[***] Summary: [***]
8 Open, 35 Pro (8 + 27). BazarLoader, Callstranger, CVE-2020-1214, Various Mobile, Various Phishing, Suri5 updates.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030267 - ET TROJAN Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain) (trojan.rules)
2030268 - ET TROJAN Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain) (trojan.rules)
2030269 - ET TROJAN Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain) (trojan.rules)
2030270 - ET TROJAN Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain) (trojan.rules)
2030271 - ET SCAN Observed Suspicious UA (Callstranger Vulnerability Checker) (scan.rules)
2030272 - ET SCAN UPnP SUBSCRIBE Inbound - Possible CallStranger Scan (CVE-2020-12695) (scan.rules)
2030273 - ET SCAN ELF/Mirai Variant User-Agent (Inbound) (scan.rules)
2030274 - ET TROJAN ELF/Mirai Variant User-Agent (Outbound) (trojan.rules)
Pro:
2842927 - ETPRO MOBILE_MALWARE Android/FakeApp.QL!tr CnC Beacon (mobile_malware.rules)
2842928 - ETPRO MOBILE_MALWARE Android/FakeApp.QL!tr CnC Beacon 2 (mobile_malware.rules)
2842929 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.Resharer.l CnC Beacon (mobile_malware.rules)
2842930 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.Resharer.o CnC Beacon (mobile_malware.rules)
2842931 - ETPRO MOBILE_MALWARE Android Wyzpy Reporting App List (mobile_malware.rules)
2842932 - ETPRO MALWARE Observed KuaiZip User-Agent (malware.rules)
2842933 - ETPRO TROJAN Observed Malicious SSL Cert (Zloader CnC) (trojan.rules)
2842934 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL 2020-06-09) (trojan.rules)
2842935 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-06-09 1) (trojan.rules)
2842936 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-06-09 2) (trojan.rules)
2842937 - ETPRO EXPLOIT Possible IE UAF Attempt (CVE-2020-1214) (exploit.rules)
2842938 - ETPRO EXPLOIT Possible SMBv1 Denial of Service (CVE-2020-1301) (exploit.rules)
2842939 - ETPRO TROJAN Win32/Spy.Agent.PRG Variant File Upload (trojan.rules)
2842940 - ETPRO TROJAN Win32/Remcos RAT Checkin 452 (trojan.rules)
2842941 - ETPRO TROJAN Win32/Remcos RAT Checkin 453 (trojan.rules)
2842942 - ETPRO TROJAN Win32/Remcos RAT Checkin 454 (trojan.rules)
2842943 - ETPRO TROJAN Win32/Remcos RAT Checkin 455 (trojan.rules)
2842944 - ETPRO TROJAN Win32/Remcos RAT Checkin 456 (trojan.rules)
2842945 - ETPRO TROJAN SSL/TLS Certificate Observed (MSIL/TrojanDownloader.Agent.GCD Variant) (trojan.rules)
2842946 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2842947 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2842948 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-06-09 (current_events.rules)
2842949 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish 2020-06-09 (current_events.rules)
2842950 - ETPRO CURRENT_EVENTS Successful Ebay Phish 2020-06-09 (current_events.rules)
2842951 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2020-06-09 (current_events.rules)
2842952 - ETPRO CURRENT_EVENTS Successful HSBC (UK) Phish 2020-06-09 (current_events.rules)
2842953 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-06-09 (current_events.rules)
[///] Modified active rules: [///]
2014006 - ET TROJAN Backdoor.Win32.Sykipot Checkin (trojan.rules)
2014314 - ET CURRENT_EVENTS DRIVEBY Incognito Payload Download /load/*exe (current_events.rules)
2014778 - ET TROJAN Bebloh connectivity check (trojan.rules)
2014869 - ET SCAN Arachni Scanner Web Scan (scan.rules)
2016067 - ET POLICY Possible BitCoin Miner User-Agent (miner) (policy.rules)
2017389 - ET WEB_SERVER WebShell - ASPyder - Auth Creds (web_server.rules)
2019534 - ET TROJAN Sednit/AZZY Checkin (trojan.rules)
2022034 - ET TROJAN Silent Miner Changelog Checkin (trojan.rules)
2022037 - ET TROJAN JS/Nemucod.M.gen requesting EXE payload 2015-11-02 (trojan.rules)
2022038 - ET TROJAN JS/Nemucod.M.gen requesting PDF payload 2015-11-02 (trojan.rules)
2022039 - ET CURRENT_EVENTS Possible vBulletin object injection vulnerability Attempt (current_events.rules)
2022073 - ET TROJAN Bookworm CnC Beacon (trojan.rules)
2022074 - ET TROJAN Bookworm CnC Beacon 2 (trojan.rules)
2022081 - ET MOBILE_MALWARE Android Trojan Cloudsota HTTP Host (mobile_malware.rules)
2022105 - ET TROJAN r0 CnC Check (trojan.rules)
2022106 - ET TROJAN r0 CnC Architecture GET 1 (trojan.rules)
2022107 - ET TROJAN r0 CnC Architecture GET 2 (trojan.rules)
2022108 - ET TROJAN r0 CnC Architecture GET 3 (trojan.rules)
2022109 - ET TROJAN r0 CnC Architecture GET 4 (trojan.rules)
2022110 - ET TROJAN r0 CnC Report GET (trojan.rules)
2022111 - ET TROJAN r0 CnC GET (trojan.rules)
2022119 - ET TROJAN Nymaim.BA CnC M1 (trojan.rules)
2022120 - ET TROJAN Nymaim.BA CnC M2 (trojan.rules)
2022126 - ET TROJAN MegalodonHTTP CnC Checkin (trojan.rules)
2022128 - ET TROJAN MegalodonHTTP CoinMiner Activity (trojan.rules)
2022135 - ET CURRENT_EVENTS Possible Spartan/Nuclear EK Payload (current_events.rules)
2022186 - ET TROJAN Win32/Swrort.A Checkin 3 (trojan.rules)
2022192 - ET TROJAN VBKlip/ClipBanker.P Status Update (trojan.rules)
2022207 - ET TROJAN JS/Nemucod requesting EXE payload 2015-12-01 (trojan.rules)
2022220 - ET INFO possible .jpg download by VBA macro (info.rules)
2022224 - ET TROJAN Linux/MayhemBruter Inbound Ping From CnC (trojan.rules)
2022240 - ET SCAN Possible Scanning for Vulnerable JBoss (scan.rules)
2806289 - ETPRO POLICY RemoteAdmin Win32.Ammyy.z Checkin (policy.rules)
2807822 - ETPRO TROJAN Win32/Paramis.A Checkin 2 (trojan.rules)
2808977 - ETPRO POLICY howtofindmyipaddress.com IP Check (policy.rules)
2812942 - ETPRO POLICY External IP Address Lookup - ipmonkey.com (policy.rules)
2813008 - ETPRO TROJAN Win32/CMSBrute/Pifagor Attempted Bruteforcing (trojan.rules)
2814492 - ETPRO CURRENT_EVENTS Nuclear EK Landing Oct 20 2015 M1 (current_events.rules)
2814493 - ETPRO CURRENT_EVENTS Nuclear EK Landing Oct 20 2015 M2 (current_events.rules)
2814724 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2015-11-03 M3 (current_events.rules)
2814725 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2015-11-03 M4 (current_events.rules)
2814729 - ETPRO TROJAN Bmdoor Variant CnC Beacon 3 (trojan.rules)
2814731 - ETPRO TROJAN Likely Evil Binary Sent (.pdf.scr) (trojan.rules)
2814734 - ETPRO TROJAN Win32/Banload.WQI Retrieving File (trojan.rules)
2814735 - ETPRO TROJAN Win32.Nanobot/Libix Checkin (trojan.rules)
2814754 - ETPRO TROJAN W32/Nymaim Checkin (trojan.rules)
2814775 - ETPRO TROJAN Win32.Trojan.Yxjtips.Svrd Config File Download (trojan.rules)
2814796 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.BMT Checkin (mobile_malware.rules)
2814797 - ETPRO TROJAN Win32.Maica.A Checkin (trojan.rules)
2814819 - ETPRO TROJAN Ransomware/Poshcoder CnC Checkin (trojan.rules)
2814846 - ETPRO MOBILE_MALWARE Android/Fobus.X Checkin (mobile_malware.rules)
2814850 - ETPRO INFO Data Submitted to Weebly.com - Possible Phishing (info.rules)
2814851 - ETPRO CURRENT_EVENTS Weebly Phishing Landing Observed Nov 10 (current_events.rules)
2814854 - ETPRO TROJAN Win32.PerfectBN.A Checkin (trojan.rules)
2814855 - ETPRO TROJAN Win32.PerfectBN.A Checkin 2 (trojan.rules)
2814862 - ETPRO TROJAN Sosinf CnC Beacon (trojan.rules)
2814882 - ETPRO TROJAN Gippers Connectivity Check (trojan.rules)
2814884 - ETPRO TROJAN Gippers CnC Beacon 2 (trojan.rules)
2814901 - ETPRO MOBILE_MALWARE InstaAgent Password Harvester Cred Upload (mobile_malware.rules)
2814907 - ETPRO TROJAN Farfli.aaot User-Agent (Xxiaoxu) (trojan.rules)
2814909 - ETPRO TROJAN CryptoBrazzer Ransomware File Upload (trojan.rules)
2814914 - ETPRO TROJAN Linux.IptabLes/IptabLex Retreiving Processes to Kill (trojan.rules)
2814932 - ETPRO TROJAN CherryPickerPOS HTTP POST Exfiltration (trojan.rules)
2814938 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Agent.dm Checkin 2 (mobile_malware.rules)
2814939 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Agent.dm Checkin 3 (mobile_malware.rules)
2814942 - ETPRO MOBILE_MALWARE Android.Riskware.SMSSend.AY Checkin 2 (mobile_malware.rules)
2814951 - ETPRO POLICY Screenleap Download Executable M1 (policy.rules)
2814952 - ETPRO POLICY Screenleap Application Version Check (policy.rules)
2814953 - ETPRO POLICY Screenleap Download Executable M2 (policy.rules)
2814954 - ETPRO POLICY Screenleap Application Downloading CrashSender (policy.rules)
2814955 - ETPRO POLICY Screenleap Session Active (policy.rules)
2814957 - ETPRO POLICY Screenleap Screen Viewing In Progress (policy.rules)
2814958 - ETPRO POLICY Screenleap Download Executable M3 (policy.rules)
2814960 - ETPRO TROJAN Kraken Stresser Pastebin Checkin (trojan.rules)
2814963 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.BMT Checkin 2 (mobile_malware.rules)
2814969 - ETPRO CURRENT_EVENTS Google Drive Phishing Landing 2015-11-17 (current_events.rules)
2814975 - ETPRO TROJAN Unknown CnC Checkin (trojan.rules)
2815049 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.cu Checkin 2 (mobile_malware.rules)
2815051 - ETPRO INFO Bitcoin Address QR Download (info.rules)
2815060 - ETPRO TROJAN Reveton.ScreenLocker Checkin (trojan.rules)
2815076 - ETPRO TROJAN Project Silent Backdoor Checkin (trojan.rules)
2815077 - ETPRO TROJAN Project Silent Backdoor Update Check (trojan.rules)
2815078 - ETPRO TROJAN Cyborg Keylogger v4.0 Reporting via HTTP (trojan.rules)
2815088 - ETPRO CURRENT_EVENTS Successful SFR Phishing 2015-11-24 (current_events.rules)
2815091 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ff Checkin 2 (mobile_malware.rules)
2815096 - ETPRO TROJAN Limitless Keylogger Reporting Sending Data (trojan.rules)
2815097 - ETPRO TROJAN Win32/Pinguin Checkin (trojan.rules)
2815099 - ETPRO TROJAN Steam Filestealer Extreme Sending Compressed Credentials (trojan.rules)
2815100 - ETPRO TROJAN Steam Filestealer Extreme Stolen Password (trojan.rules)
2815104 - ETPRO TROJAN Prism HTTP Bot Checkin (trojan.rules)
2815105 - ETPRO TROJAN Prism HTTP Bot Geo Check (trojan.rules)
2815106 - ETPRO TROJAN Prism HTTP Bot Downloading Assets (trojan.rules)
2815126 - ETPRO TROJAN Andromeda CnC (trojan.rules)
2815127 - ETPRO TROJAN Win32/Denisca.A CnC (clickfraud) (trojan.rules)
2815131 - ETPRO TROJAN Win32/Spy.Banker Variant Checkin (trojan.rules)
2815134 - ETPRO USER_AGENTS Zmap User-Agent (zgrab) (user_agents.rules)
2815141 - ETPRO POLICY UserBenchmark Reporting Computer Details (policy.rules)
2815156 - ETPRO TROJAN Bergard.A Checkin (trojan.rules)
2815170 - ETPRO TROJAN Win32/Kapahyku.A Activity 2 (trojan.rules)
2815224 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Agent.ef Checkin (mobile_malware.rules)
2815226 - ETPRO TROJAN Win32/XSpider Spam Bot CnC Checkin (trojan.rules)
2815227 - ETPRO TROJAN Win32/XSpider Spam Bot Getting Command (trojan.rules)
2815228 - ETPRO TROJAN Win32/XSpider Spam Bot Executing Command (trojan.rules)
2815229 - ETPRO TROJAN Win32/TrojanDownloader.Banload Variant Checkin (trojan.rules)
2815230 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.Norex.a Checkin (mobile_malware.rules)
2815233 - ETPRO TROJAN Trojan/KillProc.l Checkin (trojan.rules)
2815236 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.CB Checkin (mobile_malware.rules)
2815250 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2015-12-05 (current_events.rules)
2815260 - ETPRO EXPLOIT MS15-134 Media Center Library Parsing RCE Vulnerability (CVE-2015-6131) MCL File Download (exploit.rules)
2815283 - ETPRO TROJAN Win32/Downloader.Banload.WTK CnC Checkin (trojan.rules)
2815286 - ETPRO TROJAN BKDR_GRABBOT.A Checkin (trojan.rules)
2815289 - ETPRO TROJAN Backdoor.Cadelspy Checkin 1 (trojan.rules)
2815293 - ETPRO CURRENT_EVENTS Successful Google Docs Phish 2015-12-09 (current_events.rules)
2815312 - ETPRO MOBILE_MALWARE Android.Riskware.Cheica.A Checkin (mobile_malware.rules)
2815321 - ETPRO TROJAN Meterpreter/Swrort CnC Beacon (trojan.rules)
2815322 - ETPRO TROJAN Win32/Kivars.B Checkin (trojan.rules)
2815323 - ETPRO TROJAN Andromeda CnC Beacon (trojan.rules)
[---] Disabled and modified rules: [---]
2012460 - ET TROJAN Possible JKDDOS download wm.exe (trojan.rules)