[***] Summary: [***]
10 new Open, 40 new Pro (10 + 30). Nazar, nspps Backdoor, Various Exploits, Various Phish, Others.
Please be aware that after the deprecation of our Suricata 2/3 support (April 15th 2020), the path for downloading the last pushed production Suricata 2/3 rulesets have changed. Deprecated rulesets are available at https://rules.emergingthreatspro.com/OINK/old for ETPro and https://rules.emergingthreatspro.com/open/old/ for ETOpen. All requests for the Suricata 2/3 at their previous locations will now lead to the Suricata 4.0 production rules for ETPro and the rule download instructions for ETOpen.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030101 - ET TROJAN Observed Malicious SSL Cert (Lazarus APT MalDoc DL
2020-05-05) (trojan.rules)
2030102 - ET EXPLOIT NEC SL2100 - Session Enumeration Attempt
(exploit.rules)
2030103 - ET EXPLOIT Image Manager 5.2.4 - RCE Attempt (exploit.rules)
2030104 - ET MALWARE Nazar Implant - Sending Ping Response to CnC
(malware.rules)
2030105 - ET TROJAN Nazar Implant - Sending Basic System Info to CnC
(trojan.rules)
2030106 - ET EXPLOIT BlogEngine 3.3 - syndication.axd XXE Injection
Attempt (exploit.rules)
2030107 - ET EXPLOIT Online Scheduling System 1.0 - Authentication Bypass
Attempt (exploit.rules)
2030108 - ET TROJAN nspps Backdoor CnC Activity (trojan.rules)
2030109 - ET TROJAN nspps Backdoor - Sending SOCKS Details (trojan.rules)
2030110 - ET TROJAN nspps Backdoor - Task Response (trojan.rules)
Pro:
2842384 - ETPRO TROJAN Win32/Wacatac.D!ml Variant CnC Activity
(trojan.rules)
2842385 - ETPRO TROJAN ELF/Lady.K Variant CnC Activity (trojan.rules)
2842386 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-05 1) (trojan.rules)
2842387 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-05 2) (trojan.rules)
2842388 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-05 3) (trojan.rules)
2842389 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-05 4) (trojan.rules)
2842390 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish
2020-05-05 (current_events.rules)
2842391 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish
2020-05-05 (current_events.rules)
2842392 - ETPRO TROJAN Win32/Agent.TCF Variant CnC Host Checkin
(trojan.rules)
2842393 - ETPRO CURRENT_EVENTS Successful Casas Bahia Phish 2020-05-05
(current_events.rules)
2842394 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-05-05
(current_events.rules)
2842395 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-05-05
(current_events.rules)
2842396 - ETPRO TROJAN xRAT CnC Domain in DNS Query (trojan.rules)
2842397 - ETPRO TROJAN Win32/Downloader.Paph CnC Checkin (trojan.rules)
2842398 - ETPRO TROJAN Win32/Remcos RAT Checkin 416 (trojan.rules)
2842399 - ETPRO TROJAN Win32/Remcos RAT Checkin 417 (trojan.rules)
2842400 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2842401 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2842402 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2842403 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2842404 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2842405 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2842406 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2842407 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2842408 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2842409 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2842410 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2842411 - ETPRO TROJAN Suspected MEDUSA RAT CnC Response (trojan.rules)
2842412 - ETPRO TROJAN Win32/Unk.Downloader.BR Activity (trojan.rules)
2842413 - ETPRO TROJAN Win32/Unk.Stealer.BR System Info POST
(trojan.rules)
[///] Modified active rules: [///]
2007994 - ET INFO Suspicious User-Agent (1 space) (info.rules)