[***]            Summary:            [***]

12 new OPEN, 38 new PRO (12 + 26). YAHOOYLO, AutoIT, APT32, IcedID, BleazIT, Various Phishing.

There was a backend code fix today that corrected an issue with multiple metadata fields. As a result of the fix, a large part of the ruleset was updated today. For a list of all the rules updated, the full changelog can be viewed here: https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.etpro.2020-08-05T22:27:03.txt

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030647 - ET TROJAN Observed Malicious SSL Cert (Get2 CnC) (trojan.rules)
  2030648 - ET TROJAN YAHOOYLO Stealer CnC Exfil (trojan.rules)
  2030649 - ET TROJAN Unknown AutoIt Bot - Initial Server Response (trojan.rules)
  2030650 - ET WEB_SERVER Generic Webshell Accessed (web_server.rules)
  2030651 - ET WEB_SERVER Generic Webshell Activity (web_server.rules)
  2030652 - ET TROJAN Suspected APT32/Oceanlotus Maldoc CnC (trojan.rules)
  2030653 - ET TROJAN Observed IcedID Domain (loadfreeman .casa in TLS SNI) (trojan.rules)
  2030654 - ET TROJAN Observed IcedID Domain (deactivate .best in TLS SNI) (trojan.rules)
  2030655 - ET TROJAN Observed IcedID Domain (deactivate .pw in TLS SNI) (trojan.rules)
  2030656 - ET TROJAN Observed IcedID Domain (80frontluzkher .xyz in TLS SNI) (trojan.rules)
  2030657 - ET TROJAN Observed IcedID Domain (bruzilovv .top in TLS SNI) (trojan.rules)
  2030658 - ET TROJAN Observed IcedID Domain (ldrtoyota .casa in TLS SNI) (trojan.rules)

Pro:

  2843822 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Mandrake.a Checkin (mobile_malware.rules)
  2843823 - ETPRO CURRENT_EVENTS Observed HTTP POST with panel in URI (current_events.rules)
  2843824 - ETPRO TROJAN Win32/BleazIT CnC Checkin (trojan.rules)
  2843825 - ETPRO TROJAN MSIL/Pontoeb.E CnC Checkin (trojan.rules)
  2843826 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-05 1) (trojan.rules)
  2843827 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-05 2) (trojan.rules)
  2843828 - ETPRO CURRENT_EVENTS Successful Microsoft Office Voicemail Phish 2020-08-05 (current_events.rules)
  2843829 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-08-05 (current_events.rules)
  2843830 - ETPRO CURRENT_EVENTS Successful Societe Generale FR Phish 2020-08-05 (current_events.rules)
  2843831 - ETPRO CURRENT_EVENTS Successful Justns.ru Hosted Generic Phish 2020-08-05 (current_events.rules)
  2843832 - ETPRO CURRENT_EVENTS Successful EMS Webmail Phish 2020-08-05 (current_events.rules)
  2843833 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish 2020-08-05 (current_events.rules)
  2843834 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-08-05 (current_events.rules)
  2843835 - ETPRO CURRENT_EVENTS Successful Ebay Phish 2020-08-05 (current_events.rules)
  2843836 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-08-05 (current_events.rules)
  2843837 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-08-05 (current_events.rules)
  2843838 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-08-05 (current_events.rules)
  2843839 - ETPRO TROJAN Unknown MalDoc Host CnC Checkin (trojan.rules)
  2843840 - ETPRO TROJAN Observed YAHOOYLO Stealer CnC Domain in TLS SNI (trojan.rules)
  2843841 - ETPRO TROJAN YAHOOYLO Stealer CnC Activity (trojan.rules)
  2843842 - ETPRO TROJAN Observed YAHOOYLO Stealer CnC Domain in TLS SNI (trojan.rules)
  2843843 - ETPRO TROJAN Win32/Remcos RAT Checkin 510 (trojan.rules)
  2843844 - ETPRO TROJAN Win32/Remcos RAT Checkin 511 (trojan.rules)
  2843845 - ETPRO TROJAN Win32/Remcos RAT Checkin 512 (trojan.rules)
  2843846 - ETPRO TROJAN Win32/Remcos RAT Checkin 513 (trojan.rules)
  2843847 - ETPRO TROJAN Win32/Remcos RAT Checkin 514 (trojan.rules)

[///]     Modified active rules:     [///]

  2000026 - ET MALWARE Gator Agent Traffic (malware.rules)
  2000488 - ET EXPLOIT MS-SQL SQL Injection closing string plus line comment (exploit.rules)
  2000586 - ET MALWARE Ezula Related User-Agent (mez) (malware.rules)
  2000596 - ET MALWARE Gator/Claria Data Submission (malware.rules)
  2001031 - ET MALWARE Casino on Net Reporting Data (malware.rules)
