Daily Ruleset Update Summary
Daily Ruleset Update Summary 2020/04/28

[***]            Summary:            [***]

10 new Open, 36 new Pro (10 + 26). AntSword, BAZAR, Win32/Mr.Robot Ransomware, Win32/Remcos, Griffon, Various SSL, VARIOUS Phishing.

Please be aware that after the deprecation of our Suricata 2/3 support (April 15th 2020), the path for downloading the last pushed production Suricata 2/3 rulesets have changed.  Deprecated rulesets are available at https://rules.emergingthreatspro.com/OINK/old for ETPro and https://rules.emergingthreatspro.com/open/old/ for ETOpen.  All requests for the Suricata 2/3 at their previous locations will now lead to the Suricata 4.0 production rules for ETPro and the rule download instructions for ETOpen.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030035 - ET TROJAN AntSword Webshell User-Agent Observed (trojan.rules)
  2030036 - ET WEB_SERVER AntSword Webshell Commands Inbound
(web_server.rules)
  2030037 - ET WEB_SERVER Possible AntSword Webshell Commands Inbound
(web_server.rules)
  2030038 - ET TROJAN DonotGroup CnC Domain in DNS Query (trojan.rules)
  2030039 - ET TROJAN Parallax CnC Response Activity M9 (trojan.rules)
  2030041 - ET TROJAN BAZAR CnC Domain in DNS Lookup (trojan.rules)
  2030042 - ET TROJAN BAZAR CnC Domain in DNS Lookup (trojan.rules)
  2030043 - ET TROJAN BAZAR CnC Domain in DNS Lookup (trojan.rules)
  2030044 - ET TROJAN BAZAR CnC Domain in DNS Lookup (trojan.rules)
  2030045 - ET TROJAN BAZAR CnC Domain in DNS Lookup (trojan.rules)

Pro:

  2842230 - ETPRO POLICY External IP Lookup via plain-text-ip .com
(policy.rules)
  2842231 - ETPRO TROJAN Win32/njRAT Variant CnC Checkin (info)
(trojan.rules)
  2842232 - ETPRO TROJAN Win32/njRAT Variant CnC Keep-Alive (Outbound)
(trojan.rules)
  2842233 - ETPRO TROJAN Win32/Unk.Stealer Exfil via HTTP POST M2
(trojan.rules)
  2842234 - ETPRO TROJAN Win32/Mr.Robot Ransomware CnC Checkin
(trojan.rules)
  2842235 - ETPRO TROJAN Win32/Mr.Robot Ransomware CnC Keep-Alive
(Outbound) (trojan.rules)
  2842236 - ETPRO TROJAN Win32/Mr.Robot Ransomware Requesting Payment
Amount (trojan.rules)
  2842237 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-28 1) (trojan.rules)
  2842238 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-28 2) (trojan.rules)
  2842239 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-28 3) (trojan.rules)
  2842240 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-28 4) (trojan.rules)
  2842241 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-28 5) (trojan.rules)
  2842242 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-28 6) (trojan.rules)
  2842243 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-04-28 (current_events.rules)
  2842244 - ETPRO CURRENT_EVENTS Successful Verizon Phish 2020-04-28
(current_events.rules)
  2842245 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-04-28
(current_events.rules)
  2842246 - ETPRO CURRENT_EVENTS Successful MWeb Phish 2020-04-28
(current_events.rules)
  2842247 - ETPRO TROJAN MSIL/Spy.Agent.QN Variant CnC Account Exfil
(trojan.rules)
  2842248 - ETPRO TROJAN Griffon CnC Activity (trojan.rules)
  2842249 - ETPRO TROJAN SSL/TLS Certificate Observed (Griffon)
(trojan.rules)
  2842250 - ETPRO TROJAN Unk.VBS Loader CnC Host Checkin (trojan.rules)
  2842251 - ETPRO TROJAN SSL/TLS Certificate Observed (More_eggs)
(trojan.rules)
  2842252 - ETPRO TROJAN SSL/TLS Certificate Observed (Unk.VBS)
(trojan.rules)
  2842253 - ETPRO TROJAN MSIL/Disfa Encrypted CnC Response 1 (trojan.rules)
  2842254 - ETPRO TROJAN MSIL/Disfa Encrypted CnC Response 2 (trojan.rules)
  2842255 - ETPRO MALWARE Win32/SysTweak Checkin (malware.rules)

[///]     Modified active rules:     [///]

  2018156 - ET EXPLOIT Linksys Auth Bypass fw_sys_up.cgi (exploit.rules)
  2018157 - ET EXPLOIT Linksys Auth Bypass override.cgi (exploit.rules)
  2018158 - ET EXPLOIT Linksys Auth Bypass share_editor.cgi (exploit.rules)
  2018159 - ET EXPLOIT Linksys Auth Bypass switch_boot.cgi (exploit.rules)
  2018168 - ET WEB_SPECIFIC_APPS MediaWiki thumb.php RCE
(web_specific_apps.rules)
  2026946 - ET TROJAN GanDownloader CnC Checkin (trojan.rules)
  2029606 - ET TROJAN MSIL/Firebird RAT CnC Checkin (trojan.rules)
  2029996 - ET TROJAN NanoCore RAT CnC 27 (trojan.rules)
  2030006 - ET CURRENT_EVENTS Possible iOS MobileMail OOB Write/Heap
Overflow Exploit Email (Inbound) (current_events.rules)
 2805748 - ETPRO TROJAN TROJ_GEN.F47V1018 Checkin (trojan.rules)
  2807472 - ETPRO TROJAN Win32/Bervod.A (trojan.rules)
  2807704 - ETPRO TROJAN Fake installshie1d 1 (trojan.rules)
  2807705 - ETPRO TROJAN Fake installshie1d 2 (trojan.rules)
  2807712 - ETPRO TROJAN Win32/Rovnix.J Checkin (trojan.rules)
  2840310 - ETPRO TROJAN Win32/Valak Generic CnC Activity (trojan.rules)
  2842178 - ETPRO TROJAN ELF/Gafygt Variant Malicious Bash Script Inbound
(trojan.rules)

[---]         Removed rules:         [---]

  2842221 - ETPRO TROJAN Parallax CnC Response Activity M9 (trojan.rules)

Date:
Summary title:
10 new Open, 36 new Pro (10 + 26). AntSword, BAZAR, Win32/Mr.Robot Ransomware, Win32/Remcos, Griffon, Various SSL, VARIOUS Phishing.