[***] Summary: [***]
19 new Open, 28 new Pro (19 + 9). Saltstack Authentication Bypass, Various Generic Webshell Access, Various Cpanel Cracker, PHANTOMLANCE, More_eggs CnC, VARIOUS Phishing.
Please be aware that after the deprecation of our Suricata 2/3 support (April 15th 2020), the path for downloading the last pushed production Suricata 2/3 rulesets has changed. Deprecated rulesets are available at https://rules.emergingthreatspro.com/OINK/old for ETPro and https://rules.emergingthreatspro.com/open/old/ for ETOpen. All requests for the Suricata 2/3 rulesets at their previous locations will now lead to the Suricata 4.0 production rules for ETPro and to the rule download instructions for ETOpen.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030071 - ET EXPLOIT Possible Saltstack Authentication Bypass
CVE-2020-11651 M1 (exploit.rules)
2030072 - ET EXPLOIT Possible SaltStack Authentication Bypass
CVE-2020-11651 M2 (exploit.rules)
2030073 - ET WEB_CLIENT Generic Webshell Accessed on External Server
(web_client.rules)
2030074 - ET WEB_SERVER Generic Webshell Accessed on Internal Server
(web_server.rules)
2030075 - ET WEB_CLIENT Generic Webshell Accessed on External Server
(web_client.rules)
2030076 - ET WEB_SERVER Generic Webshell Accessed on Internal Server
(web_server.rules)
2030077 - ET WEB_CLIENT Generic Mailer Accessed on External Server
(web_client.rules)
2030078 - ET WEB_SERVER Generic Mailer Accessed on Internal Server
(web_server.rules)
2030079 - ET WEB_CLIENT Generic Stolen Credentials Accessed on External
Server (web_client.rules)
2030080 - ET WEB_SERVER Generic Stolen Credentials Accessed on Internal
Server (web_server.rules)
2030081 - ET WEB_CLIENT Generic Stolen Credentials Accessed on External
Server (web_client.rules)
2030082 - ET WEB_SERVER Generic Stolen Credentials Accessed on Internal
Server (web_server.rules)
2030083 - ET WEB_CLIENT Cpanel Cracker Accessed on External Server
(web_client.rules)
2030084 - ET WEB_SERVER Cpanel Cracker Accessed on Internal Server
(web_server.rules)
2030085 - ET WEB_CLIENT Generic Mailer Accessed on External Server
(web_client.rules)
2030086 - ET WEB_SERVER Generic Mailer Accessed on Internal Server
(web_server.rules)
2030089 - ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup
(mobile_malware.rules)
2030090 - ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup
(mobile_malware.rules)
2030091 - ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup
(mobile_malware.rules)
Pro:
2842305 - ETPRO TROJAN More_eggs CnC Activity (trojan.rules)
2842306 - ETPRO MALWARE ELF/Unk.Ameliyat Checkin (malware.rules)
2842307 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-05-01 (current_events.rules)
2842308 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-01 1) (trojan.rules)
2842309 - ETPRO CURRENT_EVENTS Successful Generic Server Backup Phish
2020-05-01 (current_events.rules)
2842310 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-05-01
(current_events.rules)
2842311 - ETPRO TROJAN W32/TrojanDownloader.Agent.FCD CnC Activity
(trojan.rules)
2842312 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-01 (current_events.rules)
2842313 - ETPRO TROJAN Win32/Remcos RAT Checkin 415 (trojan.rules)
[///] Modified active rules: [///]
2006445 - ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM
(web_server.rules)
2009521 - ET TROJAN Win32/Nubjub.A HTTP Check-in (trojan.rules)
2013026 - ET TROJAN Secure-Soft.Stealer Checkin (trojan.rules)
2014523 - ET TROJAN OSX/Flashback.K/I reporting successful infection 2
(trojan.rules)
2016581 - ET CURRENT_EVENTS SUSPICIOUS Java Request to ChangeIP Dynamic
DNS Domain (current_events.rules)
2016582 - ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS
Domain (current_events.rules)
2016933 - ET CURRENT_EVENTS SUSPICIOUS Java Request to Afraid.org Top 100
Dynamic DNS Domain (current_events.rules)
2018522 - ET TROJAN Soraya C2 User-Agent (default) (trojan.rules)
2018578 - ET TROJAN Dyreza RAT Ex-filtrating Data (trojan.rules)
2018683 - ET TROJAN Dyreza RAT Checkin 2 (trojan.rules)
2018764 - ET TROJAN W32/Zbot.Variant CnC Response (trojan.rules)
2018765 - ET TROJAN Win32/Swizzor User-Agent (Swizz03r) (trojan.rules)
2018770 - ET TROJAN Dridex/Bugat/Feodo Cookie (trojan.rules)
2018771 - ET TROJAN Dridex/Bugat/Feodo POST Checkin (trojan.rules)
2018782 - ET SCAN Internet Scanning Project HTTP scan (scan.rules)
2018787 - ET TROJAN Unknown Locker DL URI Struct Jul 25 2014
(trojan.rules)
2018799 - ET TROJAN Win32/Gatak Activity (trojan.rules)
2018800 - ET SCAN Chroot-apache0day Unknown Web Scanner User Agent
(scan.rules)
2018888 - ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin
(mobile_malware.rules)
2018895 - ET TROJAN Ddex Loader Check-in (trojan.rules)
2018897 - ET TROJAN Pushdo.S CnC response (trojan.rules)
2018900 - ET TROJAN BITTERBUG Checkin (trojan.rules)
2018914 - ET CURRENT_EVENTS Nuclear Exploit Kit exe.exe Payload
(current_events.rules)
2018926 - ET TROJAN Lurk Downloader Check-in (trojan.rules)
2018927 - ET TROJAN Lurk Click fraud Template Request (trojan.rules)
2018985 - ET TROJAN Suspicious User-Agent (Asteria md5) (trojan.rules)
2030006 - ET CURRENT_EVENTS Possible iOS MobileMail OOB Write/Heap
Overflow Exploit Email (Inbound) (current_events.rules)
2030008 - ET CURRENT_EVENTS Possible iOS MobileMail OOB Write/Heap
Overflow Exploit Email (Inbound) (current_events.rules)
2801468 - ETPRO WEB_CLIENT Insecure Library Loading Request (.dll)
(web_client.rules)
2803669 - ETPRO SCADA Progea Movicon PowerHMI Memory Corruption Negative
Content Length (scada.rules)
2806150 - ETPRO MOBILE_MALWARE AndroidOS_Adrd.VTD Checkin
(mobile_malware.rules)
2806169 - ETPRO MOBILE_MALWARE Android.Enesoluty /
Trojan.AndroidOS.Maistealer.a Checkin (mobile_malware.rules)
2807180 - ETPRO TROJAN Win32.Sisron.B Checkin Checkin (trojan.rules)
2807234 - ETPRO TROJAN Protux CnC traffic (trojan.rules)
2808008 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Ackposts.a Checkin
(mobile_malware.rules)
2808264 - ETPRO TROJAN Trojan.Win32.FrauDrop.dbnyoz Checkin (trojan.rules)
2808309 - ETPRO TROJAN Win32/Beaugrit.gen!AAA Checkin (trojan.rules)
2808314 - ETPRO TROJAN Win32.Tavex.A Checkin 1 (trojan.rules)
2808375 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.RZ Checkin
(mobile_malware.rules)
2808395 - ETPRO TROJAN Win32/Rovnix.H checkin (trojan.rules)
2808405 - ETPRO TROJAN Trojan.Win32.Invader Checkin (trojan.rules)
2808408 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.BX Checkin 3
(mobile_malware.rules)
2808418 - ETPRO MOBILE_MALWARE Android/Smforw.AJ Checkin
(mobile_malware.rules)
2808427 - ETPRO TROJAN Win32.Nyxem.M checkin (trojan.rules)
2808429 - ETPRO TROJAN Password Stealer TSPY_WOWSPY.A Checkin
(trojan.rules)
2808430 - ETPRO TROJAN Backdoor.Jolob Checkin (trojan.rules)
2808436 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Agent.aj Checkin
(mobile_malware.rules)
2808438 - ETPRO MOBILE_MALWARE Trojan.Android.TrojanSMS.bABM Checkin
(mobile_malware.rules)
2808439 - ETPRO TROJAN Trojan-Clicker.Win32.Agent.adoa Checkin
(trojan.rules)
2808441 - ETPRO MOBILE_MALWARE Android-Spyware/SpyApp Checkin
(mobile_malware.rules)
2808444 - ETPRO TROJAN Trojan.Win32.Stantinko.bF Checkin (trojan.rules)
2808447 - ETPRO MOBILE_MALWARE Android/SMSreg.CL Checkin
(mobile_malware.rules)
2808449 - ETPRO TROJAN Win32/Lmir.BMR Checkin (trojan.rules)
2808462 - ETPRO MOBILE_MALWARE AndroidOS/GinMaster.AR Checkin
(mobile_malware.rules)
2808470 - ETPRO TROJAN Password Stealer MSIL/Vonriamt.A Checkin 3
(trojan.rules)
2808471 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.a Checkin 3
(mobile_malware.rules)
2808474 - ETPRO P2P P2PShare Client Installed Checkin (p2p.rules)
2808477 - ETPRO MOBILE_MALWARE Android.Trojan.Portal.A Checkin
(mobile_malware.rules)
2808478 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.AK Checkin
(mobile_malware.rules)
2808499 - ETPRO TROJAN Win32/Zemot User-Agent (trojan.rules)
2808506 - ETPRO TROJAN Trojan.Crypt.CG Checkin (trojan.rules)
2808512 - ETPRO MOBILE_MALWARE Android/SmsSpy.AS Checkin
(mobile_malware.rules)
2808514 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.AO Checkin 2
(mobile_malware.rules)
2808515 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.C Checkin 4
(mobile_malware.rules)
2808526 - ETPRO TROJAN Win32.Comune.A checkin (trojan.rules)
2808527 - ETPRO USER_AGENTS Suspicious User Agent Get HTML Source Code
Program (user_agents.rules)
2808528 - ETPRO MOBILE_MALWARE Android FakeInst-OG Checkin
(mobile_malware.rules)
2808533 - ETPRO TROJAN TROJAN.WIN32.SYSMAIN.C Checkin (trojan.rules)
2808551 - ETPRO TROJAN Trojan.Win32.Agent.cralxq Checkin (trojan.rules)
2808558 - ETPRO MOBILE_MALWARE AndroidOS/Lemon.A Checkin
(mobile_malware.rules)
2808568 - ETPRO TROJAN TrojanDownloader.Murlo.jr Checkin (trojan.rules)
2808582 - ETPRO MOBILE_MALWARE Android.Trojan.Joye.D Checkin
(mobile_malware.rules)
2808609 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iconosys.a Checkin 4
(mobile_malware.rules)
2808610 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iconosys.a Checkin 5
(mobile_malware.rules)
2808617 - ETPRO TROJAN VBS/Safa C2 (trojan.rules)
2808618 - ETPRO MOBILE_MALWARE Android/HippoSms.B Request to C2
(mobile_malware.rules)
2808642 - ETPRO TROJAN Win32.BHO Variant Checkin (trojan.rules)
2808650 - ETPRO TROJAN PWS.MicroGaming Checkin (trojan.rules)
2808651 - ETPRO TROJAN TROJAN-DROPPER.WIN32.FRAUDROP.AETPC Checkin
(trojan.rules)
2808654 - ETPRO TROJAN BackDoor.Ebot Checkin (trojan.rules)
2808655 - ETPRO TROJAN WIN32/LOCKSCREEN.BIK Checkin (trojan.rules)
2808657 - ETPRO TROJAN W32/Delf.GY Callback (trojan.rules)
2836551 - ETPRO TROJAN SSL/TLS Certificate Observed (Default POSHC2 cert)
(trojan.rules)
[---] Removed rules: [---]
2030007 - ET CURRENT_EVENTS Possible iOS MobileMail OOB Write/Heap
Overflow Exploit Email (Inbound) (current_events.rules)