[***] Summary: [***]
3 new OPEN, 12 new PRO (3 + 9). Reimageplus Ransomware, Win32/Valak, Cobalt Strike, IcedID
Thanks: @malwrhunterteam.
Many rules in the Suricata 5 ruleset have been updated with Suricata 5 rule syntax/keywords. A complete list of rules that were changed can be found via the changelog here:
https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.open-nogpl.2020-09-11T22:35:57.txt
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030851 - ET TROJAN Observed Reimageplus Ransomware Domain in TLS SNI (trojan.rules)
2030852 - ET TROJAN Reimageplus Ransomware Checkin (trojan.rules)
2030853 - ET TROJAN Win32/Valak Variant CnC (trojan.rules)
Pro:
2844365 - ETPRO MOBILE_MALWARE Android/KCPro Spyware CnC Activity (mobile_malware.rules)
2844366 - ETPRO TROJAN APT/TontoTeam Dropper Activity (trojan.rules)
2844367 - ETPRO TROJAN Observed Malicious SSL Cert (Get2 CnC) (trojan.rules)
2844368 - ETPRO TROJAN Cobalt Strike Malleable C2 (QiHoo Profile) (trojan.rules)
2844369 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-09-11 1) (trojan.rules)
2844370 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844371 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844372 - ETPRO TROJAN Observed Win64/Kryptik.BTT Domain in TLS SNI (trojan.rules)
2844373 - ETPRO MALWARE Win32/Agent.xxcydg CnC (malware.rules)
[///] Modified active rules: [///]
2004000 - ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UNION SELECT (web_specific_apps.rules)
2004001 - ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id INSERT (web_specific_apps.rules)
2004002 - ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id DELETE (web_specific_apps.rules)