Daily Ruleset Update Summary
Daily Ruleset Update Summary 2020/10/07

[***]            Summary:            [***]

9 new OPEN, 40 new PRO (9 + 31). Strongpity CnC, Aerial Keylogger, Adfraud/BlackSEO Redirector, Win32/Vika Stealer, Ricardo Grabber CnC, MSIL/OrionBot, LiteHTTP Variant, Coinminers, VARIOUS PHISH.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2023471 - ET TROJAN Possible Malicious Tor Module Download (trojan.rules)
  2030982 - ET TROJAN Observed Malicious SSL Cert (Strongpity CnC)
(trojan.rules)
  2030983 - ET TROJAN Aerial Keylogger DNS Request (trojan.rules)
  2030984 - ET CURRENT_EVENTS Docusign Phishing Landing Hosted via Weebly
(current_events.rules)
  2030985 - ET CURRENT_EVENTS Generic Phishing Landing Hosted via Weebly
(current_events.rules)
  2030986 - ET CURRENT_EVENTS Generic Phishing Landing Hosted via Weebly
(current_events.rules)
  2030987 - ET CURRENT_EVENTS Generic Phishing Landing Hosted via Weebly
(current_events.rules)
  2030988 - ET TROJAN Observed Malicious SSL Cert (BazaLoader CnC)
(trojan.rules)
  2030989 - ET EXPLOIT Possible Mida eFramework RCE Attempt Inbound
(CVE-2020-15922) (exploit.rules)

Pro:

  2823302 - ETPRO WEB_CLIENT Unknown Adfraud/BlackSEO Redirector
(web_client.rules)
  2844806 - ETPRO TROJAN Observed Malicious SSL Cert (Strongpity CnC)
(trojan.rules)
  2844807 - ETPRO TROJAN Observed Malicious SSL Cert (Strongpity CnC)
(trojan.rules)
  2844808 - ETPRO TROJAN Observed Malicious SSL Cert (Strongpity CnC)
(trojan.rules)
  2844809 - ETPRO TROJAN Observed Malicious SSL Cert (Strongpity CnC)
(trojan.rules)
  2844810 - ETPRO TROJAN Observed Malicious SSL Cert (Strongpity CnC)
(trojan.rules)
  2844811 - ETPRO TROJAN Observed Malicious SSL Cert (Strongpity CnC)
(trojan.rules)
  2844812 - ETPRO TROJAN Observed Malicious SSL Cert (Strongpity CnC)
(trojan.rules)
  2844813 - ETPRO TROJAN Observed Malicious SSL Cert (Strongpity CnC)
(trojan.rules)
  2844814 - ETPRO TROJAN Win32/Vika Stealer Data Exfil to CnC (trojan.rules)
  2844815 - ETPRO TROJAN Observed Vika Stealer UA (trojan.rules)
  2844816 - ETPRO TROJAN Observed Malicious SSL Cert (GRIFFON CnC)
(trojan.rules)
  2844817 - ETPRO TROJAN Ricardo Grabber CnC Host Checkin (trojan.rules)
  2844818 - ETPRO CURRENT_EVENTS Successful Impots Gouv FR Phish 2020-10-07
(current_events.rules)
  2844819 - ETPRO CURRENT_EVENTS Successful Generic Webmail Settings Phish
2020-10-07 (current_events.rules)
  2844820 - ETPRO CURRENT_EVENTS Successful Suntrust Phish 2020-10-07
(current_events.rules)
  2844821 - ETPRO CURRENT_EVENTS Successful 163 Phish 2020-10-07
(current_events.rules)
  2844822 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-06 1) (trojan.rules)
  2844823 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-06 2) (trojan.rules)
  2844824 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-06 3) (trojan.rules)
  2844825 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-06 4) (trojan.rules)
  2844826 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-06 5) (trojan.rules)
  2844827 - ETPRO TROJAN MSIL/OrionBot Checkin via Discord (trojan.rules)
  2844828 - ETPRO MALWARE Idol Champer Installer Activity (malware.rules)
  2844829 - ETPRO MALWARE LiteHTTP Variant CnC Activity (malware.rules)
  2844830 - ETPRO TROJAN Win32/Remcos RAT Checkin 556 (trojan.rules)
  2844831 - ETPRO TROJAN Observed AZORult CnC Domain in TLS SNI
(trojan.rules)
  2844832 - ETPRO TROJAN Observed Malicious SSL Cert (IcedID) (trojan.rules)
  2844833 - ETPRO TROJAN Observed Malicious SSL Cert (IcedID) (trojan.rules)
  2844834 - ETPRO TROJAN Observed Malicious SSL Cert (IcedID) (trojan.rules)
  2844835 - ETPRO TROJAN Observed Malicious SSL Cert (IcedID) (trojan.rules)

[///]     Modified active rules:     [///]

  2018080 - ET TROJAN Suspicious Request for Pdf.exe Observed in
Zeus/Luminosity Link (trojan.rules)
  2018598 - ET TROJAN Citadel Checkin (trojan.rules)
  2018676 - ET TROJAN Sharik/Smoke Loader Adobe Connectivity check
(trojan.rules)
  2019458 - ET TROJAN Win32/Zemot URI Struct (trojan.rules)
  2020503 - ET TROJAN Win32/HydraCrypt CnC Beacon 3 (trojan.rules)
  2021203 - ET TROJAN Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
(trojan.rules)
  2022124 - ET TROJAN Sharik/Smoke Loader Microsoft Connectivity Check
(trojan.rules)
  2023305 - ET TROJAN Anuna PHP Backdoor Attempt (trojan.rules)
  2023397 - ET TROJAN Win32/CryptFile2 Ransomware Checkin M2 (trojan.rules)
  2023401 - ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016  (RIG-v)
(current_events.rules)
  2023454 - ET INFO Possible EXE Download From Suspicious TLD (.science) -
set (info.rules)
  2023455 - ET INFO Possible EXE Download From Suspicious TLD (.top) - set
(info.rules)
  2023456 - ET INFO Possible EXE Download From Suspicious TLD (.stream) -
set (info.rules)
  2023457 - ET INFO Possible EXE Download From Suspicious TLD (.download) -
set (info.rules)
  2023459 - ET INFO Possible EXE Download From Suspicious TLD (.biz) - set
(info.rules)
  2023460 - ET INFO Possible EXE Download From Suspicious TLD (.accountant)
- set (info.rules)
  2023461 - ET INFO Possible EXE Download From Suspicious TLD (.click) -
set (info.rules)
  2023462 - ET INFO Possible EXE Download From Suspicious TLD (.link) - set
(info.rules)
  2023463 - ET INFO Possible EXE Download From Suspicious TLD (.win) - set
(info.rules)
  2023477 - ET TROJAN Moose CnC Request M1 (trojan.rules)
  2023478 - ET TROJAN Moose CnC Response (trojan.rules)
  2023486 - ET TROJAN Sednit/APT28/Sofacy Delphocy CnC Beacon (trojan.rules)
  2023548 - ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE  (exploit.rules)
  2023549 - ET EXPLOIT Eir D1000 Modem CWMP Exploit Retrieving Wifi Key
(exploit.rules)
  2023570 - ET TROJAN DistTrack/Shamoon CnC Beacon M1 (trojan.rules)
  2023575 - ET TROJAN User-Agent (Visbot) (trojan.rules)
  2023577 - ET TROJAN Locky CnC Checkin HTTP Pattern (trojan.rules)
  2023669 - ET TROJAN Click Fraud Checkin (trojan.rules)
  2023675 - ET TROJAN Win32/Braincrypt Ransomware CnC Checkin (trojan.rules)
  2023680 - ET MOBILE_MALWARE Android Fancy Bear Checkin
(mobile_malware.rules)
  2023682 - ET MOBILE_MALWARE Android Fancy Bear Checkin 3
(mobile_malware.rules)
  2023683 - ET MOBILE_MALWARE Android Fancy Bear Checkin 4
(mobile_malware.rules)
  2023684 - ET MOBILE_MALWARE Android Fancy Bear Checkin 5
(mobile_malware.rules)
  2023685 - ET MOBILE_MALWARE Android Fancy Bear Checkin 6
(mobile_malware.rules)
  2023687 - ET SCAN Acunetix scan in progress acunetix_wvs_security_test in
http_uri (scan.rules)
  2023688 - ET SCAN Acunetix scan in progress acunetix variable in http_uri
(scan.rules)
  2023739 - ET TROJAN Maldoc Second Stage VBS Downloader with URL Padding
(trojan.rules)
  2806032 - ETPRO TROJAN Win32.Scar.hhrw POST (trojan.rules)
  2807012 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.i Checkin 2
(mobile_malware.rules)
  2807443 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Svpeng.a Checkin
(mobile_malware.rules)
  2809825 - ETPRO TROJAN Sharik/Smoke Loader SourceForge Connectivity Check
(trojan.rules)
  2811807 - ETPRO TROJAN Win32/Agent.NEJ HTTP Request (hi.baidu.com)
(trojan.rules)
  2814022 - ETPRO MOBILE_MALWARE Trojan-Downloader.AndroidOS.Leech.a
Checkin (mobile_malware.rules)
  2814718 - ETPRO TROJAN Sharik Checkin (trojan.rules)
  2816306 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Igamo.a Checkin
(mobile_malware.rules)
  2820495 - ETPRO MOBILE_MALWARE Android/UpdtKiller.M Checkin
(mobile_malware.rules)
  2820982 - ETPRO TROJAN MSIL/AlphaStealer PWS Exfil via HTTP (trojan.rules)
  2820992 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Svpeng.s Checkin
(mobile_malware.rules)
  2821202 - ETPRO TROJAN Sharik/Smoke Loader Microsoft Connectivity Check
M2 (trojan.rules)
  2822183 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Agent.la Checkin
(mobile_malware.rules)
  2822184 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Agent.la Checkin 2
(mobile_malware.rules)
  2822238 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Agent.lp Checkin
(mobile_malware.rules)
  2822299 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Casseb.a Checkin
(mobile_malware.rules)
  2822327 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Rootnik.bz Checkin
(mobile_malware.rules)
  2822328 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Rootnik.bx Checkin
(mobile_malware.rules)
  2822472 - ETPRO MOBILE_MALWARE Android.Adware.Airpush.3D9C Checkin
(mobile_malware.rules)
  2822488 - ETPRO TROJAN W32.Raum Update Config HTTP Request (trojan.rules)
  2822599 - ETPRO TROJAN Win32/CONFUCIUS_B External IP Check to CnC
(trojan.rules)
  2822687 - ETPRO TROJAN Win32/Nagram/Rakhni Dropping RAR (trojan.rules)
  2822730 - ETPRO TROJAN PassCV Win32/TrojanDownloader.VB.NOY CnC Beacon
(trojan.rules)
  2822802 - ETPRO TROJAN DiamondFox HTTP Requesting Module (trojan.rules)
  2822803 - ETPRO TROJAN DiamondFox HTTP POSTing JPEG (trojan.rules)
  2822806 - ETPRO TROJAN W32.Plugx CnC HTTP Request (trojan.rules)
  2822889 - ETPRO TROJAN W32.Cerber Ransomware HTTP Pattern (trojan.rules)
  2822951 - ETPRO WEB_SPECIFIC_APPS Joomla 3.6.4 Add User Exploit
(web_specific_apps.rules)
  2822952 - ETPRO WEB_SPECIFIC_APPS Joomla 3.6.4 Add User Exploit With
PrivEsc (web_specific_apps.rules)
  2823040 - ETPRO MOBILE_MALWARE Android/AdDisplay.Drosel.A Checkin
(mobile_malware.rules)
  2823058 - ETPRO CURRENT_EVENTS Evil 302 Redirect to RIG-v EK Oct 24 2016
(current_events.rules)
  2823061 - ETPRO TROJAN MSIL.NoobCrypt CnC (trojan.rules)
  2823157 - ETPRO WEB_CLIENT Microsoft Internet Explorer 11 Windows 10
Information Disclosure (CVE-2016-7227) (web_client.rules)
  2823234 - ETPRO TROJAN MSIL.Neutron Checkin (trojan.rules)
  2823235 - ETPRO TROJAN HappyLocker Ransomware CnC Checkin (trojan.rules)
  2823264 - ETPRO MOBILE_MALWARE Trojan-Downloader.AndroidOS.Rootnik.f
Checkin (mobile_malware.rules)
  2823389 - ETPRO TROJAN MSIL/Gentromal.A CnC Beacon (trojan.rules)
  2823392 - ETPRO TROJAN Possible CobaltStrike CnC Beacon (HTTP GET)
(trojan.rules)
  2823396 - ETPRO MOBILE_MALWARE Android.Trojan.Maistealer.B Checkin
(mobile_malware.rules)
  2823418 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Qexq.a Checkin
(mobile_malware.rules)
  2823457 - ETPRO CURRENT_EVENTS RIG EK Flash Exploit (set)
(current_events.rules)
  2823460 - ETPRO CURRENT_EVENTS RIG EK Landing Nov 26 (Rig-v)
(current_events.rules)
  2823478 - ETPRO MOBILE_MALWARE Android.Trojan.HiddenApp.HO Checkin
(mobile_malware.rules)
  2823677 - ETPRO TROJAN MSIL.Unknown Reporting Install Error (trojan.rules)
  2823702 - ETPRO TROJAN MSIL/Popcorn Ransomware Requesting Image
(trojan.rules)
  2823859 - ETPRO TROJAN MSIL/Unknown HTTP PWS Exfil (trojan.rules)
  2823863 - ETPRO TROJAN Possible Ursnif Tor Module Download (trojan.rules)
  2823864 - ETPRO TROJAN Possible Ursnif Tor Module Download (trojan.rules)
  2823917 - ETPRO TROJAN APT.Rexpot Variant CnC Beacon (trojan.rules)
  2823951 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.cn SMS Exfil
(mobile_malware.rules)
  2823992 - ETPRO TROJAN Nuclear Bot Checkin (trojan.rules)
  2824185 - ETPRO TROJAN Excrevie Downloading EXE (trojan.rules)
  2824192 - ETPRO TROJAN MSIL/Agent.AMC Variant Backdoor Checkin
(trojan.rules)
  2824195 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Nyleaker.a Checkin
(mobile_malware.rules)
  2824216 - ETPRO TROJAN Rerdom Variant CnC (trojan.rules)
  2824251 - ETPRO TROJAN MSIL/Peppy CnC Beacon (Ping) (trojan.rules)
  2824269 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.w CnC Beacon
(mobile_malware.rules)
  2824275 - ETPRO TROJAN MSIL/Unk.Stealer Sending Screenshots (trojan.rules)
  2824350 - ETPRO TROJAN Maktub Locker TOR Status Check (trojan.rules)
  2824358 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.GlodEagl.a Checkin
(mobile_malware.rules)
  2824370 - ETPRO TROJAN Cerber Blockchain Query (trojan.rules)
  2824387 - ETPRO TROJAN ARIK/Aaron Keylogger Download Request
(trojan.rules)
  2824504 - ETPRO TROJAN PadCrypt Ransomware DGA Checkin (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2023293 - ET TROJAN Win32.Pony Variant FOX Reporting Adfraud Activity
(trojan.rules)
  2023508 - ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin 2
(mobile_malware.rules)
  2023514 - ET POLICY Android Adups Firmware Checkin (policy.rules)
  2806121 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.MTK.a Checkin
(mobile_malware.rules)
  2809583 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.m Checkin 3
(mobile_malware.rules)
  2814597 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SaveMe.a Checkin
(mobile_malware.rules)
  2822172 - ETPRO MOBILE_MALWARE Android/Niynuy.A Checkin 2
(mobile_malware.rules)
  2822186 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Agent.gz Checkin
(mobile_malware.rules)
  2822209 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.lt Checkin
(mobile_malware.rules)
  2822228 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.Agent.be Checkin
(mobile_malware.rules)
  2822229 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Agent.ll CnC Beacon
(mobile_malware.rules)
  2822230 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Agent.ll CnC Beacon 2
(mobile_malware.rules)
  2822304 - ETPRO TROJAN Aerial Keylogger CnC Activity (trojan.rules)
  2822355 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.jp Checkin
(mobile_malware.rules)
  2822427 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Oversa.a Checkin
(mobile_malware.rules)
  2822486 - ETPRO TROJAN W32.Raum Checkin (trojan.rules)
  2822487 - ETPRO TROJAN W32.Raum Update Config HTTP Request (trojan.rules)
  2822618 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Sugs.a Checkin
(mobile_malware.rules)
  2822956 - ETPRO TROJAN MSIL/Downloader.Agent.WD Retrieving Payload
(trojan.rules)
  2822971 - ETPRO TROJAN W32.Unknown.BR Banker Checkin (trojan.rules)
  2823215 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Ledoden.a Checkin
(mobile_malware.rules)
  2823329 - ETPRO TROJAN Crypton Ransomware Checkin (trojan.rules)
  2823330 - ETPRO TROJAN Crypton Ransomware User Agent Observed
(trojan.rules)
  2823331 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Dadmo.e Checkin
(mobile_malware.rules)
  2823422 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.lr Checkin
(mobile_malware.rules)
  2823449 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Agent.mb Checkin
(mobile_malware.rules)
  2823723 - ETPRO TROJAN W32.Samsa Checkin via Tor2web (trojan.rules)
  2823789 - ETPRO MOBILE_MALWARE Android.Trojan.Uten.AA Checkin
(mobile_malware.rules)
  2823841 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.bt Checkin
(mobile_malware.rules)
  2823842 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.bt Checkin 2
(mobile_malware.rules)
  2824007 - ETPRO TROJAN BACKDOOR.FREELOAD Checkin (trojan.rules)
  2824113 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.cc Checkin
(mobile_malware.rules)
  2824249 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.ED Checkin
(mobile_malware.rules)
  2824426 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.DU Checkin 2
(mobile_malware.rules)
  2824489 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Ecobatry.a Checkin
(mobile_malware.rules)
  2824502 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Pletor.b Checkin
(mobile_malware.rules)

[---]         Removed rules:         [---]

  2023471 - ET CURRENT_EVENTS Possible Malicious Tor Module Download
(current_events.rules)
  2823302 - ETPRO CURRENT_EVENTS Unknown Adfraud/BlackSEO Redirector
(current_events.rules)

Date:
Summary title:
9 new OPEN, 40 new PRO (9 + 31). Strongpity CnC, Aerial Keylogger, Adfraud/BlackSEO Redirector, Win32/Vika Stealer, Ricardo Grabber CnC, MSIL/OrionBot, LiteHTTP Variant, Coinminers, VARIOUS PHISH.