[***] Summary: [***]
19 new Open, 45 new Pro (19 + 26). METALJACK, iOS MobileMail Exploit, PoetRAT, Zebrocy, Various Phishing.
Thanks @james_inthe_box
Many rules in the Suricata 5 ruleset have been updated with Suricata 5 rule syntax/keywords. A complete list of rules that were changed can be found via the changelog here:
https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.etpro.2020-04-23T22:22:47.txt
Please be aware that after the deprecation of our Suricata 2/3 support (April 15th 2020), the path for downloading the last pushed production Suricata 2/3 rulesets has changed. Deprecated rulesets are available at https://rules.emergingthreatspro.com/OINK/old for ETPro and https://rules.emergingthreatspro.com/open/old/ for ETOpen. All requests for the Suricata 2/3 rulesets at their previous locations will now lead to the Suricata 4.0 production rules for ETPro and the rule download instructions for ETOpen.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2029996 - ET TROJAN NanoCore RAT CnC 27 (trojan.rules)
2029997 - ET TROJAN METALJACK APT32 CnC Host Checkin (trojan.rules)
2029998 - ET TROJAN METALJACK APT32 DNS Lookup (m.topiccore.com) (trojan.rules)
2029999 - ET TROJAN METALJACK APT32 DNS Lookup (jcdn.jsoid.com) (trojan.rules)
2030000 - ET TROJAN METALJACK APT32 DNS Lookup (libjs.inquirerjs.com) (trojan.rules)
2030001 - ET TROJAN METALJACK APT32 DNS Lookup (vitlescaux.com) (trojan.rules)
2030002 - ET TROJAN SSL/TLS Certificate Observed (APT32 METALJACK) (trojan.rules)
2030003 - ET TROJAN SSL/TLS Certificate Observed (APT32 METALJACK) (trojan.rules)
2030004 - ET TROJAN SSL/TLS Certificate Observed (APT32 METALJACK) (trojan.rules)
2030005 - ET TROJAN SSL/TLS Certificate Observed (APT32 METALJACK) (trojan.rules)
2030006 - ET CURRENT_EVENTS Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound) (current_events.rules)
2030007 - ET CURRENT_EVENTS Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound) (current_events.rules)
2030008 - ET CURRENT_EVENTS Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound) (current_events.rules)
2030009 - ET CURRENT_EVENTS Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound) (current_events.rules)
2030010 - ET CURRENT_EVENTS Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound) (current_events.rules)
2030011 - ET CURRENT_EVENTS Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound) (current_events.rules)
2030012 - ET CURRENT_EVENTS Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound) (current_events.rules)
2030013 - ET CURRENT_EVENTS Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound) (current_events.rules)
2030014 - ET TROJAN Observed DNS Query to Malvertising Related Domain (trojan.rules)
Pro:
2842148 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike) (trojan.rules)
2842149 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike) (trojan.rules)
2842150 - ETPRO TROJAN Observed Win32/Emelent.B!cl User-Agent (trojan.rules)
2842151 - ETPRO TROJAN Observed DNS Query to MUDDYWATER CnC Domain (trojan.rules)
2842152 - ETPRO TROJAN Win32/Kryptik.GGXP.UNKRAT CnC Checkin (trojan.rules)
2842153 - ETPRO TROJAN Observed DNS Query to MUDDYWATER CnC Domain (trojan.rules)
2842154 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-23 1) (trojan.rules)
2842155 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-23 2) (trojan.rules)
2842156 - ETPRO TROJAN Zebrocy Screenshot Upload (trojan.rules)
2842157 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-04-23 (current_events.rules)
2842158 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-04-23 (current_events.rules)
2842159 - ETPRO CURRENT_EVENTS Successful Dropbox Phish 2020-04-23 (current_events.rules)
2842160 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-04-23 (current_events.rules)
2842161 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2020-04-23 (current_events.rules)
2842162 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2020-04-23 (current_events.rules)
2842163 - ETPRO CURRENT_EVENTS Successful Bancolumbia Phish 2020-04-23 (current_events.rules)
2842164 - ETPRO CURRENT_EVENTS Successful Bancolumbia Phish 2020-04-23 (current_events.rules)
2842165 - ETPRO CURRENT_EVENTS Successful ABSA Phish 2020-04-23 (current_events.rules)
2842166 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-04-23 (current_events.rules)
2842167 - ETPRO CURRENT_EVENTS Successful Lloyds Bank Phish 2020-04-23 (current_events.rules)
2842168 - ETPRO TROJAN Win32/Agent.RZA CnC Host Checkin (trojan.rules)
2842169 - ETPRO TROJAN Possible PoetRAT FTP Connection (trojan.rules)
2842170 - ETPRO TROJAN PoetRAT Screenshot Upload (trojan.rules)
2842171 - ETPRO TROJAN Win32/Spy.Socelars.AD Variant CnC Activity (trojan.rules)
2842172 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2842173 - ETPRO TROJAN Observed Malicious SSL Cert (AZORult CnC) (trojan.rules)