[***] Summary: [***]
9 new Open, 77 new Pro (9 + 68). JAWS Webserver Unauthenticated Shell, IXWARE Stealer, WEBMONITOR RAT, Win32/Emotet, MSIL/CLEARSTEAL.AA, numerous IcedID CnC domains, VARIOUS Phishing.
Please be aware that after the deprecation of our Suricata 2/3 support (April 15th 2020), the path for downloading the last pushed production Suricata 2/3 rulesets has changed. Deprecated rulesets are available at https://rules.emergingthreatspro.com/OINK/old for ETPro and https://rules.emergingthreatspro.com/open/old/ for ETOpen. All requests for the Suricata 2/3 rulesets at their previous locations now lead to the Suricata 4.0 production rules for ETPro and to the rule download instructions for ETOpen.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030092 - ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution (trojan.rules)
2030093 - ET SCAN JAWS Webserver Unauthenticated Shell Command Execution (scan.rules)
2030094 - ET EXPLOIT Online Scheduling System 1.0 - Authentication Bypass Attempt (exploit.rules)
2030095 - ET EXPLOIT Netis E1+ 1.2.32533 - Unauthenticated WiFi Password Leak (exploit.rules)
2030096 - ET TROJAN IXWARE Stealer Domain in DNS Lookup (trojan.rules)
2030097 - ET TROJAN IXWARE Stealer Domain in DNS Lookup (trojan.rules)
2030098 - ET TROJAN IXWARE Stealer CnC Activity (trojan.rules)
2030099 - ET CURRENT_EVENTS SEO Injection/Fraud DNS Lookup (current_events.rules)
2030100 - ET TROJAN WEBMONITOR RAT CnC Domain in DNS Lookup (trojan.rules)
Pro:
2842314 - ETPRO POLICY External Geo Lookup via ip integrator .mediabarservices .ru (policy.rules)
2842315 - ETPRO TROJAN Win32/Spy.Socelars.AD Variant CnC Activity M2 (trojan.rules)
2842316 - ETPRO TROJAN Observed KPOT Stealer CnC Domain in TLS SNI (trojan.rules)
2842317 - ETPRO TROJAN Win32/Emotet CnC Activity (POST) M9 (trojan.rules)
2842318 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-02 1) (trojan.rules)
2842319 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-02 2) (trojan.rules)
2842320 - ETPRO TROJAN MSIL/Agent.CNZ Variant CnC Host Checkin (trojan.rules)
2842321 - ETPRO TROJAN MSIL/Agent.CNZ Variant CnC Screenshot Check (trojan.rules)
2842322 - ETPRO TROJAN MSIL/Agent.CNZ Variant CnC Activity (trojan.rules)
2842325 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-05-04 (current_events.rules)
2842326 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-05-04 (current_events.rules)
2842327 - ETPRO CURRENT_EVENTS Successful Docusign Phish 2020-05-04 (current_events.rules)
2842328 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-05-04 (current_events.rules)
2842329 - ETPRO CURRENT_EVENTS Successful Regions Bank Phish 2020-05-04 (current_events.rules)
2842330 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-05-04 (current_events.rules)
2842331 - ETPRO CURRENT_EVENTS Successful Apple Phish 2020-05-04 (current_events.rules)
2842332 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-05-04 (current_events.rules)
2842333 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-05-04 (current_events.rules)
2842334 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-05-04 (current_events.rules)
2842335 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-05-04 (current_events.rules)
2842336 - ETPRO TROJAN MSIL/CLEARSTEAL.AA CnC Activity (trojan.rules)
2842337 - ETPRO TROJAN IXWARE Checkin via Discord (trojan.rules)
2842338 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842339 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842340 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842341 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842342 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842343 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842344 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842345 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842346 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842347 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842348 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842349 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842350 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842351 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842352 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842353 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842354 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842355 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842356 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842357 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842358 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842359 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842360 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842361 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842362 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842363 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842364 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842365 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842366 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842367 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842368 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842369 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842370 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842371 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842372 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842373 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842374 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842375 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842376 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842377 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842378 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842379 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842380 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842381 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842382 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2842383 - ETPRO TROJAN LimeRAT CnC Domain in DNS Lookup (trojan.rules)
[///] Modified active rules: [///]
2009359 - ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE) (scan.rules)
2009827 - ET SCAN Pavuk User Agent Detected - Website Mirroring Tool for Off-line Analysis (scan.rules)
2009833 - ET SCAN WITOOL SQL Injection Scan (scan.rules)
2009882 - ET SCAN Default Mysqloit User Agent Detected - Mysql Injection Takover Tool (scan.rules)
2009883 - ET SCAN Possible Mysqloit Operating System Fingerprint/SQL Injection Test Scan Detected (scan.rules)
2010004 - ET WEB_SERVER SQL sp_start_job attempt (web_server.rules)
2010037 - ET WEB_SERVER Possible SQL Injection INTO OUTFILE Arbitrary File Write Attempt (web_server.rules)
2010215 - ET SCAN SQL Injection Attempt (Agent uil2pn) (scan.rules)
2010508 - ET SCAN Springenwerk XSS Scanner User-Agent Detected (scan.rules)
2010621 - ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts) (web_server.rules)
2010667 - ET WEB_SERVER /bin/bash In URI, Possible Shell Command Execution Attempt Within Web Exploit (web_server.rules)
2010720 - ET WEB_SERVER PHP Scan Precursor (web_server.rules)
2010954 - ET SCAN crimscanner User-Agent detected (scan.rules)
2010956 - ET SCAN Skipfish Web Application Scan Detected (2) (scan.rules)
2011175 - ET WEB_SERVER Casper Bot Search RFI Scan (web_server.rules)
2011389 - ET SCAN w3af Scan Remote File Include Retrieval (scan.rules)
2011390 - ET SCAN Nikto Scan Remote File Include Retrieval (scan.rules)
2011720 - ET SCAN Possible WafWoof Web Application Firewall Detection Scan (scan.rules)
2012116 - ET WEB_SERVER DD-WRT Information Disclosure Attempt (web_server.rules)
2012150 - ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS in URI (web_server.rules)
2012802 - ET TROJAN Spoofed MSIE 8 User-Agent Likely Ponmocup (trojan.rules)
2012937 - ET SCAN Internal Dummy Connection User-Agent Inbound (scan.rules)
2019113 - ET TROJAN HighTide trojan Checkin (trojan.rules)
2019114 - ET TROJAN W32/Threebyte.APT Checkin (trojan.rules)
2019126 - ET POLICY External IP Lookup (policy.rules)
2019128 - ET TROJAN W32/Bravix.Dropper CnC Beacon (trojan.rules)
2019136 - ET TROJAN APT OSX.XSLCmd CnC Beacon (trojan.rules)
2019137 - ET WEB_SPECIFIC_APPS Possible WP CuckooTap Arbitrary File Download (web_specific_apps.rules)
2019161 - ET TROJAN DecebalPOS User-Agent (trojan.rules)
2030053 - ET TROJAN Win32/IcedID Requesting Encoded Binary M4 (trojan.rules)
2808043 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.ao / Cardbuyer Checkin (mobile_malware.rules)
2808654 - ETPRO TROJAN BackDoor.Ebot Checkin (trojan.rules)
2808657 - ETPRO TROJAN W32/Delf.GY Callback (trojan.rules)
2808662 - ETPRO TROJAN Win32.Boaxxe Variant Callback (trojan.rules)
2808665 - ETPRO TROJAN KopHack Checkin (trojan.rules)
2808672 - ETPRO TROJAN Win32/Spy.Agent.OKH Checkin (trojan.rules)
2808677 - ETPRO MOBILE_MALWARE Android/SMForw.AT Checkin (mobile_malware.rules)
2808678 - ETPRO MOBILE_MALWARE Android/SMForw.AT Checkin 2 (mobile_malware.rules)
2808679 - ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.BK Checkin (mobile_malware.rules)
2808680 - ETPRO MOBILE_MALWARE Adware.Youmi.A Checkin (mobile_malware.rules)
2808688 - ETPRO TROJAN Win32/Dynamer Checkin (trojan.rules)
2808689 - ETPRO TROJAN Win32/Kaaneut.A Callback (trojan.rules)
2808693 - ETPRO TROJAN Win32.Rogue Checkin (trojan.rules)
2808702 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.IW Checkin (mobile_malware.rules)
2808703 - ETPRO MOBILE_MALWARE Android/DDLight.A Checkin (mobile_malware.rules)
2808707 - ETPRO TROJAN Trojan.Keylog!1.9946 Checkin (trojan.rules)
2808712 - ETPRO TROJAN Trojan.Win32.Spy uploading screenshots (trojan.rules)
2808716 - ETPRO TROJAN Win32.Downloader.aCm checkin (trojan.rules)
2808726 - ETPRO TROJAN Win32.Dunik Checkin (trojan.rules)
2808729 - ETPRO WEB_SPECIFIC_APPS ABE fingerprinting request (web_specific_apps.rules)
2808732 - ETPRO TROJAN Win32/Comame Checkin (trojan.rules)
2808736 - ETPRO TROJAN Backdoor.Comdinter Checkin (trojan.rules)
2808748 - ETPRO TROJAN Win32/Picazen.A Dropping Files (trojan.rules)
2808753 - ETPRO TROJAN Win32.Biruleibi Checkin (trojan.rules)
2808771 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iconosys.a Checkin 6 (mobile_malware.rules)
2808778 - ETPRO TROJAN Win32/Malagent!gmb connectivity check (trojan.rules)
2808780 - ETPRO WEB_SPECIFIC_APPS WordPress config.php in HTTP response (web_specific_apps.rules)
2808786 - ETPRO TROJAN Win32/Pitou.A Checkin (trojan.rules)
2808787 - ETPRO TROJAN SpyEye Checkin version unknown (trojan.rules)
2808796 - ETPRO TROJAN W32/Magania.IDPJ C2 (trojan.rules)
2808798 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Vidma.a Checkin (mobile_malware.rules)
2808801 - ETPRO TROJAN Win32.Reconyc Checkin (trojan.rules)
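The added and modified lists above are one rule per line, but the mail hard-wraps long entries, so anything scripted against the notice has to glue the continuation lines back first. The parser below is an added example, not an Emerging Threats tool and not part of the original notice: it reassembles the "SID - msg (file.rules)" entries, infers the feed from the ET/ETPRO prefix instead of trusting the Open:/Pro: subheaders (which the modified section does not have), cross-checks the "N new Open, M new Pro (N + K)" arithmetic against what the list actually contains, and pulls out SIDs by category for review (suricata-update's enable.conf/disable.conf take one bare SID per line). SAMPLE_NOTICE is a constructed excerpt built from entries on this page; its summary numbers describe the excerpt, not this day's full update.

```python
"""Parse an Emerging Threats daily update notice and cross-check its summary.

Added example; not part of the original notice. The format assumed here
(header markers, "SID - msg (file.rules)" entries, hard-wrapped
continuation lines) is the one visible in the notice itself.
"""
import re

# Constructed excerpt mirroring the notice layout, wrapped lines included.
SAMPLE_NOTICE = """\
[***] Summary: [***]
3 new Open, 5 new Pro (3 + 2). JAWS Webserver Unauthenticated Shell, IXWARE Stealer.
[+++] Added rules: [+++]
Open:
2030092 - ET TROJAN JAWS Webserver Unauthenticated Shell Command
Execution (trojan.rules)
2030093 - ET SCAN JAWS Webserver Unauthenticated Shell Command Execution
(scan.rules)
2030096 - ET TROJAN IXWARE Stealer Domain in DNS Lookup (trojan.rules)
Pro:
2842317 - ETPRO TROJAN Win32/Emotet CnC Activity (POST) M9 (trojan.rules)
2842326 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-05-04
(current_events.rules)
[///] Modified active rules: [///]
2009359 - ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE)
(scan.rules)
2808043 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.ao / Cardbuyer Checkin
(mobile_malware.rules)
"""

HEADER_RE = re.compile(r"^\[(\S+)\]\s*(.+?):?\s*\[\1\]$")
ENTRY_RE = re.compile(r"^(\d{7}) - (ET|ETPRO) ([A-Z_]+) (.*?) \(([a-z_]+\.rules)\)$")
SUMMARY_RE = re.compile(r"(\d+) new Open, (\d+) new Pro \((\d+) \+ (\d+)\)")


def parse_notice(text):
    """Return (summary, entries).

    summary: the four numbers of "N new Open, M new Pro (N + K)"; M is the
    Pro feed total and already includes the N Open rules.
    entries: one dict per rule (sid, feed, category, msg, file, section).
    A line that does not start with a SID and is not a header is a wrapped
    continuation and is appended to the entry above it before parsing.
    """
    summary, entries = {}, []
    section, pending = None, None

    def flush():
        nonlocal pending
        if pending is None:
            return
        m = ENTRY_RE.match(pending)
        if not m:
            raise ValueError(f"unparseable entry in {section!r}: {pending!r}")
        entries.append({
            "sid": int(m.group(1)),
            "feed": "pro" if m.group(2) == "ETPRO" else "open",  # prefix, not subheader
            "category": m.group(3),
            "msg": m.group(4),
            "file": m.group(5),
            "section": section,
        })
        pending = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            flush()
            section = h.group(2).rstrip(":").lower()  # "summary", "added rules", ...
            continue
        if section == "summary":
            s = SUMMARY_RE.search(line)
            if s:
                keys = ("open", "pro_total", "pro_open_part", "pro_only")
                summary = dict(zip(keys, map(int, s.groups())))
            continue
        if line in ("Open:", "Pro:"):
            flush()
            continue
        if re.match(r"^\d{7} - ", line):
            flush()
            pending = line
        elif pending is not None:
            pending = pending + " " + line  # wrapped continuation line
    flush()
    return summary, entries


def check_summary(summary, entries):
    """Recount the added rules and compare with the summary line."""
    added = [e for e in entries if e["section"].startswith("added")]
    n_open = sum(e["feed"] == "open" for e in added)
    n_pro = sum(e["feed"] == "pro" for e in added)
    consistent = (summary.get("open") == n_open
                  and summary.get("pro_only") == n_pro
                  and summary.get("pro_total") == n_open + n_pro)
    return {"open": n_open, "pro": n_pro, "consistent": consistent}


def sids_for(entries, categories, section_prefix="added"):
    """SIDs in the given categories, one per line when printed, e.g. to seed
    a suricata-update disable.conf for noisy classes before they go live."""
    return sorted(e["sid"] for e in entries
                  if e["section"].startswith(section_prefix)
                  and e["category"] in categories)


if __name__ == "__main__":
    summary, entries = parse_notice(SAMPLE_NOTICE)
    print(check_summary(summary, entries))
    for sid in sids_for(entries, {"POLICY", "SCAN", "CURRENT_EVENTS"}):
        print(sid)
```

Run against a saved copy of the real notice, check_summary() is the quick way to spot a miscounted header, and the sids_for() output can be reviewed before the day's rules are enabled on a sensor.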