[***] Summary: [***]
4 new OPEN, 52 new PRO (4 + 48). Trojan-Spy.AndroidOS.SpyNote.f / Spymax, AutoIT, Remcos, IcedID, Various Phishing.
Many rules in the Suricata 5 ruleset have been updated with Suricata 5 rule syntax/keywords. A complete list of rules that were changed can be found via the changelog here: https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.etpro.2020-08-06T22:20:01.txt
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030659 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server (web_server.rules)
2030660 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server (web_client.rules)
2030661 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server (web_server.rules)
2030662 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server (web_client.rules)
Pro:
2843823 - ETPRO INFO Observed HTTP POST with panel in URI (info.rules)
2843848 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SpyNote.f / Spymax Checkin (mobile_malware.rules)
2843849 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.m DNS Lookup (mobile_malware.rules)
2843850 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.m TLS SNI (mobile_malware.rules)
2843851 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (Cookies.log) M2 (info.rules)
2843852 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (passwords.log) M2 (trojan.rules)
2843853 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (cookies.txt) M2 (info.rules)
2843854 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2 (trojan.rules)
2843855 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (wallet.dat) M2 (trojan.rules)
2843856 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 (trojan.rules)
2843857 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (cookie.txt) M2 (info.rules)
2843858 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (ccdata.txt) M2 (trojan.rules)
2843859 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (google_chrome_default_) M2 (info.rules)
2843860 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (Mozilla_Firefox_Cookies) M2 (info.rules)
2843861 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (Filezilla/sitemanager.xml) M2 (info.rules)
2843862 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (Browsers.txt) M2 (info.rules)
2843863 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (Domains.txt) M2 (info.rules)
2843864 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (screen.) M2 (trojan.rules)
2843865 - ETPRO TROJAN Observed Malicious SSL Cert (Get2 CnC) (trojan.rules)
2843866 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC) (trojan.rules)
2843867 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-06 1) (trojan.rules)
2843868 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-06 2) (trojan.rules)
2843869 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-06 3) (trojan.rules)
2843870 - ETPRO CURRENT_EVENTS Successful Deutsche Kreditbank AG Phish 2020-08-06 (current_events.rules)
2843871 - ETPRO CURRENT_EVENTS Successful Bancolumbia Phish 2020-08-06 (current_events.rules)
2843872 - ETPRO CURRENT_EVENTS Successful Global Sources Phish 2020-08-06 (current_events.rules)
2843873 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-08-06 (current_events.rules)
2843874 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-08-06 (current_events.rules)
2843875 - ETPRO CURRENT_EVENTS Successful Generic Webmail Verification Phish 2020-08-06 (current_events.rules)
2843876 - ETPRO CURRENT_EVENTS Successful IRS Phish 2020-08-06 (current_events.rules)
2843877 - ETPRO CURRENT_EVENTS Successful Facebook Verification Phish 2020-08-06 (current_events.rules)
2843878 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish 2020-08-06 (current_events.rules)
2843879 - ETPRO POLICY Outbound UDT Control DATA Packet Observed (policy.rules)
2843884 - ETPRO TROJAN Unknown AutoIT Bot - Client Checkin M1 (trojan.rules)
2843885 - ETPRO TROJAN Unknown AutoIT Bot - Client Checkin M2 (trojan.rules)
2843886 - ETPRO TROJAN Win32/Remcos RAT Checkin 515 (trojan.rules)
2843887 - ETPRO TROJAN Win32/Remcos RAT Checkin 516 (trojan.rules)
2843888 - ETPRO TROJAN Win32/Remcos RAT Checkin 517 (trojan.rules)
2843889 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2843890 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2843891 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2843892 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2843893 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
[///] Modified active rules: [///]
2008738 - ET TROJAN Suspicious Accept-Language HTTP Header zh-cn likely Kernelbot/Conficker Trojan Related (trojan.rules)
2010087 - ET SCAN Suspicious User-Agent Containing SQL Inject/ion Likely SQL Injection Scanner (scan.rules)
2010088 - ET SCAN Suspicious User-Agent Containing Web Scan/er Likely Web Scanner (scan.rules)
2010089 - ET SCAN Suspicious User-Agent Containing Security Scan/ner Likely Scan (scan.rules)