[***] Summary: [***]
12 new OPEN, 24 new PRO (12 + 12). NORTHSTAR C2 Framework, BigLock Ransomware, Various CoinMiner and Phish.
Thanks: Hasan.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030182 - ET TROJAN BigLock Ransomware CnC Activity (info) (trojan.rules)
2030183 - ET TROJAN BigLock Ransomware CnC Activity (gen) (trojan.rules)
2030184 - ET TROJAN BigLock Ransomware CnC Activity (id) (trojan.rules)
2030185 - ET TROJAN BigLock Ransomware CnC Activity (ext) (trojan.rules)
2030186 - ET TROJAN BigLock Ransomware CnC Activity (name) (trojan.rules)
2030187 - ET POLICY External IP Lookup (www. netikus .net) (policy.rules)
2030188 - ET TROJAN NORTHSTAR Client CnC Checkin (trojan.rules)
2030189 - ET TROJAN NORTHSTAR Client Data POST (trojan.rules)
2030190 - ET TROJAN NORTHSTAR Interactive Client CnC (trojan.rules)
2030191 - ET TROJAN NORTHSTAR Command Sent to Client (trojan.rules)
2030192 - ET TROJAN NORTHSTAR Command Response (trojan.rules)
2030193 - ET WEB_SPECIFIC_APPS Attempted Symantec Secure Web Gateway RCE (web_specific_apps.rules)
Pro:
2842636 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-19 1) (trojan.rules)
2842637 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-19 2) (trojan.rules)
2842638 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-19 3) (trojan.rules)
2842639 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-19 4) (trojan.rules)
2842640 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-19 5) (trojan.rules)
2842641 - ETPRO TROJAN Win32/Neshta.A CnC Host Checkin (trojan.rules)
2842642 - ETPRO CURRENT_EVENTS Successful Fidelity Phish 2020-05-19 (current_events.rules)
2842643 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2020-05-19 (current_events.rules)
2842644 - ETPRO CURRENT_EVENTS Successful Deutsche Bank Phish 2020-05-19 (current_events.rules)
2842645 - ETPRO CURRENT_EVENTS Successful Ebay Phish 2020-05-19 (current_events.rules)
2842648 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842649 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
[///] Modified active rules: [///]
2010920 - ET WEB_SERVER Exploit Suspected PHP Injection Attack (cmd=) (web_server.rules)
2011996 - ET TROJAN Darkness DDoS Bot Checkin (trojan.rules)
2018341 - ET TROJAN Kazy Checkin (trojan.rules)
2019457 - ET TROJAN Vawtrak/NeverQuest Posting Data (trojan.rules)
2020078 - ET TROJAN RocketKitten APT Checkin (trojan.rules)
2020683 - ET TROJAN Gamarue/Andromeda Downloading Payload (trojan.rules)
2020708 - ET TROJAN Win32/Agent.WMN CnC Beacon (trojan.rules)
2020718 - ET TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon M2 (trojan.rules)
2020720 - ET CURRENT_EVENTS RIG Payload URI Struct March 20 2015 (current_events.rules)
2020724 - ET TROJAN KeyLogger related to FindPOS CnC Beacon (trojan.rules)
2020729 - ET MOBILE_MALWARE Android.Trojan.SMSSend.Y (mobile_malware.rules)
2020737 - ET TROJAN Win32/TrojanProxy.JpiProx.B CnC Beacon 1 (trojan.rules)
2020750 - ET TROJAN Win32.Chroject.B ClickFraud Request (trojan.rules)
2020751 - ET EXPLOIT Metasploit Plugin-Detect Posting Data 4 (exploit.rules)
2020752 - ET EXPLOIT Metasploit Plugin-Detect Posting Data 5 (exploit.rules)
2020753 - ET EXPLOIT Metasploit Plugin-Detect Posting Data 6 (exploit.rules)
2020754 - ET EXPLOIT Metasploit Plugin-Detect Posting Data 7 (exploit.rules)
2809997 - ETPRO TROJAN Win32/TrojanDownloader.Agent.AWM Variant Checkin (trojan.rules)
2810005 - ETPRO TROJAN Malicious Obfuscator Clickfraud Activity (trojan.rules)
2810068 - ETPRO TROJAN Win32/HideProcess Retrieving config for likely click fraud (trojan.rules)
2810085 - ETPRO MOBILE_MALWARE Android/SMSreg.RA Checkin (mobile_malware.rules)
2810090 - ETPRO TROJAN Win32.VeeBee Checkin (trojan.rules)
2810095 - ETPRO TROJAN Win32.Skillis Checkin (trojan.rules)
2810098 - ETPRO TROJAN Darkshell CnC Beacon (trojan.rules)
2810102 - ETPRO TROJAN Win32.CryptDoma.vc Variant Checkin via HTTP (trojan.rules)
2810105 - ETPRO TROJAN Likely Geodo/Emotet Downloading PE - /mss[0-9]+.exe (trojan.rules)
2810106 - ETPRO TROJAN Likely Geodo/Emotet Downloading PE - Fake UA (trojan.rules)
2810153 - ETPRO MOBILE_MALWARE Android/AdDisplay.Wooboo.C Checkin (mobile_malware.rules)
2810175 - ETPRO MOBILE_MALWARE Riskware Android/Secapk.F Checkin (mobile_malware.rules)
2810191 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.em Checkin (mobile_malware.rules)
2810266 - ETPRO WEB_SPECIFIC_APPS WP Marketplace 2.4.0 Add Admin RCE Attempt (web_specific_apps.rules)
2810293 - ETPRO TROJAN Win32/Spy.Ranbyus.J CnC Beacon (trojan.rules)
2842247 - ETPRO TROJAN MSIL/Spy.Agent.QN Variant CnC Account Exfil (trojan.rules)
2842634 - ETPRO TROJAN MalDoc Retrieving Payload 2020-05-18 (trojan.rules)
[---] Disabled and modified rules: [---]
2020690 - ET TROJAN Vicepass CnC Beacon (trojan.rules)