[***] Summary: [***]
6 new OPEN, 28 new PRO (6 + 22). DeathStalker, BitRAT, AsyncRAT, and Various Phish.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030723 - ET TROJAN Observed APT/SideWinder CnC Domain in TLS SNI (trojan.rules)
2030724 - ET TROJAN Observed Malicious SSL Cert (BitRAT CnC) (trojan.rules)
2030725 - ET TROJAN DeathStalker/Janicab CnC Checkin (trojan.rules)
2030726 - ET TROJAN DeathStalker/Powersing CnC Checkin (trojan.rules)
2030727 - ET TROJAN Win32/Agent.ACBD CnC Activity (trojan.rules)
2030728 - ET TROJAN Suspected Zebrocy Downloader Traffic (trojan.rules)
Pro:
2844118 - ETPRO TROJAN MalDoc Retrieving Payload 2020-08-24 (trojan.rules)
2844119 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2844120 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2844121 - ETPRO INFO Observed Suspicious HTTP Header Content Outbound (Multiple #) (info.rules)
2844122 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-22 1) (trojan.rules)
2844123 - ETPRO CURRENT_EVENTS Successful ABSA Phish 2020-08-24 (current_events.rules)
2844124 - ETPRO TROJAN BitRAT External IP Check (trojan.rules)
2844125 - ETPRO CURRENT_EVENTS Successful Amazon JP Phish 2020-08-24 (current_events.rules)
2844126 - ETPRO CURRENT_EVENTS Successful e-Devlet Phish 2020-08-24 (current_events.rules)
2844127 - ETPRO TROJAN Win32/Pterodo.ADA CnC Host Checkin (trojan.rules)
2844129 - ETPRO CURRENT_EVENTS Successful e-Devlet Phish 2020-08-24 (current_events.rules)
2844130 - ETPRO CURRENT_EVENTS Successful RBC Royal Bank Phish 2020-08-24 (current_events.rules)
2844131 - ETPRO TROJAN Win32/Injector.AAD Variant CnC Activity (trojan.rules)
2844132 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-08-24 (current_events.rules)
2844133 - ETPRO TROJAN DCRat Initial Checkin Server Response (trojan.rules)
2844134 - ETPRO TROJAN Observed DCRat CnC Domain in TLS SNI (trojan.rules)
2844135 - ETPRO TROJAN Win32/Remcos RAT Checkin 523 (trojan.rules)
2844136 - ETPRO TROJAN Win32/Remcos RAT Checkin 524 (trojan.rules)
2844137 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844138 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844139 - ETPRO TROJAN Observed Maldoc CnC 2020-08-24 Domain in TLS SNI (trojan.rules)
[///] Modified active rules: [///]
2021176 - ET TROJAN Bladabindi/njRAT CnC Command (ll) (trojan.rules)
2021690 - ET TROJAN MWI Maldoc Stats Callout Aug 18 2015 (trojan.rules)
2022503 - ET TROJAN Various Malicious AlphaNum DL Feb 10 2016 (trojan.rules)
2023458 - ET INFO Possible EXE Download From Suspicious TLD (.gdn) - set (info.rules)
2024946 - ET CURRENT_EVENTS BankAustria Phishing Domain Nov 03 2017 (current_events.rules)
2024949 - ET CURRENT_EVENTS Successful BankAustria Phish Nov 03 2017 (current_events.rules)
2025099 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2017-12-03 (current_events.rules)
2025115 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2017-12-04 (current_events.rules)
2025117 - ET POLICY localtunnel Sucessful Connection Setup (policy.rules)
2025121 - ET TROJAN MewsSpy.AE Onion Domain (cxkefbwo7qcmlelb in DNS Lookup) (trojan.rules)
2025132 - ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 (exploit.rules)
2025696 - ET CURRENT_EVENTS Suspicious Wordpress Redirect - Possible Phishing Landing (set) Jan 7 (current_events.rules)
2807216 - ETPRO TROJAN Orbit downloader checkin 3 (trojan.rules)
2812918 - ETPRO TROJAN Cobalt Strike Beacon Observed (trojan.rules)
2820991 - ETPRO TROJAN Win32/TrojanDownloader.Agent.CIV Initial CnC Checkin (trojan.rules)
2822712 - ETPRO CURRENT_EVENTS Successful Banco de la Nacion Phish Oct 18 2016 (current_events.rules)
2824134 - ETPRO CURRENT_EVENTS Successful Generic Phish (Meta HTTP-Equiv Refresh) Dec 29 2016 (current_events.rules)
2826114 - ETPRO CURRENT_EVENTS Successful Netflix Payment Information Phish Apr 26 2017 (current_events.rules)
2828750 - ETPRO CURRENT_EVENTS Successful Visa Home Phish 2017-12-02 (current_events.rules)
2828751 - ETPRO CURRENT_EVENTS Successful Mastercard Securecode Phish 2017-12-02 (current_events.rules)
2828752 - ETPRO CURRENT_EVENTS Successful ANZ Internet Banking Phish 2017-12-02 (current_events.rules)
2828754 - ETPRO CURRENT_EVENTS Successful Alibaba Phish 2017-12-02 (current_events.rules)
2828755 - ETPRO CURRENT_EVENTS Successful Excel Online Phish 2017-12-02 (current_events.rules)
2828756 - ETPRO CURRENT_EVENTS Successful Orange (FR) Phish 2017-12-02 (current_events.rules)
2828757 - ETPRO CURRENT_EVENTS Successful Santander Phish 2017-12-03 (current_events.rules)
2828758 - ETPRO CURRENT_EVENTS Successful ADP Mobile Phish 2017-12-03 (current_events.rules)
2828759 - ETPRO CURRENT_EVENTS Successful Gmail Phish 2017-12-03 (current_events.rules)
2828760 - ETPRO CURRENT_EVENTS Successful Canada Revenue Agency Phish 2017-12-03 (current_events.rules)
2828761 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 249 (mobile_malware.rules)
2828763 - ETPRO TROJAN GlobeImposter Payment Domain (ugf57wl6uexcj7fu in DNS Lookup) (trojan.rules)
2828766 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2017-12-04 M1 (current_events.rules)
2828767 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2017-12-04 M2 (current_events.rules)
2828768 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2017-12-04 M3 (current_events.rules)
2828769 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2017-12-04 M4 (current_events.rules)
2828770 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2017-12-04 M5 (current_events.rules)
2828771 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2017-12-04 M6 (current_events.rules)
2828772 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2017-12-04 M7 (current_events.rules)
2828773 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2017-12-04 M8 (current_events.rules)
2828780 - ETPRO CURRENT_EVENTS Successful Halkbank (TK) Phish 2017-12-04 (current_events.rules)
2828785 - ETPRO CURRENT_EVENTS Successful OneDrive Phish 2017-12-04 (current_events.rules)
2828786 - ETPRO CURRENT_EVENTS Successful Adobe Phish 2017-12-04 (current_events.rules)
2828788 - ETPRO TROJAN Win32/Banload.Downloader Requesting Payload (trojan.rules)
2828796 - ETPRO TROJAN Molerats/GazaHacker Checkin M2 (trojan.rules)
2828802 - ETPRO CURRENT_EVENTS Successful Chase Phish 2017-12-05 (current_events.rules)
2828805 - ETPRO CURRENT_EVENTS Successful Banque Postale (FR) Phish 2017-12-06 M2 (current_events.rules)
2828806 - ETPRO CURRENT_EVENTS Successful Generic Multi Email Account Phish 2017-12-06 (current_events.rules)
2828807 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2017-12-06 (current_events.rules)