[***] Summary: [***]
11 Open, 35 Pro (11 + 24). Maze Ransomware, CVE-2020-2551, IcedID, Various Phish, Suricata 5 Rule Updates.
Please be aware that after the deprecation of our Suricata 2/3 support (April 15th 2020), the path for downloading the last pushed production Suricata 2/3 rulesets have changed. Deprecated rulesets are available at https://rules.emergingthreatspro.com/OINK/old for ETPro and https://rules.emergingthreatspro.com/open/old/ for ETOpen. All requests for the Suricata 2/3 at their previous locations will now lead to the Suricata 4.0 production rules for ETPro and the rule download instructions for ETOpen.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030128 - ET EXPLOIT Possible Oracle WebLogic CVE-2020-2551 Scanning
(exploit.rules)
2030129 - ET POLICY External Oracle T3 Requests Inbound (policy.rules)
2030130 - ET POLICY Oracle T3 Response with CVE-2020-2551 Vulnerable
Version (12.2.1) (policy.rules)
2030131 - ET POLICY Oracle T3 Response with CVE-2020-2551 Vulnerable
Version (10.3.6) (policy.rules)
2030132 - ET POLICY Oracle T3 Response with CVE-2020-2551 Vulnerable
Version (12.1.3) (policy.rules)
2030133 - ET TROJAN MAZE Ransomware Payment Domain in DNS Lookup
(trojan.rules)
2030134 - ET TROJAN MAZE Ransomware Payment Domain DNS Lookup
(trojan.rules)
2030135 - ET POLICY MAZE Ransomware Victim Publishing Site DNS Lookup
(policy.rules)
2030136 - ET POLICY MAZE Ransomware Victim Publishing Site DNS Lookup
(policy.rules)
2030137 - ET POLICY External IP Lookup (ipchicken .com) (policy.rules)
2030138 - ET POLICY ipchicken .com DNS Lookup (policy.rules)
Pro:
2842453 - ETPRO TROJAN ELF/Gafygt Variant CnC Activity Inbound
(trojan.rules)
2842454 - ETPRO TROJAN ELF/Gafygt Variant CnC Scanner Status Inbound
(trojan.rules)
2842455 - ETPRO TROJAN Win64/Spy.Agent.CB CnC Activity (trojan.rules)
2842456 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-08 1) (trojan.rules)
2842457 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-08 2) (trojan.rules)
2842458 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-08 3) (trojan.rules)
2842459 - ETPRO CURRENT_EVENTS Successful Generic Banking Information
Phish 2020-05-08 (current_events.rules)
2842460 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
2842461 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
2842462 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
2842463 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
2842464 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
2842465 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
2842466 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
2842467 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
2842468 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-05-08
(current_events.rules)
2842469 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-05-08 (current_events.rules)
2842470 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
2842471 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
2842472 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
2842473 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2842474 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2842475 - ETPRO TROJAN Win32/Remcos RAT Checkin 421 (trojan.rules)
2842476 - ETPRO TROJAN Win32/Remcos RAT Checkin 422 (trojan.rules)
[///] Modified active rules: [///]
2014207 - ET WEB_CLIENT Likely MS12-004 midiOutPlayNextPolyEvent Heap
Overflow Midi Filename Requested baby.mid (web_client.rules)
2014289 - ET INFO HTTP Request to a 3322.org.cn Domain (info.rules)
2014752 - ET TROJAN Win32.HLLW.Autoruner USA_Load UA (trojan.rules)
2014822 - ET TROJAN Possible SKyWIper/Win32.Flame POST (trojan.rules)
2015512 - ET TROJAN Urlzone/Bebloh/Bublik Checkin /was/vas.php
(trojan.rules)
2015780 - ET TROJAN Zbot UA (trojan.rules)
2015850 - ET TROJAN Georgian Targeted Attack - Trojan Checkin
(trojan.rules)
2015984 - ET WEB_SERVER Joomla Component SQLi Attempt (web_server.rules)
2016033 - ET SCAN Simple Slowloris Flooder (scan.rules)
2016186 - ET TROJAN W32/Tobfy.Ransomware CnC Request - status.php
(trojan.rules)
2016187 - ET TROJAN W32/Tobfy.Ransomware Invalid URI CnC Request -
(trojan.rules)
2016212 - ET TROJAN BroBot POST (trojan.rules)
2016305 - ET WEB_SERVER Ruby on Rails CVE-2013-0333 Attempt
(web_server.rules)
2016475 - ET TROJAN CommentCrew downloader without user-agent string exe
download without User Agent (trojan.rules)
2016487 - ET TROJAN CommentCrew Possible APT backdoor download logo.png
(trojan.rules)
2017895 - ET TROJAN Kuluoz/Asprox Activity (trojan.rules)
2018184 - ET TROJAN Zeus.Downloader Campaign Second Stage Executable
Request (trojan.rules)
2018385 - ET TROJAN Zeus.Downloader Campaign Second Stage Executable
Request 10/4/2014 (trojan.rules)
2018413 - ET TROJAN Probable OneLouder downloader (Zeus P2P)
(trojan.rules)
2019074 - ET TROJAN Vawtrak/NeverQuest Posting Data (trojan.rules)
2019197 - ET TROJAN NewPosThings Checkin (trojan.rules)
2019198 - ET TROJAN NewPosThings Data Exfiltration (trojan.rules)
2019199 - ET TROJAN NewPosThings POST with Fake UA and Accept Header
(trojan.rules)
2019212 - ET TROJAN Bossabot DDoS tool RFI attempt (trojan.rules)
2100977 - GPL EXPLOIT .cnf access (exploit.rules)
2804562 - ETPRO TROJAN Trojan.Generic.KDV.199860 download (trojan.rules)
2804736 - ETPRO TROJAN Rogue.Win32/FakePAV Checkin (trojan.rules)
2804745 - ETPRO TROJAN Win32/Alureon.V exe download 2 (trojan.rules)
2806414 - ETPRO TROJAN FakeAV-BT Checkin (trojan.rules)
2807450 - ETPRO MOBILE_MALWARE PUP Android/SMSAgent.F
(mobile_malware.rules)
2808810 - ETPRO TROJAN Win32/LightMoon variant C2 (trojan.rules)
2808821 - ETPRO TROJAN Win32.IRCBot Variant C2 (trojan.rules)
2808826 - ETPRO TROJAN Win32/Regitry Checkin (trojan.rules)
2808828 - ETPRO WEB_SPECIFIC_APPS HttpFileServer 2.3.x Remote Command
Execution (web_specific_apps.rules)
2808831 - ETPRO WEB_SPECIFIC_APPS ALCASAR up to 2.8.1 RCE Vulnerabily
being exploited (web_specific_apps.rules)
2808836 - ETPRO TROJAN suspicious User-Agent (payloadworking)
(trojan.rules)
2808837 - ETPRO TROJAN Troj/BadCab CnC (trojan.rules)
2808848 - ETPRO TROJAN Win32/Sefnit.R Checkin (trojan.rules)
2808849 - ETPRO TROJAN Win32.CFPass.dcb Checkin (trojan.rules)
2808851 - ETPRO TROJAN Win32/Spy.Rehtesyk.A Checkin 1 (trojan.rules)
2808852 - ETPRO TROJAN Win32/Spy.Rehtesyk.A Checkin 2 (trojan.rules)
2808856 - ETPRO WEB_SPECIFIC_APPS Possible UFONet DDoS Participation
(web_specific_apps.rules)
2808863 - ETPRO TROJAN TROJAN Win32/Seey.A Checkin (trojan.rules)
2808865 - ETPRO TROJAN TROJAN Win32/Seey.A User-Agent (trojan.rules)
2808866 - ETPRO TROJAN TROJAN Win32/Seey.A Checkin 2 (trojan.rules)
2808876 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.u Checkin 4
(mobile_malware.rules)
2808883 - ETPRO MOBILE_MALWARE Android.Trojan.AutoSMS.BF Checkin 2
(mobile_malware.rules)
2838512 - ETPRO MOBILE_MALWARE Android Trickbot 2fa app Checkin
(mobile_malware.rules)
[---] Disabled and modified rules: [---]
2808891 - ETPRO MOBILE_MALWARE AndroidOS/Agent.EJ Checkin
(mobile_malware.rules)