[***]            Summary:            [***]

1 new OPEN, 19 new PRO (1 + 18).  Venom, FreakJPG, HiddenCobra APT, Various Phishing, Various Suri 5 syntax updates.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030707 - ET INFO Possible Phishing - Form submitted to submit-form Form Hosting (info.rules)

Pro:

  2844081 - ETPRO TROJAN Win32/APT.HiddenCobra BLINDINGCAN RAT CnC Activity (trojan.rules)
  2844082 - ETPRO TROJAN Win32/APT.HiddenCobra BLINDINGCAN RAT Retrieving Payload (trojan.rules)
  2844083 - ETPRO USER_AGENTS Observed Suspicious UA (MSIE7.0) (user_agents.rules)
  2844084 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-20 1) (trojan.rules)
  2844085 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-20 2) (trojan.rules)
  2844086 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-08-20 (current_events.rules)
  2844087 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information to XYZ Domain Phish 2020-08-20 (current_events.rules)
  2844088 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information to XYZ Domain Phish 2020-08-20 (current_events.rules)
  2844089 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-08-20 (current_events.rules)
  2844090 - ETPRO CURRENT_EVENTS Successful Alibaba Phish 2020-08-20 (current_events.rules)
  2844091 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-08-20 (current_events.rules)
  2844092 - ETPRO TROJAN Venom Client CnC Activity (trojan.rules)
  2844093 - ETPRO TROJAN Win32/FreakJPG Stealer CnC Activity (trojan.rules)
  2844096 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
  2844097 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
  2844098 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
  2844099 - ETPRO CURRENT_EVENTS Successful La Banque Postale Phish (FR) 2020-08-20 (current_events.rules)
  2844100 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)

[///]     Modified active rules:     [///]

  2007866 - ET CHAT Gadu-Gadu Chat Client Checkin via HTTP (chat.rules)
  2008295 - ET CHAT Gadu-Gadu IM Login Server Request (chat.rules)
  2008538 - ET SCAN Sqlmap SQL Injection Scan (scan.rules)
  2008570 - ET POLICY External Unencrypted Connection to BASE Console (policy.rules)
  2009362 - ET WEB_SERVER /system32/ in Uri - Possible Protected Directory Access Attempt (web_server.rules)
  2009714 - ET WEB_SERVER Script tag in URI Possible Cross Site Scripting Attempt (web_server.rules)
  2010592 - ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp) (web_server.rules)
  2010963 - ET WEB_SERVER SELECT USER SQL Injection Attempt in URI (web_server.rules)
  2011037 - ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION (web_server.rules)
  2011141 - ET WEB_SERVER PHP Easteregg Information-Disclosure (phpinfo) (web_server.rules)
  2012870 - ET POLICY HTTP Outbound Request contains pw (policy.rules)
  2013030 - ET POLICY libwww-perl User-Agent (policy.rules)
  2013256 - ET POLICY Majestic12 User-Agent Request Outbound (policy.rules)
  2013290 - ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET (policy.rules)
  2016810 - ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (2) (current_events.rules)
  2017639 - ET INFO JAR Size Under 30K Size - Potentially Hostile (info.rules)
  2017928 - ET POLICY check.torproject.org IP lookup/Tor Usage check over TLS with SNI (policy.rules)
  2017933 - ET POLICY TraceMyIP IP lookup (policy.rules)
  2018359 - ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 (info.rules)
  2018919 - ET POLICY possible Xiaomi phone data leakage HTTP (policy.rules)
  2019512 - ET POLICY Possible IP Check api.ipify.org (policy.rules)
  2020083 - ET TROJAN Win64/Havex Checkin (trojan.rules)
  2020882 - ET TROJAN Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3) (trojan.rules)
  2022538 - ET TROJAN Ransomware Locky CnC Beacon (trojan.rules)
  2022551 - ET POLICY Logmein.com/Join.me SSL Remote Control Access (policy.rules)
  2022816 - ET WEB_SERVER Possible SQLi Attempt in User Agent (Inbound) (web_server.rules)
  2023475 - ET MOBILE_MALWARE Adware.Adwo.A (mobile_malware.rules)
  2023882 - ET INFO HTTP Request to a *.top domain (info.rules)
  2024038 - ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (web_specific_apps.rules)
  2024044 - ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M2 (web_specific_apps.rules)
  2024106 - ET TROJAN Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o) (trojan.rules)
  2024227 - ET INFO Lets Encrypt Free SSL Cert Observed with IDN/Punycode Domain - Possible Phishing (info.rules)
  2024291 - ET TROJAN Possible WannaCry DNS Lookup 1 (trojan.rules)
  2024786 - ET POLICY Request for Coinhive Browser Monero Miner M2 (policy.rules)
  2024788 - ET POLICY Request for Jsecoin Browser Miner M2 (policy.rules)
  2024814 - ET EXPLOIT Likely Struts S2-053-CVE-2017-12611 Exploit Attempt M1 (exploit.rules)
  2024833 - ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI) (policy.rules)
  2802103 - ETPRO POLICY MOBILE iPhone locationd User-Agent Detected (policy.rules)
  2805897 - ETPRO TROJAN Bifrose.IQ requesting setup.exe (trojan.rules)
  2812739 - ETPRO POLICY NetSupport Remote Admin Checkin (policy.rules)
  2816032 - ETPRO POLICY OSX/Potential Vulnerable Application using Sparkle Updater (policy.rules)
  2816855 - ETPRO TROJAN Downloader Possibly Retrieving Locky (trojan.rules)
  2821001 - ETPRO CURRENT_EVENTS PowerShell Empire Session via MSOffice Doc Macro (current_events.rules)
  2821200 - ETPRO POLICY Observed External IP (wtfismyip) Lookup SSL Cert (Server Hello) (policy.rules)
  2825353 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate Detected (trojan.rules)
  2825610 - ETPRO TROJAN Lets Encrypt Free SSL Cert Observed in Possible Apple Phishing (trojan.rules)
  2826486 - ETPRO TROJAN RTM Banker TCP Domain Lookup (trojan.rules)
  2826824 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.AZQ / Android.Triada Checkin (mobile_malware.rules)
  2826896 - ETPRO TROJAN Win32/InstallCore CnC Activity (trojan.rules)
  2827774 - ETPRO TROJAN Backdoor.Ratenjay POST with System Information (trojan.rules)
  2828735 - ETPRO TROJAN Sidewinder.A C2 (trojan.rules)
  2828744 - ETPRO TROJAN Sigma Ransomware Decryptor/Payment Domain (6uhryhsrr577vykz in DNS Lookup) (trojan.rules)
  2828745 - ETPRO TROJAN Sigma Ransomware Decryptor/Payment Domain (yowl2ugopitfzzwb in DNS Lookup) (trojan.rules)
  2828746 - ETPRO TROJAN Sigma Ransomware Decryptor/Payment Domain (ypg7rfjvfywj7jhp in DNS Lookup) (trojan.rules)
  2843634 - ETPRO TROJAN Jacard Banker Variant CnC Host Checkin (trojan.rules)
