[***]            Summary:            [***]

8 Open, 35 Pro (8 + 27). Hakbit Ransomware, Taurus Stealer, Qbot, Sobinokibi, VaRiOuS Phishing

Thanks: @James_inthe_box, @AdAstra247

Please be aware that after the deprecation of our Suricata 2/3 support (April 15th 2020), the path for downloading the last pushed production Suricata 2/3 rulesets has changed. Deprecated rulesets are available at https://rules.emergingthreatspro.com/OINK/old for ETPro and https://rules.emergingthreatspro.com/open/old/ for ETOpen. All requests for the Suricata 2/3 rulesets at their previous locations will now lead to the Suricata 4.0 production rules for ETPro and to the rule download instructions for ETOpen.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030155 - ET TROJAN Observed TrojanSpy.SH.HADGLIDER.A Exfil Domain in DNS Query (trojan.rules)
  2030156 - ET TROJAN Hakbit Ransomware Exfil via FTP (trojan.rules)
  2030157 - ET TROJAN Possible Win32/Qbot/Quakbot Checkin via HTTP GET (trojan.rules)
  2030158 - ET TROJAN Taurus Stealer CnC Host Checkin (trojan.rules)
  2030159 - ET TROJAN Taurus Stealer CnC Exfil (trojan.rules)
  2030160 - ET EXPLOIT Complaint Management System 1.0 - Authentication Bypass Attempt (exploit.rules)
  2030161 - ET POLICY NEPHILIM Ransomware Victim Publishing Site DNS Lookup (corpleaks .net) (policy.rules)
  2030162 - ET POLICY NEPHILIM Ransomware Victim Publishing Site DNS Lookup (hxt254aygrsziejn .onion) DNS Lookup (policy.rules)

Pro:

  2842507 - ETPRO MOBILE_MALWARE AndroidOS/AdWo.G Reporting Device/Network Info (mobile_malware.rules)
  2842508 - ETPRO MOBILE_MALWARE Android.Styricka.GEN6212 CnC Beacon (mobile_malware.rules)
  2842509 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Plangton.a Checkin (mobile_malware.rules)
  2842510 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Boogr.gsh Checkin (mobile_malware.rules)
  2842511 - ETPRO MOBILE_MALWARE Android.HiddadCAD.ZQ Checkin (mobile_malware.rules)
  2842512 - ETPRO TROJAN MalDoc Request for Payload 2020-05-12 (trojan.rules)
  2842513 - ETPRO TROJAN Win32/PredatorTheThief Variant CnC Activity (trojan.rules)
  2842514 - ETPRO TROJAN Win32/PredatorTheThief Variant CnC Exfil (trojan.rules)
  2842515 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-12 1) (trojan.rules)
  2842516 - ETPRO TROJAN Possible More_eggs CnC Activity M2 (trojan.rules)
  2842517 - ETPRO TROJAN Hakbit Ransomware Login via FTP (trojan.rules)
  2842518 - ETPRO CURRENT_EVENTS Successful Microsoft Word Online Phish 2020-05-12 (current_events.rules)
  2842519 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish 2020-05-12 (current_events.rules)
  2842520 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2020-05-12 (current_events.rules)
  2842521 - ETPRO CURRENT_EVENTS Successful Outlook Web Access Phish 2020-05-12 (current_events.rules)
  2842522 - ETPRO CURRENT_EVENTS Successful Ionos Phish 2020-05-12 (current_events.rules)
  2842523 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-05-12 (current_events.rules)
  2842524 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-05-12 (current_events.rules)
  2842525 - ETPRO CURRENT_EVENTS Successful ABSA Phish 2020-05-12 (current_events.rules)
  2842526 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-05-12 (current_events.rules)
  2842527 - ETPRO POLICY Outbound AEScrypt V2 File Structure via TCP M1 (policy.rules)
  2842528 - ETPRO POLICY Outbound AEScrypt V2 File Structure via TCP M2 (policy.rules)
  2842529 - ETPRO POLICY Inbound AEScrypt V2 File Structure via HTTP M1 (policy.rules)
  2842530 - ETPRO POLICY Inbound AEScrypt V2 File Structure via HTTP M2 (policy.rules)
  2842531 - ETPRO POLICY Inbound AEScrypt V1 File Structure via HTTP (policy.rules)
  2842532 - ETPRO POLICY Suspicious Inbound Cmd - LockWorkStation (policy.rules)
  2842533 - ETPRO TROJAN Sobinokibi CnC Activity (trojan.rules)

[///]     Modified active rules:     [///]

  2013926 - ET POLICY HTTP traffic on port 443 (POST) (policy.rules)
  2013927 - ET POLICY HTTP traffic on port 443 (HEAD) (policy.rules)
  2013928 - ET POLICY HTTP traffic on port 443 (PROPFIND) (policy.rules)
  2013931 - ET POLICY HTTP traffic on port 443 (DELETE) (policy.rules)
  2018772 - ET TROJAN Dridex/Bugat/Feodo GET Checkin (trojan.rules)
  2019239 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Cookie (web_server.rules)
  2019283 - ET TROJAN BlackEnergy POST Request (trojan.rules)
  2019331 - ET MOBILE_MALWARE iOS/Xsser Checkin (mobile_malware.rules)
  2019332 - ET MOBILE_MALWARE iOS/Xsser sending GPS info (mobile_malware.rules)
  2019333 - ET MOBILE_MALWARE iOS/Xsser sending files (mobile_malware.rules)
  2019334 - ET MOBILE_MALWARE iOS/Xsser checking library version (mobile_malware.rules)
  2019341 - ET TROJAN Cryptowall 2.0 DL URI Struct Oct 2 2014 (trojan.rules)
  2019366 - ET POLICY 2Downloadz.com File Sharing User-Agent (policy.rules)
  2019379 - ET TROJAN Win32/PSW.Papras.CK file upload (trojan.rules)
  2019381 - ET TROJAN Win32/Ursnif Connectivity Check (trojan.rules)
  2019478 - ET TROJAN Dridex POST Checkin (trojan.rules)
  2019498 - ET TROJAN W32/24x7Help.ScareWare CnC Beacon (trojan.rules)
  2019500 - ET TROJAN Vawtrak/NeverQuest Posting Data (trojan.rules)
  2030135 - ET POLICY MAZE Ransomware Victim Publishing Site DNS Lookup (mazenews .top) (policy.rules)
  2030136 - ET POLICY MAZE Ransomware Victim Publishing Site DNS Lookup (newsmaze .top) (policy.rules)
  2808896 - ETPRO EXPLOIT All In One WP Security WordPress Plugin Possible SQL Injection Attempt (exploit.rules)
  2808903 - ETPRO EXPLOIT Nucom ADSL ADSLR5000UN ISP Credential Disclosure Attempt (exploit.rules)
  2808904 - ETPRO EXPLOIT ZyXEL Prestig P-660HNU-T1v2 Credential Disclosure Attempt (exploit.rules)
  2808905 - ETPRO TROJAN Win32/Xorer.O Checkin (trojan.rules)
  2808909 - ETPRO TROJAN W32/Virtumonde.OQ HTTP Client Headers (trojan.rules)
  2808926 - ETPRO TROJAN Trojan.Win32.LaSta Checkin (trojan.rules)
  2808928 - ETPRO TROJAN Win32/Yektel.B Checkin (trojan.rules)
  2808929 - ETPRO TROJAN Win32.VirusDoctor Checkin (trojan.rules)
  2808936 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Gomal.a Checkin 2 (mobile_malware.rules)
  2808942 - ETPRO TROJAN Win32/Clisbot.A Checkin (trojan.rules)
  2808943 - ETPRO TROJAN Win32.Juched Checkin (trojan.rules)
  2808949 - ETPRO EXPLOIT Easy MailChimp Forms Plugin XSS Attempt (exploit.rules)
  2808960 - ETPRO MOBILE_MALWARE Android.Monitor.Pdaspy.A Checkin (mobile_malware.rules)
  2809009 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Cova.a Checkin (mobile_malware.rules)
  2809017 - ETPRO TROJAN Win32.Pasta Variant Checkin (trojan.rules)
  2809019 - ETPRO POLICY IP Tracker online service (policy.rules)
  2809032 - ETPRO MOBILE_MALWARE Android/LoveTrap.A Checkin 3 (mobile_malware.rules)
  2809039 - ETPRO WEB_SPECIFIC_APPS Rejetto HttpFileServer RCE Check (web_specific_apps.rules)
  2809040 - ETPRO TROJAN Win32/Vasdek Checkin (trojan.rules)
  2809048 - ETPRO MOBILE_MALWARE Android/OpFakeCL.A Checkin (mobile_malware.rules)
  2809049 - ETPRO MOBILE_MALWARE Android.Trojan.FakeBank.G Checkin (mobile_malware.rules)
  2809055 - ETPRO MOBILE_MALWARE Checkin to Rogue App Host (mobile_malware.rules)
  2809064 - ETPRO MOBILE_MALWARE DroidKungFu Checkin 6 (mobile_malware.rules)
  2832193 - ETPRO TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern (trojan.rules)
  2838432 - ETPRO TROJAN Absent/Himera Loader CnC Checkin (trojan.rules)
  2841407 - ETPRO TROJAN Win32/Vidar/Arkei/Oski Variant Retrieving Payload (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2808805 - ETPRO TROJAN Win32/Cendelf.gen!A checkin (trojan.rules)
