Daily Ruleset Update Summary
Daily Ruleset Update Summary 2020/05/13

[***]            Summary:            [***]

3 Open, 31 Pro (3 + 28). BACKCONFIG, Valyri, Various Phishing, Suri5 Updates.

Please be aware that after the deprecation of our Suricata 2/3 support (April 15th 2020), the path for downloading the last pushed production Suricata 2/3 rulesets have changed.  Deprecated rulesets are available at https://rules.emergingthreatspro.com/OINK/old for ETPro and https://rules.emergingthreatspro.com/open/old/ for ETOpen.  All requests for the Suricata 2/3 at their previous locations will now lead to the Suricata 4.0 production rules for ETPro and the rule download instructions for ETOpen.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030163 - ET TROJAN AutoHotkey Downloader Checkin via IPLogger
(trojan.rules)
  2030164 - ET MALWARE Crackswin Downloader Activity (malware.rules)
  2030165 - ET TROJAN BACKCONFIG CnC Downloader Activity (trojan.rules)

Pro:

  2842534 - ETPRO MOBILE_MALWARE Adware.AirPush.Android.227 Reporting
Geolocation (mobile_malware.rules)
  2842535 - ETPRO MOBILE_MALWARE Android/Plankton.I Checkin
(mobile_malware.rules)
  2842536 - ETPRO TROJAN 404 Keylogger Style External IP Check
(trojan.rules)
  2842537 - ETPRO TROJAN Win32/Malex.gen!F Reporting System Info
(trojan.rules)
  2842538 - ETPRO MALWARE Win32/Unk.BoxSensor Checkin (malware.rules)
  2842539 - ETPRO INFO Suspicious Directory in URI String (wpcontent)
(info.rules)
  2842540 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound)
(trojan.rules)
  2842541 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2842542 - ETPRO TROJAN APT Sidewinder SystemApp CnC Host Checkin
(trojan.rules)
  2842543 - ETPRO TROJAN APT Sidewinder SystemApp CnC Document Exfiltration
(trojan.rules)
  2842544 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-13 1) (trojan.rules)
  2842545 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-13 2) (trojan.rules)
  2842546 - ETPRO TROJAN Samohacks CnC Host Checkin (trojan.rules)
  2842547 - ETPRO TROJAN Samohacks CnC Activity (trojan.rules)
  2842548 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-13 (current_events.rules)
  2842549 - ETPRO CURRENT_EVENTS Successful Paxful Phish 2020-05-13
(current_events.rules)
  2842550 - ETPRO CURRENT_EVENTS Successful Adobe Shared Document Phish
2020-05-13 (current_events.rules)
  2842551 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish
2020-05-13 (current_events.rules)
  2842552 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish
2020-05-13 (current_events.rules)
  2842553 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish
2020-05-13 (current_events.rules)
  2842554 - ETPRO CURRENT_EVENTS Successful Halifax Phish 2020-05-13
(current_events.rules)
  2842555 - ETPRO TROJAN VB.Trojan.Valyri CnC Activity M1 (trojan.rules)
  2842556 - ETPRO TROJAN VB.Trojan.Valyri CnC Activity M2 (trojan.rules)
  2842557 - ETPRO TROJAN Win32/TrojanDownloader.Banload.ZIK Variant CnC
Activity (trojan.rules)
  2842558 - ETPRO TROJAN MSIL/Unk.Backdoor get_cmd Request (trojan.rules)
  2842559 - ETPRO TROJAN Win32/Remcos RAT Checkin 424 (trojan.rules)
  2842560 - ETPRO TROJAN Win32/Agent.TRU Variant Client Data Exfil M1
(trojan.rules)
  2842561 - ETPRO TROJAN Win32/Agent.TRU Variant Client Data Exfil M2
(trojan.rules)

[///]     Modified active rules:     [///]

  2008754 - ET TROJAN Possible Rar'd Malware sent when remote host claims
to send an Image (trojan.rules)
  2013181 - ET TROJAN Ponmocup Redirection from infected Website to
Trojan-Downloader (trojan.rules)
  2013816 - ET WEB_SPECIFIC_APPS Joomla YJ Contact Local File Inclusion
Vulnerability (web_specific_apps.rules)
  2014728 - ET TROJAN Smoke Loader Checkin r=gate (trojan.rules)
  2016820 - ET TROJAN DEEP PANDA Checkin 2 (trojan.rules)
  2016821 - ET TROJAN DEEP PANDA Checkin 3 (trojan.rules)
  2018407 - ET CURRENT_EVENTS Fiesta URI Struct (current_events.rules)
  2018495 - ET WEB_SERVER Possible CVE-2014-3120 Elastic Search Remote Code
Execution Attempt (web_server.rules)
  2018964 - ET TROJAN Variant.Strictor Dropper (trojan.rules)
  2019501 - ET TROJAN Vawtrak/NeverQuest Posting Data (trojan.rules)
  2019502 - ET TROJAN Wonton-JH Checkin (trojan.rules)
  2019524 - ET WEB_SPECIFIC_APPS BASE base_stat_common.php remote file
include (web_specific_apps.rules)
  2019526 - ET WEB_SERVER WEB-PHP phpinfo access (web_server.rules)
  2019535 - ET TROJAN OLDBAIT Checkin sptr (trojan.rules)
  2019536 - ET TROJAN OLDBAIT Checkin 2 brvc (trojan.rules)
  2019537 - ET TROJAN Win32/Chopstick Checkin (APT28 Related) (trojan.rules)
  2019539 - ET TROJAN Win32/Coreshell Checkin (APT28 Related) (trojan.rules)
  2019554 - ET TROJAN Sofacy HTTP Request microsof-update.com (trojan.rules)
  2019612 - ET CURRENT_EVENTS Fiesta Flash Exploit URI Struct
(current_events.rules)
  2019624 - ET CURRENT_EVENTS Fiesta SilverLight 5.x Exploit URI Struct
(current_events.rules)
  2019630 - ET TROJAN AnubisNetworks Sinkhole HTTP Response -
195.22.26.192/26 (trojan.rules)
  2019653 - ET TROJAN Win32/Spy.Banker.ABCG Checkin (trojan.rules)
  2019654 - ET TROJAN Trojan.FakeMS Checkin (trojan.rules)
  2019660 - ET TROJAN OSX/WireLurker User-agent (globalupdate)
(trojan.rules)
  2019665 - ET TROJAN OSX/WireLurker checkin (trojan.rules)
  2019666 - ET TROJAN OSX/WireLurker HTTP Request for www.comeinbaby.com
(trojan.rules)
  2019683 - ET TROJAN Miuref/Boaxxe Checkin (trojan.rules)
  2019686 - ET EXPLOIT Belkin N750 Buffer Overflow Attempt (exploit.rules)
  2019713 - ET TROJAN Possible Asprox Pizza (trojan.rules)
  2019717 - ET TROJAN Alureon Checkin (trojan.rules)
  2019731 - ET TROJAN OSX/WireLurker HTTP Request for manhuaba.com.cn
(trojan.rules)
  2019747 - ET TROJAN ELF_BASHLITE.SMB Dropping Files (trojan.rules)
  2019754 - ET TROJAN Bamital Connectivity Check (trojan.rules)
  2019767 - ET TROJAN Rogue.Win32/FakePAV Checkin (trojan.rules)
  2019771 - ET TROJAN W32/AntiBreach Possible Activation Attempt
(trojan.rules)
  2019777 - ET TROJAN CoinVault POST M2 (trojan.rules)
  2019804 - ET WEB_SERVER PHP.//Input in HTTP POST (web_server.rules)
  2019805 - ET MOBILE_MALWARE Android.Stealthgenie Checkin
(mobile_malware.rules)
  2019821 - ET INFO WinHttpRequest (flowbits no alert) (info.rules)
  2100876 - GPL CHAT Google Talk Version Check (chat.rules)
  2101877 - GPL WEB_SERVER printenv access (web_server.rules)
  2805872 - ETPRO WEB_CLIENT RealPlayer RealMedia File Handling Buffer
Overflow (web_client.rules)
  2809071 - ETPRO TROJAN Win32.Sysn.anpg Checkin (trojan.rules)
  2809073 - ETPRO WEB_SPECIFIC_APPS HttpCombiner ASP.NET Remote File
Disclosure Request (web_specific_apps.rules)
  2809075 - ETPRO WEB_SPECIFIC_APPS vBulletin Verify Email SQL Injection
(web_specific_apps.rules)
  2809076 - ETPRO WEB_SPECIFIC_APPS vBulletin Verify Email SQL Injection
(web_specific_apps.rules)
  2809080 - ETPRO EXPLOIT DotNetNuke DNNspot Store 3.0.0 File Upload
(exploit.rules)
  2809082 - ETPRO EXPLOIT Mulesoft ESB Runtime 3.5.1 Privilege Escalation
(exploit.rules)
  2809087 - ETPRO TROJAN Trojan.Alnaddy Checkin (trojan.rules)
  2809092 - ETPRO DOS Possible XMLRPC DoS in Progress (dos.rules)
  2809093 - ETPRO MOBILE_MALWARE Android/TrojanSMS.FakeInst.FO Checkin
(mobile_malware.rules)
  2809096 - ETPRO TROJAN Win32/Derusbi.A Checkin (trojan.rules)
  2809097 - ETPRO POLICY Xunlei P2P Checkin (policy.rules)
  2809106 - ETPRO MOBILE_MALWARE Android.Trojan.Koler.C Checkin 2
(mobile_malware.rules)
  2809111 - ETPRO TROJAN Win32/CashBay Checkin (trojan.rules)
  2809112 - ETPRO USER_AGENTS Kaspersky AntiRootkit TDSSKiller User Agent
(user_agents.rules)
  2809114 - ETPRO MOBILE_MALWARE Android/Spy.Agent.DF Checkin
(mobile_malware.rules)
  2809117 - ETPRO TROJAN Win32.Scar.ibrb Checkin (trojan.rules)
  2809119 - ETPRO WEB_SPECIFIC_APPS Joomla RD Download SQL Injection
Attempt (web_specific_apps.rules)
  2809125 - ETPRO POLICY Meterpreter PHP Relay In Use (hop.php)
(policy.rules)
  2809126 - ETPRO TROJAN Win32.Yakes Variant Checkin (trojan.rules)
  2809130 - ETPRO TROJAN Win32/TrojanDownloader.Banload.UJU Checkin
(trojan.rules)
  2809139 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.cr Checkin
(mobile_malware.rules)
  2809166 - ETPRO TROJAN W32/Ransom.JD Checkin (trojan.rules)
  2809174 - ETPRO WEB_SPECIFIC_APPS Progress OpenEdge 11.2 Directory
Traversal (web_specific_apps.rules)
  2809183 - ETPRO MOBILE_MALWARE AndroidOS/SMSPay.BF Checkin
(mobile_malware.rules)
  2809202 - ETPRO TROJAN Saker Checkin (trojan.rules)
  2809203 - ETPRO TROJAN Rogue.Win32/FakePlus Checkin (trojan.rules)
  2809219 - ETPRO TROJAN Win32/Qhost.Banker.PB Checkin - SET (trojan.rules)
  2809226 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ak Checkin
(mobile_malware.rules)
  2809233 - ETPRO WEB_SPECIFIC_APPS CM Download Manager WP Plugin Code
Injection (web_specific_apps.rules)
  2809238 - ETPRO TROJAN Win32/Spy.Agent.OLF Retrieving CnC IP - SET
(trojan.rules)
  2809246 - ETPRO TROJAN Backdoor.Preft Checkin (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2019546 - ET TROJAN Sofacy HTTP Request adawareblock.com (trojan.rules)
  2019547 - ET TROJAN Sofacy HTTP Request adobeincorp.com (trojan.rules)
  2019548 - ET TROJAN Sofacy HTTP Request azureon-line.com (trojan.rules)
  2019549 - ET TROJAN Sofacy HTTP Request checkmalware.info (trojan.rules)
  2019550 - ET TROJAN Sofacy HTTP Request checkwinframe.com (trojan.rules)
  2019551 - ET TROJAN Sofacy HTTP Request check-fix.com (trojan.rules)
  2019552 - ET TROJAN Sofacy HTTP Request hotfix-update.com (trojan.rules)
  2019553 - ET TROJAN Sofacy HTTP Request microsofi.org (trojan.rules)
  2019555 - ET TROJAN Sofacy HTTP Request scanmalware.info (trojan.rules)
  2019556 - ET TROJAN Sofacy HTTP Request secnetcontrol.com (trojan.rules)
  2019557 - ET TROJAN Sofacy HTTP Request securitypractic.com (trojan.rules)
  2019558 - ET TROJAN Sofacy HTTP Request testservice24.net (trojan.rules)
  2019559 - ET TROJAN Sofacy HTTP Request testsnetcontrol.com (trojan.rules)
  2019560 - ET TROJAN Sofacy HTTP Request updatepc.org (trojan.rules)
  2019561 - ET TROJAN Sofacy HTTP Request updatesoftware24.com
(trojan.rules)
  2019562 - ET TROJAN Sofacy HTTP Request windows-updater.com (trojan.rules)
  2019563 - ET TROJAN Sofacy HTTP Request checkmalware.org (trojan.rules)
  2019583 - ET TROJAN Sofacy HTTP Request symanttec.org (trojan.rules)
  2019585 - ET TROJAN Sofacy HTTP Request msonlinelive.com (trojan.rules)
  2019641 - ET TROJAN Sofacy HTTP Request malwarecheck.info (trojan.rules)

[---]         Removed rules:         [---]

  2841015 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound)
(trojan.rules)
  2841016 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)

Date:
Summary title:
3 Open, 31 Pro (3 + 28). BACKCONFIG, Valyri, Various Phishing, Suri5 Updates.