[***]            Summary:            [***]

19 new OPEN, 18 new PRO (19 + 9). WellMess, MassLogger, CVE-2020-6286, TaurusStealer, Various Phish.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030534 - ET TROJAN APT29/WellMess CnC Activity (trojan.rules)
  2030535 - ET WEB_CLIENT Generic Webshell Accessed on External Server (web_client.rules)
  2030536 - ET WEB_SERVER Generic Webshell Accessed on Internal Server (web_server.rules)
  2030537 - ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server (web_client.rules)
  2030538 - ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server (web_server.rules)
  2030539 - ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server (web_client.rules)
  2030540 - ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server (web_server.rules)
  2030541 - ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server (web_client.rules)
  2030542 - ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server (web_server.rules)
  2030543 - ET WEB_CLIENT Generic Mailer Accessed on External Server (web_client.rules)
  2030544 - ET WEB_SERVER Generic Mailer Accessed on Internal Server (web_server.rules)
  2030545 - ET WEB_CLIENT Generic Mailer Accessed on External Server (web_client.rules)
  2030546 - ET WEB_SERVER Generic Mailer Accessed on Internal Server (web_server.rules)
  2030547 - ET INFO Suspicious Outbound SIG DNS Query (info.rules)
  2030548 - ET USER_AGENTS SAP CVE-2020-6287 PoC UA Observed (user_agents.rules)
  2030549 - ET EXPLOIT SAP NetWeaver AS Directory Traversal Attempt Inbound (CVE-2020-6286) (exploit.rules)
  2030550 - ET MALWARE MASSLOGGER Client Data Exfil (POST) M2 (malware.rules)
  2030551 - ET TROJAN BYOB - Python Backdoor Stager Download (trojan.rules)
  2030552 - ET TROJAN BYOB - Python Backdoor Loader Download (trojan.rules)

Pro:

  2843552 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-07-16 1) (trojan.rules)
  2843553 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-07-16 2) (trojan.rules)
  2843554 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-07-16 (current_events.rules)
  2843555 - ETPRO CURRENT_EVENTS Successful Apple Phish 2020-07-16 (current_events.rules)
  2843556 - ETPRO TROJAN MSIL/UBGBot.H Variant CnC Host Checkin (trojan.rules)
  2843557 - ETPRO TROJAN Observed Malicious SSL Cert (TaurusStealer CnC) (trojan.rules)
  2843558 - ETPRO TROJAN Observed TaurusStealer CnC Domain in TLS SNI (trojan.rules)
  2843559 - ETPRO TROJAN Win32.Raccoon Stealer Checkin Error Response M2 (trojan.rules)
  2843560 - ETPRO TROJAN Win32/Remcos RAT Checkin 489 (trojan.rules)

[///]     Modified active rules:     [///]

  2026576 - ET TROJAN APT33/CharmingKitten Shellcode Communicating with CnC (trojan.rules)
  2030532 - ET EXPLOIT Possible Windows DNS Integer Overflow Attempt M2 (CVE-2020-1350) (exploit.rules)
  2030533 - ET EXPLOIT Possible Windows DNS Integer Overflow Attempt M1 (CVE-2020-1350) (exploit.rules)
  2836357 - ETPRO TROJAN Win32.Raccoon Stealer Checkin Response (trojan.rules)
  2836358 - ETPRO TROJAN Win32.Raccoon Stealer Checkin Error Response M1 (trojan.rules)
