[***] Summary: [***]
7 new OPEN, 37 new PRO (7 + 30). Various Cobalt Strike, Sehyioa, Android/Triada.JH, IcedID, VARIOUS PHISH.
Thanks: @bryceabdo
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030899 - ET TROJAN Observed Malicious SSL Cert (Moist Stealer CnC) (trojan.rules)
2030900 - ET TROJAN Moist Stealer CnC Exfil (trojan.rules)
2030901 - ET TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC) (trojan.rules)
2030902 - ET TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC) (trojan.rules)
2030903 - ET TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC) (trojan.rules)
2030904 - ET TROJAN Win32/Sehyioa Variant Activity (POST) (trojan.rules)
2030905 - ET TROJAN Win32/Sehyioa Variant Activity (Download) (trojan.rules)
Pro:
2844585 - ETPRO MOBILE_MALWARE Android/Dianming Reporting Location (mobile_malware.rules)
2844586 - ETPRO MOBILE_MALWARE Android/Triada.JH Checkin (mobile_malware.rules)
2844587 - ETPRO MOBILE_MALWARE Android/Triada.JH Checkin 2 (mobile_malware.rules)
2844588 - ETPRO TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile M2 (trojan.rules)
2844589 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC) (trojan.rules)
2844590 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Clipboard.txt) (trojan.rules)
2844591 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-09-22 1) (trojan.rules)
2844592 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-09-22 2) (trojan.rules)
2844593 - ETPRO CURRENT_EVENTS Successful DBS Digibank Phish 2020-09-23 (current_events.rules)
2844596 - ETPRO CURRENT_EVENTS Successful Generic 000webhostapp Phish 2020-09-23 (current_events.rules)
2844597 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-09-23 (current_events.rules)
2844598 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-09-23 (current_events.rules)
2844599 - ETPRO CURRENT_EVENTS Successful Generic Yolasite Hosted Phish 2020-09-23 (current_events.rules)
2844600 - ETPRO CURRENT_EVENTS Successful BT Yolasite Hosted Phish 2020-09-23 (current_events.rules)
2844601 - ETPRO CURRENT_EVENTS Successful Generic Yolasite Hosted Phish 2020-09-23 (current_events.rules)
2844602 - ETPRO CURRENT_EVENTS Successful Generic TK Hosted Phish 2020-09-23 (current_events.rules)
2844603 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-09-23 (current_events.rules)
2844604 - ETPRO CURRENT_EVENTS Successful Outlook Hotmail Phish 2020-09-23 (current_events.rules)
2844605 - ETPRO TROJAN Cobalt Strike Malleable C2 (Sohu Custom) (trojan.rules)
2844606 - ETPRO INFO Suspicious User-Agent IE and Windows Versions With No Separating Space (info.rules)
2844607 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844608 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844609 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844610 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2844611 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844612 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844613 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844614 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
[///] Modified active rules: [///]
2015723 - ET TROJAN ZeroAccess Checkin (trojan.rules)
2015821 - ET INFO Suspicious Windows NT version 8 User-Agent (info.rules)
2016499 - ET CURRENT_EVENTS Styx Exploit Kit Payload Download (current_events.rules)
2017465 - ET TROJAN W32/Hesperus.Banker Nlog.php Variant Sending Data To CnC (trojan.rules)
2018202 - ET WEB_SERVER log4jAdmin access from non-local network (can modify logging levels) (web_server.rules)
2018205 - ET TROJAN Win32/Kryptik.BSYO Checkin (trojan.rules)
2018210 - ET POLICY W32/Installiq.Adware Install Information Beacon (policy.rules)
2018211 - ET INFO HTTP Connection To DDNS Domain Adultdns.net (info.rules)
2018212 - ET INFO HTTP Connection To DDNS Domain Servehttp.com (info.rules)
2018214 - ET INFO HTTP Connection To DDNS Domain Redirectme.net (info.rules)
2018215 - ET INFO HTTP Connection To DDNS Domain Zapto.org (info.rules)
2018217 - ET INFO HTTP Connection To DDNS Domain serveblog.net (info.rules)
2018218 - ET INFO HTTP Connection To DDNS Domain myftp.com (info.rules)
2018253 - ET TROJAN RDP Brute Force Bot Checkin (trojan.rules)
2018255 - ET TROJAN Win32/Expiro.CD Check-in (trojan.rules)
2018285 - ET TROJAN BKDR_SLOTH.A Checkin (trojan.rules)
2018295 - ET TROJAN Mal/Ransom-CE Connectivity Check (trojan.rules)
2018296 - ET TROJAN Zeus GameOver Checkin (trojan.rules)
2018306 - ET MOBILE_MALWARE SMSSend Fake flappy bird APK (mobile_malware.rules)
2018343 - ET CURRENT_EVENTS Hikvision DVR attempted Synology Recon Scan (current_events.rules)
2018355 - ET CURRENT_EVENTS Win32.RBrute http server request (current_events.rules)
2018365 - ET INFO DYNAMIC_DNS HTTP Request to a *.mrbasic.com Domain (info.rules)
2018370 - ET WEB_SERVER ATTACKER WebShell - Zehir4.asp (web_server.rules)
2024497 - ET TROJAN CopyKittens Cobalt Strike DNS Lookup (cloudflare-analyse . com) (trojan.rules)
2024771 - ET TROJAN [PTsecurity] Possible Cobalt Strike payload (trojan.rules)
2026040 - ET TROJAN CobaltStrike DNS Beacon Response (trojan.rules)
2027082 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
2027325 - ET TROJAN CobaltStrike SMB P2P Default Msagent Named Pipe Interaction (trojan.rules)
2030117 - ET TROJAN Ragnarok Ransomware CnC Activity M2 (trojan.rules)
2030448 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI (trojan.rules)
2030449 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
2030450 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI (trojan.rules)
2030451 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
2030452 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI (trojan.rules)
2030453 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
2030454 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI (trojan.rules)
2030455 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
2030456 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI (trojan.rules)
2030457 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
2030458 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
2030459 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI (trojan.rules)
2030460 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
2030461 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI (trojan.rules)
2030462 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
2030463 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI (trojan.rules)
2030464 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
2030465 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI (trojan.rules)
2030466 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
2030467 - ET TROJAN Observed CobaltStrike CnC Domain in TLS SNI (trojan.rules)
2030635 - ET TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC) (trojan.rules)
2030867 - ET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
2805537 - ETPRO TROJAN Repezor Checkin 1 (trojan.rules)
2805538 - ETPRO TROJAN Repezor Checkin 2 (trojan.rules)
2805740 - ETPRO TROJAN BanBra Checkin (trojan.rules)
2806436 - ETPRO TROJAN TROJ_SASFIS.DA Checkin (trojan.rules)
2806475 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Obad.a Checkin (mobile_malware.rules)
2806600 - ETPRO TROJAN Trojan-Banker.Win32.Banker.akf Checkin (trojan.rules)
2806948 - ETPRO TROJAN Trojan-Dropper.Win32.Dapato.cvia Checkin 2 (trojan.rules)
2806995 - ETPRO TROJAN Trojan.Win32.Swisyn.behb Checkin (trojan.rules)
2807017 - ETPRO TROJAN Backdoor.Win32.GF.13x.A Checkin (trojan.rules)
2807037 - ETPRO TROJAN Trojan.Win32.Swisyn.auua Checkin (trojan.rules)
2807129 - ETPRO TROJAN Trojan.Win32.Bublik.aexq/Khan Fetching DDoS target (trojan.rules)
2807671 - ETPRO TROJAN Trojan-Proxy.Win32.Mediana.i Checkin (trojan.rules)
2807737 - ETPRO TROJAN W32/Farfli.AQK!tr Checkin (trojan.rules)
2807763 - ETPRO TROJAN Win32/Hider.G GET .ini Request (trojan.rules)
2807766 - ETPRO TROJAN Trojan-Downloader.Win32.Genome.egme Checkin (trojan.rules)
2807776 - ETPRO TROJAN Win32/PcClient.B Checkin (trojan.rules)
2807778 - ETPRO TROJAN Win32/Obfuscator.XX Checkin (trojan.rules)
2807779 - ETPRO TROJAN VBS/Agent.NEX Checkin (trojan.rules)
2807780 - ETPRO TROJAN Trojan-PSW.Win32.VB.phv Checkin (trojan.rules)
2807781 - ETPRO TROJAN TrojanProxy.Mediana.q Proxy CnC Checkin (trojan.rules)
2807787 - ETPRO TROJAN Trojan.Win32.StartPage.arra Checkin (trojan.rules)
2807789 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Blocal.a Checkin 2 (mobile_malware.rules)
2807790 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Blocal.a Checkin 3 (mobile_malware.rules)
2807794 - ETPRO TROJAN Trojan-Dropper.Win32.Dorifel.aiez Checkin (trojan.rules)
2807812 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.a Checkin 7 (mobile_malware.rules)
2807815 - ETPRO TROJAN Win32/Agent.DE Checkin (trojan.rules)
2807818 - ETPRO TROJAN Troj/DwnLdr-LHU Checkin (trojan.rules)
2807824 - ETPRO MOBILE_MALWARE Android/Agent.BNO Checkin (mobile_malware.rules)
2807825 - ETPRO MOBILE_MALWARE Android/Agent.BNO Checkin 2 (mobile_malware.rules)
2807827 - ETPRO TROJAN Win32/Virut.AG Checkin (trojan.rules)
2807828 - ETPRO TROJAN Win32/Matcash.F Checkin (trojan.rules)
2807835 - ETPRO TROJAN Win32/Small.HK Checkin (trojan.rules)
2807842 - ETPRO TROJAN Win32/Jevafus.A Checkin (trojan.rules)
2807844 - ETPRO TROJAN Win32/Netins.A Checkin (trojan.rules)
2807846 - ETPRO MOBILE_MALWARE Android.Trojan.Adaln.A Checkin (mobile_malware.rules)
2807847 - ETPRO MOBILE_MALWARE Android.Trojan.Adaln.A Checkin 2 (mobile_malware.rules)
2807848 - ETPRO MOBILE_MALWARE Android.Trojan.Adaln.A Checkin 3 (mobile_malware.rules)
2807851 - ETPRO MOBILE_MALWARE Android/Nopoc.A Checkin (mobile_malware.rules)
2807853 - ETPRO TROJAN TorLocker Downloading Tor (trojan.rules)
2807855 - ETPRO TROJAN Variant.Strictor.40297 Checkin (trojan.rules)
2807860 - ETPRO TROJAN TrojanDownloader.HTML/Adodb.gen!A Download (trojan.rules)
2807865 - ETPRO TROJAN W32/Agent.EW.gen Checkin 2 (trojan.rules)
2807870 - ETPRO TROJAN W32/DelfInject.R Checkin (trojan.rules)
2807871 - ETPRO TROJAN W32/DelfInject.R Checkin 2 (trojan.rules)
2807872 - ETPRO TROJAN W32/DelfInject.R Checkin 3 (trojan.rules)
2807873 - ETPRO TROJAN TrojWare.Win32.Amtar.KNB Checkin (trojan.rules)
2807874 - ETPRO TROJAN TrojWare.Win32.Amtar.KNB Checkin 2 (trojan.rules)
2807878 - ETPRO TROJAN Trojan-Dropper.Win32.Dapato.dfmz Checkin (trojan.rules)
2807882 - ETPRO TROJAN TrojanSpy.Win32/Tinbanker.A Checkin (trojan.rules)
2807889 - ETPRO TROJAN Win32/Small.CE Checkin (trojan.rules)
2807890 - ETPRO MOBILE_MALWARE Android/Spy.Zitmo.B Checkin 3 (mobile_malware.rules)
2807891 - ETPRO TROJAN Win32/Spy.KeyLogger.NTB Checkin 2 (trojan.rules)
2807894 - ETPRO TROJAN Trojan.DownLoader9.48256 Checkin (trojan.rules)
2807895 - ETPRO TROJAN Trojan.DownLoader9.48256 Checkin 2 (trojan.rules)
2807896 - ETPRO TROJAN Win32/Phrewhid.A Checkin (trojan.rules)
2807897 - ETPRO TROJAN Win32/Phrewhid.A Checkin 2 (trojan.rules)
2807899 - ETPRO TROJAN Win32/Spy.KeyLogger.NTB Checkin (trojan.rules)
2807902 - ETPRO TROJAN Win32/PerfectKeylogger Possible Download (trojan.rules)
2807903 - ETPRO TROJAN Win32/Cekar.B CnC activity (trojan.rules)
2807909 - ETPRO TROJAN Win32/TrojanDownloader.Agent.AJX Checkin (trojan.rules)
2807911 - ETPRO TROJAN W32/OnlineGames.HG.gen Checkin (trojan.rules)
2807912 - ETPRO TROJAN Win32/TrojanDownloader.Agent.ALG Checkin (trojan.rules)
2807914 - ETPRO TROJAN Trojan.Win32.Cossta.gns Checkin (trojan.rules)
2807916 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.BL Checkin 2 (mobile_malware.rules)
2807917 - ETPRO TROJAN Variant.Graftor.136459 Checkin (trojan.rules)
2807920 - ETPRO POLICY Win32/InstallIQ.A Checkin (policy.rules)
2807923 - ETPRO TROJAN Win32/Qhost.PGM Checkin (trojan.rules)
2807927 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.cm Checkin (mobile_malware.rules)
2807929 - ETPRO TROJAN Backdoor.Win32.Wallop.bz Request (trojan.rules)
2823391 - ETPRO TROJAN Possible CobaltStrike Shellcode over HTTP (trojan.rules)
2823392 - ETPRO TROJAN Possible CobaltStrike CnC Beacon (HTTP GET) (trojan.rules)
2823393 - ETPRO TROJAN Possible CobaltStrike CnC Beacon (HTTP POST) (trojan.rules)
2823394 - ETPRO TROJAN Possible CobaltStrike CnC Beacon (fake headers) (trojan.rules)
2827476 - ETPRO TROJAN Winnti Possible Meterpreter or Cobalt Strike Downloader (trojan.rules)
2827560 - ETPRO TROJAN Cobalt Strike Malleable C2 Custom Profile (trojan.rules)
2828268 - ETPRO TROJAN Malicious Domain CStrike C2 (blockbitcoin .com in DNS Lookup) (trojan.rules)
2830064 - ETPRO TROJAN Cobalt Group C2 Domain (aws-software .com in DNS Lookup) (trojan.rules)
2830066 - ETPRO TROJAN Cobalt Group C2 Domain (aws-software .com in TLS SNI) (trojan.rules)
2830943 - ETPRO TROJAN APT10 MenuPass Domain (jadl-or .com in DNS Lookup) (trojan.rules)
2830944 - ETPRO TROJAN APT10 MenuPass Domain (jadl-or .com in TLS SNI) (trojan.rules)
2831654 - ETPRO TROJAN Observed Cobalt Strike CnC Domain in TLS SNI (trojan.rules)
2831655 - ETPRO TROJAN Observed Cobalt Strike CnC M2 Domain (wsus .azureedge .net in TLS SNI) (trojan.rules)
2832170 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC) (trojan.rules)
2832206 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC) (trojan.rules)
2832804 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC) (trojan.rules)
2832833 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC) (trojan.rules)
2833199 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC) (trojan.rules)
2833643 - ETPRO TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile (trojan.rules)
2833759 - ETPRO TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
2834370 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
2834371 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
2834372 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
2834373 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
2834374 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
2834375 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
2834376 - ETPRO TROJAN Cobalt Strike Domain in SNI (trojan.rules)
2834762 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike Beacon) (trojan.rules)
2835199 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC) (trojan.rules)
2835440 - ETPRO TROJAN Observed Cobalt Strike CnC Domain (omnibelts .appspot .com in TLS SNI) (trojan.rules)
2835735 - ETPRO TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
2841187 - ETPRO TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
2841676 - ETPRO TROJAN Win32/Cobalt Strike CnC Activity (OCSP Spoof) (trojan.rules)
2843203 - ETPRO TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
2843866 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC) (trojan.rules)
2843937 - ETPRO TROJAN Ragnarok Ransomware CnC Activity M3 (trojan.rules)
2844368 - ETPRO TROJAN Cobalt Strike Malleable C2 (QiHoo Profile) (trojan.rules)