[***] Summary: [***]
3 Open, 26 Pro (3 + 23). Zerocrat, Babulya, USBFERRY, Various Phishing, Suri5 Updates.
Please be aware that after the deprecation of our Suricata 2/3 support (April 15th 2020), the path for downloading the last pushed production Suricata 2/3 rulesets has changed. Deprecated rulesets are available at https://rules.emergingthreatspro.com/OINK/old for ETPro and https://rules.emergingthreatspro.com/open/old/ for ETOpen. All requests for the Suricata 2/3 rulesets at their previous locations will now lead to the Suricata 4.0 production rules for ETPro and to the rule download instructions for ETOpen.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030168 - ET TROJAN GandCrab Style External IP Check (Spoofed Yahoo Host) (trojan.rules)
2030169 - ET TROJAN Suspected USBFERRY CnC (trojan.rules)
2030170 - ET USER_AGENTS Suspicious User-Agent (MSIE) (user_agents.rules)
Pro:
2842587 - ETPRO TROJAN MalDoc Retrieving Payload 2020-05-14 (trojan.rules)
2842588 - ETPRO INFO Windows BITS UA Retrieving EXE M2 (info.rules)
2842589 - ETPRO TROJAN Observed Win32/Babulya User-Agent (trojan.rules)
2842590 - ETPRO INFO Request for Office Doc DL to DuckDNS DynDNS Domain (info.rules)
2842591 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-15 1) (trojan.rules)
2842592 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-15 2) (trojan.rules)
2842593 - ETPRO TROJAN SSL/TLS Certificate Observed (Griffon) (trojan.rules)
2842594 - ETPRO TROJAN SSL/TLS Certificate Observed (Unk/VBS Loader) (trojan.rules)
2842595 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-05-15 (current_events.rules)
2842596 - ETPRO CURRENT_EVENTS Successful Deutsche Bank Phish 2020-05-15 (current_events.rules)
2842597 - ETPRO CURRENT_EVENTS Successful UBI Banca Phish 2020-05-15 (current_events.rules)
2842598 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2020-05-15 (current_events.rules)
2842599 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2020-05-15 (current_events.rules)
2842600 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-05-15 (current_events.rules)
2842601 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-05-15 (current_events.rules)
2842602 - ETPRO CURRENT_EVENTS Successful Mimecast Phish 2020-05-15 (current_events.rules)
2842603 - ETPRO CURRENT_EVENTS Successful Banco de Chile Phish 2020-05-15 (current_events.rules)
2842604 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-05-15 (current_events.rules)
2842605 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-05-15 (current_events.rules)
2842606 - ETPRO CURRENT_EVENTS Successful OTP Group Bank Phish 2020-05-15 (current_events.rules)
2842607 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-05-15 (current_events.rules)
2842608 - ETPRO USER_AGENTS Suspicious User-Agent (OldAssBrowser) (user_agents.rules)
2842609 - ETPRO TROJAN ZEROCRAT Client Info Post (trojan.rules)
[///] Modified active rules: [///]
2014997 - ET POLICY Pandora Usage (policy.rules)
2017633 - ET TROJAN Athena DDoS Bot Checkin (trojan.rules)
2019693 - ET TROJAN Emotet Checkin (trojan.rules)
2019898 - ET POLICY I2P Retrieving reseed info (policy.rules)
2020338 - ET WEB_SERVER WPScan User Agent (web_server.rules)
2020343 - ET MOBILE_MALWARE Android Syria-Twitter Checkin (mobile_malware.rules)
2020344 - ET TROJAN ArcDoor User-Agent (ALIZER) (trojan.rules)
2020353 - ET MOBILE_MALWARE Android/SMSThief.F Banker CnC Beacon (mobile_malware.rules)
2020363 - ET MOBILE_MALWARE Operation Pawn Storm IOS_XAGENT Checkin (mobile_malware.rules)
2020364 - ET MOBILE_MALWARE IOS_XAGENT UA (mobile_malware.rules)
2020373 - ET TROJAN Possible DEEP PANDA C2 Activity (trojan.rules)
2020396 - ET TROJAN Win32/Rovnix.J Checkin 2 (trojan.rules)
2020431 - ET TROJAN Arid Viper APT Advtravel Campaign GET Request (trojan.rules)
2020433 - ET TROJAN Likely Arid Viper APT Advtravel Campaign POST (trojan.rules)
2020471 - ET TROJAN Babar POST Request (trojan.rules)
2020474 - ET TROJAN Possible Babar POST Request (trojan.rules)
2020476 - ET CURRENT_EVENTS KaiXin EK Jar URI Struct (current_events.rules)
2020489 - ET TROJAN SuperFish CnC Beacon 1 (trojan.rules)
2020500 - ET CURRENT_EVENTS DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK) (current_events.rules)
2020556 - ET WEB_SERVER ATTACKER WebShell - Weevely - POSTed (web_server.rules)
2020557 - ET WEB_SERVER ATTACKER WebShell - Weevely - Cookie (web_server.rules)
2020572 - ET WEB_SERVER WebShell - ASPyder - File Create - POST Structure (web_server.rules)
2020578 - ET POLICY Privdog Activation (policy.rules)
2020579 - ET POLICY Privdog Checkin (policy.rules)
2020602 - ET TROJAN LogPOS Sending Data (trojan.rules)
2020622 - ET CURRENT_EVENTS rechnung zip file download (current_events.rules)
2809650 - ETPRO WEB_SERVER SQLMap Scan Tool User Agent (web_server.rules)
2809662 - ETPRO TROJAN Win32/Tnega.CeVIOZB Checkin (trojan.rules)
2809673 - ETPRO TROJAN Win32.Banload.bUZH Checkin (trojan.rules)
2809674 - ETPRO TROJAN Win32/Spy.Banker.aahf Checkin (trojan.rules)
2809675 - ETPRO TROJAN Trojan.Win32.Scar Checkin (trojan.rules)
2809676 - ETPRO TROJAN Win32/Gastig.A Sending Passwords via HTTP POST (trojan.rules)
2809690 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Pmixi.a Checkin (mobile_malware.rules)
2809709 - ETPRO TROJAN Win32/Paskod.M HTTP Checkin (trojan.rules)
2809712 - ETPRO WEB_SPECIFIC_APPS WP Theme Platform/Pagelines RCE Attempt (web_specific_apps.rules)
2809714 - ETPRO WEB_SPECIFIC_APPS WP Pixabay Images RFI/RCE Attempt (web_specific_apps.rules)
2809748 - ETPRO WEB_CLIENT Possible IE XSS filter bypass (CVE-2015-0070) (web_client.rules)
2809749 - ETPRO POLICY WebDAV request for SysVol Outbound (policy.rules)
2809751 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SmsPay.k Checkin (mobile_malware.rules)
2809754 - ETPRO TROJAN Win32/Murlo.E Checkin (trojan.rules)
2809777 - ETPRO WEB_SERVER MetaSploit PHP Shell Code Inbound (web_server.rules)
2809780 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.ke Checkin (mobile_malware.rules)
2809806 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.a Checkin 12 (mobile_malware.rules)
2809828 - ETPRO MOBILE_MALWARE Android/UUPAY.F Checkin (mobile_malware.rules)
2809831 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.R Checkin (mobile_malware.rules)
2809837 - ETPRO MOBILE_MALWARE Android/Glooken.A Checkin (mobile_malware.rules)
2809845 - ETPRO TROJAN Win32/Neshta.A Checkin 5 (trojan.rules)
2809853 - ETPRO TROJAN Win32/Spy.Banker.PTM Checkin (trojan.rules)
2809860 - ETPRO WEB_SPECIFIC_APPS Unsafe PHP Method in HTTP POST (web_specific_apps.rules)
2809876 - ETPRO TROJAN Win32/Agent.WPN CnC Beacon User-Agent (trojan.rules)
2809877 - ETPRO TROJAN Win32/Agent.WPN CnC Beacon (trojan.rules)
2809878 - ETPRO TROJAN Win32/Necurs Checkin 2 (trojan.rules)
2809890 - ETPRO TROJAN Win32/Spy.VB.NPR Checkin via HTTP (trojan.rules)
2809926 - ETPRO TROJAN Win32/TrojanProxy.Agent.AU Checkin (trojan.rules)
2809980 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.eg Checkin (mobile_malware.rules)
2809983 - ETPRO TROJAN Win32.Vobfus HTTP Request (trojan.rules)
2842586 - ETPRO TROJAN Observed Unknown Doc Dropper Retrieval Domain in TLS SNI (trojan.rules)