[***] Summary: [***]
9 new OPEN, 31 new PRO (9 + 22). Cobalt Strike, Magecart, TAIDOOR, Remcos, Various Phishing.
Many rules in the Suricata 5 ruleset have been updated with Suricata 5 rule syntax/keywords. A complete list of rules that were changed can be found via the changelog here: https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.etpro.2020-08-03T22:07:21.txt
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030635 - ET TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC) (trojan.rules)
2030636 - ET TROJAN Magecart/Skimmer Domain in DNS Lookup (cloud-sources .com) (trojan.rules)
2030637 - ET TROJAN Magecart/Skimmer Domain in DNS Lookup (cdn-filestorm .com) (trojan.rules)
2030638 - ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (chretiendaujoudhui .com) (mobile_malware.rules)
2030639 - ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (leprotestant .com) (mobile_malware.rules)
2030640 - ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (vie-en-islam .com) (mobile_malware.rules)
2030641 - ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (viedechretien .org) (mobile_malware.rules)
2030642 - ET TROJAN TAIDOOR CnC Domain in DNS Lookup (www.cnaweb.mrslove .com) (trojan.rules)
2030643 - ET TROJAN TAIDOOR CnC Domain in DNS Lookup (www.infonew.dubya .net) (trojan.rules)
Pro:
2843772 - ETPRO USER_AGENTS Observed Suspicious UA (PC SOFT) (user_agents.rules)
2843773 - ETPRO USER_AGENTS Observed Suspicious UA (Download) (user_agents.rules)
2843774 - ETPRO TROJAN Win32/Unk.BR Downloader CnC Checkin (trojan.rules)
2843775 - ETPRO CURRENT_EVENTS Successful Santander Phish 2020-08-03 (current_events.rules)
2843776 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-08-03 (current_events.rules)
2843777 - ETPRO CURRENT_EVENTS Successful Ebay Phish 2020-08-03 (current_events.rules)
2843778 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-08-03 (current_events.rules)
2843779 - ETPRO CURRENT_EVENTS Successful Blockchain Phish 2020-08-03 (current_events.rules)
2843780 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-08-03 (current_events.rules)
2843781 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-08-03 (current_events.rules)
2843782 - ETPRO CURRENT_EVENTS Successful Gov UK Tax Refund Phish 2020-08-03 (current_events.rules)
2843783 - ETPRO CURRENT_EVENTS Successful Apple iCloud Phish 2020-08-03 (current_events.rules)
2843784 - ETPRO CURRENT_EVENTS Successful La Banque Postale Phish 2020-08-03 (current_events.rules)
2843785 - ETPRO TROJAN Win32/Injector.DGXX Variant CnC Host Checkin (trojan.rules)
2843786 - ETPRO TROJAN Win32/TrojanDownloader.Agent.FGY Variant CnC Host Checkin (trojan.rules)
2843787 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-01 1) (trojan.rules)
2843788 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-01 2) (trojan.rules)
2843789 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-01 3) (trojan.rules)
2843790 - ETPRO TROJAN MSIL/Injector.CCM Variant CnC Activity (trojan.rules)
2843791 - ETPRO TROJAN Win32/Remcos RAT Checkin 508 (trojan.rules)
2843792 - ETPRO TROJAN Win32/Remcos RAT Checkin 509 (trojan.rules)
2843793 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
[///] Modified active rules: [///]
2008433 - ET TROJAN Razy Variant Checkin (trojan.rules)
2013808 - ET TROJAN Dooptroop Dropper Checkin (trojan.rules)
2014313 - ET POLICY Executable Download From DropBox (policy.rules)
2014519 - ET INFO EXE - Served Inline HTTP (info.rules)
2016935 - ET WEB_SERVER SQL Injection Select Sleep Time Delay (web_server.rules)
2018677 - ET TROJAN Sharik/Smoke Loader Microsoft Connectivity check (trojan.rules)
2019680 - ET TROJAN Possible Archie EK Payload Checkin GET (trojan.rules)
2020899 - ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution (exploit.rules)
2022025 - ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 2 (trojan.rules)
2022026 - ET TROJAN Sharik/Smoke Loader Java Connectivity Check (trojan.rules)
2022027 - ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 3 (trojan.rules)
2022683 - ET TROJAN Win32/CryptFile2 Ransomware Checkin (trojan.rules)