[***]            Summary:            [***]

5 new OPEN, 32 new PRO (5 + 27). RedDelta Poison Ivy, Win32/BackstageStealer, VARIOUS PHISH, Win64/Agent.FM, HttpRat, Various Coinminers.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030890 - ET INFO Suspicious HTTP POST to Free Web Host Atwebpages
(info.rules)
  2030891 - ET TROJAN RedDelta Poison Ivy Domain in DNS Lookup
(trojan.rules)
  2030892 - ET TROJAN RedDelta Poison Ivy Domain in DNS Lookup
(trojan.rules)
  2030893 - ET TROJAN RedDelta Poison Ivy Domain in DNS Lookup
(trojan.rules)
  2030894 - ET TROJAN Win32/Ymacco.AAF9 Stealer Activity (POST)
(trojan.rules)

Pro:

  2844536 - ETPRO TROJAN Win32/BackstageStealer CnC Activity (trojan.rules)
  2844537 - ETPRO CURRENT_EVENTS Successful Amazon JP Phish to IP Address
2020-09-18 (current_events.rules)
  2844538 - ETPRO CURRENT_EVENTS Successful Amazon JP Phish to Suspicious
TLD 2020-09-18 (current_events.rules)
  2844539 - ETPRO CURRENT_EVENTS Possible Successful Amazon JP Phish
Redirect 2020-09-18 (current_events.rules)
  2844540 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-09-19 1) (trojan.rules)
  2844541 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-09-19 2) (trojan.rules)
  2844542 - ETPRO CURRENT_EVENTS Successful ABSA Phish 2020-09-21
(current_events.rules)
  2844543 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-09-21
(current_events.rules)
  2844544 - ETPRO CURRENT_EVENTS Successful ATT Phish 2020-09-21
(current_events.rules)
  2844545 - ETPRO CURRENT_EVENTS Successful Protonmail Phish 2020-09-21
(current_events.rules)
  2844546 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-09-21
(current_events.rules)
  2844547 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-09-21
(current_events.rules)
  2844548 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-09-21
(current_events.rules)
  2844549 - ETPRO TROJAN VBA/TrojanDownloader Powershell MalDoc
(trojan.rules)
  2844550 - ETPRO CURRENT_EVENTS Successful Sendgrid Phish 2020-09-21
(current_events.rules)
  2844551 - ETPRO TROJAN Poison Ivy Variant HTTP Handshake Request
(trojan.rules)
  2844552 - ETPRO TROJAN Win64/Agent.FM Variant CnC Activity (trojan.rules)
  2844553 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2844554 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2844555 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2844556 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2844557 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2844558 - ETPRO TROJAN Win32/Remcos RAT Checkin 542 (trojan.rules)
  2844559 - ETPRO TROJAN Win32/Remcos RAT Checkin 543 (trojan.rules)
  2844560 - ETPRO TROJAN Observed Cobalt Strike CnC Domain in TLS SNI
(trojan.rules)
  2844561 - ETPRO TROJAN HttpRat Heartbeat (POST) (trojan.rules)
  2844562 - ETPRO USER_AGENTS Observed Malicious User-Agent (HttpRat)
(user_agents.rules)

[///]     Modified active rules:     [///]

  2014310 - ET TROJAN RegSubsDat Checkin (trojan.rules)
  2016507 - ET TROJAN W32/Caphaw Requesting Additional Modules From CnC
(trojan.rules)
  2016690 - ET TROJAN Kovter Ransomware Check-in (trojan.rules)
  2016799 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Flash Exploit
Requested (current_events.rules)
  2017269 - ET TROJAN CBReplay.P Ransomware (trojan.rules)
  2017274 - ET TROJAN W32/StealRat.SpamBot Configuration File Request
(trojan.rules)
  2017276 - ET TROJAN W32/StealRat.SpamBot Email Template Request
(trojan.rules)
  2017277 - ET WEB_SERVER Possible Apache Struts OGNL in Dynamic Action
(web_server.rules)
  2017311 - ET TROJAN Possible FortDisco Reporting Hacked Accounts
(trojan.rules)
  2017327 - ET WEB_SERVER Joomla Upload File Filter Bypass
(web_server.rules)
  2017344 - ET TROJAN Proxychecker Lookup (trojan.rules)
  2017349 - ET TROJAN Win32.Troj.Cidox Checkin (trojan.rules)
  2017366 - ET WEB_SERVER Coldfusion 9 Auth Bypass CVE-2013-0632
(web_server.rules)
  2017369 - ET TROJAN Bitcoin variant Checkin (trojan.rules)
  2017377 - ET TROJAN Win64/Vabushky.A Malicious driver download
(trojan.rules)
  2017436 - ET WEB_SERVER PHP SERVER SuperGlobal in URI (web_server.rules)
  2017437 - ET WEB_SERVER PHP GET SuperGlobal in URI (web_server.rules)
  2017438 - ET WEB_SERVER PHP POST SuperGlobal in URI (web_server.rules)
  2017439 - ET WEB_SERVER PHP COOKIE SuperGlobal in URI (web_server.rules)
  2017440 - ET WEB_SERVER PHP SESSION SuperGlobal in URI (web_server.rules)
  2017441 - ET WEB_SERVER PHP REQUEST SuperGlobal in URI (web_server.rules)
  2017442 - ET WEB_SERVER PHP ENV SuperGlobal in URI (web_server.rules)
  2017443 - ET WEB_SERVER PHP SERVER SuperGlobal in POST (web_server.rules)
  2017444 - ET WEB_SERVER PHP GET SuperGlobal in POST (web_server.rules)
  2017445 - ET WEB_SERVER PHP POST SuperGlobal in POST (web_server.rules)
  2017446 - ET WEB_SERVER PHP COOKIE SuperGlobal in POST (web_server.rules)
  2017447 - ET WEB_SERVER PHP SESSION SuperGlobal in POST (web_server.rules)
  2017448 - ET WEB_SERVER PHP REQUEST SuperGlobal in POST (web_server.rules)
  2017449 - ET WEB_SERVER PHP ENV SuperGlobal in POST (web_server.rules)
  2017455 - ET TROJAN Waledac FACEPUNCH Traffic Detected (trojan.rules)
  2017475 - ET TROJAN Win32/Dipverdle.A Activity (trojan.rules)
  2017519 - ET TROJAN Worm.VBS.ayr CnC command (is-enum-driver)
(trojan.rules)
  2017521 - ET TROJAN Worm.VBS.ayr CnC command (is-enum-process)
(trojan.rules)
  2017522 - ET TROJAN Worm.VBS.ayr CnC command (is-cmd-shell) (trojan.rules)
  2017524 - ET TROJAN DATA-BROKER BOT Activity (trojan.rules)
  2017544 - ET CURRENT_EVENTS LightsOut EK POST Compromise POST
(current_events.rules)
  2017554 - ET CURRENT_EVENTS BHEK Payload Download (java only alternate
method may overlap with 2017454) (current_events.rules)
  2017555 - ET CURRENT_EVENTS DotkaChef EK initial landing from Oct 02 2013
mass-site compromise EK campaign (current_events.rules)
  2017575 - ET WEB_SPECIFIC_APPS Possible VBulletin Unauthorized Admin
Account Creation (web_specific_apps.rules)
  2017585 - ET TROJAN Possible W32/KanKan tools.ini Request (trojan.rules)
  2017600 - ET TROJAN Backdoor.Egobot Checkin (trojan.rules)
  2017611 - ET WEB_SPECIFIC_APPS Oracle JSF2 Path Traversal Attempt
(web_specific_apps.rules)
  2017647 - ET TROJAN FakeAV Install (trojan.rules)
  2017672 - ET CURRENT_EVENTS SUSPICIOUS msctcd.exe in URI Probable Process
Dump/Trojan Download (current_events.rules)
  2017673 - ET CURRENT_EVENTS SUSPICIOUS taskmgr.exe in URI Probable
Process Dump/Trojan Download (current_events.rules)
  2017674 - ET CURRENT_EVENTS SUSPICIOUS wsqmocn.exe in URI Probable
Process Dump/Trojan Download (current_events.rules)
  2017675 - ET CURRENT_EVENTS SUSPICIOUS connhost.exe in URI Probable
Process Dump/Trojan Download (current_events.rules)
  2026047 - ET CURRENT_EVENTS Generic Multi-Email Phishing Landing
2018-08-30 (current_events.rules)
  2803509 - ETPRO TROJAN Win32/Dogrobot.D Checkin (trojan.rules)
  2804918 - ETPRO TROJAN Backdoor/MSIL.adv Checkin (trojan.rules)
  2805004 - ETPRO TROJAN Trojan-Ransom.Win32.Rannoh.b Checkin (trojan.rules)
  2805658 - ETPRO TROJAN Win32/Karagany.L Checkin (trojan.rules)
  2806149 - ETPRO MOBILE_MALWARE AndroidOS.Ansaca.A Checkin
(mobile_malware.rules)
  2806181 - ETPRO TROJAN W32/Jorik_Vobfus.KMJ!tr Checkin (trojan.rules)
  2806189 - ETPRO TROJAN Win32/Kelihos.F exe Download (trojan.rules)
  2806309 - ETPRO TROJAN Win32/Injector.Autoit.IN Checkin (trojan.rules)
  2806537 - ETPRO TROJAN Win32/Xolondox.A Checkin 3 (trojan.rules)
  2806759 - ETPRO TROJAN Virus.Win32.Kate.a .exe Request (trojan.rules)
  2806764 - ETPRO TROJAN Trojan.Win32.Weelsof.pnn Checkin (trojan.rules)
  2806765 - ETPRO TROJAN Win32/Agent.BC Checkin (trojan.rules)
  2806766 - ETPRO TROJAN Win32/Sincom.Y Checkin (trojan.rules)
  2806768 - ETPRO TROJAN Win32/BestaFera Variant Checkin (trojan.rules)
  2806769 - ETPRO TROJAN Trojan-Ransom.Win32.CryFile.zc /
Win32/Filecoder.BF Checkin (trojan.rules)
  2806771 - ETPRO TROJAN Trojan-Proxy.Win32.Agent.co Checkin (trojan.rules)
  2806772 - ETPRO TROJAN Packer.Win32.Agent.bk Checkin (trojan.rules)
  2806782 - ETPRO TROJAN Trojan/Win32.KorAd Checkin (trojan.rules)
  2806784 - ETPRO TROJAN Backdoor.Win32.Bancodor.dy Checkin (trojan.rules)
  2806811 - ETPRO TROJAN Trojan.Generic.9379252 Checkin (trojan.rules)
  2806814 - ETPRO TROJAN Backdoor.Win32.Agent.ju Checkin (trojan.rules)
  2806815 - ETPRO TROJAN Backdoor.Win32.Beastdoor.j Checkin (trojan.rules)
  2806831 - ETPRO TROJAN Trojan-Dropper.Win32.Dapato.czwn Checkin
(trojan.rules)
  2806833 - ETPRO TROJAN W32/VBTrojan.Downloader.1D!Maxi Checkin
(trojan.rules)
  2806837 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.k Checkin 1
(mobile_malware.rules)
  2806840 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.BJ Checkin
(mobile_malware.rules)
  2806843 - ETPRO TROJAN Trojan.PWS.Qip.105 Checkin (trojan.rules)
  2806848 - ETPRO TROJAN Trojan.Win32.VB.alto Checkin (trojan.rules)
  2806853 - ETPRO TROJAN Trojan-PWS.Win32.Nilage Checkin (trojan.rules)
  2806854 - ETPRO TROJAN Worm.Win32/Bagle.gen!C Request (trojan.rules)
  2806858 - ETPRO TROJAN TrojanSpy.Win32/Mafod!rts Checkin (trojan.rules)
  2806861 - ETPRO TROJAN Worm.Win32/VB.JN Checkin (trojan.rules)
  2806885 - ETPRO TROJAN TROJ_VUNDO.SMG Checkin (trojan.rules)
  2806890 - ETPRO TROJAN Win32/Qhost.HZ Dowloading .exe file (trojan.rules)
  2806893 - ETPRO TROJAN Trojan-Downloader.Win32.FraudLoad.wzpv Checkin
(trojan.rules)
  2806903 - ETPRO TROJAN Worm/Win32.WhiteIce.gen Checkin 1 (trojan.rules)
  2806904 - ETPRO TROJAN Worm/Win32.WhiteIce.gen Checkin 2 (trojan.rules)
  2806905 - ETPRO TROJAN Trojan-Banker.Win32.Delf.arb (trojan.rules)
  2806909 - ETPRO TROJAN Win32/Sisron Checkin (trojan.rules)
  2806911 - ETPRO TROJAN Trojan.MSIL.Agent.ccfy Checkin (trojan.rules)
  2806916 - ETPRO TROJAN Win32/DDoS.Orbiter.A Fetching DoS targets
(trojan.rules)
  2806917 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.ef Checkin
(mobile_malware.rules)
  2806925 - ETPRO TROJAN Muldrop Fetching Data (trojan.rules)
  2806935 - ETPRO TROJAN Win32/Otwycal.A Checkin (trojan.rules)
  2806937 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.BL Checkin
(mobile_malware.rules)
  2806938 - ETPRO TROJAN Trojan-Spy.Win32.Zbot.bopd Checkin (trojan.rules)
  2806939 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.c Checkin
(mobile_malware.rules)
  2806944 - ETPRO MOBILE_MALWARE Android/CruseWind.B Checkin
(mobile_malware.rules)
  2806945 - ETPRO MOBILE_MALWARE Android/YZHCSMS.B Checkin
(mobile_malware.rules)
  2806946 - ETPRO TROJAN Trojan-Dropper.Win32.Dapato.cvia Checkin 1
(trojan.rules)
  2806947 - ETPRO TROJAN Variant.Zusy.24405 Checkin (trojan.rules)
  2806949 - ETPRO TROJAN Worm.Win32.AutoRun.bzxw Checkin 1 (trojan.rules)
  2806950 - ETPRO TROJAN Win32/Bicololo.T Checkin (trojan.rules)
  2806953 - ETPRO TROJAN Worm.Win32.AutoRun.bzxw Checkin 2 (trojan.rules)
  2806957 - ETPRO TROJAN Variant.Graftor.39462 Checkin (trojan.rules)
  2806958 - ETPRO TROJAN MSIL/Spy.Agent.GT Checkin (trojan.rules)
  2806970 - ETPRO WEB_SERVER Microsoft SharePoint DoS 1 CVE-2013-0081
(web_server.rules)
  2806971 - ETPRO WEB_SERVER Microsoft SharePoint DoS 2 CVE-2013-0081
(web_server.rules)
  2806972 - ETPRO WEB_SERVER Microsoft SharePoint XSS attempt CVE-2013-3180
(web_server.rules)
  2806998 - ETPRO TROJAN RANSOM.WIN32.BLOCKER.BUOH Checkin (trojan.rules)
  2807006 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Updtbot.b Checkin
(mobile_malware.rules)
  2807007 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Updtbot.b Checkin 2
(mobile_malware.rules)
  2807008 - ETPRO MOBILE_MALWARE Android/Adware.BatteryDoctor.E Checkin
(mobile_malware.rules)
  2807009 - ETPRO MOBILE_MALWARE Android/Adware.BatteryDoctor.E Checkin 2
(mobile_malware.rules)
  2807015 - ETPRO TROJAN Win32/Agent.NLG Checkin (trojan.rules)
  2807033 - ETPRO TROJAN Win32.BKDR_DELF.QBZ (trojan.rules)
  2807034 - ETPRO TROJAN Begseabug variant Checkin (trojan.rules)
  2807038 - ETPRO TROJAN Win32/Genome.I Checkin (trojan.rules)
  2807039 - ETPRO TROJAN Win32/Agent.UPL Checkin (trojan.rules)
  2807044 - ETPRO TROJAN Win32/Banker.AKE Checkin (trojan.rules)
  2807046 - ETPRO TROJAN Worm.Win32/Chiviper.C Checkin (trojan.rules)
  2807048 - ETPRO TROJAN Trojan-GameThief.Win32.WOW Checkin (trojan.rules)
  2807054 - ETPRO TROJAN Win32/Ransom.FL Checkin (trojan.rules)
  2807070 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.cw Checkin
(mobile_malware.rules)
  2807072 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.cu Checkin
(mobile_malware.rules)
  2807073 - ETPRO MOBILE_MALWARE Android/JSmsHider.L Checkin
(mobile_malware.rules)
  2807074 - ETPRO MOBILE_MALWARE Android/SMSreg.AV Checkin
(mobile_malware.rules)
  2807081 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.ej Checkin
(mobile_malware.rules)
  2807082 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.PS Checkin 2
(mobile_malware.rules)
  2807088 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Uuser.a Checkin
(mobile_malware.rules)
  2807092 - ETPRO TROJAN Win32/Delf.QDL Checkin (trojan.rules)
  2807095 - ETPRO TROJAN Trojan-Banker.Win32.Banbra.aztd Checkin
(trojan.rules)
  2807096 - ETPRO TROJAN Trojan-Notifier.Win32.Delf.g Infection Report via
ICQ WWW script (trojan.rules)
  2807112 - ETPRO TROJAN Win32/Kryptik.BGAN Checkin (trojan.rules)
  2807124 - ETPRO TROJAN Win32/Linfo.A Checkin (trojan.rules)
  2807137 - ETPRO TROJAN Worm.Win32.VBNA.b Checkin (trojan.rules)
  2807146 - ETPRO TROJAN Worm.Win32.Pinit.ri Checkin 1 (trojan.rules)
  2807147 - ETPRO TROJAN Worm.Win32.Pinit.ri Checkin 2 (trojan.rules)
  2807149 - ETPRO TROJAN Dropper.Generic3.AZFS Checkin (trojan.rules)
  2807152 - ETPRO TROJAN Trojan.Banker.Delf.ZOJ Checkin (trojan.rules)
  2807153 - ETPRO TROJAN Backdoor/Win32.ZAccess Checkin (trojan.rules)
  2807158 - ETPRO TROJAN Trojan-Ransom.Win32.Blocker.brxp Download
(trojan.rules)
  2807159 - ETPRO TROJAN Win32/SystemHijack.gen Checkin (trojan.rules)
  2807161 - ETPRO TROJAN Win32/Autorun.ZM Checkin (trojan.rules)
  2807162 - ETPRO TROJAN Trojan.Generic.1908467 Checkin (trojan.rules)
  2807164 - ETPRO TROJAN W32/Sluegot.B!tr Checkin (trojan.rules)
  2807175 - ETPRO TROJAN Trojan-Dropper.Win32.Sysn.xmg Checkin
(trojan.rules)
  2807177 - ETPRO TROJAN W32/OnlineGames.H.gen Checkin (trojan.rules)
  2807178 - ETPRO POLICY PUP DomainIQ 2 (policy.rules)
  2828312 - ETPRO TROJAN HttpRAT POST to CnC (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2017453 - ET CURRENT_EVENTS DRIVEBY Redirection - Forum Injection
(current_events.rules)
  2017567 - ET CURRENT_EVENTS FiestaEK js-redirect (current_events.rules)