[***] Summary: [***]
19 new OPEN, 18 new PRO (19 + 9). WellMess, MassLogger, CVE-2020-6286, TaurusStealer, Various Phish.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030534 - ET TROJAN APT29/WellMess CnC Activity (trojan.rules)
2030535 - ET WEB_CLIENT Generic Webshell Accessed on External Server (web_client.rules)
2030536 - ET WEB_SERVER Generic Webshell Accessed on Internal Server (web_server.rules)
2030537 - ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server (web_client.rules)
2030538 - ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server (web_server.rules)
2030539 - ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server (web_client.rules)
2030540 - ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server (web_server.rules)
2030541 - ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server (web_client.rules)
2030542 - ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server (web_server.rules)
2030543 - ET WEB_CLIENT Generic Mailer Accessed on External Server (web_client.rules)
2030544 - ET WEB_SERVER Generic Mailer Accessed on Internal Server (web_server.rules)
2030545 - ET WEB_CLIENT Generic Mailer Accessed on External Server (web_client.rules)
2030546 - ET WEB_SERVER Generic Mailer Accessed on Internal Server (web_server.rules)
2030547 - ET INFO Suspicious Outbound SIG DNS Query (info.rules)
2030548 - ET USER_AGENTS SAP CVE-2020-6287 PoC UA Observed (user_agents.rules)
2030549 - ET EXPLOIT SAP NetWeaver AS Directory Traversal Attempt Inbound (CVE-2020-6286) (exploit.rules)
2030550 - ET MALWARE MASSLOGGER Client Data Exfil (POST) M2 (malware.rules)
2030551 - ET TROJAN BYOB - Python Backdoor Stager Download (trojan.rules)
2030552 - ET TROJAN BYOB - Python Backdoor Loader Download (trojan.rules)
Pro:
2843552 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-07-16 1) (trojan.rules)
2843553 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-07-16 2) (trojan.rules)
2843554 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-07-16 (current_events.rules)
2843555 - ETPRO CURRENT_EVENTS Successful Apple Phish 2020-07-16 (current_events.rules)
2843556 - ETPRO TROJAN MSIL/UBGBot.H Variant CnC Host Checkin (trojan.rules)
2843557 - ETPRO TROJAN Observed Malicious SSL Cert (TaurusStealer CnC) (trojan.rules)
2843558 - ETPRO TROJAN Observed TaurusStealer CnC Domain in TLS SNI (trojan.rules)
2843559 - ETPRO TROJAN Win32.Raccoon Stealer Checkin Error Response M2 (trojan.rules)
2843560 - ETPRO TROJAN Win32/Remcos RAT Checkin 489 (trojan.rules)
[///] Modified active rules: [///]
2026576 - ET TROJAN APT33/CharmingKitten Shellcode Communicating with CnC (trojan.rules)
2030532 - ET EXPLOIT Possible Windows DNS Integer Overflow Attempt M2 (CVE-2020-1350) (exploit.rules)
2030533 - ET EXPLOIT Possible Windows DNS Integer Overflow Attempt M1 (CVE-2020-1350) (exploit.rules)
2836357 - ETPRO TROJAN Win32.Raccoon Stealer Checkin Response (trojan.rules)
2836358 - ETPRO TROJAN Win32.Raccoon Stealer Checkin Error Response M1 (trojan.rules)