[***] Summary: [***]
5 new OPEN, 32 new PRO (5 + 27). RedDelta Poison Ivy, Win32/BackstageStealer, VARIOUS PHISH, Win64/Agent.FM, HttpRat, Various Coinminers.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030890 - ET INFO Suspicious HTTP POST to Free Web Host Atwebpages (info.rules)
2030891 - ET TROJAN RedDelta Poison Ivy Domain in DNS Lookup (trojan.rules)
2030892 - ET TROJAN RedDelta Poison Ivy Domain in DNS Lookup (trojan.rules)
2030893 - ET TROJAN RedDelta Poison Ivy Domain in DNS Lookup (trojan.rules)
2030894 - ET TROJAN Win32/Ymacco.AAF9 Stealer Activity (POST) (trojan.rules)
Pro:
2844536 - ETPRO TROJAN Win32/BackstageStealer CnC Activity (trojan.rules)
2844537 - ETPRO CURRENT_EVENTS Successful Amazon JP Phish to IP Address 2020-09-18 (current_events.rules)
2844538 - ETPRO CURRENT_EVENTS Successful Amazon JP Phish to Suspicious TLD 2020-09-18 (current_events.rules)
2844539 - ETPRO CURRENT_EVENTS Possible Successful Amazon JP Phish Redirect 2020-09-18 (current_events.rules)
2844540 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-09-19 1) (trojan.rules)
2844541 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-09-19 2) (trojan.rules)
2844542 - ETPRO CURRENT_EVENTS Successful ABSA Phish 2020-09-21 (current_events.rules)
2844543 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-09-21 (current_events.rules)
2844544 - ETPRO CURRENT_EVENTS Successful ATT Phish 2020-09-21 (current_events.rules)
2844545 - ETPRO CURRENT_EVENTS Successful Protonmail Phish 2020-09-21 (current_events.rules)
2844546 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-09-21 (current_events.rules)
2844547 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-09-21 (current_events.rules)
2844548 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-09-21 (current_events.rules)
2844549 - ETPRO TROJAN VBA/TrojanDownloader Powershell MalDoc (trojan.rules)
2844550 - ETPRO CURRENT_EVENTS Successful Sendgrid Phish 2020-09-21 (current_events.rules)
2844551 - ETPRO TROJAN Poison Ivy Variant HTTP Handshake Request (trojan.rules)
2844552 - ETPRO TROJAN Win64/Agent.FM Variant CnC Activity (trojan.rules)
2844553 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844554 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844555 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844556 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844557 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844558 - ETPRO TROJAN Win32/Remcos RAT Checkin 542 (trojan.rules)
2844559 - ETPRO TROJAN Win32/Remcos RAT Checkin 543 (trojan.rules)
2844560 - ETPRO TROJAN Observed Cobalt Strike CnC Domain in TLS SNI (trojan.rules)
2844561 - ETPRO TROJAN HttpRat Heartbeat (POST) (trojan.rules)
2844562 - ETPRO USER_AGENTS Observed Malicious User-Agent (HttpRat) (user_agents.rules)
[///] Modified active rules: [///]
2014310 - ET TROJAN RegSubsDat Checkin (trojan.rules)
2016507 - ET TROJAN W32/Caphaw Requesting Additional Modules From CnC (trojan.rules)
2016690 - ET TROJAN Kovter Ransomware Check-in (trojan.rules)
2016799 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) Flash Exploit Requested (current_events.rules)
2017269 - ET TROJAN CBReplay.P Ransomware (trojan.rules)
2017274 - ET TROJAN W32/StealRat.SpamBot Configuration File Request (trojan.rules)
2017276 - ET TROJAN W32/StealRat.SpamBot Email Template Request (trojan.rules)
2017277 - ET WEB_SERVER Possible Apache Struts OGNL in Dynamic Action (web_server.rules)
2017311 - ET TROJAN Possible FortDisco Reporting Hacked Accounts (trojan.rules)
2017327 - ET WEB_SERVER Joomla Upload File Filter Bypass (web_server.rules)
2017344 - ET TROJAN Proxychecker Lookup (trojan.rules)
2017349 - ET TROJAN Win32.Troj.Cidox Checkin (trojan.rules)
2017366 - ET WEB_SERVER Coldfusion 9 Auth Bypass CVE-2013-0632 (web_server.rules)
2017369 - ET TROJAN Bitcoin variant Checkin (trojan.rules)
2017377 - ET TROJAN Win64/Vabushky.A Malicious driver download (trojan.rules)
2017436 - ET WEB_SERVER PHP SERVER SuperGlobal in URI (web_server.rules)
2017437 - ET WEB_SERVER PHP GET SuperGlobal in URI (web_server.rules)
2017438 - ET WEB_SERVER PHP POST SuperGlobal in URI (web_server.rules)
2017439 - ET WEB_SERVER PHP COOKIE SuperGlobal in URI (web_server.rules)
2017440 - ET WEB_SERVER PHP SESSION SuperGlobal in URI (web_server.rules)
2017441 - ET WEB_SERVER PHP REQUEST SuperGlobal in URI (web_server.rules)
2017442 - ET WEB_SERVER PHP ENV SuperGlobal in URI (web_server.rules)
2017443 - ET WEB_SERVER PHP SERVER SuperGlobal in POST (web_server.rules)
2017444 - ET WEB_SERVER PHP GET SuperGlobal in POST (web_server.rules)
2017445 - ET WEB_SERVER PHP POST SuperGlobal in POST (web_server.rules)
2017446 - ET WEB_SERVER PHP COOKIE SuperGlobal in POST (web_server.rules)
2017447 - ET WEB_SERVER PHP SESSION SuperGlobal in POST (web_server.rules)
2017448 - ET WEB_SERVER PHP REQUEST SuperGlobal in POST (web_server.rules)
2017449 - ET WEB_SERVER PHP ENV SuperGlobal in POST (web_server.rules)
2017455 - ET TROJAN Waledac FACEPUNCH Traffic Detected (trojan.rules)
2017475 - ET TROJAN Win32/Dipverdle.A Activity (trojan.rules)
2017519 - ET TROJAN Worm.VBS.ayr CnC command (is-enum-driver) (trojan.rules)
2017521 - ET TROJAN Worm.VBS.ayr CnC command (is-enum-process) (trojan.rules)
2017522 - ET TROJAN Worm.VBS.ayr CnC command (is-cmd-shell) (trojan.rules)
2017524 - ET TROJAN DATA-BROKER BOT Activity (trojan.rules)
2017544 - ET CURRENT_EVENTS LightsOut EK POST Compromise POST (current_events.rules)
2017554 - ET CURRENT_EVENTS BHEK Payload Download (java only alternate method may overlap with 2017454) (current_events.rules)
2017555 - ET CURRENT_EVENTS DotkaChef EK initial landing from Oct 02 2013 mass-site compromise EK campaign (current_events.rules)
2017575 - ET WEB_SPECIFIC_APPS Possible VBulletin Unauthorized Admin Account Creation (web_specific_apps.rules)
2017585 - ET TROJAN Possible W32/KanKan tools.ini Request (trojan.rules)
2017600 - ET TROJAN Backdoor.Egobot Checkin (trojan.rules)
2017611 - ET WEB_SPECIFIC_APPS Oracle JSF2 Path Traversal Attempt (web_specific_apps.rules)
2017647 - ET TROJAN FakeAV Install (trojan.rules)
2017672 - ET CURRENT_EVENTS SUSPICIOUS msctcd.exe in URI Probable Process Dump/Trojan Download (current_events.rules)
2017673 - ET CURRENT_EVENTS SUSPICIOUS taskmgr.exe in URI Probable Process Dump/Trojan Download (current_events.rules)
2017674 - ET CURRENT_EVENTS SUSPICIOUS wsqmocn.exe in URI Probable Process Dump/Trojan Download (current_events.rules)
2017675 - ET CURRENT_EVENTS SUSPICIOUS connhost.exe in URI Probable Process Dump/Trojan Download (current_events.rules)
2026047 - ET CURRENT_EVENTS Generic Multi-Email Phishing Landing 2018-08-30 (current_events.rules)
2803509 - ETPRO TROJAN Win32/Dogrobot.D Checkin (trojan.rules)
2804918 - ETPRO TROJAN Backdoor/MSIL.adv Checkin (trojan.rules)
2805004 - ETPRO TROJAN Trojan-Ransom.Win32.Rannoh.b Checkin (trojan.rules)
2805658 - ETPRO TROJAN Win32/Karagany.L Checkin (trojan.rules)
2806149 - ETPRO MOBILE_MALWARE AndroidOS.Ansaca.A Checkin (mobile_malware.rules)
2806181 - ETPRO TROJAN W32/Jorik_Vobfus.KMJ!tr Checkin (trojan.rules)
2806189 - ETPRO TROJAN Win32/Kelihos.F exe Download (trojan.rules)
2806309 - ETPRO TROJAN Win32/Injector.Autoit.IN Checkin (trojan.rules)
2806537 - ETPRO TROJAN Win32/Xolondox.A Checkin 3 (trojan.rules)
2806759 - ETPRO TROJAN Virus.Win32.Kate.a .exe Request (trojan.rules)
2806764 - ETPRO TROJAN Trojan.Win32.Weelsof.pnn Checkin (trojan.rules)
2806765 - ETPRO TROJAN Win32/Agent.BC Checkin (trojan.rules)
2806766 - ETPRO TROJAN Win32/Sincom.Y Checkin (trojan.rules)
2806768 - ETPRO TROJAN Win32/BestaFera Variant Checkin (trojan.rules)
2806769 - ETPRO TROJAN Trojan-Ransom.Win32.CryFile.zc / Win32/Filecoder.BF Checkin (trojan.rules)
2806771 - ETPRO TROJAN Trojan-Proxy.Win32.Agent.co Checkin (trojan.rules)
2806772 - ETPRO TROJAN Packer.Win32.Agent.bk Checkin (trojan.rules)
2806782 - ETPRO TROJAN Trojan/Win32.KorAd Checkin (trojan.rules)
2806784 - ETPRO TROJAN Backdoor.Win32.Bancodor.dy Checkin (trojan.rules)
2806811 - ETPRO TROJAN Trojan.Generic.9379252 Checkin (trojan.rules)
2806814 - ETPRO TROJAN Backdoor.Win32.Agent.ju Checkin (trojan.rules)
2806815 - ETPRO TROJAN Backdoor.Win32.Beastdoor.j Checkin (trojan.rules)
2806831 - ETPRO TROJAN Trojan-Dropper.Win32.Dapato.czwn Checkin (trojan.rules)
2806833 - ETPRO TROJAN W32/VBTrojan.Downloader.1D!Maxi Checkin (trojan.rules)
2806837 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.k Checkin 1 (mobile_malware.rules)
2806840 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.BJ Checkin (mobile_malware.rules)
2806843 - ETPRO TROJAN Trojan.PWS.Qip.105 Checkin (trojan.rules)
2806848 - ETPRO TROJAN Trojan.Win32.VB.alto Checkin (trojan.rules)
2806853 - ETPRO TROJAN Trojan-PWS.Win32.Nilage Checkin (trojan.rules)
2806854 - ETPRO TROJAN Worm.Win32/Bagle.gen!C Request (trojan.rules)
2806858 - ETPRO TROJAN TrojanSpy.Win32/Mafod!rts Checkin (trojan.rules)
2806861 - ETPRO TROJAN Worm.Win32/VB.JN Checkin (trojan.rules)
2806885 - ETPRO TROJAN TROJ_VUNDO.SMG Checkin (trojan.rules)
2806890 - ETPRO TROJAN Win32/Qhost.HZ Dowloading .exe file (trojan.rules)
2806893 - ETPRO TROJAN Trojan-Downloader.Win32.FraudLoad.wzpv Checkin (trojan.rules)
2806903 - ETPRO TROJAN Worm/Win32.WhiteIce.gen Checkin 1 (trojan.rules)
2806904 - ETPRO TROJAN Worm/Win32.WhiteIce.gen Checkin 2 (trojan.rules)
2806905 - ETPRO TROJAN Trojan-Banker.Win32.Delf.arb (trojan.rules)
2806909 - ETPRO TROJAN Win32/Sisron Checkin (trojan.rules)
2806911 - ETPRO TROJAN Trojan.MSIL.Agent.ccfy Checkin (trojan.rules)
2806916 - ETPRO TROJAN Win32/DDoS.Orbiter.A Fetching DoS targets (trojan.rules)
2806917 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.ef Checkin (mobile_malware.rules)
2806925 - ETPRO TROJAN Muldrop Fetching Data (trojan.rules)
2806935 - ETPRO TROJAN Win32/Otwycal.A Checkin (trojan.rules)
2806937 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.BL Checkin (mobile_malware.rules)
2806938 - ETPRO TROJAN Trojan-Spy.Win32.Zbot.bopd Checkin (trojan.rules)
2806939 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.c Checkin (mobile_malware.rules)
2806944 - ETPRO MOBILE_MALWARE Android/CruseWind.B Checkin (mobile_malware.rules)
2806945 - ETPRO MOBILE_MALWARE Android/YZHCSMS.B Checkin (mobile_malware.rules)
2806946 - ETPRO TROJAN Trojan-Dropper.Win32.Dapato.cvia Checkin 1 (trojan.rules)
2806947 - ETPRO TROJAN Variant.Zusy.24405 Checkin (trojan.rules)
2806949 - ETPRO TROJAN Worm.Win32.AutoRun.bzxw Checkin 1 (trojan.rules)
2806950 - ETPRO TROJAN Win32/Bicololo.T Checkin (trojan.rules)
2806953 - ETPRO TROJAN Worm.Win32.AutoRun.bzxw Checkin 2 (trojan.rules)
2806957 - ETPRO TROJAN Variant.Graftor.39462 Checkin (trojan.rules)
2806958 - ETPRO TROJAN MSIL/Spy.Agent.GT Checkin (trojan.rules)
2806970 - ETPRO WEB_SERVER Microsoft SharePoint DoS 1 CVE-2013-0081 (web_server.rules)
2806971 - ETPRO WEB_SERVER Microsoft SharePoint DoS 2 CVE-2013-0081 (web_server.rules)
2806972 - ETPRO WEB_SERVER Microsoft SharePoint XSS attempt CVE-2013-3180 (web_server.rules)
2806998 - ETPRO TROJAN RANSOM.WIN32.BLOCKER.BUOH Checkin (trojan.rules)
2807006 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Updtbot.b Checkin (mobile_malware.rules)
2807007 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Updtbot.b Checkin 2 (mobile_malware.rules)
2807008 - ETPRO MOBILE_MALWARE Android/Adware.BatteryDoctor.E Checkin (mobile_malware.rules)
2807009 - ETPRO MOBILE_MALWARE Android/Adware.BatteryDoctor.E Checkin 2 (mobile_malware.rules)
2807015 - ETPRO TROJAN Win32/Agent.NLG Checkin (trojan.rules)
2807033 - ETPRO TROJAN Win32.BKDR_DELF.QBZ (trojan.rules)
2807034 - ETPRO TROJAN Begseabug variant Checkin (trojan.rules)
2807038 - ETPRO TROJAN Win32/Genome.I Checkin (trojan.rules)
2807039 - ETPRO TROJAN Win32/Agent.UPL Checkin (trojan.rules)
2807044 - ETPRO TROJAN Win32/Banker.AKE Checkin (trojan.rules)
2807046 - ETPRO TROJAN Worm.Win32/Chiviper.C Checkin (trojan.rules)
2807048 - ETPRO TROJAN Trojan-GameThief.Win32.WOW Checkin (trojan.rules)
2807054 - ETPRO TROJAN Win32/Ransom.FL Checkin (trojan.rules)
2807070 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.cw Checkin (mobile_malware.rules)
2807072 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.cu Checkin (mobile_malware.rules)
2807073 - ETPRO MOBILE_MALWARE Android/JSmsHider.L Checkin (mobile_malware.rules)
2807074 - ETPRO MOBILE_MALWARE Android/SMSreg.AV Checkin (mobile_malware.rules)
2807081 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.ej Checkin (mobile_malware.rules)
2807082 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.PS Checkin 2 (mobile_malware.rules)
2807088 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Uuser.a Checkin (mobile_malware.rules)
2807092 - ETPRO TROJAN Win32/Delf.QDL Checkin (trojan.rules)
2807095 - ETPRO TROJAN Trojan-Banker.Win32.Banbra.aztd Checkin (trojan.rules)
2807096 - ETPRO TROJAN Trojan-Notifier.Win32.Delf.g Infection Report via ICQ WWW script (trojan.rules)
2807112 - ETPRO TROJAN Win32/Kryptik.BGAN Checkin (trojan.rules)
2807124 - ETPRO TROJAN Win32/Linfo.A Checkin (trojan.rules)
2807137 - ETPRO TROJAN Worm.Win32.VBNA.b Checkin (trojan.rules)
2807146 - ETPRO TROJAN Worm.Win32.Pinit.ri Checkin 1 (trojan.rules)
2807147 - ETPRO TROJAN Worm.Win32.Pinit.ri Checkin 2 (trojan.rules)
2807149 - ETPRO TROJAN Dropper.Generic3.AZFS Checkin (trojan.rules)
2807152 - ETPRO TROJAN Trojan.Banker.Delf.ZOJ Checkin (trojan.rules)
2807153 - ETPRO TROJAN Backdoor/Win32.ZAccess Checkin (trojan.rules)
2807158 - ETPRO TROJAN Trojan-Ransom.Win32.Blocker.brxp Download (trojan.rules)
2807159 - ETPRO TROJAN Win32/SystemHijack.gen Checkin (trojan.rules)
2807161 - ETPRO TROJAN Win32/Autorun.ZM Checkin (trojan.rules)
2807162 - ETPRO TROJAN Trojan.Generic.1908467 Checkin (trojan.rules)
2807164 - ETPRO TROJAN W32/Sluegot.B!tr Checkin (trojan.rules)
2807175 - ETPRO TROJAN Trojan-Dropper.Win32.Sysn.xmg Checkin (trojan.rules)
2807177 - ETPRO TROJAN W32/OnlineGames.H.gen Checkin (trojan.rules)
2807178 - ETPRO POLICY PUP DomainIQ 2 (policy.rules)
2828312 - ETPRO TROJAN HttpRAT POST to CnC (trojan.rules)
[---] Disabled and modified rules: [---]
2017453 - ET CURRENT_EVENTS DRIVEBY Redirection - Forum Injection (current_events.rules)
2017567 - ET CURRENT_EVENTS FiestaEK js-redirect (current_events.rules)