[***] Summary: [***]
9 new Open, 28 new Pro (9 + 19). JsOutProx, Ragnarok Ransomware, DNSTEAL, Various Phish, Others.
Thanks Kevin Ross, @malwrhunterteam, @james_inthe_box.
Please be aware that after the deprecation of our Suricata 2/3 support (April 15th 2020), the path for downloading the last pushed production Suricata 2/3 rulesets has changed. Deprecated rulesets are available at https://rules.emergingthreatspro.com/OINK/old for ETPro and https://rules.emergingthreatspro.com/open/old/ for ETOpen. All requests for the Suricata 2/3 rulesets at their previous locations now return the Suricata 4.0 production rules for ETPro and the rule download instructions for ETOpen, so any fetch script still pointed at the old paths will silently pull the wrong ruleset.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030111 - ET TROJAN Observed Default CobaltStrike SSL Certificate
(trojan.rules)
2030112 - ET TROJAN Observed Cobalt Strike Stager Domain in DNS Query
(trojan.rules)
2030113 - ET POLICY Observed iesnare/iovation Tracking Activity
(policy.rules)
2030114 - ET TROJAN JsOutProx Variant CnC Activity (trojan.rules)
2030115 - ET EXPLOIT Possible MPC Sharj 3.11.1 - Arbitrary File Download
Attempt (exploit.rules)
2030116 - ET TROJAN Ragnarok Ransomware CnC Activity M1 (trojan.rules)
2030117 - ET TROJAN Ragnarok Ransomware CnC Activity M2 (trojan.rules)
2030118 - ET CURRENT_EVENTS SEO Injection/Fraud Domain in DNS Lookup
(stat.trackstatisticsss .com) (current_events.rules)
2030119 - ET TROJAN EVILNUM CnC Response (trojan.rules)
Pro:
2842414 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-06 1) (trojan.rules)
2842415 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-05-06
(current_events.rules)
2842416 - ETPRO CURRENT_EVENTS Successful Citibank Phish 2020-05-06
(current_events.rules)
2842417 - ETPRO CURRENT_EVENTS Successful AT&T Phish 2020-05-06
(current_events.rules)
2842418 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-05-06 (current_events.rules)
2842419 - ETPRO TROJAN W32/Agent.ABXJF Variant Sending Logs (trojan.rules)
2842420 - ETPRO TROJAN VBA/Agent.MR Variant CnC Host Checkin
(trojan.rules)
2842421 - ETPRO TROJAN Win32/Downloader.Pbyw Variant CnC Host Checkin
(trojan.rules)
2842422 - ETPRO CURRENT_EVENTS Successful Yandex Phish 2020-05-06
(current_events.rules)
2842423 - ETPRO CURRENT_EVENTS Successful Apple Phish 2020-05-06
(current_events.rules)
2842424 - ETPRO CURRENT_EVENTS Successful Santander Phish 2020-05-06
(current_events.rules)
2842425 - ETPRO TROJAN Win32/Remcos RAT Checkin 418 (trojan.rules)
2842426 - ETPRO TROJAN Win32/Remcos RAT Checkin 419 (trojan.rules)
2842427 - ETPRO TROJAN Win32/Remcos RAT Checkin 420 (trojan.rules)
2842428 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2842429 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2842430 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2842431 - ETPRO TROJAN Observed Malicious SSL Cert (AZORult CnC)
(trojan.rules)
2842432 - ETPRO POLICY Suspected DNSTEAL DNS Traffic (policy.rules)
[///] Modified active rules: [///]
2002763 - ET TROJAN Dumador Reporting User Activity (trojan.rules)
2011311 - ET POLICY request for hide-my-ip.com autoupdate (policy.rules)
2011375 - ET POLICY HTTP Request to a *.cz.cc domain (policy.rules)
2011821 - ET DOS User-Agent used in known DDoS Attacks Detected outbound
(dos.rules)
2011822 - ET DOS User-Agent used in known DDoS Attacks Detected inbound
(dos.rules)
2011823 - ET DOS User-Agent used in known DDoS Attacks Detected outbound
2 (dos.rules)
2011824 - ET DOS User-Agent used in known DDoS Attacks Detected inbound 2
(dos.rules)
2011861 - ET TROJAN Bredolab CnC URL Detected (trojan.rules)
2011906 - ET CURRENT_EVENTS exploit kit x/load/svchost.exe
(current_events.rules)
2011925 - ET TROJAN Rogue AV Downloader concat URI (trojan.rules)
2011967 - ET TROJAN Suspicious bot.exe Request (trojan.rules)
2011969 - ET TROJAN Ponmocup C2 Post-infection Checkin (trojan.rules)
2011982 - ET TROJAN Suspicious flash_player.exe Download (trojan.rules)
2012113 - ET TROJAN Trojan.BackDoor-DRV.gen.c Reporting-1 (trojan.rules)
2012198 - ET TROJAN Possible Worm W32.Svich or Other Infection Request
for setting.ini (trojan.rules)
2012199 - ET TROJAN Possible Worm W32.Svich or Other Infection Request
for setting.xls (trojan.rules)
2012200 - ET TROJAN Possible Worm W32.Svich or Other Infection Request
for setting.doc (trojan.rules)
2012392 - ET TROJAN Suspicious Download Setup_ exe (trojan.rules)
2012405 - ET TROJAN Potential FakePAV Checkin (trojan.rules)
2012460 - ET TROJAN Possible JKDDOS download wm.exe (trojan.rules)
2012461 - ET TROJAN Possible JKDDOS download cl.exe (trojan.rules)
2012514 - ET TROJAN Hiloti loader requesting payload URL (trojan.rules)
2012542 - ET POLICY HTTP Request to a *.gv.vg domain (policy.rules)
2012593 - ET POLICY HTTP Request to a *.ce.ms domain (policy.rules)
2012616 - ET TROJAN Slugin.A PatchTimeCheck.dat Request (trojan.rules)
2012737 - ET POLICY HTTP Request to a *.cw.cm domain (policy.rules)
2012800 - ET TROJAN Ponmocup C2 Sending Data to Controller 2
(trojan.rules)
2012896 - ET POLICY HTTP Request to a *.ae.am domain (policy.rules)
2012897 - ET POLICY HTTP Request to a *.noc.su domain (policy.rules)
2012898 - ET POLICY HTTP Request to a *.be.ma domain (policy.rules)
2012899 - ET POLICY HTTP Request to a *.qc.cx domain (policy.rules)
2013015 - ET POLICY HTTP Request to Illegal Drug Sales Site (SilkRoad)
(policy.rules)
2013064 - ET TROJAN Possible Tracur.Q HTTP Communication (trojan.rules)
2013123 - ET POLICY HTTP Request to a *.co.be domain (policy.rules)
2013412 - ET INFO HTTP Request to a *.co.com.au domain (info.rules)
2013415 - ET INFO HTTP Request to a *.cz.tf domain (info.rules)
2013460 - ET INFO HTTP Request to a *.c0m.li domain (info.rules)
2013790 - ET TROJAN Cnzz.cn Related Dropper Checkin (trojan.rules)
2013829 - ET INFO HTTP Request to a *.int.tf domain (info.rules)
2013830 - ET INFO HTTP Request to a *.edu.tf domain (info.rules)
2013831 - ET INFO HTTP Request to a *.us.tf domain (info.rules)
2013832 - ET INFO HTTP Request to a *.ca.tf domain (info.rules)
2013833 - ET INFO HTTP Request to a *.bg.tf domain (info.rules)
2013834 - ET INFO HTTP Request to a *.ru.tf domain (info.rules)
2013835 - ET INFO HTTP Request to a *.pl.tf domain (info.rules)
2013837 - ET INFO HTTP Request to a *.de.tf domain (info.rules)
2013838 - ET INFO HTTP Request to a *.at.tf domain (info.rules)
2013839 - ET INFO HTTP Request to a *.ch.tf domain (info.rules)
2013840 - ET INFO HTTP Request to a *.sg.tf domain (info.rules)
2013841 - ET INFO HTTP Request to a *.nl.ai domain (info.rules)
2013842 - ET INFO HTTP Request to a *.xe.cx domain (info.rules)
2013844 - ET INFO HTTP Request to a *.orge.pl Domain (info.rules)
2014141 - ET DOS LOIC Javascript DDoS Outbound (dos.rules)
2016030 - ET DOS LOIC POST (dos.rules)
2016031 - ET DOS LOIC GET (dos.rules)
2017120 - ET POLICY Possible IPMI 2.0 RAKP Remote SHA1 Password Hash
Retrieval RAKP message 1 with default BMC usernames
(Admin|root|Administrator|USERID) (policy.rules)
2017121 - ET ATTACK_RESPONSE Possible IPMI 2.0 RAKP Remote SHA1 Password
Hash Retrieval RAKP message 2 status code Unauthorized Name
(attack_response.rules)
2019162 - ET TROJAN Win.Trojan.Chewbacca connectivity check (trojan.rules)
2030099 - ET CURRENT_EVENTS SEO Injection/Fraud DNS Lookup
(count.trackstatisticsss .com) (current_events.rules)
2030100 - ET TROJAN WEBMONITOR RAT CnC Domain in DNS Lookup
(dabmaster.wm01 .to) (trojan.rules)
2840724 - ETPRO USER_AGENTS Suspicious User-Agent (Bootstrapper/)
(user_agents.rules)
2842383 - ETPRO TROJAN Suspected LIMERAT CnC Domain in DNS Lookup
(trojan.rules)
[---] Removed rules: [---]
2030107 - ET EXPLOIT Online Scheduling System 1.0 - Authentication Bypass
Attempt (exploit.rules)
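As an added example (not part of this ET notice, and not Emerging Threats' or Suricata's own tooling), the parser below reads the daily update format used above into added/modified/removed SID lists, joining entries that wrap across lines in the mailing-list copy, and then checks the removed and modified SIDs against a locally maintained SID list. The sample notice excerpt and the local enable list embedded in it are constructed for the example; the assumption that the local list is a bare one-SID-per-line file with `#` comments (the shape accepted by a suricata-update enable.conf) is the author's, not something the notice states.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Added example, not ET code: parse an ET daily update notice and compare the
# removed/modified SIDs with a local SID list (assumed enable.conf-style).


class RuleEntry(NamedTuple):
    sid: int
    msg: str
    rulefile: str


# Section headers look like "[+++] Added rules: [+++]"; the bracket markers
# differ per section, so only the wording between them names the section.
SECTION_RE = re.compile(r"^\[[^\]]+\]\s*(?P<name>[^:]+):\s*\[[^\]]+\]$")
SECTION_NAMES = {
    "Added rules": "added",
    "Modified active rules": "modified",
    "Removed rules": "removed",
}
# A complete entry is "<sid> - <msg> (<file>.rules)". In the mailing-list copy
# an entry may wrap onto further lines, so lines are joined until the
# trailing "(x.rules)" terminator is seen.
ENTRY_START_RE = re.compile(r"^\d{7} - ")
ENTRY_RE = re.compile(
    r"^(?P<sid>\d{7}) - (?P<msg>.+?)\s*\((?P<file>[\w.-]+\.rules)\)$")


def parse_update(text: str) -> Dict[str, List[RuleEntry]]:
    """Return {'added': [...], 'modified': [...], 'removed': [...]}."""
    sections: Dict[str, List[RuleEntry]] = {"added": [], "modified": [], "removed": []}
    current = None
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            # Summary and any unknown section map to None and are skipped.
            current = SECTION_NAMES.get(header.group("name").strip())
            buf = ""
            continue
        if current is None or not line or line in ("Open:", "Pro:"):
            continue
        if ENTRY_START_RE.match(line):
            buf = line              # new entry; drop any unfinished one
        elif buf:
            buf = buf + " " + line  # continuation of a wrapped entry
        else:
            continue
        m = ENTRY_RE.match(buf)
        if m:
            sections[current].append(
                RuleEntry(int(m.group("sid")), m.group("msg"), m.group("file")))
            buf = ""
    return sections


def load_local_sids(conf_text: str) -> Set[int]:
    """SIDs from a one-per-line list with '#' comments (assumed format)."""
    sids: Set[int] = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.isdigit():
            sids.add(int(line))
    return sids


def review_against_local(sections: Dict[str, List[RuleEntry]],
                         local_sids: Set[int]) -> Dict[str, List[int]]:
    """Local SIDs the update removed (they will vanish from the ruleset) and
    local SIDs it modified (worth re-reading before the next update run)."""
    removed = {e.sid for e in sections["removed"]}
    modified = {e.sid for e in sections["modified"]}
    return {
        "removed_still_listed": sorted(removed & local_sids),
        "modified_listed": sorted(modified & local_sids),
    }


# Constructed excerpt of a notice, including wrapped entries.
SAMPLE_NOTICE = """\
[***] Summary: [***]
9 new Open, 28 new Pro (9 + 19). JsOutProx, Ragnarok Ransomware, DNSTEAL, Various Phish, Others.
[+++] Added rules: [+++]
Open:
2030111 - ET TROJAN Observed Default CobaltStrike SSL Certificate
(trojan.rules)
2030115 - ET EXPLOIT Possible MPC Sharj 3.11.1 - Arbitrary File Download
Attempt (exploit.rules)
Pro:
2842432 - ETPRO POLICY Suspected DNSTEAL DNS Traffic (policy.rules)
[///] Modified active rules: [///]
2011823 - ET DOS User-Agent used in known DDoS Attacks Detected outbound
2 (dos.rules)
2017120 - ET POLICY Possible IPMI 2.0 RAKP Remote SHA1 Password Hash
Retrieval RAKP message 1 with default BMC usernames
(Admin|root|Administrator|USERID) (policy.rules)
[---] Removed rules: [---]
2030107 - ET EXPLOIT Online Scheduling System 1.0 - Authentication Bypass
Attempt (exploit.rules)
"""

# Constructed local enable list, not a real deployment's file.
SAMPLE_ENABLE_CONF = """\
# SIDs force-enabled on the perimeter sensors
2030107
2017120
2842432
"""

if __name__ == "__main__":
    parsed = parse_update(SAMPLE_NOTICE)
    for name, entries in parsed.items():
        print(f"{name}: {len(entries)} rule(s)")
    print(review_against_local(parsed, load_local_sids(SAMPLE_ENABLE_CONF)))
```

Run against the full notice text, the "removed_still_listed" output is the list to act on: a SID that has been removed upstream but is still force-enabled locally will simply stop existing after the next ruleset pull, so the corresponding coverage gap should be reviewed rather than discovered later.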