobile_malware.rules)
2842093 - ETPRO MOBILE_MALWARE Trojan-Proxy.AndroidOS.Youzicheng.a
Checkin (mobile_malware.rules)
2842094 - ETPRO MOBILE_MALWARE Android/Tabiah Checkin
(mobile_malware.rules)
2842095 - ETPRO MOBILE_MALWARE Android/Tabiah Checkin 2
(mobile_malware.rules)
2842096 - ETPRO INFO Possibly Malicious Bash Script Inbound (info.rules)
2842097 - ETPRO TROJAN Rancour/WatcherDog Payload CnC Activity
(trojan.rules)
2842098 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc Payload
2020-04-20) (trojan.rules)
2842099 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-18 1) (trojan.rules)
2842100 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-18 2) (trojan.rules)
2842101 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-18 3) (trojan.rules)
2842102 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-18 4) (trojan.rules)
2842103 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-04-20
(current_events.rules)
2842104 - ETPRO CURRENT_EVENTS Successful Santander Phish 2020-04-20
(current_events.rules)
2842105 - ETPRO CURRENT_EVENTS Successful Hulu Phish 2020-04-20
(current_events.rules)
2842106 - ETPRO CURRENT_EVENTS Successful Hulu Phish 2020-04-20
(current_events.rules)
2842107 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-04-20
(current_events.rules)
2842108 - ETPRO TROJAN Win32/ChoiceLoader CnC Checkin (trojan.rules)
2842109 - ETPRO TROJAN ELF/Mirai - Inbound Crontab/Kill Command from CnC
(trojan.rules)
2842110 - ETPRO TROJAN ELF/Gafgyt CnC Response (trojan.rules)
2842111 - ETPRO TROJAN Win32/Remcos RAT Checkin 400 (trojan.rules)
2842112 - ETPRO TROJAN Win32/Remcos RAT Checkin 401 (trojan.rules)
2842113 - ETPRO TROJAN Win32/Remcos RAT Checkin 402 (trojan.rules)
2842114 - ETPRO TROJAN Win32/Remcos RAT Checkin 403 (trojan.rules)
[///] Modified active rules: [///]
2027392 - ET TROJAN Maze/ID Ransomware Activity (trojan.rules)
2029707 - ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain
M1 (info.rules)
[---] Disabled and modified rules: [---]
2013059 - ET POLICY BitCoin (policy.rules)
2014022 - ET SCAN Gootkit Scanner User-Agent Inbound (scan.rules)
2014023 - ET TROJAN Gootkit Scanner User-Agent Outbound (trojan.rules)
[---] Removed rules: [---]
2012451 - ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1
(mobile_malware.rules)