[***] Summary: [***]
8 new Open, 36 new Pro (8 + 28). ASNAROK, APT-C-37/MoonLight, Win32/Remcos, Ursnif SSL Certs, VARIOUS Phishing.
Please be aware that after the deprecation of our Suricata 2/3 support (April 15th 2020), the path for downloading the last pushed production Suricata 2/3 rulesets has changed. Deprecated rulesets are available at https://rules.emergingthreatspro.com/OINK/old for ETPro and https://rules.emergingthreatspro.com/open/old/ for ETOpen. All requests for the Suricata 2/3 rulesets at their previous locations will now lead to the Suricata 4.0 production rules for ETPro and the rule download instructions for ETOpen.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030027 - ET TROJAN Parallax CnC Activity M9 (set) (trojan.rules)
2030028 - ET TROJAN Observed Malicious SSL Cert (Gozi ISFB) (trojan.rules)
2030029 - ET TROJAN Observed Malicious SSL Cert (Gozi ISFB) (trojan.rules)
2030030 - ET TROJAN Observed Malicious SSL Cert (Gozi ISFB) (trojan.rules)
2030031 - ET TROJAN ASNAROK Related Domain in DNS Lookup (trojan.rules)
2030032 - ET TROJAN ASNAROK Related Domain in TLS SNI (trojan.rules)
2030033 - ET TROJAN ASNAROK CnC Domain in DNS Lookup (trojan.rules)
2030034 - ET TROJAN ASNAROK Domain in TLS SNI (trojan.rules)
Pro:
2842199 - ETPRO POLICY Observed EICAR Test File String Inbound (policy.rules)
2842200 - ETPRO TROJAN Win32/Unk.Stealer Exfil via HTTP POST (trojan.rules)
2842201 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-25 1) (trojan.rules)
2842202 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-25 2) (trojan.rules)
2842203 - ETPRO CURRENT_EVENTS Successful EMS Phish 2020-04-27 (current_events.rules)
2842204 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish 2020-04-27 (current_events.rules)
2842205 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-04-27 (current_events.rules)
2842206 - ETPRO CURRENT_EVENTS Successful Sparkasse Bank Phish 2020-04-27 (current_events.rules)
2842207 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-04-27 (current_events.rules)
2842208 - ETPRO CURRENT_EVENTS Successful Bankia Phish 2020-04-27 (current_events.rules)
2842209 - ETPRO CURRENT_EVENTS Successful Alibaba Phish 2020-04-27 (current_events.rules)
2842210 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-04-27 (current_events.rules)
2842211 - ETPRO CURRENT_EVENTS Successful American Express Phish 2020-04-27 (current_events.rules)
2842212 - ETPRO CURRENT_EVENTS Successful Orange Phish 2020-04-27 (current_events.rules)
2842213 - ETPRO CURRENT_EVENTS Successful SMBC Phish 2020-04-27 (current_events.rules)
2842214 - ETPRO CURRENT_EVENTS Successful Sparkasse Bank Phish 2020-04-27 (current_events.rules)
2842215 - ETPRO CURRENT_EVENTS Successful Societe Generale Phish 2020-04-27 (current_events.rules)
2842216 - ETPRO CURRENT_EVENTS Successful Citibank Phish 2020-04-27 (current_events.rules)
2842217 - ETPRO TROJAN Win32/Downloader.Agent.EZV Batch Script Inbound (trojan.rules)
2842218 - ETPRO TROJAN APT-C-37/MoonLight VBS Stage 1 Inbound (trojan.rules)
2842219 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2842220 - ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC) (trojan.rules)
2842221 - ETPRO TROJAN Parallax CnC Response Activity M9 (trojan.rules)
2842225 - ETPRO TROJAN Win32/Remcos RAT Checkin 409 (trojan.rules)
2842226 - ETPRO TROJAN Win32/Remcos RAT Checkin 410 (trojan.rules)
2842227 - ETPRO TROJAN Win32/Remcos RAT Checkin 411 (trojan.rules)
2842228 - ETPRO TROJAN Win32/Remcos RAT Checkin 412 (trojan.rules)
2842229 - ETPRO TROJAN Win32/Remcos RAT Checkin 413 (trojan.rules)
[///] Modified active rules: [///]
2002677 - ET SCAN Nikto Web App Scan in Progress (scan.rules)
2002801 - ET POLICY Google Desktop User-Agent Detected (policy.rules)
2002823 - ET POLICY Possible Web Crawl using Wget (policy.rules)
2008350 - ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile (policy.rules)
2008416 - ET SCAN Httprint Web Server Fingerprint Scan (scan.rules)
2010071 - ET TROJAN Hiloti/Mufanom Downloader Checkin (trojan.rules)
2010241 - ET TROJAN WindowsEnterpriseSuite FakeAV check-in GET (trojan.rules)
2011464 - ET WEB_SERVER /bin/csh In URI Possible Shell Command Execution Attempt (web_server.rules)
2011466 - ET WEB_SERVER /bin/tsh In URI Possible Shell Command Execution Attempt (web_server.rules)
2011467 - ET WEB_SERVER /bin/ksh In URI Possible Shell Command Execution Attempt (web_server.rules)
2011827 - ET TROJAN Xilcter/Zeus related malware dropper reporting in (trojan.rules)
2011852 - ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
2011857 - ET TROJAN SpyEye C&C Check-in URI (trojan.rules)
2012619 - ET USER_AGENTS Suspicious User-Agent Mozilla/3.0 (user_agents.rules)
2012620 - ET TROJAN Win32.FakeAV.chhq Checkin (trojan.rules)
2012761 - ET USER_AGENTS Suspicious user agent (mdms) (user_agents.rules)
2012805 - ET WEB_SPECIFIC_APPS Automne upload-controler.php Arbitrary File Upload Vulnerability (web_specific_apps.rules)
2013533 - ET TROJAN Backdoor.Win32.Fynloski.A Command Response (trojan.rules)
2013534 - ET TROJAN VirTool.Win32/VBInject.gen!DM Checkin (trojan.rules)
2013556 - ET MALWARE UBar Trojan/Adware Checkin 1 (malware.rules)
2014297 - ET POLICY Vulnerable Java Version 1.7.x Detected (policy.rules)
2014651 - ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow 2 (activex.rules)
2014652 - ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access (activex.rules)
2014653 - ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access 2 (activex.rules)
2014654 - ET WEB_SPECIFIC_APPS Joomla com_videogallery controller parameter Local File Inclusion Attempt (web_specific_apps.rules)
2014726 - ET POLICY Outdated Flash Version M1 (policy.rules)
2015040 - ET WEB_SPECIFIC_APPS Joomla com_rssreader controller parameter Local File Inclusion Attempt (web_specific_apps.rules)
2015041 - ET WEB_SPECIFIC_APPS WordPress Custom Contact Forms options-general.php Cross-Site Scripting Attempt (web_specific_apps.rules)
2015045 - ET INFO Potential Common Malicious JavaScript Loop (info.rules)
2015723 - ET TROJAN ZeroAccess Checkin (trojan.rules)
2015786 - ET TROJAN Ransom.Win32.Birele.gsg Checkin (trojan.rules)
2016742 - ET TROJAN Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment (trojan.rules)
2016803 - ET TROJAN Known Sinkhole Response Header (trojan.rules)
2016806 - ET INFO Tor2Web .onion Proxy Service SSL Cert (1) (info.rules)
2016810 - ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (2) (current_events.rules)
2016902 - ET TROJAN Trojan.BlackRev Download Executable (trojan.rules)
2016922 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (trojan.rules)
2016988 - ET TROJAN KeyBoy Backdoor File Manager Response Header (trojan.rules)
2016989 - ET TROJAN KeyBoy Backdoor File Download Response Header (trojan.rules)
2016990 - ET TROJAN KeyBoy Backdoor File Upload Response Header (trojan.rules)
2016991 - ET TROJAN Alina Server Response Code (trojan.rules)
2016992 - ET WEB_SERVER WebShell Generic - *.tar.gz in POST body (web_server.rules)
2017006 - ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access (exploit.rules)
2017007 - ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access (exploit.rules)
2017008 - ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit Specific (exploit.rules)
2017166 - ET CURRENT_EVENTS Sibhost Zip as Applet Archive July 08 2013 (current_events.rules)
2017308 - ET TROJAN W32/DirCrypt.Ransomware CnC Checkin (trojan.rules)
2017399 - ET WEB_SERVER WebShell Generic eval of base64_decode (web_server.rules)
2017400 - ET WEB_SERVER WebShell Generic eval of gzinflate (web_server.rules)
2017401 - ET WEB_SERVER WebShell Generic eval of str_rot13 (web_server.rules)
2017402 - ET WEB_SERVER WebShell Generic eval of gzuncompress (web_server.rules)
2017403 - ET WEB_SERVER WebShell Generic eval of convert_uudecode (web_server.rules)
2017404 - ET WORM W32/Njw0rm CnC Beacon (worm.rules)
2017464 - ET TROJAN W32/Hesperus.Banker Tr-mail Variant Sending Data To CnC (trojan.rules)
2017466 - ET MOBILE_MALWARE Android/FakeAhnAV.A CnC Beacon (mobile_malware.rules)
2017489 - ET TROJAN W32/Zzinfor.A Retrieving Instructions From CnC Server (trojan.rules)
2017490 - ET TROJAN W32/Downloader.Mevade.FBV CnC Beacon (trojan.rules)
2017504 - ET INFO DRIVEBY Generic - *.com.exe HTTP Attachment (info.rules)
2017511 - ET TROJAN APT.Agtid callback (trojan.rules)
2017512 - ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Statistic.js (current_events.rules)
2017517 - ET TROJAN Worm.VBS.ayr Checkin 2 (trojan.rules)
2017558 - ET TROJAN Mevade Checkin (trojan.rules)
2017560 - ET WEB_SPECIFIC_APPS Possible WHMCS SQLi AES_ENCRYPT at start of value (web_specific_apps.rules)
2017583 - ET TROJAN CryptoLocker EXE Download (trojan.rules)
2017586 - ET TROJAN Possible W32/KanKan Update officeaddinupdate.xml Request (trojan.rules)
2017615 - ET SCAN NETWORK Outgoing Masscan detected (scan.rules)
2017616 - ET SCAN NETWORK Incoming Masscan detected (scan.rules)
2017620 - ET TROJAN Kuluoz Activity (trojan.rules)
2017622 - ET WEB_SPECIFIC_APPS WHMCS lt 5.2.8 SQL Injection (web_specific_apps.rules)
2017637 - ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits (info.rules)
2017641 - ET WEB_SERVER Possible Encrypted Webshell in POST (web_server.rules)
2017643 - ET TROJAN Linux/Ssemgrvd sshd Backdoor HTTP CNC 2 (trojan.rules)
2017646 - ET TROJAN Possible TRAT proxy component user agent detected (trojan.rules)
2017655 - ET TROJAN W32/Badur.Spy User Agent lawl (trojan.rules)
2017684 - ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi Name Parameter Buffer Overflow Attempt CVE-2013-3621 (web_server.rules)
2017685 - ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi PWD Parameter Buffer Overflow Attempt CVE-2013-3621 (web_server.rules)
2017686 - ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi sess_sid Parameter Buffer Overflow Attempt CVE-2013-3623 (web_server.rules)
2017687 - ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi ACT Parameter Buffer Overflow Attempt CVE-2013-3623 (web_server.rules)
2017688 - ET WEB_SERVER Possible SUPERMICRO IPMI url_redirect.cgi Directory Traversal Attempt (web_server.rules)
2017689 - ET TROJAN Possible Schneebly Posting ScreenShot (trojan.rules)
2017690 - ET TROJAN W32/Citadel.Arx Variant CnC Beacon 1 (trojan.rules)
2017691 - ET TROJAN W32/Citadel.Arx Varient CnC Beacon 2 (trojan.rules)
2017694 - ET CURRENT_EVENTS Possible Magnitude IE EK Payload Nov 8 2013 (current_events.rules)
2017697 - ET TROJAN FaceBook IM & Web Driven Facebook Trojan Posting Data (trojan.rules)
2017702 - ET TROJAN Possible Trojan.APT.9002 POST (trojan.rules)
2017710 - ET TROJAN Bamital checkin (trojan.rules)
2017721 - ET TROJAN Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Outbound (trojan.rules)
2017722 - ET DOS Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Inbound (dos.rules)
2017725 - ET TROJAN Sisproc update (trojan.rules)
2017730 - ET EXPLOIT JavaX Toolkit Posting Plugin-Detect Data (exploit.rules)
2017746 - ET TROJAN Trojan-Downloader Win32.Genome.AV (trojan.rules)
2017798 - ET EXPLOIT Zollard PHP Exploit UA (exploit.rules)
2017802 - ET WEB_SPECIFIC_APPS SAP Possible CTC Auth/HTTP Verb Bypass Attempt (web_specific_apps.rules)
2017803 - ET WEB_SERVER Possible WebLogic Admin Login With Default Creds (web_server.rules)
2017804 - ET WEB_SERVER Possible WebLogic Admin Login With Default Creds (web_server.rules)
2017805 - ET WEB_SERVER Possible WebLogic Monitor Login With Default Creds (web_server.rules)
2017806 - ET WEB_SERVER Possible WebLogic Operator Login With Default Creds (web_server.rules)
2017807 - ET WEB_SERVER Possible MySQL SQLi User-Dump Attempt (web_server.rules)
2017808 - ET WEB_SERVER Possible MySQL SQLi Attempt Information Schema Access (web_server.rules)
2017814 - ET CURRENT_EVENTS Safe/CritX/FlashPack URI Struct .php?id=Hex (current_events.rules)
2017818 - ET TROJAN Common Zbot EXE filename Dec 09 2013 (trojan.rules)
2017838 - ET TROJAN HTTP Connection To Known Sinkhole Domain sinkdns.org (trojan.rules)
2017839 - ET TROJAN Vawtrak/NeverQuest Checkin (trojan.rules)
2017853 - ET WEB_SPECIFIC_APPS Wordpress OptimizePress Arbitratry File Upload (web_specific_apps.rules)
2017855 - ET TROJAN W32/Ke3chang.MovieStar.APT Campaign CnC Beacon (trojan.rules)
2017856 - ET TROJAN W32/Ke3chang.Snake.APT Campaign CnC Beacon (trojan.rules)
2017857 - ET TROJAN W32/Ke3chang.MyWeb.APT Campaign CnC Beacon (trojan.rules)
2017859 - ET TROJAN W32/Ke3chang.Dream.APT Campaign CnC Beacon 2 (trojan.rules)
2017860 - ET TROJAN W32/Ke3chang.MyWeb.APT Eourdegh Campaign CnC Beacon (trojan.rules)
2017867 - ET TROJAN W32/Liftoh.Downloader Feed404 CnC Beacon (trojan.rules)
2017868 - ET TROJAN W32/Liftoh.Downloader Images CnC Beacon (trojan.rules)
2017870 - ET TROJAN W32/Liftoh.Downloader Get Final Payload Request (trojan.rules)
2017896 - ET EXPLOIT Metasploit Plugin-Detect Posting Data 1 (exploit.rules)
2017897 - ET EXPLOIT Metasploit Plugin-Detect Posting Data 2 (exploit.rules)
2017898 - ET EXPLOIT Metasploit Plugin-Detect Posting Data 3 (exploit.rules)
2017917 - ET TROJAN W32/Ferret DDOS Bot CnC Beacon 2 (trojan.rules)
2017949 - ET USER_AGENTS FOCA User-Agent (user_agents.rules)
2017952 - ET WEB_SERVER ATTACKER WebShell - PHP Offender - POST Command (web_server.rules)
2017959 - ET TROJAN W32/Mevade.Variant CnC POST (trojan.rules)
2017960 - ET POLICY Bitcoin Mining Server Stratum Protocol HTTP Header (policy.rules)
2017964 - ET TROJAN Kishop.A checkin (trojan.rules)
2017970 - ET TROJAN PWS.Win32/Daceluw.A Checkin (trojan.rules)
2018000 - ET MOBILE_MALWARE Android/HeHe.Spy RegisterRequest CnC Beacon (mobile_malware.rules)
2018001 - ET MOBILE_MALWARE Android/HeHe.Spy LoginRequest CnC Beacon (mobile_malware.rules)
2018002 - ET MOBILE_MALWARE Android/HeHe.Spy ReportRequest CnC Beacon (mobile_malware.rules)
2018003 - ET MOBILE_MALWARE Android/HeHe.Spy GetTaskRequest CnC Beacon (mobile_malware.rules)
2018004 - ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon (mobile_malware.rules)
2018012 - ET P2P Vagaa peer-to-peer (Transfer) (p2p.rules)
2018030 - ET TROJAN Limitless Logger RAT HTTP Activity (trojan.rules)
2018038 - ET TROJAN SolarBot Plugin Download MessageBox (trojan.rules)
2018039 - ET TROJAN SolarBot Plugin Download ComputerInfo (trojan.rules)
2018040 - ET TROJAN SolarBot Plugin Download WalletSteal (trojan.rules)
2018047 - ET TROJAN W32/Neverquest.InfoStealer Configuration Request CnC Beacon (trojan.rules)
2018071 - ET MOBILE_MALWARE Android/DwnlAPK-A Configuration File Request (mobile_malware.rules)
2018079 - ET TROJAN W32.Blackshades/Shadesrat Backdoor CnC Beacon (trojan.rules)
2018092 - ET WEB_SERVER Possible Oracle Reports Forms RCE CVE-2012-3152 (web_server.rules)
2018094 - ET TROJAN DirtJumper Activity (trojan.rules)
2018097 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (trojan.rules)
2018100 - ET TROJAN W32/Rshot.Backdoor File Upload CnC Beacon (trojan.rules)
2018102 - ET TROJAN W32/Woai.Dropper Config Request (trojan.rules)
2018105 - ET TROJAN Possible Mask C2 Traffic (trojan.rules)
2018106 - ET INFO Suspicious Jar name JavaUpdate.jar (info.rules)
2018108 - ET TROJAN Infostealer.Jackpos Checkin (trojan.rules)
2018112 - ET TROJAN Trojan/Win32.FraudPack User-Agent (Downloader MLR 1.0.0) (trojan.rules)
2018118 - ET WEB_SERVER Recon-ng User-Agent (web_server.rules)
2018120 - ET TROJAN Blackbeard Check-in (trojan.rules)
2018122 - ET TROJAN Linkup Ransomware check-in (trojan.rules)
2018137 - ET TROJAN Android/FakeKakao checkin (trojan.rules)
2018138 - ET MOBILE_MALWARE Android/FakeKakao checkin 1 (mobile_malware.rules)
2018139 - ET MOBILE_MALWARE Android/FakeKakao checkin 2 (mobile_malware.rules)
2018140 - ET MOBILE_MALWARE Android/FakeKakao checkin 3 (mobile_malware.rules)
2018142 - ET TROJAN MSIL.Zapchast Checkin (trojan.rules)
2018150 - ET TROJAN W32/Dadobra.Downloader/DNSChanger Dnsmake CnC Beacon (trojan.rules)
2019401 - ET POLICY Vulnerable Java Version 1.8.x Detected (policy.rules)
2020683 - ET TROJAN Gamarue/Andromeda Downloading Payload (trojan.rules)
2020872 - ET EXPLOIT TP-LINK Known Malicious Router DNS Change GET Request (exploit.rules)
2020873 - ET EXPLOIT D-link DI604 Known Malicious Router DNS Change GET Request (exploit.rules)
2020874 - ET EXPLOIT Netgear DGN1000B Router DNS Change GET Request (exploit.rules)
2020875 - ET EXPLOIT Belkin G F5D7230-4 Router DNS Change GET Request (exploit.rules)
2020876 - ET EXPLOIT Tenda ADSL2/2+ Router DNS Change GET Request (exploit.rules)
2020877 - ET EXPLOIT Known Malicious Router DNS Change GET Request (exploit.rules)
2020878 - ET EXPLOIT TP-LINK TL-WR841N Router DNS Change GET Request (exploit.rules)
2020879 - ET EXPLOIT Linksys WRT54GL DNS Change GET Request (exploit.rules)
2020880 - ET EXPLOIT TP-LINK TL-WR750N DNS Change GET Request (exploit.rules)
2020881 - ET MALWARE PUP Win32/AdWare.Sendori User-Agent (malware.rules)
2022895 - ET CURRENT_EVENTS Xbagger Macro Encrypted DL Jun 13 2016 (current_events.rules)
2024379 - ET POLICY Outdated Flash Version M2 (policy.rules)
2024579 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jun 08 2017 (current_events.rules)
2027367 - ET DNS Query for Suspicious shell .now .sh Domain (dns.rules)
2027621 - ET INFO SSL/TLS Certificate Observed (Lucy Phishing Awareness Default Certificate) (info.rules)
2027683 - ET TROJAN MuddyWater Payload Registering with CnC (trojan.rules)
2027684 - ET TROJAN MuddyWater Payload Requesting Command from CnC (trojan.rules)
2027685 - ET TROJAN MuddyWater Payload CnC Checkin (trojan.rules)
2028867 - ET POLICY Vulnerable Java Version 11.0.x Detected (policy.rules)
2800816 - ETPRO TROJAN Backdoor.Win32.Remosh.A Checkin (trojan.rules)
2802020 - ETPRO WEB_CLIENT Excel File Containing Integer Overrun Vulnerability BIFF v6 Record ToolBarDef (web_client.rules)
2802021 - ETPRO WEB_CLIENT Excel File Containing Integer Overrun Vulnerability BIFF v5 Record ToolBarDef (web_client.rules)
2802191 - ETPRO USER_AGENTS Suspicious User-Agent SameAgent (user_agents.rules)
2802192 - ETPRO USER_AGENTS Suspicious User-Agent UserLM (user_agents.rules)
2802193 - ETPRO TROJAN Win32.Adload.BZ Checkin (trojan.rules)
2803829 - ETPRO POLICY Bitcoin Cash Guild Bot Work Request (policy.rules)
2804347 - ETPRO INFO DYNAMIC_DNS HTTP Request to a *.dynamicDNS.biz Domain (info.rules)
2804466 - ETPRO POLICY Direct Support for Applications Remote control session (policy.rules)
2804471 - ETPRO TROJAN Win32/TrojanDownloader.Banload.QNW Checkin (trojan.rules)
2804926 - ETPRO TROJAN Win32/Autorun.GN Checkin (trojan.rules)
2805555 - ETPRO POLICY OpenInstall Adware User-Agent (policy.rules)
2806250 - ETPRO MOBILE_MALWARE Android/Phonerecon.A Checkin (mobile_malware.rules)
2806275 - ETPRO EXPLOIT DLink DIR-645 / DIR-815 diagnostic.php Command Execution (exploit.rules)
2806321 - ETPRO TROJAN Win32.Bicololo Checkin 2 (trojan.rules)
2806482 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (web_client.rules)
2806483 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (web_client.rules)
2806484 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (web_client.rules)
2806485 - ETPRO WEB_CLIENT Internet Explorer Double Free CVE-2013-3118 (web_client.rules)
2806486 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (web_client.rules)
2806488 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (web_client.rules)
2806489 - ETPRO WEB_CLIENT Internet Explorer onscroll CVE-2013-3123 (web_client.rules)
2806492 - ETPRO TROJAN Win32/TrojanDownloader.Banload.RVP Checkin 1 (trojan.rules)
2806493 - ETPRO TROJAN Win32/TrojanDownloader.Banload.RVP Checkin 2 (trojan.rules)
2806546 - ETPRO TROJAN W32/Zbot.AOV!tr Checkin (trojan.rules)
2806612 - ETPRO TROJAN Trojan.Win32.Pincav.cngr Checkin (trojan.rules)
2806676 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Antammi.a Checkin 2 (mobile_malware.rules)
2806677 - ETPRO MOBILE_MALWARE Android/Helos.A Checkin 2 (mobile_malware.rules)
2806678 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.a Checkin 6 (mobile_malware.rules)
2806680 - ETPRO MOBILE_MALWARE Android-PUP/Wooboo Checkin (mobile_malware.rules)
2806681 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iconosys.a Checkin 3 (mobile_malware.rules)
2806682 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Sberik.a Checkin (mobile_malware.rules)
2806683 - ETPRO TROJAN Email-Worm.Win32.Wangy Checkin (trojan.rules)
2806684 - ETPRO TROJAN Rogue.Win32/Winwebsec Install 6 (trojan.rules)
2806685 - ETPRO TROJAN Netdevil.1_5 reporting via ICQ WWW script (trojan.rules)
2806926 - ETPRO TROJAN Muldrop Receiving Data (trojan.rules)
2807032 - ETPRO TROJAN Win32.Mudrop.rsj (trojan.rules)
2807036 - ETPRO TROJAN Win32.Clicker.AFKJ (trojan.rules)
2807051 - ETPRO TROJAN DoS DirtJumper bot DDOS attack (trojan.rules)
2807053 - ETPRO TROJAN Win32/Spy.Banker.ZWK Checkin (trojan.rules)
2807076 - ETPRO TROJAN Generic.Banker.Delf.0DD62421 Checkin (trojan.rules)
2807077 - ETPRO TROJAN Win32.Zbot.f Checkin (trojan.rules)
2807084 - ETPRO CURRENT_EVENTS Latest Internet Explorer 0day used against Taiwan targets exe download (current_events.rules)
2807091 - ETPRO TROJAN Trojan.Win32.Swisyn.ujq Checkin (trojan.rules)
2807107 - ETPRO WEB_SERVER Microsoft SharePoint XSS attempt CVE-2013-3895 (web_server.rules)
2807131 - ETPRO TROJAN Trojan.Win32.Bublik.aexq/Khan executing DDoS (OUTBOUND) (trojan.rules)
2807132 - ETPRO TROJAN Trojan.Win32.Bublik.aexq/Khan executing DDoS (INBOUND) (trojan.rules)
2807142 - ETPRO TROJAN Variant.Kazy.236558 Checkin (trojan.rules)
2807144 - ETPRO POLICY PUP DomainIQ (policy.rules)
2807154 - ETPRO TROJAN Win32/Gapz CnC (trojan.rules)
2807168 - ETPRO TROJAN Win32/SystemHijack.gen Checkin 3 (trojan.rules)
2807169 - ETPRO TROJAN Win32/SystemHijack.gen Checkin 2 (trojan.rules)
2807176 - ETPRO TROJAN Variant.Kazy.253692 Checkin (trojan.rules)
2807187 - ETPRO TROJAN User-Agent (explwer) (trojan.rules)
2807190 - ETPRO TROJAN Trojan-Spy.Win32.Zbot.pnhr Checkin (trojan.rules)
2807214 - ETPRO TROJAN Orbit downloader checkin 1 (trojan.rules)
2807222 - ETPRO TROJAN Trojan-Downloader.Win32.Agent.duzx Checkin (trojan.rules)
2807225 - ETPRO TROJAN Trojan.Win32.Generic!SB.0 Checkin 2 (trojan.rules)
2807246 - ETPRO TROJAN Variant.Zusy.71154 Checkin 2 (trojan.rules)
2807264 - ETPRO TROJAN Trojan-Ransom.Win32.Blocker.cjfp Checkin (trojan.rules)
2807270 - ETPRO TROJAN Spider-network related CnC Checkin (trojan.rules)
2807283 - ETPRO TROJAN PSW.Win32.Plagiator.a Checkin (trojan.rules)
2807288 - ETPRO TROJAN Win32/Spy.Banker.AAIW Checkin (trojan.rules)
2807290 - ETPRO TROJAN Win32/Swrort.A Checkin (trojan.rules)
2807295 - ETPRO TROJAN Trojan-PSW.Win32.Tepfer.sqyx POST (trojan.rules)
2807296 - ETPRO TROJAN Viknok (trojan.rules)
2807297 - ETPRO TROJAN Viknok response (trojan.rules)
2807312 - ETPRO TROJAN Trojan-Ransom.Win32.Blocker.cjon Checkin (trojan.rules)
2807327 - ETPRO TROJAN Dexter Variant (trojan.rules)
2807330 - ETPRO TROJAN Trojan.MSIL.PGen (trojan.rules)
2807344 - ETPRO TROJAN Win32/Uosproy.A Checkin 2 (trojan.rules)
2807345 - ETPRO TROJAN Win32/Uosproy.A Checkin 3 (trojan.rules)
2807347 - ETPRO TROJAN W32/Injector_Autoit.BE!tr Checkin (trojan.rules)
2807348 - ETPRO TROJAN Trojan.Vobfus variant XP checkin (trojan.rules)
2807350 - ETPRO USER_AGENTS Suspicious User Agent D3DL0 G00D N1C3 (user_agents.rules)
2807361 - ETPRO EXPLOIT Cisco DCNM Arbitrary File Upload (exploit.rules)
2807367 - ETPRO TROJAN TROJ_PIDIEF.SMKX PDF Checkin (trojan.rules)
2807368 - ETPRO TROJAN Win32/Bedobot.B Checkin (trojan.rules)
2807382 - ETPRO TROJAN Trojan/Win32.Zbot Variant 1 (trojan.rules)
2807387 - ETPRO TROJAN Worm/Qvod.ey Checkin (trojan.rules)
2807388 - ETPRO TROJAN Downloader.Win32.Genome.fcph (trojan.rules)
2807408 - ETPRO TROJAN NSIS.StartPage.do Checkin (trojan.rules)
2807409 - ETPRO TROJAN W32/Loosky.gen at MM Checkin (trojan.rules)
2807426 - ETPRO TROJAN Trojan.Win32.Badur.gboh Download (trojan.rules)
2807435 - ETPRO EXPLOIT Synology DSM SLICEUPLOAD RCE (exploit.rules)
2807438 - ETPRO TROJAN Win.Trojan.Magania-4120 Checkin (trojan.rules)
2807439 - ETPRO TROJAN Suspicious User-Agent (Opera/8.xx) Likely Win32/Ranbyus (trojan.rules)
2807442 - ETPRO TROJAN Win32/Tiop.A Checkin (trojan.rules)
2807444 - ETPRO TROJAN Backdoor.Peeper.15.C Checkin (trojan.rules)
2807449 - ETPRO TROJAN Trojan-Dropper.Win32.Kromeser.a Checkin 2 (trojan.rules)
2807458 - ETPRO TROJAN Trojan/Downloader.Agent.gxth Checkin (trojan.rules)
2807467 - ETPRO TROJAN TrojanDownloader.Win32/Unruy.C checkin - SET 2 (trojan.rules)
2807469 - ETPRO TROJAN Win32.Hupigon.AIPM checkin (trojan.rules)
2807471 - ETPRO TROJAN Worm.Win32.Luder.bebt Download (trojan.rules)
2807473 - ETPRO TROJAN Trojan.Win32.Remko.m Checkin (trojan.rules)
2807482 - ETPRO TROJAN Win32/Startpage.JT Checkin (trojan.rules)
2807485 - ETPRO TROJAN Win32/Bervod.A 2 (trojan.rules)
2807489 - ETPRO TROJAN Win32/Layrui.A Checkin (trojan.rules)
2807495 - ETPRO TROJAN Trojan.Win32.Autoit.zk Checkin (trojan.rules)
2807514 - ETPRO TROJAN win32.Kaliox.A (trojan.rules)
2807516 - ETPRO TROJAN Ponmocup (newinstall.ru) (trojan.rules)
2807521 - ETPRO TROJAN Win32/Qhost.Banker.MU Checkin (trojan.rules)
2807523 - ETPRO TROJAN Win32.Genome.srs Downloader (trojan.rules)
2807527 - ETPRO TROJAN Trojan-Downloader.Win32.Dapato.qio Download (trojan.rules)
2807529 - ETPRO TROJAN Banker.Win32.Banbra.axea Checkin (trojan.rules)
2807535 - ETPRO TROJAN Win32/Zawat.A User-Agent (trojan.rules)
2807543 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Pincer.a Checkin (mobile_malware.rules)
2807544 - ETPRO MOBILE_MALWARE Android.Fakebank.B Checkin (mobile_malware.rules)
2807563 - ETPRO TROJAN Win32/Hanove.E (trojan.rules)
2807566 - ETPRO TROJAN Win32.Filezilla.Stealer Checkin (trojan.rules)
2807577 - ETPRO TROJAN BackDoor.DOQ.gen.y Checkin 3 (trojan.rules)
2807594 - ETPRO EXPLOIT D-Link DIR-100 admin password disclosure attempt (exploit.rules)
2807596 - ETPRO EXPLOIT D-Link DIR-100 information disclosure attempt (exploit.rules)
2807617 - ETPRO TROJAN Trojan.Win32.VBKrypt.ulrm Checkin (trojan.rules)
2807619 - ETPRO TROJAN Trojan.Win32.Fsysna.jnb Checkin (trojan.rules)
2807620 - ETPRO TROJAN Win32/Meredrop (trojan.rules)
2807630 - ETPRO TROJAN TrojanDropper.Agent.cgsc Checkin (trojan.rules)
2807637 - ETPRO TROJAN Win32.Androm.atfw Checkin (trojan.rules)
2807639 - ETPRO TROJAN TrojanClicker.Win32.Hatigh.C (trojan.rules)
2807667 - ETPRO TROJAN Virus.Win32.Virut.ce Checkin 6 (trojan.rules)
2807672 - ETPRO TROJAN Alman Dropper Checkin 2 (trojan.rules)
2807675 - ETPRO MOBILE_MALWARE Android/MobileTX.A (mobile_malware.rules)
2807676 - ETPRO TROJAN Win32.MSIL/Injector (trojan.rules)
2807677 - ETPRO TROJAN Win32/Miuref.A Checkin (trojan.rules)
2807688 - ETPRO TROJAN Win32/Stitur.A Checkin (trojan.rules)
2807694 - ETPRO TROJAN Win32/Delf.gen!A Checkin (trojan.rules)
2808649 - ETPRO TROJAN Backdoor.Win32.Stantinko.A Checkin 3 (trojan.rules)
2816506 - ETPRO TROJAN Possible Cerber Ransomware IP Check (trojan.rules)
2823311 - ETPRO CURRENT_EVENTS Successful Linkedin Phish Nov 16 2016 (current_events.rules)
2827188 - ETPRO POLICY External IP Address Lookup (utrace .de) (policy.rules)
2827189 - ETPRO TROJAN MSIL/TeslaWare Ransomware Requesting Image (trojan.rules)
2827566 - ETPRO CURRENT_EVENTS Successful Yapikredi Bank (TR) Phish M1 Aug 17 2017 (current_events.rules)
2832047 - ETPRO TROJAN Observed Malicious SSL Cert (Hawkeye Keylogger CnC) (trojan.rules)
2835485 - ETPRO TROJAN Observed Malicious SSL Cert (BrushaLoader CnC) (trojan.rules)
2837249 - ETPRO TROJAN Win32/Remcos RAT Checkin 110 (trojan.rules)
2838553 - ETPRO TROJAN Gh0stCringe CnC Activity M5 (trojan.rules)
2839680 - ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC) (trojan.rules)
2840223 - ETPRO TROJAN Win32/IcedID CnC Activity (trojan.rules)
2841054 - ETPRO TROJAN Win32/IcedID CnC Activity (trojan.rules)
2841480 - ETPRO TROJAN Win32/Valak PluginHost Request (trojan.rules)
2841552 - ETPRO TROJAN MSIL/Poulight Stealer - Data Exfil (trojan.rules)
2841553 - ETPRO TROJAN MSIL/Poulight Stealer CnC Activity (trojan.rules)
2841554 - ETPRO TROJAN MSIL/Poulight Stealer Domain in DNS Lookup (trojan.rules)
2841589 - ETPRO TROJAN Win32/IcedID Requesting Encoded Binary M3 (trojan.rules)
2841821 - ETPRO TROJAN Win32/PSW.Agent.OIN CnC Activity (trojan.rules)
2841977 - ETPRO TROJAN Lemon_Duck Powershell Requesting Payload M1 (trojan.rules)
2842061 - ETPRO TROJAN MalDoc Retrieving Lemon_Duck Payload 2020-04-16 (trojan.rules)