[***]            Summary:            [***]

9 new OPEN, 31 new PRO (9 + 22). Cobalt Strike, Magecart, TAIDOOR, Remcos, Various Phishing.

Many rules in the Suricata 5 ruleset have been updated with Suricata 5 rule syntax/keywords. A complete list of the rules that were changed can be found in the changelog here: https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.etpro.2020-08-03T22:07:21.txt

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030635 - ET TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC) (trojan.rules)
  2030636 - ET TROJAN Magecart/Skimmer Domain in DNS Lookup (cloud-sources .com) (trojan.rules)
  2030637 - ET TROJAN Magecart/Skimmer Domain in DNS Lookup (cdn-filestorm .com) (trojan.rules)
  2030638 - ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (chretiendaujoudhui .com) (mobile_malware.rules)
  2030639 - ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (leprotestant .com) (mobile_malware.rules)
  2030640 - ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (vie-en-islam .com) (mobile_malware.rules)
  2030641 - ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (viedechretien .org) (mobile_malware.rules)
  2030642 - ET TROJAN TAIDOOR CnC Domain in DNS Lookup (www.cnaweb.mrslove .com) (trojan.rules)
  2030643 - ET TROJAN TAIDOOR CnC Domain in DNS Lookup (www.infonew.dubya .net) (trojan.rules)

Pro:

  2843772 - ETPRO USER_AGENTS Observed Suspicious UA (PC SOFT) (user_agents.rules)
  2843773 - ETPRO USER_AGENTS Observed Suspicious UA (Download) (user_agents.rules)
  2843774 - ETPRO TROJAN Win32/Unk.BR Downloader CnC Checkin (trojan.rules)
  2843775 - ETPRO CURRENT_EVENTS Successful Santander Phish 2020-08-03 (current_events.rules)
  2843776 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-08-03 (current_events.rules)
  2843777 - ETPRO CURRENT_EVENTS Successful Ebay Phish 2020-08-03 (current_events.rules)
  2843778 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-08-03 (current_events.rules)
  2843779 - ETPRO CURRENT_EVENTS Successful Blockchain Phish 2020-08-03 (current_events.rules)
  2843780 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-08-03 (current_events.rules)
  2843781 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-08-03 (current_events.rules)
  2843782 - ETPRO CURRENT_EVENTS Successful Gov UK Tax Refund Phish 2020-08-03 (current_events.rules)
  2843783 - ETPRO CURRENT_EVENTS Successful Apple iCloud Phish 2020-08-03 (current_events.rules)
  2843784 - ETPRO CURRENT_EVENTS Successful La Banque Postale Phish 2020-08-03 (current_events.rules)
  2843785 - ETPRO TROJAN Win32/Injector.DGXX Variant CnC Host Checkin (trojan.rules)
  2843786 - ETPRO TROJAN Win32/TrojanDownloader.Agent.FGY Variant CnC Host Checkin (trojan.rules)
  2843787 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-01 1) (trojan.rules)
  2843788 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-01 2) (trojan.rules)
  2843789 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-01 3) (trojan.rules)
  2843790 - ETPRO TROJAN MSIL/Injector.CCM Variant CnC Activity (trojan.rules)
  2843791 - ETPRO TROJAN Win32/Remcos RAT Checkin 508 (trojan.rules)
  2843792 - ETPRO TROJAN Win32/Remcos RAT Checkin 509 (trojan.rules)
  2843793 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)

[///]     Modified active rules:     [///]

  2008433 - ET TROJAN Razy Variant Checkin (trojan.rules)
  2013808 - ET TROJAN Dooptroop Dropper Checkin (trojan.rules)
  2014313 - ET POLICY Executable Download From DropBox (policy.rules)
  2014519 - ET INFO EXE - Served Inline HTTP (info.rules)
  2016935 - ET WEB_SERVER SQL Injection Select Sleep Time Delay (web_server.rules)
  2018677 - ET TROJAN Sharik/Smoke Loader Microsoft Connectivity check (trojan.rules)
  2019680 - ET TROJAN Possible Archie EK Payload Checkin GET (trojan.rules)
  2020899 - ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution (exploit.rules)
  2022025 - ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 2 (trojan.rules)
  2022026 - ET TROJAN Sharik/Smoke Loader Java Connectivity Check (trojan.rules)
  2022027 - ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 3 (trojan.rules)
  2022683 - ET TROJAN Win32/CryptFile2 Ransomware Checkin (trojan.rules)