[***]            Summary:            [***]

4 new OPEN, 52 new PRO (4 + 48). Trojan-Spy.AndroidOS.SpyNote.f / Spymax, AutoIT, Remcos, IcedID, Various Phishing.

Many rules in the Suricata 5 ruleset have been updated with Suricata 5 rule syntax/keywords. A complete list of rules that were changed can be found via the changelog here: https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.etpro.2020-08-06T22:20:01.txt
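In practice the Suricata 5 syntax update mostly means moving from legacy content modifiers (http_uri, http_method, tls_sni, ...) to the sticky buffers that replaced them (http.uri, http.method, tls.sni, ...). The script below is an added example, not Emerging Threats code or tooling: it lints a rules file for rules that still use the legacy modifiers and rewrites them into the sticky-buffer form. The sample rules, their sids (9000001 to 9000003, in the local range), and the domain example.invalid are constructed for this example and only mimic the shape of the rule classes listed in this update.

```python
"""Lint Suricata rules for legacy content modifiers and rewrite them as
Suricata 5 sticky buffers.

Added example, not Emerging Threats / Proofpoint code. The sample rules are
constructed: hypothetical sids in the local 9000000 range, a placeholder
domain, and option shapes that only mimic the rule classes in the changelog.
"""
import re

# Legacy content modifier -> Suricata 5 sticky buffer (per the Suricata 5 docs).
LEGACY_TO_STICKY = {
    "http_method": "http.method",
    "http_uri": "http.uri",
    "http_raw_uri": "http.uri.raw",
    "http_header": "http.header",
    "http_cookie": "http.cookie",
    "http_user_agent": "http.user_agent",
    "http_host": "http.host",
    "http_client_body": "http.request_body",
    "http_server_body": "http.response_body",
    "http_stat_code": "http.stat_code",
    "tls_sni": "tls.sni",
    "tls_cert_subject": "tls.cert_subject",
}

_RULE_RE = re.compile(r"^\s*(?P<header>[^(]+?)\s*\((?P<opts>.*)\)\s*$", re.S)


def split_rule(rule):
    """Return (header, [option, ...]); ';' inside quoted strings does not split."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("not a Suricata rule: %r" % rule[:60])
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in m.group("opts"):
        if escaped:                       # keep the escaped char verbatim
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:  # option terminator
            opt = "".join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return m.group("header"), opts


def option_name(opt):
    return opt.split(":", 1)[0].strip()


def rule_sid(opts):
    for opt in opts:
        if option_name(opt) == "sid":
            return int(opt.split(":", 1)[1].strip())
    return None


def legacy_modifiers(rule):
    """Names of pre-5 content modifiers used by one rule, in order of appearance."""
    _, opts = split_rule(rule)
    return [option_name(o) for o in opts if option_name(o) in LEGACY_TO_STICKY]


def convert_rule(rule):
    """Move each legacy modifier in front of its content as a sticky buffer.

    'content:"/panel/"; nocase; http_uri;' becomes
    'http.uri; content:"/panel/"; nocase;'. A rule that already uses sticky
    buffers is returned unchanged.
    """
    header, opts = split_rule(rule)
    out, last_content = [], None  # index in `out` of the most recent content
    for opt in opts:
        name = option_name(opt)
        if name in LEGACY_TO_STICKY:
            if last_content is None:
                raise ValueError("modifier %s without a preceding content" % name)
            sticky = LEGACY_TO_STICKY[name]
            if last_content == 0 or out[last_content - 1] != sticky:
                out.insert(last_content, sticky)  # sticky buffer precedes content
                last_content += 1
            continue
        if name == "content":
            last_content = len(out)
        out.append(opt)
    return "%s (%s;)" % (header, "; ".join(out))


def lint_ruleset(text):
    """Map sid -> legacy modifiers for every rule line in a .rules file body."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        report[rule_sid(split_rule(line)[1])] = legacy_modifiers(line)
    return report


# Constructed sample rules (hypothetical sids, placeholder domain), not ET rules.
RULE_LEGACY_HTTP = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HYPOTHETICAL HTTP POST '
    'with panel in URI"; flow:established,to_server; content:"POST"; http_method; '
    'content:"/panel/"; nocase; http_uri; classtype:trojan-activity; sid:9000001; rev:1;)'
)
RULE_LEGACY_TLS = (
    'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"HYPOTHETICAL CnC Domain '
    'in TLS SNI"; flow:established,to_server; content:"example.invalid"; tls_sni; '
    'isdataat:!1,relative; classtype:trojan-activity; sid:9000002; rev:1;)'
)
RULE_STICKY_HTTP = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HYPOTHETICAL Zipped '
    'Filename in Outbound POST"; flow:established,to_server; http.method; '
    'content:"POST"; http.request_body; content:"PK|03 04|"; depth:4; '
    'content:"passwords.txt"; distance:0; classtype:trojan-activity; sid:9000003; rev:1;)'
)
SAMPLE_RULESET = "\n".join(
    ["# constructed test ruleset", RULE_LEGACY_HTTP, RULE_LEGACY_TLS, RULE_STICKY_HTTP]
)

if __name__ == "__main__":
    for sid, legacy in lint_ruleset(SAMPLE_RULESET).items():
        print(sid, "legacy modifiers:", legacy or "none")
    print(convert_rule(RULE_LEGACY_HTTP))
    print(convert_rule(RULE_LEGACY_TLS))
```

Point lint_ruleset() at the body of your own .rules file to see which local rules still carry pre-5 modifiers. The rewrite only handles content modifiers; pcre buffer flags (for example a /U on a pcre option) and any rule that relies on modifier-specific relative matching across buffers still need a manual review, and every converted rule should be loaded with suricata -T before it goes into production.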

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030659 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server (web_server.rules)
  2030660 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server (web_client.rules)
  2030661 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server (web_server.rules)
  2030662 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server (web_client.rules)

Pro:

  2843823 - ETPRO INFO Observed HTTP POST with panel in URI (info.rules)
  2843848 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SpyNote.f / Spymax Checkin (mobile_malware.rules)
  2843849 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.m DNS Lookup (mobile_malware.rules)
  2843850 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.m TLS SNI (mobile_malware.rules)
  2843851 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (Cookies.log) M2 (info.rules)
  2843852 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (passwords.log) M2 (trojan.rules)
  2843853 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (cookies.txt) M2 (info.rules)
  2843854 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2 (trojan.rules)
  2843855 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (wallet.dat) M2 (trojan.rules)
  2843856 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 (trojan.rules)
  2843857 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (cookie.txt) M2 (info.rules)
  2843858 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (ccdata.txt) M2 (trojan.rules)
  2843859 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (google_chrome_default_) M2 (info.rules)
  2843860 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (Mozilla_Firefox_Cookies) M2 (info.rules)
  2843861 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (Filezilla/sitemanager.xml) M2 (info.rules)
  2843862 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (Browsers.txt) M2 (info.rules)
  2843863 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (Domains.txt) M2 (info.rules)
  2843864 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (screen.) M2 (trojan.rules)
  2843865 - ETPRO TROJAN Observed Malicious SSL Cert (Get2 CnC) (trojan.rules)
  2843866 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC) (trojan.rules)
  2843867 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-06 1) (trojan.rules)
  2843868 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-06 2) (trojan.rules)
  2843869 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-06 3) (trojan.rules)
  2843870 - ETPRO CURRENT_EVENTS Successful Deutsche Kreditbank AG Phish 2020-08-06 (current_events.rules)
  2843871 - ETPRO CURRENT_EVENTS Successful Bancolumbia Phish 2020-08-06 (current_events.rules)
  2843872 - ETPRO CURRENT_EVENTS Successful Global Sources Phish 2020-08-06 (current_events.rules)
  2843873 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-08-06 (current_events.rules)
  2843874 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-08-06 (current_events.rules)
  2843875 - ETPRO CURRENT_EVENTS Successful Generic Webmail Verification Phish 2020-08-06 (current_events.rules)
  2843876 - ETPRO CURRENT_EVENTS Successful IRS Phish 2020-08-06 (current_events.rules)
  2843877 - ETPRO CURRENT_EVENTS Successful Facebook Verification Phish 2020-08-06 (current_events.rules)
  2843878 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish 2020-08-06 (current_events.rules)
  2843879 - ETPRO POLICY Outbound UDT Control DATA Packet Observed (policy.rules)
  2843884 - ETPRO TROJAN Unknown AutoIT Bot - Client Checkin M1 (trojan.rules)
  2843885 - ETPRO TROJAN Unknown AutoIT Bot - Client Checkin M2 (trojan.rules)
  2843886 - ETPRO TROJAN Win32/Remcos RAT Checkin 515 (trojan.rules)
  2843887 - ETPRO TROJAN Win32/Remcos RAT Checkin 516 (trojan.rules)
  2843888 - ETPRO TROJAN Win32/Remcos RAT Checkin 517 (trojan.rules)
  2843889 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
  2843890 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
  2843891 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
  2843892 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
  2843893 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)

[///]     Modified active rules:     [///]

  2008738 - ET TROJAN Suspicious Accept-Language HTTP Header zh-cn likely Kernelbot/Conficker Trojan Related (trojan.rules)
  2010087 - ET SCAN Suspicious User-Agent Containing SQL Inject/ion Likely SQL Injection Scanner (scan.rules)
  2010088 - ET SCAN Suspicious User-Agent Containing Web Scan/er Likely Web Scanner (scan.rules)
  2010089 - ET SCAN Suspicious User-Agent Containing Security Scan/ner Likely Scan (scan.rules)
