[***]            Summary:            [***]

11 new OPEN, 34 new PRO (11 + 23). Generic PHP Uploader/Webshell Access, Konni, Various MalDoc Downloads, Vidar/Arkei/Oski Variant Stealer, Remcos, Ursnif, Various CoinMiner and Phish.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030212 - ET WEB_CLIENT Generic PHP Uploader Accessed on External Server (web_client.rules)
  2030213 - ET WEB_SERVER Generic PHP Uploader Accessed on Internal Server (web_server.rules)
  2030214 - ET CURRENT_EVENTS Lucy Security Phishing Landing Page (current_events.rules)
  2030215 - ET POLICY DNS Query to .onion proxy Domain (onion . ly) (policy.rules)
  2030216 - ET POLICY .onion.ly Proxy domain in SNI (policy.rules)
  2030217 - ET WEB_SERVER Generic Webshell Accessed on Internal Server (web_server.rules)
  2030218 - ET WEB_CLIENT Generic Webshell Accessed on External Server (web_client.rules)
  2030219 - ET TROJAN Konni Stage 2 Payload Exfiltrating Data (trojan.rules)
  2030220 - ET TROJAN Possible Konni Encrypted Stage 2 Payload Inbound via HTTP (trojan.rules)
  2030221 - ET EXPLOIT Possible DNS BIND TSIG Denial of Service Attempt (CVE-2020-8617) (exploit.rules)
  2030222 - ET MALWARE Win32/Adware.Qjwmonkey.H Variant CnC Activity (malware.rules)

Pro:

  2842706 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL 2020-05-26) (trojan.rules)
  2842707 - ETPRO TROJAN MalDoc Retrieving Payload 2020-05-26 (trojan.rules)
  2842708 - ETPRO TROJAN Vidar/Arkei/Oski Variant Stealer POSTing Data to CnC (trojan.rules)
  2842709 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-23 1) (trojan.rules)
  2842710 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-23 2) (trojan.rules)
  2842712 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish 2020-05-26 (current_events.rules)
  2842713 - ETPRO CURRENT_EVENTS Successful Xfinity/Comcast Phish 2020-05-26 (current_events.rules)
  2842714 - ETPRO CURRENT_EVENTS Successful Generic Mail Settings Phish 2020-05-26 (current_events.rules)
  2842715 - ETPRO CURRENT_EVENTS Successful DHL Phish 2020-05-26 (current_events.rules)
  2842716 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-05-26 (current_events.rules)
  2842717 - ETPRO CURRENT_EVENTS Successful Sparkasse Phish 2020-05-26 (current_events.rules)
  2842718 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-05-26 (current_events.rules)
  2842719 - ETPRO TROJAN Win32/Remcos RAT Checkin 435 (trojan.rules)
  2842720 - ETPRO TROJAN Win32/Remcos RAT Checkin 436 (trojan.rules)
  2842721 - ETPRO TROJAN Win32/Remcos RAT Checkin 437 (trojan.rules)
  2842722 - ETPRO TROJAN Win32/Remcos RAT Checkin 438 (trojan.rules)
  2842723 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
  2842725 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
  2842726 - ETPRO TROJAN Observed Malicious SSL Cert (AZORult CnC) (trojan.rules)
  2842727 - ETPRO USER_AGENTS Suspicious User-Agent (MyApp) (user_agents.rules)
  2842728 - ETPRO TROJAN Win32/Unk.Stealer.BR Variant Checkin (trojan.rules)
  2842729 - ETPRO CURRENT_EVENTS Malicious Redirector Cookie Set 2020-05-26 (current_events.rules)
  2842730 - ETPRO TROJAN MalDoc Retrieving Payload 2020-05-26 (trojan.rules)

[///]     Modified active rules:     [///]

  2831993 - ETPRO POLICY Possible Coin Miner Downloader Retrieving EXE Payload (cpu32) (policy.rules)
  2831994 - ETPRO POLICY Possible Coin Miner Downloader Retrieving Payload (cpu64) (policy.rules)
  2835102 - ETPRO TROJAN CrazyCrypt/FUnicorn Ransomware CnC Activity (trojan.rules)
