[***]            Summary:            [***]

7 new OPEN, 37 new PRO (7 + 30). Various Cobalt Strike, Sehyioa, Android/Triada.JH, IcedID, VARIOUS PHISH.

Thanks: @bryceabdo

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030899 - ET TROJAN Observed Malicious SSL Cert (Moist Stealer CnC)
(trojan.rules)
  2030900 - ET TROJAN Moist Stealer CnC Exfil (trojan.rules)
  2030901 - ET TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)
(trojan.rules)
  2030902 - ET TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)
(trojan.rules)
  2030903 - ET TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)
(trojan.rules)
  2030904 - ET TROJAN Win32/Sehyioa Variant Activity (POST) (trojan.rules)
  2030905 - ET TROJAN Win32/Sehyioa Variant Activity (Download)
(trojan.rules)

Pro:

  2844585 - ETPRO MOBILE_MALWARE Android/Dianming Reporting Location
(mobile_malware.rules)
  2844586 - ETPRO MOBILE_MALWARE Android/Triada.JH Checkin
(mobile_malware.rules)
  2844587 - ETPRO MOBILE_MALWARE Android/Triada.JH Checkin 2
(mobile_malware.rules)
  2844588 - ETPRO TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile
M2 (trojan.rules)
  2844589 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)
(trojan.rules)
  2844590 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST
Request (Clipboard.txt) (trojan.rules)
  2844591 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-09-22 1) (trojan.rules)
  2844592 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-09-22 2) (trojan.rules)
  2844593 - ETPRO CURRENT_EVENTS Successful DBS Digibank Phish 2020-09-23
(current_events.rules)
  2844596 - ETPRO CURRENT_EVENTS Successful Generic 000webhostapp Phish
2020-09-23 (current_events.rules)
  2844597 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-09-23
(current_events.rules)
  2844598 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-09-23
(current_events.rules)
  2844599 - ETPRO CURRENT_EVENTS Successful Generic Yolasite Hosted Phish
2020-09-23 (current_events.rules)
  2844600 - ETPRO CURRENT_EVENTS Successful BT Yolasite Hosted Phish
2020-09-23 (current_events.rules)
  2844601 - ETPRO CURRENT_EVENTS Successful Generic Yolasite Hosted Phish
2020-09-23 (current_events.rules)
  2844602 - ETPRO CURRENT_EVENTS Successful Generic TK Hosted Phish
2020-09-23 (current_events.rules)
  2844603 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-09-23
(current_events.rules)
  2844604 - ETPRO CURRENT_EVENTS Successful Outlook Hotmail Phish
2020-09-23 (current_events.rules)
  2844605 - ETPRO TROJAN Cobalt Strike Malleable C2 (Sohu Custom)
(trojan.rules)
  2844606 - ETPRO INFO Suspicious User-Agent IE and Windows Versions With
No Separating Space (info.rules)
  2844607 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2844608 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2844609 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2844610 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)
  2844611 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2844612 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2844613 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2844614 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)

[///]     Modified active rules:     [///]

  2015723 - ET TROJAN ZeroAccess Checkin (trojan.rules)
  2015821 - ET INFO Suspicious Windows NT version 8 User-Agent (info.rules)
  2016499 - ET CURRENT_EVENTS Styx Exploit Kit Payload Download
(current_events.rules)
  2017465 - ET TROJAN W32/Hesperus.Banker Nlog.php Variant Sending Data To
CnC (trojan.rules)
  2018202 - ET WEB_SERVER log4jAdmin access from non-local network (can
modify logging levels) (web_server.rules)
  2018205 - ET TROJAN Win32/Kryptik.BSYO Checkin (trojan.rules)
  2018210 - ET POLICY W32/Installiq.Adware Install Information Beacon
(policy.rules)
  2018211 - ET INFO HTTP Connection To DDNS Domain Adultdns.net (info.rules)
  2018212 - ET INFO HTTP Connection To DDNS Domain Servehttp.com
(info.rules)
  2018214 - ET INFO HTTP Connection To DDNS Domain Redirectme.net
(info.rules)
  2018215 - ET INFO HTTP Connection To DDNS Domain Zapto.org (info.rules)
  2018217 - ET INFO HTTP Connection To DDNS Domain serveblog.net
(info.rules)
  2018218 - ET INFO HTTP Connection To DDNS Domain myftp.com (info.rules)
  2018253 - ET TROJAN RDP Brute Force Bot Checkin (trojan.rules)
  2018255 - ET TROJAN Win32/Expiro.CD Check-in (trojan.rules)
  2018285 - ET TROJAN BKDR_SLOTH.A Checkin (trojan.rules)
  2018295 - ET TROJAN Mal/Ransom-CE Connectivity Check (trojan.rules)
  2018296 - ET TROJAN Zeus GameOver Checkin (trojan.rules)
  2018306 - ET MOBILE_MALWARE SMSSend Fake flappy bird APK
(mobile_malware.rules)
  2018343 - ET CURRENT_EVENTS Hikvision DVR attempted Synology Recon Scan
(current_events.rules)
  2018355 - ET CURRENT_EVENTS Win32.RBrute http server request
(current_events.rules)
  2018365 - ET INFO DYNAMIC_DNS HTTP Request to a *.mrbasic.com Domain
(info.rules)
  2018370 - ET WEB_SERVER ATTACKER WebShell - Zehir4.asp (web_server.rules)
  2024497 - ET TROJAN CopyKittens Cobalt Strike DNS Lookup
(cloudflare-analyse . com) (trojan.rules)
  2024771 - ET TROJAN [PTsecurity] Possible Cobalt Strike payload
(trojan.rules)
  2026040 - ET TROJAN CobaltStrike DNS Beacon Response (trojan.rules)
  2027082 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)
(trojan.rules)
  2027325 - ET TROJAN CobaltStrike SMB P2P Default Msagent Named Pipe
Interaction (trojan.rules)
  2030117 - ET TROJAN Ragnarok Ransomware CnC Activity M2 (trojan.rules)
  2030448 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI
(trojan.rules)
  2030449 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)
(trojan.rules)
  2030450 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI
(trojan.rules)
  2030451 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)
(trojan.rules)
  2030452 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI
(trojan.rules)
  2030453 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)
(trojan.rules)
  2030454 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI
(trojan.rules)
  2030455 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)
(trojan.rules)
  2030456 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI
(trojan.rules)
  2030457 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)
(trojan.rules)
  2030458 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)
(trojan.rules)
  2030459 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI
(trojan.rules)
  2030460 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)
(trojan.rules)
  2030461 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI
(trojan.rules)
  2030462 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)
(trojan.rules)
  2030463 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI
(trojan.rules)
  2030464 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)
(trojan.rules)
  2030465 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI
(trojan.rules)
  2030466 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)
(trojan.rules)
  2030467 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI
(trojan.rules)
  2030635 - ET TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)
(trojan.rules)
  2030867 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)
(trojan.rules)
  2805537 - ETPRO TROJAN Repezor Checkin 1 (trojan.rules)
  2805538 - ETPRO TROJAN Repezor Checkin 2 (trojan.rules)
  2805740 - ETPRO TROJAN BanBra Checkin (trojan.rules)
  2806436 - ETPRO TROJAN TROJ_SASFIS.DA Checkin (trojan.rules)
  2806475 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Obad.a Checkin
(mobile_malware.rules)
  2806600 - ETPRO TROJAN Trojan-Banker.Win32.Banker.akf Checkin
(trojan.rules)
  2806948 - ETPRO TROJAN Trojan-Dropper.Win32.Dapato.cvia Checkin 2
(trojan.rules)
  2806995 - ETPRO TROJAN Trojan.Win32.Swisyn.behb Checkin (trojan.rules)
  2807017 - ETPRO TROJAN Backdoor.Win32.GF.13x.A Checkin (trojan.rules)
  2807037 - ETPRO TROJAN Trojan.Win32.Swisyn.auua Checkin (trojan.rules)
  2807129 - ETPRO TROJAN Trojan.Win32.Bublik.aexq/Khan Fetching DDoS target
(trojan.rules)
  2807671 - ETPRO TROJAN Trojan-Proxy.Win32.Mediana.i Checkin (trojan.rules)
  2807737 - ETPRO TROJAN W32/Farfli.AQK!tr Checkin (trojan.rules)
  2807763 - ETPRO TROJAN Win32/Hider.G GET .ini Request (trojan.rules)
  2807766 - ETPRO TROJAN Trojan-Downloader.Win32.Genome.egme Checkin
(trojan.rules)
  2807776 - ETPRO TROJAN Win32/PcClient.B Checkin (trojan.rules)
  2807778 - ETPRO TROJAN Win32/Obfuscator.XX Checkin (trojan.rules)
  2807779 - ETPRO TROJAN VBS/Agent.NEX Checkin (trojan.rules)
  2807780 - ETPRO TROJAN Trojan-PSW.Win32.VB.phv Checkin (trojan.rules)
  2807781 - ETPRO TROJAN TrojanProxy.Mediana.q Proxy CnC Checkin
(trojan.rules)
  2807787 - ETPRO TROJAN Trojan.Win32.StartPage.arra Checkin (trojan.rules)
  2807789 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Blocal.a Checkin 2
(mobile_malware.rules)
  2807790 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Blocal.a Checkin 3
(mobile_malware.rules)
  2807794 - ETPRO TROJAN Trojan-Dropper.Win32.Dorifel.aiez Checkin
(trojan.rules)
  2807812 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.a Checkin 7
(mobile_malware.rules)
  2807815 - ETPRO TROJAN Win32/Agent.DE Checkin (trojan.rules)
  2807818 - ETPRO TROJAN Troj/DwnLdr-LHU Checkin (trojan.rules)
  2807824 - ETPRO MOBILE_MALWARE Android/Agent.BNO Checkin
(mobile_malware.rules)
  2807825 - ETPRO MOBILE_MALWARE Android/Agent.BNO Checkin 2
(mobile_malware.rules)
  2807827 - ETPRO TROJAN Win32/Virut.AG Checkin (trojan.rules)
  2807828 - ETPRO TROJAN Win32/Matcash.F Checkin (trojan.rules)
  2807835 - ETPRO TROJAN Win32/Small.HK Checkin (trojan.rules)
  2807842 - ETPRO TROJAN Win32/Jevafus.A Checkin (trojan.rules)
  2807844 - ETPRO TROJAN Win32/Netins.A Checkin (trojan.rules)
  2807846 - ETPRO MOBILE_MALWARE Android.Trojan.Adaln.A Checkin
(mobile_malware.rules)
  2807847 - ETPRO MOBILE_MALWARE Android.Trojan.Adaln.A Checkin 2
(mobile_malware.rules)
  2807848 - ETPRO MOBILE_MALWARE Android.Trojan.Adaln.A Checkin 3
(mobile_malware.rules)
  2807851 - ETPRO MOBILE_MALWARE Android/Nopoc.A Checkin
(mobile_malware.rules)
  2807853 - ETPRO TROJAN TorLocker Downloading Tor (trojan.rules)
  2807855 - ETPRO TROJAN Variant.Strictor.40297 Checkin (trojan.rules)
  2807860 - ETPRO TROJAN TrojanDownloader.HTML/Adodb.gen!A Download
(trojan.rules)
  2807865 - ETPRO TROJAN W32/Agent.EW.gen Checkin 2 (trojan.rules)
  2807870 - ETPRO TROJAN W32/DelfInject.R Checkin (trojan.rules)
  2807871 - ETPRO TROJAN W32/DelfInject.R Checkin 2 (trojan.rules)
  2807872 - ETPRO TROJAN W32/DelfInject.R Checkin 3 (trojan.rules)
  2807873 - ETPRO TROJAN TrojWare.Win32.Amtar.KNB Checkin (trojan.rules)
  2807874 - ETPRO TROJAN TrojWare.Win32.Amtar.KNB Checkin 2 (trojan.rules)
  2807878 - ETPRO TROJAN Trojan-Dropper.Win32.Dapato.dfmz Checkin
(trojan.rules)
  2807882 - ETPRO TROJAN TrojanSpy.Win32/Tinbanker.A Checkin (trojan.rules)
  2807889 - ETPRO TROJAN Win32/Small.CE Checkin (trojan.rules)
  2807890 - ETPRO MOBILE_MALWARE Android/Spy.Zitmo.B Checkin 3
(mobile_malware.rules)
  2807891 - ETPRO TROJAN Win32/Spy.KeyLogger.NTB Checkin 2 (trojan.rules)
  2807894 - ETPRO TROJAN Trojan.DownLoader9.48256 Checkin (trojan.rules)
  2807895 - ETPRO TROJAN Trojan.DownLoader9.48256 Checkin 2 (trojan.rules)
  2807896 - ETPRO TROJAN Win32/Phrewhid.A Checkin (trojan.rules)
  2807897 - ETPRO TROJAN Win32/Phrewhid.A Checkin 2 (trojan.rules)
  2807899 - ETPRO TROJAN Win32/Spy.KeyLogger.NTB Checkin (trojan.rules)
  2807902 - ETPRO TROJAN Win32/PerfectKeylogger Possible Download
(trojan.rules)
  2807903 - ETPRO TROJAN Win32/Cekar.B CnC activity (trojan.rules)
  2807909 - ETPRO TROJAN Win32/TrojanDownloader.Agent.AJX Checkin
(trojan.rules)
  2807911 - ETPRO TROJAN W32/OnlineGames.HG.gen Checkin (trojan.rules)
  2807912 - ETPRO TROJAN Win32/TrojanDownloader.Agent.ALG Checkin
(trojan.rules)
  2807914 - ETPRO TROJAN Trojan.Win32.Cossta.gns Checkin (trojan.rules)
  2807916 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.BL Checkin 2
(mobile_malware.rules)
  2807917 - ETPRO TROJAN Variant.Graftor.136459 Checkin (trojan.rules)
  2807920 - ETPRO POLICY Win32/InstallIQ.A Checkin (policy.rules)
  2807923 - ETPRO TROJAN Win32/Qhost.PGM Checkin (trojan.rules)
  2807927 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.cm Checkin
(mobile_malware.rules)
  2807929 - ETPRO TROJAN Backdoor.Win32.Wallop.bz Request (trojan.rules)
  2823391 - ETPRO TROJAN Possible CobaltStrike Shellcode over HTTP
(trojan.rules)
  2823392 - ETPRO TROJAN Possible CobaltStrike CnC Beacon (HTTP GET)
(trojan.rules)
  2823393 - ETPRO TROJAN Possible CobaltStrike CnC Beacon (HTTP POST)
(trojan.rules)
  2823394 - ETPRO TROJAN Possible CobaltStrike CnC Beacon (fake headers)
(trojan.rules)
  2827476 - ETPRO TROJAN Winnti Possible Meterpreter or Cobalt Strike
Downloader (trojan.rules)
  2827560 - ETPRO TROJAN Cobalt Strike Malleable C2 Custom Profile
(trojan.rules)
  2828268 - ETPRO TROJAN Malicious Domain CStrike C2 (blockbitcoin .com in
DNS Lookup) (trojan.rules)
  2830064 - ETPRO TROJAN Cobalt Group C2 Domain (aws-software .com in DNS
Lookup) (trojan.rules)
  2830066 - ETPRO TROJAN Cobalt Group C2 Domain (aws-software .com in TLS
SNI) (trojan.rules)
  2830943 - ETPRO TROJAN APT10 MenuPass Domain (jadl-or .com in DNS Lookup)
(trojan.rules)
  2830944 - ETPRO TROJAN APT10 MenuPass Domain (jadl-or .com in TLS SNI)
(trojan.rules)
  2831654 - ETPRO TROJAN Observed Cobalt Strike CnC Domain in TLS SNI
(trojan.rules)
  2831655 - ETPRO TROJAN Observed Cobalt Strike CnC M2 Domain (wsus
.azureedge .net in TLS SNI) (trojan.rules)
  2832170 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)
(trojan.rules)
  2832206 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)
(trojan.rules)
  2832804 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)
(trojan.rules)
  2832833 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)
(trojan.rules)
  2833199 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)
(trojan.rules)
  2833643 - ETPRO TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile
(trojan.rules)
  2833759 - ETPRO TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)
(trojan.rules)
  2834370 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
  2834371 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
  2834372 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
  2834373 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
  2834374 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
  2834375 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
  2834376 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
  2834762 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike Beacon)
(trojan.rules)
  2835199 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)
(trojan.rules)
  2835440 - ETPRO TROJAN Observed Cobalt Strike CnC Domain (omnibelts
.appspot .com in TLS SNI) (trojan.rules)
  2835735 - ETPRO TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)
(trojan.rules)
  2841187 - ETPRO TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)
(trojan.rules)
  2841676 - ETPRO TROJAN Win32/Cobalt Strike CnC Activity (OCSP Spoof)
(trojan.rules)
  2843203 - ETPRO TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)
(trojan.rules)
  2843866 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)
(trojan.rules)
  2843937 - ETPRO TROJAN Ragnarok Ransomware CnC Activity M3 (trojan.rules)
  2844368 - ETPRO TROJAN Cobalt Strike Malleable C2 (QiHoo Profile)
(trojan.rules)
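To work with a summary like this one programmatically (for example, to see which of the newly added SIDs a given sensor will actually load), here is an added example written for this page, not tooling from Emerging Threats or Proofpoint: a small Python parser for the plain-text layout above. The excerpt embedded in it is copied from this page and truncated, so its tallies cover the excerpt only; the assumption that the first word of each bracketed banner names the section (Added, Modified) is mine.

```python
"""Parse an Emerging Threats daily ruleset summary into structured records.
Added example for this page, not ET/Proofpoint code. Handles bracketed
section banners, "Open:"/"Pro:" sub-headers and entries of the form
  <sid> - <ET|ETPRO> <CATEGORY> <message> (<file>.rules), possibly wrapped."""
import re
from collections import Counter
from dataclasses import dataclass

# Excerpt copied from this page and truncated; counts cover the excerpt only.
SUMMARY_EXCERPT = """\
[+++]          Added rules:          [+++]

Open:

  2030899 - ET TROJAN Observed Malicious SSL Cert (Moist Stealer CnC)
(trojan.rules)
  2030904 - ET TROJAN Win32/Sehyioa Variant Activity (POST) (trojan.rules)

Pro:

  2844593 - ETPRO CURRENT_EVENTS Successful DBS Digibank Phish 2020-09-23
(current_events.rules)
  2844607 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)

[///]     Modified active rules:     [///]

  2015723 - ET TROJAN ZeroAccess Checkin (trojan.rules)
  2027325 - ET TROJAN CobaltStrike SMB P2P Default Msagent Named Pipe
Interaction (trojan.rules)
  2844368 - ETPRO TROJAN Cobalt Strike Malleable C2 (QiHoo Profile)
(trojan.rules)
"""

SECTION_RE = re.compile(r"^\[[^\]]+\]\s*(?P<name>[^\[]+?)\s*\[")  # "[+++] Added rules: [+++]"
TIER_HDR_RE = re.compile(r"^(Open|Pro):\s*$")
ENTRY_START_RE = re.compile(r"^\s*\d{7}\s+-\s")
ENTRY_RE = re.compile(
    r"^\s*(?P<sid>\d{7})\s+-\s+(?P<tier>ETPRO|ET)\s+(?P<cat>[A-Z_]+)\s+"
    r"(?P<msg>.*?)\s*\((?P<file>[a-z_]+\.rules)\)\s*$"
)

@dataclass(frozen=True)
class RuleEntry:
    sid: int
    section: str    # first banner word, lower-cased: added, modified, ... (assumption)
    tier: str       # "open" for ET-prefixed rules, "pro" for ETPRO
    category: str   # TROJAN, MOBILE_MALWARE, CURRENT_EVENTS, ...
    message: str
    rule_file: str

def _logical_lines(text):
    """Yield (section, line) pairs with wrapped entries rejoined into one line."""
    section, buf = None, []
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner or not line or TIER_HDR_RE.match(line):
            if buf:                      # a blank line or a header ends an entry
                yield section, " ".join(buf)
                buf = []
            if banner:
                section = banner["name"].rstrip(":").split()[0].lower()
        elif ENTRY_START_RE.match(line):
            if buf:
                yield section, " ".join(buf)
            buf = [line]
        elif buf:                        # continuation of a wrapped entry
            buf.append(line)
        # other free text (the Summary prose) is ignored
    if buf:
        yield section, " ".join(buf)

def parse_summary(text):
    """Return every rule entry in the summary as a RuleEntry."""
    entries = []
    for section, line in _logical_lines(text):
        m = ENTRY_RE.match(line)
        if m:
            entries.append(RuleEntry(int(m["sid"]), section or "unknown",
                                     "pro" if m["tier"] == "ETPRO" else "open",
                                     m["cat"], m["msg"], m["file"]))
    return entries

def tally(entries):
    """Counts by (section, tier) and by category."""
    return {"section_tier": Counter((e.section, e.tier) for e in entries),
            "category": Counter(e.category for e in entries)}

def sids_affecting(entries, section, enabled_files, pro_subscriber):
    """SIDs from `section` a sensor will actually load: only the rules files it
    enables, and only ET (open) rules unless it has an ETPRO subscription."""
    return sorted(e.sid for e in entries
                  if e.section == section and e.rule_file in enabled_files
                  and (pro_subscriber or e.tier == "open"))

if __name__ == "__main__":
    found = parse_summary(SUMMARY_EXCERPT)
    for e in found:
        print(e.sid, e.section, e.tier, e.category, e.rule_file, "|", e.message)
    print(tally(found)["section_tier"])
    print(sids_affecting(found, "added", {"trojan.rules"}, pro_subscriber=False))
```

Run it with no arguments to list the excerpt's entries; feed `parse_summary` a full summary to get the real tallies. ET-prefixed rules ship in both the open and ETPRO rulesets (which is why the header counts them as "7 + 30"), so an open-only sensor receives just the `ET` additions, and `sids_affecting` filters on exactly that plus the rules files the sensor enables.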
