[***] Summary: [***]
12 new OPEN, 35 new PRO (12 + 23). Ttint CnC, BLINDINGCAN, Pharynx Downloader and Various Phishing.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030923 - ET TROJAN Observed Malicious SSL Cert (CoreDn/BLINDINGCAN Activity) (trojan.rules)
2030924 - ET TROJAN Ttint XORed CnC Checkin (trojan.rules)
2030925 - ET TROJAN Observed Ttint CnC Domain in DNS Query (trojan.rules)
2030926 - ET TROJAN Observed Ttint CnC Domain in DNS Query (trojan.rules)
2030927 - ET TROJAN Observed Ttint CnC Domain in DNS Query (trojan.rules)
2030928 - ET TROJAN Observed Ttint Update CnC Domain in DNS Query (trojan.rules)
2030929 - ET TROJAN Observed BLINDINGCAN Domain (www .sanlorenzoyacht .com in TLS SNI) (trojan.rules)
2030930 - ET TROJAN Observed BLINDINGCAN Domain (www .automercado .co .cr in TLS SNI) (trojan.rules)
2030931 - ET TROJAN Observed BLINDINGCAN Domain (www .sanlorenzoyacht .com in TLS SNI) (trojan.rules)
2030932 - ET TROJAN BUILDINGCAN CnC Activity (trojan.rules)
2030933 - ET MALWARE Observed DownloadAssistant User-Agent (malware.rules)
2030934 - ET MALWARE DownloadAssistant Activity (malware.rules)
Pro:
2844697 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .hostux .net) (policy.rules)
2844698 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .dns-over-https .com) (policy.rules)
2844699 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (uncensored .lux1 .dns .nixnet .xyz) (policy.rules)
2844700 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .rubyfish .cn) (policy.rules)
2844701 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .twnic .tw) (policy.rules)
2844702 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (doh .centraleu .pi-dns .com) (policy.rules)
2844703 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (doh .dns .sb) (policy.rules)
2844704 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (doh-fi .blahdns .com) (policy.rules)
2844705 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (fi .doh .dns .snopyta .org) (policy.rules)
2844706 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .flatuslifir .is) (policy.rules)
2844707 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (doh .li) (policy.rules)
2844708 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .digitale-gesellschaft .ch) (policy.rules)
2844709 - ETPRO TROJAN ELF/SystemDMiner.C Retrieving Payload (trojan.rules)
2844710 - ETPRO TROJAN Observed DNS Query to Java.jSocket.QNS CnC Domain (trojan.rules)
2844711 - ETPRO CURRENT_EVENTS Successful Banca Sella Phish 2020-09-30 (current_events.rules)
2844712 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-09-30 (current_events.rules)
2844713 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-09-30 (current_events.rules)
2844714 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2020-09-30 (current_events.rules)
2844715 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-09-30 (current_events.rules)
2844716 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-09-30 1) (trojan.rules)
2844717 - ETPRO TROJAN MSIL/ChromePasswordDump.A CnC Activity (trojan.rules)
2844718 - ETPRO TROJAN Pharynx Downloader (trojan.rules)
2844719 - ETPRO CURRENT_EVENTS Bank of America Phishing Landing 2020-09-30 (current_events.rules)
[///] Modified active rules: [///]
2009481 - ET SCAN Grendel-Scan Web Application Security Scan Detected (scan.rules)
2017190 - ET TROJAN Win32/Kelihos.F exe Download 2 (trojan.rules)
2020350 - ET TROJAN BePush/Kilim payload retrieval (trojan.rules)
2020491 - ET TROJAN Possible Bedep Connectivity Check (2) (trojan.rules)
2020717 - ET TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon M1 (trojan.rules)
2020821 - ET TROJAN Win32/Hyteod CnC Beacon (trojan.rules)
2020834 - ET TROJAN Mikey Variant HTTP CnC Beacon 2 (trojan.rules)
2020867 - ET EXPLOIT FritzBox RCE POST Request (exploit.rules)
2020874 - ET EXPLOIT Netgear DGN1000B Router DNS Change GET Request (exploit.rules)
2020876 - ET EXPLOIT Tenda ADSL2/2+ Router DNS Change GET Request (exploit.rules)
2020877 - ET EXPLOIT Known Malicious Router DNS Change GET Request (exploit.rules)
2020883 - ET TROJAN Kriptovor Checkin (trojan.rules)
2020907 - ET TROJAN CoinVault CnC Beacon M1 (trojan.rules)
2020910 - ET TROJAN Win32/Ruckguv.A Requesting Payload (trojan.rules)
2020916 - ET EXPLOIT Possible Redirect to SMB exploit attempt - 302 (exploit.rules)
2020917 - ET EXPLOIT Possible Redirect to SMB exploit attempt - 301 (exploit.rules)
2020918 - ET TROJAN FighterPOS CnC Beacon 1 (trojan.rules)
2020921 - ET TROJAN Sysget/HelloBridge HTTP GET CnC Beacon (trojan.rules)
2020928 - ET TROJAN Zacom/NFlog Checkin (trojan.rules)
2020933 - ET TROJAN Dalexis CnC Beacon (trojan.rules)
2020963 - ET TROJAN CozyDuke APT HTTP GET CnC Beacon (trojan.rules)
2020964 - ET TROJAN CozyDuke APT HTTP POST CnC Beacon (trojan.rules)
2020976 - ET EXPLOIT Possible Redirect to SMB exploit attempt - 307 (exploit.rules)
2020977 - ET EXPLOIT Possible Redirect to SMB exploit attempt - 303 (exploit.rules)
2020982 - ET CURRENT_EVENTS Fiesta EK SilverLight Exploit Apr 23 2015 (current_events.rules)
2020991 - ET CURRENT_EVENTS Possible Sundown EK Payload Struct T2 M1 Apr 24 2015 (current_events.rules)
2021018 - ET EXPLOIT WNR2000v4 HTTP POST RCE Attempt Via Timestamp Discovery (exploit.rules)
2021028 - ET TROJAN Downeks Checkin (trojan.rules)
2021058 - ET SCAN Xenu Link Sleuth Scanner Outbound (scan.rules)
2021067 - ET INFO Dotted Quad Host M1 (noalert) (info.rules)
2021068 - ET INFO Dotted Quad Host M2 (noalert) (info.rules)
2021069 - ET INFO Dotted Quad Host M3 (noalert) (info.rules)
2021070 - ET INFO Dotted Quad Host M4 (noalert) (info.rules)
2021071 - ET INFO Dotted Quad Host M5 (noalert) (info.rules)
2021072 - ET INFO Dotted Quad Host M6 (noalert) (info.rules)
2021073 - ET INFO Dotted Quad Host M7 (noalert) (info.rules)
2021074 - ET INFO Dotted Quad Host M8 (noalert) (info.rules)
2021075 - ET INFO Dotted Quad Host M9 (noalert) (info.rules)
2021080 - ET TROJAN Enfal CnC GET (trojan.rules)
2808445 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.C Checkin 3 (mobile_malware.rules)
2809678 - ETPRO MOBILE_MALWARE Android/Locker.S Checkin (mobile_malware.rules)
2809882 - ETPRO TROJAN Dridex Post Checkin Activity 3 (trojan.rules)
2809936 - ETPRO MOBILE_MALWARE Android.Adware.Wapsx.A Checkin 4 (mobile_malware.rules)
2810238 - ETPRO TROJAN Win32.Hyteod.acox Conn Check (trojan.rules)
2810239 - ETPRO TROJAN Win32/Spy.Bizzana.A Checkin (trojan.rules)
2810267 - ETPRO TROJAN TrojanDownloader.Banload.VHZ Checkin (trojan.rules)
2810271 - ETPRO MOBILE_MALWARE PUP Android/Igexin.E Checkin 3 (mobile_malware.rules)
2810275 - ETPRO MOBILE_MALWARE Android/InfoStealer.BT Checkin (mobile_malware.rules)
2810294 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.dx Checkin (mobile_malware.rules)
2810306 - ETPRO MOBILE_MALWARE Android-Spyware/SmsReg Checkin (mobile_malware.rules)
2810340 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.fz Checkin 2 (mobile_malware.rules)
2810341 - ETPRO MOBILE_MALWARE Android/Monitor.SpyTimetunnel.A Checkin (mobile_malware.rules)
2810365 - ETPRO TROJAN Win32/Troldesh.A Ransomware External IP Check (trojan.rules)
2810383 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.kh Checkin 2 (mobile_malware.rules)
2810385 - ETPRO TROJAN Win32/Lacam.A Checkin (trojan.rules)
2810386 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.EU Checkin (mobile_malware.rules)
2810408 - ETPRO TROJAN Win32/Meredrop Checkin 2 (trojan.rules)
2810411 - ETPRO TROJAN ge.tt file malicious extension download (trojan.rules)
2810425 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.FO Checkin (mobile_malware.rules)
2810436 - ETPRO WEB_SPECIFIC_APPS WP Simple Ads Manager SQLi Attempt (web_specific_apps.rules)
2810475 - ETPRO WEB_SPECIFIC_APPS Joomla Spider Random Article SQLi Attempt (web_specific_apps.rules)
2810478 - ETPRO TROJAN ScriptKD Checkin (trojan.rules)
2810479 - ETPRO TROJAN Win32/TPWorm Checkin (trojan.rules)
2810482 - ETPRO TROJAN Win32/LockDNS.A Checkin (trojan.rules)
2810484 - ETPRO MOBILE_MALWARE Android/UpdtKiller.F Checkin 2 (mobile_malware.rules)
2810488 - ETPRO TROJAN KeyBase Keylogger Transmitting Clipboard to CnC (trojan.rules)
2810503 - ETPRO TROJAN Win32.Injector.lqfj Checkin (trojan.rules)
2810506 - ETPRO MOBILE_MALWARE Adware Android/Inmobi.A Checkin (mobile_malware.rules)
2810507 - ETPRO TROJAN Likely CoinMiner Variant CnC Beacon (trojan.rules)
2810542 - ETPRO MOBILE_MALWARE Android.Trojan.Fadeb.B Checkin (mobile_malware.rules)
2810576 - ETPRO TROJAN Win.Backdoor.Igliveforg Checkin 1 (trojan.rules)
2810580 - ETPRO TROJAN Win32/Vflooder.C Flooding VT (trojan.rules)
2810599 - ETPRO MOBILE_MALWARE Android/SMSreg.HI Checkin (mobile_malware.rules)
2810604 - ETPRO MOBILE_MALWARE Android/JSmsHider.B Checkin 2 (mobile_malware.rules)
2810608 - ETPRO TROJAN Win32.Androm.qxe Checkin (trojan.rules)
2810613 - ETPRO WEB_SERVER Microsoft Sharepoint XSS attempt (CVE-2015-1640) (web_server.rules)
2810633 - ETPRO TROJAN Win32/TrojanDownloader.Banload.VMQ Retrieving Payload set (trojan.rules)
2810634 - ETPRO TROJAN Win32/TrojanDownloader.Banload.VMQ Receiving Payload (trojan.rules)
2810658 - ETPRO TROJAN Win32/Nosrawec.C CnC Beacon (trojan.rules)
2810672 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.qh Checkin (mobile_malware.rules)
2810675 - ETPRO MOBILE_MALWARE Andr/Fakengry-A Checkin (mobile_malware.rules)
2810676 - ETPRO TROJAN Win32/Rovnix CnC Beacon (trojan.rules)
2810677 - ETPRO TROJAN Win32/TrojanDownloader.Small.AGX CnC Beacon (trojan.rules)
2810704 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.LA Checkin (mobile_malware.rules)
2810726 - ETPRO WEB_SPECIFIC_APPS WP Business Intelligence Lite 1.6.1 SQLi Attempt (web_specific_apps.rules)
2810753 - ETPRO TROJAN Win32/Spy.Banbra.HE Fetching Config (trojan.rules)
2810767 - ETPRO MOBILE_MALWARE Android/SMSreg.HI Checkin 2 (mobile_malware.rules)
2810775 - ETPRO TROJAN Win32/Dalexis.F Dropping Files (trojan.rules)
2810808 - ETPRO WEB_SPECIFIC_APPS Possible WP Comments XSS (DOM Event Name in Comment) (web_specific_apps.rules)
2810810 - ETPRO MOBILE_MALWARE Android.Adware.Adwo.A Checkin 2 (mobile_malware.rules)
2810811 - ETPRO MOBILE_MALWARE Android/Igexin.E Checkin 4 (mobile_malware.rules)
2810813 - ETPRO MOBILE_MALWARE Android PUP SMSreg-XR Checkin (mobile_malware.rules)
2810817 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.Mbpel.a Checkin (mobile_malware.rules)
2810831 - ETPRO TROJAN Win32/Neshta.A Retrieving GeoIP Information (trojan.rules)
2810849 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.KK Checkin (mobile_malware.rules)
2810850 - ETPRO MOBILE_MALWARE Android/SMSreg.GB Checkin 2 (mobile_malware.rules)
2810856 - ETPRO MOBILE_MALWARE Android/Igexin.E Checkin 5 (mobile_malware.rules)
2810886 - ETPRO WEB_SPECIFIC_APPS WP Plugin Ultimate Product Catalogue SQLi Attempt (web_specific_apps.rules)
2810896 - ETPRO TROJAN Win32/Zapis.A Stats and Connectivity Check (trojan.rules)
2810907 - ETPRO MOBILE_MALWARE Android/AdDisplay.Waptri.A Checkin (mobile_malware.rules)
2810908 - ETPRO MOBILE_MALWARE Android/Mseg.B Checkin (mobile_malware.rules)
2810911 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.ja Checkin 2 (mobile_malware.rules)
2810918 - ETPRO TROJAN Spy.KeyLogger.OKT Checkin (trojan.rules)
2810924 - ETPRO MOBILE_MALWARE Android/SMSreg.GD Checkin (mobile_malware.rules)
2810925 - ETPRO MOBILE_MALWARE Android.Riskware.AdFlex.A Download (mobile_malware.rules)
2810933 - ETPRO WEB_SPECIFIC_APPS Pimcore v3.0.5 CMS SQLi Attempt (web_specific_apps.rules)
2810944 - ETPRO TROJAN Chthonic CnC Beacon 4 (trojan.rules)
2810945 - ETPRO TROJAN Suspicious RAR Download - Likely Fake (Mozilla/4.0) (trojan.rules)
2810947 - ETPRO CURRENT_EVENTS Fiesta EK SilverLight Exploit May 11 2015 (current_events.rules)
2810955 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.ep Checkin 2 (mobile_malware.rules)
2844679 - ETPRO TROJAN ELF/SystemDMiner.C CnC Checkin (trojan.rules)
[---] Disabled and modified rules: [---]
2020887 - ET TROJAN Shellshock Worm Checkin (trojan.rules)
2020890 - ET TROJAN Operation Buhtrap CnC Beacon 1 (trojan.rules)
2020906 - ET TROJAN CoinVault Mailer CnC Beacon (trojan.rules)
2020920 - ET TROJAN FighterPOS CnC Beacon 3 (trojan.rules)
2020922 - ET TROJAN Sysget/HelloBridge HTTP POST CnC Beacon (trojan.rules)
2020927 - ET TROJAN Bioazih RAT Checkin (trojan.rules)
2020939 - ET TROJAN PunkeyPOS HTTP CnC Beacon 5 (trojan.rules)
2020940 - ET TROJAN PunkeyPOS HTTP CnC Beacon 6 (trojan.rules)
2020960 - ET TROJAN Possible Graftor Downloading Dridex (trojan.rules)
2021029 - ET TROJAN Downeks Checkin 2 (trojan.rules)
2021055 - ET TROJAN Carbon FormGrabber/Retgate.A/Rombertik Checkin (trojan.rules)
2809819 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.AVF Checkin (mobile_malware.rules)
2810235 - ETPRO TROJAN Win32.SysUpdater Config Download (trojan.rules)
2810302 - ETPRO TROJAN Win32/SkyDll.A Checkin (trojan.rules)
2810303 - ETPRO TROJAN Backdoor.Insidious Checkin (trojan.rules)
2810339 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.rc Checkin (mobile_malware.rules)
2810410 - ETPRO TROJAN ge.tt file direct download (trojan.rules)
2810413 - ETPRO MOBILE_MALWARE Android/SMSreg.QA Checkin (mobile_malware.rules)
2810483 - ETPRO MOBILE_MALWARE Android/UpdtKiller.F Checkin (mobile_malware.rules)
2810486 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.cc Checkin (mobile_malware.rules)
2810577 - ETPRO TROJAN Win.Backdoor.Igliveforg Checkin 2 (trojan.rules)
2810601 - ETPRO TROJAN Unknown Banker .dat file download 1 (trojan.rules)
2810603 - ETPRO TROJAN Unknown Banker Checkin (trojan.rules)
2810631 - ETPRO MOBILE_MALWARE Android/Fujacks.CA Checkin (mobile_malware.rules)
2810651 - ETPRO TROJAN Downeks Exfiltrating System Info (trojan.rules)
2810700 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Xynyin.a Checkin (mobile_malware.rules)
2810715 - ETPRO TROJAN VBS.BackDoor.DuCk.1 Checkin 1 (trojan.rules)
2810728 - ETPRO MOBILE_MALWARE Android/SMSreg.AV Checkin 2 (mobile_malware.rules)
2810730 - ETPRO TROJAN Trojan-Downloader.Banload Connectivity Check (trojan.rules)
2810765 - ETPRO TROJAN Win32/Rovnix.P Posting stolen data (trojan.rules)
2810783 - ETPRO TROJAN W32.Badur Executable Download (trojan.rules)
2810809 - ETPRO MOBILE_MALWARE Riskware Android/Secapk.F Checkin 2 (mobile_malware.rules)
2810823 - ETPRO TROJAN Win32.Reconyc.dzbc CnC Beacon (trojan.rules)
2810825 - ETPRO TROJAN Win32/Delf.RMB CnC Beacon (trojan.rules)
2810843 - ETPRO TROJAN Win32/Ladivyrop.A CnC Beacon 1 (trojan.rules)
2810844 - ETPRO TROJAN Win32/Ladivyrop.A CnC Beacon 2 (trojan.rules)
2810846 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.C Checkin 8 (mobile_malware.rules)
2810893 - ETPRO TROJAN W97M.Dropper Downloading EXE (trojan.rules)
2810920 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.ABK Checkin (mobile_malware.rules)
2810956 - ETPRO MOBILE_MALWARE Android Riskware SMSreg-CFF Checkin (mobile_malware.rules)
2810957 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.bo Checkin (mobile_malware.rules)
[---] Removed rules: [---]
2835917 - ETPRO TROJAN Observed Malicious SSL Cert (CoreDn Activity) (trojan.rules)