[***] Summary: [***]
4 new OPEN, 32 new PRO (4 + 28). Upatre, IDDRAT, IcedID, Various Phishing.
Many rules in the Suricata 5 ruleset have been updated with Suricata 5 rule syntax/keywords. A complete list of rules that were changed can be found via the changelog here:
https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.open.2020-08-31T22:01:39.txt
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030815 - ET CURRENT_EVENTS Generic Phishing Panel Accessed on External Server (current_events.rules)
2030816 - ET CURRENT_EVENTS Generic Phishing Panel Accessed on Internal Server (current_events.rules)
2030817 - ET CURRENT_EVENTS Caixa Phishing Landing (current_events.rules)
2030818 - ET TROJAN Upatre User-Agent (trojan.rules)
Pro:
2844199 - ETPRO CURRENT_EVENTS MalDoc Retrieving Payload 2020-08-31 (current_events.rules)
2844200 - ETPRO TROJAN Win32/IDDRAT CnC Server Command Inbound (GETID) (trojan.rules)
2844201 - ETPRO TROJAN Win32/IDDRAT CnC Checkin (trojan.rules)
2844202 - ETPRO TROJAN Win32/IDDRAT CnC Server Command Inbound (SRDV) (trojan.rules)
2844203 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL 2020-08-31) (trojan.rules)
2844204 - ETPRO CURRENT_EVENTS Successful Navy Federal Credit Union Phish 2020-08-28 (current_events.rules)
2844205 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-29 1) (trojan.rules)
2844206 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-29 2) (trojan.rules)
2844207 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-08-29 3) (trojan.rules)
2844208 - ETPRO TROJAN Win32/VB.NVR CnC Host Checkin (trojan.rules)
2844209 - ETPRO TROJAN Win32/Spy.Agent.PVI Variant CnC Host Checkin (trojan.rules)
2844210 - ETPRO CURRENT_EVENTS Successful Bank of Guam Phish 2020-08-31 (current_events.rules)
2844211 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2020-08-31 (current_events.rules)
2844212 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2020-08-31 (current_events.rules)
2844213 - ETPRO CURRENT_EVENTS Successful Generic Multibank Phish 2020-08-31 (current_events.rules)
2844214 - ETPRO CURRENT_EVENTS Successful Generic Multibank Phish 2020-08-31 (current_events.rules)
2844215 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-08-31 (current_events.rules)
2844216 - ETPRO CURRENT_EVENTS Successful Dynamic DNS Hosted Generic Phish 2020-08-31 (sytes.net) (current_events.rules)
2844217 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-08-31 (current_events.rules)
2844218 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-08-31 (current_events.rules)
2844219 - ETPRO TROJAN Win32/Agent.ZJL CnC Activity (trojan.rules)
2844220 - ETPRO TROJAN Win32/Remcos RAT Checkin 530 (trojan.rules)
2844221 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844222 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844223 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844224 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844225 - ETPRO WEB_CLIENT Malicious WebInject Panel Accesssed on Internally Compromised Server (web_client.rules)
2844226 - ETPRO WEB_CLIENT Malicious Webinject Panel Accesssed on Externally Compromised Server (web_client.rules)
[///] Modified inactive rules: [///]
2017250 - ET CURRENT_EVENTS %Hex Encoded jnlp_embedded (Observed in Sakura) (current_events.rules)