[***] Summary: [***]
1 new OPEN, 19 new PRO (1 + 18). Venom, FreakJPG, HiddenCobra APT, Various Phishing, Various Suri 5 syntax updates.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030707 - ET INFO Possible Phishing - Form submitted to submit-form Form Hosting (info.rules)
Pro:
2844081 - ETPRO TROJAN Win32/APT.HiddenCobra BLINDINGCAN RAT CnC Activity (trojan.rules)
2844082 - ETPRO TROJAN Win32/APT.HiddenCobra BLINDINGCAN RAT Retrieving Payload (trojan.rules)
2844083 - ETPRO USER_AGENTS Observed Suspicious UA (MSIE7.0) (user_agents.rules)
2844084 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-20 1) (trojan.rules)
2844085 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-20 2) (trojan.rules)
2844086 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-08-20 (current_events.rules)
2844087 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information to XYZ Domain Phish 2020-08-20 (current_events.rules)
2844088 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information to XYZ Domain Phish 2020-08-20 (current_events.rules)
2844089 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-08-20 (current_events.rules)
2844090 - ETPRO CURRENT_EVENTS Successful Alibaba Phish 2020-08-20 (current_events.rules)
2844091 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-08-20 (current_events.rules)
2844092 - ETPRO TROJAN Venom Client CnC Activity (trojan.rules)
2844093 - ETPRO TROJAN Win32/FreakJPG Stealer CnC Activity (trojan.rules)
2844096 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844097 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844098 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844099 - ETPRO CURRENT_EVENTS Successful La Banque Postale Phish (FR) 2020-08-20 (current_events.rules)
2844100 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
[///] Modified active rules: [///]
2007866 - ET CHAT Gadu-Gadu Chat Client Checkin via HTTP (chat.rules)
2008295 - ET CHAT Gadu-Gadu IM Login Server Request (chat.rules)
2008538 - ET SCAN Sqlmap SQL Injection Scan (scan.rules)
2008570 - ET POLICY External Unencrypted Connection to BASE Console (policy.rules)
2009362 - ET WEB_SERVER /system32/ in Uri - Possible Protected Directory Access Attempt (web_server.rules)
2009714 - ET WEB_SERVER Script tag in URI Possible Cross Site Scripting Attempt (web_server.rules)
2010592 - ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp) (web_server.rules)
2010963 - ET WEB_SERVER SELECT USER SQL Injection Attempt in URI (web_server.rules)
2011037 - ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION (web_server.rules)
2011141 - ET WEB_SERVER PHP Easteregg Information-Disclosure (phpinfo) (web_server.rules)
2012870 - ET POLICY HTTP Outbound Request contains pw (policy.rules)
2013030 - ET POLICY libwww-perl User-Agent (policy.rules)
2013256 - ET POLICY Majestic12 User-Agent Request Outbound (policy.rules)
2013290 - ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET (policy.rules)
2016810 - ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (2) (current_events.rules)
2017639 - ET INFO JAR Size Under 30K Size - Potentially Hostile (info.rules)
2017928 - ET POLICY check.torproject.org IP lookup/Tor Usage check over TLS with SNI (policy.rules)
2017933 - ET POLICY TraceMyIP IP lookup (policy.rules)
2018359 - ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 (info.rules)
2018919 - ET POLICY possible Xiaomi phone data leakage HTTP (policy.rules)
2019512 - ET POLICY Possible IP Check api.ipify.org (policy.rules)
2020083 - ET TROJAN Win64/Havex Checkin (trojan.rules)
2020882 - ET TROJAN Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3) (trojan.rules)
2022538 - ET TROJAN Ransomware Locky CnC Beacon (trojan.rules)
2022551 - ET POLICY Logmein.com/Join.me SSL Remote Control Access (policy.rules)
2022816 - ET WEB_SERVER Possible SQLi Attempt in User Agent (Inbound) (web_server.rules)
2023475 - ET MOBILE_MALWARE Adware.Adwo.A (mobile_malware.rules)
2023882 - ET INFO HTTP Request to a *.top domain (info.rules)
2024038 - ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (web_specific_apps.rules)
2024044 - ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M2 (web_specific_apps.rules)
2024106 - ET TROJAN Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o) (trojan.rules)
2024227 - ET INFO Lets Encrypt Free SSL Cert Observed with IDN/Punycode Domain - Possible Phishing (info.rules)
2024291 - ET TROJAN Possible WannaCry DNS Lookup 1 (trojan.rules)
2024786 - ET POLICY Request for Coinhive Browser Monero Miner M2 (policy.rules)
2024788 - ET POLICY Request for Jsecoin Browser Miner M2 (policy.rules)
2024814 - ET EXPLOIT Likely Struts S2-053-CVE-2017-12611 Exploit Attempt M1 (exploit.rules)
2024833 - ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI) (policy.rules)
2802103 - ETPRO POLICY MOBILE iPhone locationd User-Agent Detected (policy.rules)
2805897 - ETPRO TROJAN Bifrose.IQ requesting setup.exe (trojan.rules)
2812739 - ETPRO POLICY NetSupport Remote Admin Checkin (policy.rules)
2816032 - ETPRO POLICY OSX/Potential Vulnerable Application using Sparkle Updater (policy.rules)
2816855 - ETPRO TROJAN Downloader Possibly Retrieving Locky (trojan.rules)
2821001 - ETPRO CURRENT_EVENTS PowerShell Empire Session via MSOffice Doc Macro (current_events.rules)
2821200 - ETPRO POLICY Observed External IP (wtfismyip) Lookup SSL Cert (Server Hello) (policy.rules)
2825353 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate Detected (trojan.rules)
2825610 - ETPRO TROJAN Lets Encrypt Free SSL Cert Observed in Possible Apple Phishing (trojan.rules)
2826486 - ETPRO TROJAN RTM Banker TCP Domain Lookup (trojan.rules)
2826824 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.AZQ / Android.Triada Checkin (mobile_malware.rules)
2826896 - ETPRO TROJAN Win32/InstallCore CnC Activity (trojan.rules)
2827774 - ETPRO TROJAN Backdoor.Ratenjay POST with System Information (trojan.rules)
2828735 - ETPRO TROJAN Sidewinder.A C2 (trojan.rules)
2828744 - ETPRO TROJAN Sigma Ransomware Decryptor/Payment Domain (6uhryhsrr577vykz in DNS Lookup) (trojan.rules)
2828745 - ETPRO TROJAN Sigma Ransomware Decryptor/Payment Domain (yowl2ugopitfzzwb in DNS Lookup) (trojan.rules)
2828746 - ETPRO TROJAN Sigma Ransomware Decryptor/Payment Domain (ypg7rfjvfywj7jhp in DNS Lookup) (trojan.rules)
2843634 - ETPRO TROJAN Jacard Banker Variant CnC Host Checkin (trojan.rules)