[***] Summary: [***]
11 new OPEN, 34 new PRO (11 + 23). Generic PHP Uploader/Webshell Access, Konni, Various MalDoc Downloads, Vidar/Arkei/Oski Variant Stealer, Remcos, Ursnif, Various CoinMiner and Phish.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030212 - ET WEB_CLIENT Generic PHP Uploader Accessed on External Server (web_client.rules)
2030213 - ET WEB_SERVER Generic PHP Uploader Accessed on Internal Server (web_server.rules)
2030214 - ET CURRENT_EVENTS Lucy Security Phishing Landing Page (current_events.rules)
2030215 - ET POLICY DNS Query to .onion proxy Domain (onion . ly) (policy.rules)
2030216 - ET POLICY .onion.ly Proxy domain in SNI (policy.rules)
2030217 - ET WEB_SERVER Generic Webshell Accessed on Internal Server (web_server.rules)
2030218 - ET WEB_CLIENT Generic Webshell Accessed on External Server (web_client.rules)
2030219 - ET TROJAN Konni Stage 2 Payload Exfiltrating Data (trojan.rules)
2030220 - ET TROJAN Possible Konni Encrypted Stage 2 Payload Inbound via HTTP (trojan.rules)
2030221 - ET EXPLOIT Possible DNS BIND TSIG Denial of Service Attempt (CVE-2020-8617) (exploit.rules)
2030222 - ET MALWARE Win32/Adware.Qjwmonkey.H Variant CnC Activity (malware.rules)
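The two .onion.ly policy rules above (2030215 for the DNS query, 2030216 for the TLS SNI) flag use of a Tor2web-style proxy domain. As an added example, not part of this announcement or of the Emerging Threats rule content, the following Python mirrors that intent on the log side: it scans Suricata eve.json-style records and reports any DNS query name or SNI that is onion.ly or a subdomain of it. The sample records are constructed here; the field names (event_type, dns.rrname, tls.sni) follow eve.json, and the IPs and hostnames are invented. The suffix check is deliberately strict so that look-alikes such as notonion.ly or onion.ly.example.net do not match, while case differences and a trailing dot on the query name do.

```python
"""Added example (not ET's code): suffix match for the onion.ly proxy domain
over constructed Suricata eve.json-style DNS and TLS records."""
import json

# Domain the two policy rules are about; labels beneath it also count.
PROXY_SUFFIX = "onion.ly"


def is_proxy_domain(name: str) -> bool:
    """True if name is onion.ly itself or any label beneath it.

    Lower-cases and strips a trailing dot first so that DNS-style
    absolute names and mixed-case SNI values still match, while
    look-alikes (notonion.ly, onion.ly.example.net) do not.
    """
    n = name.rstrip(".").lower()
    return n == PROXY_SUFFIX or n.endswith("." + PROXY_SUFFIX)


def inspect_event(event: dict):
    """Return (kind, src_ip, name) for a matching DNS or TLS record, else None.

    Only DNS query names and TLS SNI are considered, matching the scope
    of the two rules; other event types are ignored.
    """
    src = event.get("src_ip", "")
    etype = event.get("event_type")
    if etype == "dns":
        name = event.get("dns", {}).get("rrname", "")
        if is_proxy_domain(name):
            return ("dns", src, name)
    elif etype == "tls":
        sni = event.get("tls", {}).get("sni", "")
        if is_proxy_domain(sni):
            return ("sni", src, sni)
    return None


def scan(lines):
    """Parse one JSON record per line and collect the matching ones.

    Blank and non-JSON lines are skipped rather than aborting the scan.
    """
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = inspect_event(event)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample records (not real traffic); hostnames and IPs are invented.
SAMPLE_EVE = """
{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"abcdefghijklmnopqrst.onion.ly","rrtype":"A"}}
{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"www.example.com","rrtype":"A"}}
{"event_type":"dns","src_ip":"10.0.0.7","dns":{"type":"query","rrname":"notonion.ly","rrtype":"A"}}
{"event_type":"dns","src_ip":"10.0.0.7","dns":{"type":"query","rrname":"foo.onion.ly.","rrtype":"AAAA"}}
{"event_type":"tls","src_ip":"10.0.0.5","dest_port":443,"tls":{"sni":"ABCDEFGHIJKLMNOPQRST.ONION.LY","version":"TLS 1.2"}}
{"event_type":"tls","src_ip":"10.0.0.9","dest_port":443,"tls":{"sni":"onion.ly.example.net","version":"TLS 1.2"}}
{"event_type":"http","src_ip":"10.0.0.9","http":{"hostname":"x.onion.ly"}}
this line is not json
"""


if __name__ == "__main__":
    for kind, src, name in scan(SAMPLE_EVE.splitlines()):
        print(f"{kind:3} {src:10} {name}")
```

The HTTP record with an onion.ly Host header is intentionally not reported: the two rules in this update cover the DNS query and the SNI, and a log-side check that silently widened scope would not correspond to what the rules alert on.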
Pro:
2842706 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL 2020-05-26) (trojan.rules)
2842707 - ETPRO TROJAN MalDoc Retrieving Payload 2020-05-26 (trojan.rules)
2842708 - ETPRO TROJAN Vidar/Arkei/Oski Variant Stealer POSTing Data to CnC (trojan.rules)
2842709 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-23 1) (trojan.rules)
2842710 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-23 2) (trojan.rules)
2842712 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish 2020-05-26 (current_events.rules)
2842713 - ETPRO CURRENT_EVENTS Successful Xfinity/Comcast Phish 2020-05-26 (current_events.rules)
2842714 - ETPRO CURRENT_EVENTS Successful Generic Mail Settings Phish 2020-05-26 (current_events.rules)
2842715 - ETPRO CURRENT_EVENTS Successful DHL Phish 2020-05-26 (current_events.rules)
2842716 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-05-26 (current_events.rules)
2842717 - ETPRO CURRENT_EVENTS Successful Sparkasse Phish 2020-05-26 (current_events.rules)
2842718 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-05-26 (current_events.rules)
2842719 - ETPRO TROJAN Win32/Remcos RAT Checkin 435 (trojan.rules)
2842720 - ETPRO TROJAN Win32/Remcos RAT Checkin 436 (trojan.rules)
2842721 - ETPRO TROJAN Win32/Remcos RAT Checkin 437 (trojan.rules)
2842722 - ETPRO TROJAN Win32/Remcos RAT Checkin 438 (trojan.rules)
2842723 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2842725 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2842726 - ETPRO TROJAN Observed Malicious SSL Cert (AZORult CnC) (trojan.rules)
2842727 - ETPRO USER_AGENTS Suspicious User-Agent (MyApp) (user_agents.rules)
2842728 - ETPRO TROJAN Win32/Unk.Stealer.BR Variant Checkin (trojan.rules)
2842729 - ETPRO CURRENT_EVENTS Malicious Redirector Cookie Set 2020-05-26 (current_events.rules)
2842730 - ETPRO TROJAN MalDoc Retrieving Payload 2020-05-26 (trojan.rules)
[///] Modified active rules: [///]
2831993 - ETPRO POLICY Possible Coin Miner Downloader Retrieving EXE Payload (cpu32) (policy.rules)
2831994 - ETPRO POLICY Possible Coin Miner Downloader Retrieving Payload (cpu64) (policy.rules)
2835102 - ETPRO TROJAN CrazyCrypt/FUnicorn Ransomware CnC Activity (trojan.rules)