[***] Summary: [***]
2 Open, 27 Pro (2 + 25). Lockbit Ransomware, Beko-S, Telegram Exfil, Various Phishing, Suri5 Updates.
Please be aware that after the deprecation of our Suricata 2/3 support (April 15th 2020), the path for downloading the last pushed production Suricata 2/3 rulesets has changed. Deprecated rulesets are available at https://rules.emergingthreatspro.com/OINK/old for ETPro and https://rules.emergingthreatspro.com/open/old/ for ETOpen. All requests for the Suricata 2/3 rulesets at their previous locations now lead to the Suricata 4.0 production rules for ETPro and to the rule download instructions for ETOpen.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030166 - ET POLICY HTTP Request to Lockbit Ransomware Payment Domain (policy.rules)
2030167 - ET EXPLOIT Possible Netlink XPON 1GE Remote Command Execution Attempt (exploit.rules)
Pro:
2842562 - ETPRO INFO EXE Request to DuckDNS DynDNS Domain (info.rules)
2842563 - ETPRO INFO EXE Request to NOIP DynDNS Domain (info.rules)
2842564 - ETPRO INFO DNS Request to Unusually Long DuckDNS DynDNS Domain (info.rules)
2842565 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-14 1) (trojan.rules)
2842566 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-14 2) (trojan.rules)
2842567 - ETPRO CURRENT_EVENTS Successful Apple Phish 2020-05-14 (current_events.rules)
2842568 - ETPRO CURRENT_EVENTS Successful Apple Phish 2020-05-14 (current_events.rules)
2842569 - ETPRO CURRENT_EVENTS Successful Singapore Airlines Phish 2020-05-14 (current_events.rules)
2842570 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2020-05-14 (current_events.rules)
2842571 - ETPRO CURRENT_EVENTS Successful TSB Phish 2020-05-14 (current_events.rules)
2842572 - ETPRO CURRENT_EVENTS Successful TSB Phish 2020-05-14 (current_events.rules)
2842573 - ETPRO CURRENT_EVENTS Successful Credit Agricole Phish 2020-05-14 (current_events.rules)
2842574 - ETPRO TROJAN Observed IXWARE Domain in TLS SNI (trojan.rules)
2842575 - ETPRO TROJAN Win32/PSW.Agent.OJT Variant Exfil Via Telegram (trojan.rules)
2842576 - ETPRO TROJAN Win32/PSW.Agent.OJT Variant Exfil via Telegram Response (trojan.rules)
2842577 - ETPRO TROJAN Beko-S Bot Checkin via Discord (trojan.rules)
2842578 - ETPRO TROJAN Win32/Remcos RAT Checkin 425 (trojan.rules)
2842579 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842580 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842581 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842582 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842583 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842584 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842585 - ETPRO TROJAN Unknown Doc Dropper Retrieval (trojan.rules)
2842586 - ETPRO TROJAN Observed unknown Doc Dropper Retrieval Domain in TLS SNI (trojan.rules)
[///] Modified active rules: [///]
2013937 - ET WEB_SERVER Weevely PHP backdoor detected (system() function used) (web_server.rules)
2013939 - ET WEB_SERVER Weevely PHP backdoor detected (shell_exec() function used) (web_server.rules)
2013940 - ET WEB_SERVER Weevely PHP backdoor detected (proc_open() function used) (web_server.rules)
2013941 - ET WEB_SERVER Weevely PHP backdoor detected (popen() function used) (web_server.rules)
2013944 - ET WEB_SERVER Weevely PHP backdoor detected (perl->system() function used) (web_server.rules)
2013945 - ET WEB_SERVER Weevely PHP backdoor detected (exec() function used) (web_server.rules)
2018277 - ET DOS Possible WordPress Pingback DDoS in Progress (Inbound) (dos.rules)
2019201 - ET TROJAN Backdoor.Win32/PcClient.AA Checkin (trojan.rules)
2019824 - ET TROJAN W32/Hyteod.Downloader CnC Beacon (trojan.rules)
2019825 - ET POLICY Cryptexplorer API Check - Potential CoinMiner Traffic (policy.rules)
2019826 - ET TROJAN W32/Coinminer.Backdoor CnC Beacon (trojan.rules)
2019827 - ET TROJAN W32/Wadolin.Downloader CnC Beacon (trojan.rules)
2019830 - ET TROJAN Dridex v2 POST Checkin (trojan.rules)
2019880 - ET WEB_SERVER Double Encoded Characters in URI (../) (web_server.rules)
2019899 - ET WEB_SERVER Insomnia Shell HTTP Request (web_server.rules)
2019903 - ET WEB_SPECIFIC_APPS Pandora FMS SQLi (web_specific_apps.rules)
2019947 - ET TROJAN W32/TRCrypt.ULPM Downloader CnC Beacon (trojan.rules)
2019951 - ET WEB_SERVER MorXploit Shell Command (web_server.rules)
2019959 - ET MOBILE_MALWARE CoolReaper CnC Beacon 2 (mobile_malware.rules)
2019960 - ET MOBILE_MALWARE CoolReaper User-Agent (mobile_malware.rules)
2019961 - ET TROJAN Win32/Spy.Banker.AAXV Retrieving key from Pinterest (trojan.rules)
2019963 - ET SCAN Acunetix Accept HTTP Header detected scan in progress (scan.rules)
2019985 - ET TROJAN Tendrit CnC Beacon 1 (trojan.rules)
2019986 - ET TROJAN Tendrit CnC Beacon 2 (trojan.rules)
2020090 - ET TROJAN Trojan.Generic.5325921 Checkin (trojan.rules)
2020092 - ET WEB_SPECIFIC_APPS ManageEngine Desktop Central Administrator Account Creation (web_specific_apps.rules)
2020097 - ET WEB_SERVER ATTACKER WebShell - 1337w0rm - cPanel Cracker (web_server.rules)
2020101 - ET EXPLOIT Possible Misfortune Cookie RomPager Server banner (exploit.rules)
2020102 - ET WEB_SERVER PHP System Command in HTTP POST (web_server.rules)
2020105 - ET POLICY Possible IP Check ip-addr.es (policy.rules)
2020106 - ET POLICY Possible IP Check curlmyip.com (policy.rules)
2020156 - ET TROJAN Win32/Emotet.C Checkin (trojan.rules)
2020157 - ET TROJAN Win32/Emotet.C Variant Checkin (trojan.rules)
2020172 - ET TROJAN Known Sinkhole Response Header CERT.PL (trojan.rules)
2020198 - ET TROJAN Filename svchost.exe Download - Common Hostile Filename (trojan.rules)
2020199 - ET TROJAN Filename explorer.exe Download - Common Hostile Filename (trojan.rules)
2020200 - ET TROJAN Filename hkcmd.exe Download - Common Hostile Filename (trojan.rules)
2020201 - ET TROJAN Filename server.exe Download - Common Hostile Filename (trojan.rules)
2020202 - ET POLICY Terse Named Filename EXE Download - Possibly Hostile (policy.rules)
2020233 - ET TROJAN CryptoWall CryptoWall 3.0 Check-in (trojan.rules)
2020237 - ET TROJAN Inception APT malware (trojan.rules)
2020241 - ET TROJAN Backdoor.TurlaCarbon.A C2 HTTP Request (trojan.rules)
2020294 - ET TROJAN W32/Upatre.Downloader Encoded Binary Download Request (trojan.rules)
2020298 - ET TROJAN Win32/Scieron-A UA (HTClient) (trojan.rules)
2020299 - ET TROJAN Win32/Scieron-A Checkin via HTTP POST (trojan.rules)
2025087 - ET TROJAN Vawtrak/NeverQuest Posting Data (trojan.rules)
2025088 - ET TROJAN Vawtrak/NeverQuest Posting Data (trojan.rules)
2030163 - ET TROJAN AutoHotkey Downloader Checkin via IPLogger (trojan.rules)
2803989 - ETPRO TROJAN Win32/Zegost.L Checkin (trojan.rules)
2806027 - ETPRO TROJAN Win32/Aybo.A Checkin (trojan.rules)
2807733 - ETPRO MOBILE_MALWARE Android/TrojanSMS.FakeInst.CG Checkin (mobile_malware.rules)
2807972 - ETPRO MALWARE Win32/FlyStudio Activity (malware.rules)
2807995 - ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.BS Checkin (mobile_malware.rules)
2808927 - ETPRO TROJAN Trojan/Banker.Agent.bof Checkin 2 (trojan.rules)
2808937 - ETPRO EXPLOIT revslider_show_image Plugin Local File Inclusion Exploit Attempt (exploit.rules)
2809241 - ETPRO TROJAN Carbanak APT Checkin (trojan.rules)
2809248 - ETPRO WEB_SPECIFIC_APPS SP Client Document Manager WP Plugin SQLi (web_specific_apps.rules)
2809252 - ETPRO TROJAN W32/Tepfer.InfoStealer Dropping Files (trojan.rules)
2809253 - ETPRO WEB_SPECIFIC_APPS Centreon 2.5.3 and Below RCE (web_specific_apps.rules)
2809259 - ETPRO WEB_SPECIFIC_APPS wpDataTables 1.5.3 Plugin SQLi (web_specific_apps.rules)
2809260 - ETPRO WEB_SPECIFIC_APPS wpDataTables 1.5.3 Possible Shell Upload (web_specific_apps.rules)
2809264 - ETPRO TROJAN Win32/Kryptik.CPYA Checkin (trojan.rules)
2809274 - ETPRO TROJAN Win32/Belot Checkin (trojan.rules)
2809282 - ETPRO TROJAN Wauchos.AO/Andromeda Checkin 2 (trojan.rules)
2809288 - ETPRO TROJAN Win32/Rethed.B Checkin (trojan.rules)
2809325 - ETPRO TROJAN Win32/Bagle.L Checkin (trojan.rules)
2809333 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.a Checkin 9 (mobile_malware.rules)
2809335 - ETPRO TROJAN Oberon Logger Checkin (trojan.rules)
2809337 - ETPRO TROJAN Win32/TrojanDownloader.Autoit.NTF Checkin (trojan.rules)
2809353 - ETPRO WEB_SPECIFIC_APPS Download Manager WP Plugin RCE Attempt (web_specific_apps.rules)
2809354 - ETPRO TROJAN SoakSoak Malware Checkin (trojan.rules)
2809356 - ETPRO TROJAN Win32/Locker.Nikifer Checkin (trojan.rules)
2809360 - ETPRO TROJAN Win32.Staser.aqkw Checkin (trojan.rules)
2809365 - ETPRO WEB_SPECIFIC_APPS E-Journal SQLi Attempt (web_specific_apps.rules)
2809366 - ETPRO WEB_SPECIFIC_APPS ProjectSend Shell Upload Exploit Attempt (web_specific_apps.rules)
2809369 - ETPRO TROJAN Dyre HTTP Request Headers (trojan.rules)
2809370 - ETPRO TROJAN Dyre Credentials POST (trojan.rules)
2809381 - ETPRO WEB_SPECIFIC_APPS Codiad LFI Attempt (web_specific_apps.rules)
2809431 - ETPRO EXPLOIT WP DB Backup Plugin Database Backup Download Exploit Attempt (exploit.rules)
2809432 - ETPRO EXPLOIT tnftp_savefile CVE-2014-8517 Exploit Attempt Request (exploit.rules)
2809433 - ETPRO EXPLOIT tnftp_savefile CVE-2014-8517 Exploit Attempt Response (exploit.rules)
2809435 - ETPRO TROJAN Worm.MSIL.Mafusc.A Checkin (trojan.rules)
2809439 - ETPRO TROJAN KrakenRAT CnC Beacon 1 (trojan.rules)
2809440 - ETPRO TROJAN KrakenRAT CnC Beacon 2 (trojan.rules)
2809443 - ETPRO USER_AGENTS NateOn User Agent Likely Hostile (user_agents.rules)
2809445 - ETPRO TROJAN Win32/Cuepilini.A Checkin (trojan.rules)
2809449 - ETPRO TROJAN Win32/Induc.A Checkin 2 (trojan.rules)
2809451 - ETPRO MOBILE_MALWARE Android/AdDisplay.AirPush.M Checkin (mobile_malware.rules)
2809453 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Abmnger.a Checkin (mobile_malware.rules)
2809458 - ETPRO TROJAN Backdoor.Locobad.B Checkin (trojan.rules)
2809518 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.az Checkin 2 (mobile_malware.rules)
2809528 - ETPRO TROJAN Win32/Lightbulb.A Checkin (trojan.rules)
2809551 - ETPRO TROJAN WIN.TROJAN.TWERKET Checkin (trojan.rules)
2809552 - ETPRO MOBILE_MALWARE Android Backdoor PoisonCake Checkin (mobile_malware.rules)
2809565 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.AO Checkin 4 (mobile_malware.rules)
2809574 - ETPRO TROJAN Mal/Banker-EV CnC Beacon (trojan.rules)
2809586 - ETPRO TROJAN Win32/Neshta.A Checkin 4 (trojan.rules)
2809605 - ETPRO P2P uTorrent Hydra Client (p2p.rules)
2809626 - ETPRO TROJAN SiR-DoOoM worm User-Agent (trojan.rules)
2809627 - ETPRO TROJAN KJw0rm User-Agent (trojan.rules)
2809628 - ETPRO TROJAN SiR-DoOoM worm CnC Beacon (trojan.rules)
2809629 - ETPRO TROJAN KJw0rm CnC Beacon (trojan.rules)