[***] Summary: [***]
16 new OPEN, 42 new PRO (16 + 26). EvilNum, Elysium Stealer, LogPole, Filecoder, Various Phish, Suri 5 Updates.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
Open:
2030518 - ET CURRENT_EVENTS HTTP POST Request to Suspicious *.ma Domain (current_events.rules)
2030519 - ET CURRENT_EVENTS Possible Successful Generic Phish to .ma Domain 2020-07-15 (current_events.rules)
2030520 - ET INFO Suspicious HTTP GET Request on Port 53 Outbound (info.rules)
2030521 - ET INFO Suspicious HTTP GET Request on Port 53 Inbound (info.rules)
2030522 - ET INFO Suspicious HTTP POST Request on Port 53 Outbound (info.rules)
2030523 - ET INFO Suspicious HTTP POST Request on Port 53 Inbound (info.rules)
2030524 - ET INFO Possible NOP Sled Observed in Large DNS over TCP Packet M1 (info.rules)
2030525 - ET INFO Possible NOP Sled Observed in Large DNS over TCP Packet M2 (info.rules)
2030526 - ET TROJAN EvilNum CnC Checkin (trojan.rules)
2030527 - ET TROJAN EvilNum CnC Checkin Response (trojan.rules)
2030528 - ET TROJAN EvilNum CnC Client Data Exfil (trojan.rules)
2030529 - ET TROJAN EvilNum CnC Client Data Exfil (trojan.rules)
2030530 - ET TROJAN EvilNum CnC Client Data Exfil (trojan.rules)
2030531 - ET TROJAN EvilNum CnC Error Report (trojan.rules)
2030532 - ET EXPLOIT Possible Windows DNS Integer Overflow Attempt M2 (CVE-2020-1350) (exploit.rules)
2030533 - ET EXPLOIT Possible Windows DNS Integer Overflow Attempt M1 (CVE-2020-1350) (exploit.rules)
Pro:
2843527 - ETPRO MOBILE_MALWARE Android BogoXing Checkin (mobile_malware.rules)
2843528 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.gn Checkin (mobile_malware.rules)
2843529 - ETPRO MOBILE_MALWARE Android/Clicker.KN CnC Beacon (mobile_malware.rules)
2843530 - ETPRO TROJAN Observed Malicious SSL Cert (Elysium Stealer CnC) (trojan.rules)
2843531 - ETPRO TROJAN Observed Elysium Stealer CnC Domain in TLS SNI (trojan.rules)
2843532 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-07-15 1) (trojan.rules)
2843533 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-07-15 2) (trojan.rules)
2843534 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-07-15 3) (trojan.rules)
2843535 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-07-15 4) (trojan.rules)
2843536 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-07-15 5) (trojan.rules)
2843537 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-07-15 6) (trojan.rules)
2843538 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-07-15 7) (trojan.rules)
2843539 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-07-15 (current_events.rules)
2843540 - ETPRO CURRENT_EVENTS Successful Lloyds Bank Phish 2020-07-15 (current_events.rules)
2843541 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-07-15 (current_events.rules)
2843542 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-07-15 (current_events.rules)
2843543 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-07-15 (current_events.rules)
2843544 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-07-15 (current_events.rules)
2843545 - ETPRO TROJAN Win32/Filecoder Philadelphia Variant Host Checkin (trojan.rules)
2843546 - ETPRO TROJAN Win32/Logpole Variant CnC Host Checkin (trojan.rules)
2843547 - ETPRO TROJAN MSIL/Injector.P CnC Host Checkin (trojan.rules)
2843548 - ETPRO TROJAN Win32/Remcos RAT Checkin 487 (trojan.rules)
2843549 - ETPRO TROJAN Win32/Remcos RAT Checkin 488 (trojan.rules)
2843550 - ETPRO TROJAN Observed Malicious SSL Cert (AZORult CnC) (trojan.rules)
2843551 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2843552 - ETPRO CURRENT_EVENTS Successful First American Mortgage Phish 2020-07-15 (current_events.rules)
[///] Modified active rules: [///]
2022811 - ET TROJAN MSIL/Spy.Banker.DH Checkin (trojan.rules)
2022897 - ET TROJAN Win32.Crypren/Zcrypt Ransomware Checkin (trojan.rules)
2022899 - ET TROJAN JS/RAA Ransomware check-in (trojan.rules)
2026532 - ET CURRENT_EVENTS Possible Successful Generic Phish to .ml Domain 2018-10-23 (current_events.rules)
2026533 - ET CURRENT_EVENTS Possible Successful Generic Phish to .cf Domain 2018-10-23 (current_events.rules)
2026534 - ET CURRENT_EVENTS Possible Successful Generic Phish to .ga Domain 2018-10-23 (current_events.rules)
2026535 - ET CURRENT_EVENTS Possible Successful Generic Phish to .gq Domain 2018-10-23 (current_events.rules)
2026536 - ET CURRENT_EVENTS Possible Successful Generic Phish to .gqn Domain 2018-10-23 (current_events.rules)
2026886 - ET CURRENT_EVENTS Possible Successful Generic Phish to .icu Domain 2019-02-06 (current_events.rules)
2814126 - ETPRO CURRENT_EVENTS Successful Vmware/Zimbra Phish 2015-09-28 (current_events.rules)
2815244 - ETPRO CURRENT_EVENTS Successful Wildblue/CenturyLink Phish 2015-12-08 (current_events.rules)
2815469 - ETPRO CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing (current_events.rules)
2820557 - ETPRO WEB_CLIENT Suspicious Compound Refresh - Possible Phishing Redirect 2016-06-09 (web_client.rules)
2820581 - ETPRO TROJAN Inexsmar/Darkhotel/Dubnium CnC POST (trojan.rules)
2820586 - ETPRO TROJAN Win32/TrojanDownloader.IndigoRose.R Checkin (trojan.rules)
2820616 - ETPRO MOBILE_MALWARE Android/Hiddad.J Checkin (mobile_malware.rules)
2820675 - ETPRO TROJAN Goopic Ransomware User Agent (trojan.rules)
2820679 - ETPRO TROJAN Unknown Banker Checkin (trojan.rules)
2820696 - ETPRO CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M3 (current_events.rules)
2820702 - ETPRO TROJAN PhotoMiner Connectivity Check 2 (trojan.rules)
2820713 - ETPRO TROJAN Operation Daybreak ScarCruft APT Landing Page (trojan.rules)
2820749 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.kb Checkin (mobile_malware.rules)
2820763 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
2820764 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
2820765 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
2820766 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
2820767 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
2820768 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
2820769 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
2820770 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
2820771 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
2820772 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
2820773 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
2820774 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
2820777 - ETPRO TROJAN W32/Trojan.Offend Checkin (trojan.rules)
2820785 - ETPRO TROJAN Syscan Tool Results Upload (trojan.rules)
2820786 - ETPRO TROJAN DiamondFox HTTP POST CnC Beacon 5 (trojan.rules)
2820805 - ETPRO CURRENT_EVENTS Email Termination Phishing Landing 2016-06-22 (current_events.rules)
2820832 - ETPRO CURRENT_EVENTS Webmail Phishing Landing 2016-06-22 (current_events.rules)
2820835 - ETPRO INFO Suspicious Redirect to Recursive PHP - Possible Phishing (info.rules)
2820842 - ETPRO INFO HTML-Encoder HTML Obfuscation (info.rules)
2820846 - ETPRO CURRENT_EVENTS Microsoft Encrypted Email Phishing Landing 2016-06-23 (current_events.rules)
2820848 - ETPRO TROJAN Win32/TrojanDownloader.IndigoRose.R Downloading EXE (trojan.rules)
2820861 - ETPRO WEB_CLIENT Possible Phishing Data Submitted to yolasite.com (web_client.rules)
2820875 - ETPRO TROJAN Win32/QQpass.A Checkin (trojan.rules)
2820879 - ETPRO CURRENT_EVENTS Mailbox Upgrade Phishing Landing 2016-06-27 (current_events.rules)
2820880 - ETPRO CURRENT_EVENTS Successful Mailbox Upgrade Phish 2016-06-27 M1 (current_events.rules)
2820881 - ETPRO CURRENT_EVENTS Successful Mailbox Upgrade Phish 2016-06-27 M2 (current_events.rules)
2820894 - ETPRO TROJAN Suspicious Encoded MZ Downloaded from Pastebin (trojan.rules)
2820901 - ETPRO TROJAN TowerWeb/Anonpop Ransomware Image Download (trojan.rules)
2820905 - ETPRO INFO Data Submitted to MyFreeSites.com - Possible Phishing (info.rules)
2842546 - ETPRO TROJAN SamoRAT CnC Host Checkin (trojan.rules)
2843261 - ETPRO TROJAN Win32/Wacapew.C!ml Stealer CnC Checkin (trojan.rules)
[---] Removed rules: [---]
2843525 - ETPRO EXPLOIT Possible Windows DNS Integer Overflow Attempt M2 (CVE-2020-1350) (exploit.rules)
2843526 - ETPRO EXPLOIT Possible Windows DNS Integer Overflow Attempt M1 (CVE-2020-1350) (exploit.rules)