[***] Summary: [***]
12 new Open, 37 new Pro (12 + 25). Win32/Kryptik.HCRF, NSO Group, Win32/Remcos, Ursnif SSL Certs, VARIOUS Phishing.
Many rules in the Suricata 5 ruleset have been updated with Suricata 5 rule syntax/keywords. A complete list of rules that were changed can be found via the changelog here:
https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.etpro.2020-04-24T22:11:40.txt
Please be aware that after the deprecation of our Suricata 2/3 support (April 15th 2020), the path for downloading the last pushed production Suricata 2/3 rulesets has changed. Deprecated rulesets are available at https://rules.emergingthreatspro.com/OINK/old for ETPro and https://rules.emergingthreatspro.com/open/old/ for ETOpen. All requests for the Suricata 2/3 rulesets at their previous locations will now lead to the Suricata 4.0 production rules for ETPro and to the rule download instructions for ETOpen.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030015 - ET WEB_CLIENT Leaf PHPMailer Accessed on External Server (web_client.rules)
2030016 - ET WEB_SERVER Leaf PHPMailer Accessed on Internal Server (web_server.rules)
2030017 - ET WEB_CLIENT Generic Webshell Accessed on Compromised External Server (web_client.rules)
2030018 - ET WEB_SERVER Generic Webshell Accessed on Compromised Internal Server (web_server.rules)
2030019 - ET WEB_CLIENT Generic Webshell Accessed on Compromised External Server (web_client.rules)
2030020 - ET WEB_SERVER Generic Webshell Accessed on Compromised Internal Server (web_server.rules)
2030021 - ET WEB_CLIENT Generic Webshell Accessed on Compromised External Server (web_client.rules)
2030022 - ET WEB_SERVER Generic Webshell Accessed on Compromised Internal Server (web_server.rules)
2030023 - ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (mobile_malware.rules)
2030024 - ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (mobile_malware.rules)
2030025 - ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (mobile_malware.rules)
2030026 - ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (mobile_malware.rules)
Pro:
2842174 - ETPRO TROJAN Possible MuddyWater DNSClient CnC (Outbound) (trojan.rules)
2842175 - ETPRO TROJAN ELF/Gafgyt Variant CnC Checkin (trojan.rules)
2842176 - ETPRO USER_AGENTS Observed Suspicious UA (open support) (user_agents.rules)
2842177 - ETPRO USER_AGENTS Observed Suspicious UA (NSA) (user_agents.rules)
2842178 - ETPRO TROJAN ELF/Unk.Gafygt Variant Malicious Bash Script Inbound (trojan.rules)
2842179 - ETPRO TROJAN Win32/Kryptik.HCRF CnC Checkin (trojan.rules)
2842180 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-24 1) (trojan.rules)
2842181 - ETPRO TROJAN Win32/Agent.ABQS CnC Host Checkin (trojan.rules)
2842182 - ETPRO CURRENT_EVENTS Successful Turkey Gov TR Phish 2020-04-24 (current_events.rules)
2842183 - ETPRO CURRENT_EVENTS Successful DBS Phish 2020-04-24 (current_events.rules)
2842184 - ETPRO CURRENT_EVENTS Successful Banco Estado Phish 2020-04-24 (current_events.rules)
2842185 - ETPRO CURRENT_EVENTS Successful Regions Bank Phish 2020-04-24 (current_events.rules)
2842186 - ETPRO CURRENT_EVENTS Successful Banco Security Phish 2020-04-24 (current_events.rules)
2842187 - ETPRO CURRENT_EVENTS Successful First Federal Bank Phish 2020-04-24 (current_events.rules)
2842188 - ETPRO CURRENT_EVENTS Successful SunTrust Phish 2020-04-24 (current_events.rules)
2842189 - ETPRO CURRENT_EVENTS Successful UBI Banca Phish 2020-04-24 (current_events.rules)
2842190 - ETPRO TROJAN DonotGroup Payload - CnC Checkin (trojan.rules)
2842191 - ETPRO TROJAN DonotGroup CnC Domain in DNS Query (trojan.rules)
2842192 - ETPRO TROJAN Win32/Remcos RAT Checkin 407 (trojan.rules)
2842193 - ETPRO TROJAN Win32/Remcos RAT Checkin 408 (trojan.rules)
2842194 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2842195 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2842196 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2842197 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2842198 - ETPRO TROJAN MUDDYWATER DNS CnC Response (trojan.rules)
[---] Disabled and modified rules: [---]
2017113 - ET TROJAN VBulletin Backdoor C2 Domain (trojan.rules)
2806208 - ETPRO MOBILE_MALWARE Android.Uracto Checkin (mobile_malware.rules)
[---] Disabled rules: [---]
2012087 - ET SHELLCODE Possible Call with No Offset UDP Shellcode (shellcode.rules)