[***] Summary: [***]
2 new OPEN, 29 new PRO (2 + 27). Tonto_SPM Backdoor, AsyncRAT, XDSpy, Various Miners, VARIOUS PHISH.
With today's release of Suricata 6.0 (congrats!), the Emerging Threats Team would like to announce supplemental rule download support for this new version. Users attempting to retrieve a 6.0.0 fork of the rules will be pulling the current 5.0 ruleset, which has been performance tested for 6.0.0.
ET Suricata 6.0 ruleset:
https://rules.emergingthreatspro.com/open/suricata-6.0/rules/
Suricata Release info:
https://suricata-ids.org/2020/10/08/suricata-6-0-0-released/
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2030990 - ET TROJAN Tonto_SPM Backdoor CnC Activity (trojan.rules)
2030991 - ET TROJAN Observed PoetRAT Domain (slimip .accesscam .org in TLS SNI) (trojan.rules)
Pro:
2844829 - ETPRO TROJAN LiteHTTP Variant CnC Activity (trojan.rules)
2844836 - ETPRO TROJAN Win32/BR.UnkLoader CnC Checkin (trojan.rules)
2844837 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2844838 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2844839 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2844840 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2844841 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2844842 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-08 1) (trojan.rules)
2844843 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-08 2) (trojan.rules)
2844844 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-08 3) (trojan.rules)
2844845 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-10-08 (current_events.rules)
2844846 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-10-08 (current_events.rules)
2844847 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-10-08 (current_events.rules)
2844848 - ETPRO CURRENT_EVENTS Successful Credit Agricole Phish 2020-10-08 (current_events.rules)
2844849 - ETPRO CURRENT_EVENTS Successful Maersk Phish 2020-10-08 (current_events.rules)
2844850 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-10-08 (current_events.rules)
2844851 - ETPRO TROJAN Silence Downloader Initial Checkin (trojan.rules)
2844852 - ETPRO CURRENT_EVENTS Successful Ebay Phish 2020-10-08 (current_events.rules)
2844853 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-10-08 (current_events.rules)
2844854 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-10-08 (current_events.rules)
2844855 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2020-10-08 (current_events.rules)
2844856 - ETPRO CURRENT_EVENTS Successful Huntington Bank Phish 2020-10-08 (current_events.rules)
2844857 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844858 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844859 - ETPRO TROJAN Malicious SSL Certificate detected (AZORult CnC) (trojan.rules)
2844860 - ETPRO TROJAN XDSPY Activity (trojan.rules)
2844861 - ETPRO TROJAN XDSPY .dll Download Request (trojan.rules)
[///] Modified active rules: [///]
2002078 - ET USER_AGENTS SideStep User-Agent (user_agents.rules)
2010875 - ET TROJAN Blackenergy Bot Checkin to C&C (2) (trojan.rules)
2015015 - ET POLICY Download Request to Hotfile.com (policy.rules)
2016773 - ET TROJAN Mutter Backdoor Checkin (trojan.rules)
2016912 - ET TROJAN W32/KeyLogger.ACQH!tr Checkin (trojan.rules)
2016932 - ET TROJAN Spy/Infostealer.Win32.Embed.A Client Traffic (trojan.rules)
2017927 - ET POLICY check.torproject.org IP lookup/Tor Usage check over HTTP (policy.rules)
2022271 - ET INFO SUSPICIOUS Possible Evil Download wsf Double Ext No Referer (info.rules)
2023240 - ET MOBILE_MALWARE iOS DualToy Checkin (mobile_malware.rules)
2023520 - ET POLICY External IP Lookup (tinytools.nu) (policy.rules)
2023754 - ET CURRENT_EVENTS Malicious JS.Nemucod to PS Dropping PE Nov 14 M2 (current_events.rules)
2023756 - ET WEB_CLIENT Possible Chrome WebEx Extension RCE Attempt (web_client.rules)
2023817 - ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 EXE Download (current_events.rules)
2023871 - ET TROJAN Ursnif Variant Retrieving Payload (x32) (trojan.rules)
2023872 - ET TROJAN Ursnif Variant Retrieving Payload (x64) (trojan.rules)
2023917 - ET TROJAN APT28 Uploader Variant Fake Request to Google (trojan.rules)
2023930 - ET TROJAN Miniduke Variant CnC Beacon via WebDAV (trojan.rules)
2023933 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b CnC Beacon (mobile_malware.rules)
2023934 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b Apps List Exfil (mobile_malware.rules)
2023948 - ET TROJAN MAGICHOUND.FETCH Retrieving Malicious PowerShell (trojan.rules)
2023967 - ET TROJAN APT29 Implant8 - Evil Twitter Callback (trojan.rules)
2024039 - ET WEB_SPECIFIC_APPS Possible Drupal Object Unserialize Exploit Attempt (web_specific_apps.rules)
2024055 - ET CURRENT_EVENTS Terror EK Payload RC4 Key M1 Mar 14 2017 (current_events.rules)
2024064 - ET TROJAN MagikPOS Downloader Retrieving Payload (trojan.rules)
2024067 - ET TROJAN MagikPOS CnC Beacon (trojan.rules)
2030955 - ET TROJAN XDUpload Uploading Directory Listting (trojan.rules)
2805434 - ETPRO TROJAN Trojan-Downloader.Win32.SpyAgent.r Checkin (trojan.rules)
2805865 - ETPRO TROJAN TROJ_MOTMOT.CI Checkin (trojan.rules)
2806422 - ETPRO TROJAN Trojan-Dropper.Win32.Dapato.bfjn Download (trojan.rules)
2808044 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.ao / Cardbuyer Checkin 2 (mobile_malware.rules)
2808510 - ETPRO TROJAN StoneDrill Wiper Checkin 2 (trojan.rules)
2810737 - ETPRO TROJAN Simda CnC Beacon (trojan.rules)
2811866 - ETPRO MOBILE_MALWARE Android/SMSreg.TD Checkin (mobile_malware.rules)
2815026 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.MobiDash.c Checkin (mobile_malware.rules)
2815531 - ETPRO TROJAN MSIL/Zyklon CnC (get plugin) (trojan.rules)
2815653 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Ewind.ao Checkin (mobile_malware.rules)
2819866 - ETPRO MOBILE_MALWARE Android.Trojan.Downloader.CI Checkin (mobile_malware.rules)
2821479 - ETPRO MOBILE_MALWARE Android/Agent.YF Checkin (mobile_malware.rules)
2821840 - ETPRO MOBILE_MALWARE Android/SMForw.MV Checkin (mobile_malware.rules)
2823251 - ETPRO CURRENT_EVENTS Malicious JS to PS Dropping PE Nov 14 (current_events.rules)
2824464 - ETPRO TROJAN Possible Rocket Kitten CnC Checkin (trojan.rules)
2824507 - ETPRO TROJAN Unknown MalDoc CnC Beacon (trojan.rules)
2824547 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.g Contact Exfil (mobile_malware.rules)
2824557 - ETPRO TROJAN Go/Ransomware Variant CnC Beacon (trojan.rules)
2824584 - ETPRO TROJAN Linux.Rex.b Retrieving C2 Address (trojan.rules)
2824591 - ETPRO TROJAN Gorynych CnC Checkin (trojan.rules)
2824624 - ETPRO TROJAN JS.Downloader.HLD CnC Reporting Dropped PE (trojan.rules)
2824638 - ETPRO TROJAN Win32/CryptFile2 Ransomware OS Check (trojan.rules)
2824720 - ETPRO TROJAN Ursnif JS Downloader Payload Request - Set (trojan.rules)
2824740 - ETPRO WEB_SERVER Possible WP REST API Type Juggling Vuln Exploit Attempt (web_server.rules)
2824769 - ETPRO TROJAN MSIL/TrojanDownloader.Small.ASE Downloading DLL (trojan.rules)
2824770 - ETPRO WEB_SERVER Possible WP REST API Type Juggling Vuln Exploit Attempt 2 (web_server.rules)
2824780 - ETPRO TROJAN Possible Win32/KeyLogger.HomeKeyLogger Retrieving Netcat (trojan.rules)
2824804 - ETPRO MOBILE_MALWARE Android/Agent.EB Checkin (mobile_malware.rules)
2824846 - ETPRO TROJAN Win32/Spy.Banker.ACVB CnC Beacon (trojan.rules)
2824853 - ETPRO TROJAN RocketKitten Win32.Diple.gtyj CnC Beacon (trojan.rules)
2824866 - ETPRO TROJAN MSIL/Injector.PER Variant CnC Beacon (trojan.rules)
2824867 - ETPRO TROJAN Win32.Laqma.c Checkin (trojan.rules)
2824868 - ETPRO MOBILE_MALWARE Android/SmsSpy.AS CnC Beacon (mobile_malware.rules)
2824877 - ETPRO MOBILE_MALWARE PUA Android/Secapk.E Checkin (mobile_malware.rules)
2824915 - ETPRO POLICY Possible GameVance HTTP Request (policy.rules)
2824920 - ETPRO MOBILE_MALWARE Android/Monitor.Mytrackp.C Checkin (mobile_malware.rules)
2824979 - ETPRO MOBILE_MALWARE Trojan-FakeAV.AndroidOS.Provar.a File Download (mobile_malware.rules)
2824981 - ETPRO MOBILE_MALWARE PUA Android/Skymobi.I Checkin (mobile_malware.rules)
2824990 - ETPRO TROJAN Win32/TrojanDownloader.Agent.SCQ CnC Beacon (trojan.rules)
2824998 - ETPRO MOBILE_MALWARE PUA RiskTool.AndroidOS.Dnotua.oe Checkin (mobile_malware.rules)
2824999 - ETPRO MOBILE_MALWARE PUA RiskTool.AndroidOS.Dnotua.oe Checkin 2 (mobile_malware.rules)
2825015 - ETPRO MOBILE_MALWARE Android.Trojan.Ogel.AU CnC Beacon (mobile_malware.rules)
2825017 - ETPRO MOBILE_MALWARE Android.Adware.Mulad.AD Checkin (mobile_malware.rules)
2825028 - ETPRO CURRENT_EVENTS Possible SunDown EK Payload T2 Feb 17 2017 (current_events.rules)
2825045 - ETPRO MOBILE_MALWARE Android/SmsSpy.AS CnC Beacon 2 (mobile_malware.rules)
2825047 - ETPRO MOBILE_MALWARE Android.Trojan.HiddenAds.BK Checkin (mobile_malware.rules)
2825066 - ETPRO TROJAN W32/VenusLocker Ransomware Desktop Background Image GET Request 2 (trojan.rules)
2825093 - ETPRO TROJAN Unknown CMSBrute Checkin / Retrieving Targets (trojan.rules)
2825139 - ETPRO TROJAN Possible Ursnif Tor Module Download M2 (trojan.rules)
2825140 - ETPRO TROJAN Possible Ursnif Tor Module Download M2 (trojan.rules)
2825142 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Dowgin.d CnC Beacon (mobile_malware.rules)
2825154 - ETPRO MOBILE_MALWARE Android/Mseg.B CnC Beacon (mobile_malware.rules)
2825164 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Dowgin.d CnC Beacon 2 (mobile_malware.rules)
2825165 - ETPRO MOBILE_MALWARE PUA Android/KyView.E Checkin (mobile_malware.rules)
2825170 - ETPRO MOBILE_MALWARE Android/DocaP.B Checkin (mobile_malware.rules)
2825171 - ETPRO MOBILE_MALWARE Android.Adware.NoiconAds.A CnC Beacon (mobile_malware.rules)
2825172 - ETPRO MOBILE_MALWARE Android.Adware.NoiconAds.A CnC Beacon 2 (mobile_malware.rules)
2825180 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Iop.d CnC Beacon (mobile_malware.rules)
2825189 - ETPRO TROJAN Win32.Orsam/Cosmo Checkin 3 (trojan.rules)
2825197 - ETPRO MOBILE_MALWARE Trojan-Clicker.AndroidOS.Simpo.bo Checkin (mobile_malware.rules)
2825208 - ETPRO CURRENT_EVENTS SunDown EK T2 Flash Exploit URI Struct March 02 2017 (current_events.rules)
2825225 - ETPRO MOBILE_MALWARE Android/SMSreg.RA Checkin 2 (mobile_malware.rules)
2825230 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Shedun.E CnC Beacon (mobile_malware.rules)
2825241 - ETPRO MOBILE_MALWARE Monitoring-Tool Android/MobileSpy.C SMS Exfil (mobile_malware.rules)
2825274 - ETPRO TROJAN MSIL.EngWUltimate Stealer Checkin (trojan.rules)
2825341 - ETPRO TROJAN Bancos Variant CnC Beacon (trojan.rules)
2825350 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.PhoneSpy.b Checkin (mobile_malware.rules)
2825362 - ETPRO TROJAN Bancos Variant CnC Beacon (trojan.rules)
2825371 - ETPRO MOBILE_MALWARE Android.Adware.Adwo.A CNC Beacon (mobile_malware.rules)
2825372 - ETPRO MOBILE_MALWARE Android.KorBanker CnC Beacon 2 (mobile_malware.rules)
2825373 - ETPRO MOBILE_MALWARE Android.KorBanker CnC Beacon 3 (mobile_malware.rules)
2825458 - ETPRO TROJAN Banload Variant Checkin (trojan.rules)
2825471 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Ewind.bc Checkin (mobile_malware.rules)
2825479 - ETPRO MOBILE_MALWARE Android/AdDisplay.Clevernet.A Checkin (mobile_malware.rules)
2825512 - ETPRO TROJAN Ursnif Module Download (trojan.rules)
2825514 - ETPRO MOBILE_MALWARE Android.Trojan.Triada.J Checkin (mobile_malware.rules)
[---] Disabled and modified rules: [---]
2024040 - ET CURRENT_EVENTS EITest SocEng Fake Font DL March 09 2017 (current_events.rules)
2807287 - ETPRO TROJAN Trojan-Dropper.Win32.Agent.iish Checkin (trojan.rules)
2808754 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Krosec.a Checkin (mobile_malware.rules)
2810766 - ETPRO MOBILE_MALWARE Unknown Checkin (mobile_malware.rules)
2812790 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.fj Checkin (mobile_malware.rules)
2820935 - ETPRO MOBILE_MALWARE Android/Agent.UH Checkin (mobile_malware.rules)
2824536 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.TP Checkin (mobile_malware.rules)
2824582 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.AAT File Download (mobile_malware.rules)
2824583 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Geinimi.a Checkin (mobile_malware.rules)
2824606 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.hn CnC Beacon (mobile_malware.rules)
2824679 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Feejar.H Checkin (mobile_malware.rules)
2824718 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.BS Checkin (mobile_malware.rules)
2824730 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.NE Checkin (mobile_malware.rules)
2824743 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Sadpor.f Checkin (mobile_malware.rules)
2824805 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.AR Checkin (mobile_malware.rules)
2824880 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.QA CnC Beacon (mobile_malware.rules)
2824949 - ETPRO TROJAN W32/Dragon BR Banker v1.x Checkin M2 (trojan.rules)
2824991 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iop.x CnC Beacon (mobile_malware.rules)
2825206 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.EZ Checkin (mobile_malware.rules)
2825228 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.em CnC Beacon (mobile_malware.rules)
2825238 - ETPRO MOBILE_MALWARE Android/SMSreg.FR CnC Beacon (mobile_malware.rules)
2825257 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.AZ Checkin (mobile_malware.rules)
2825300 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.IC File Download (mobile_malware.rules)
2825308 - ETPRO MOBILE_MALWARE AndroidOS/Secapk.A Checkin (mobile_malware.rules)
2825319 - ETPRO MOBILE_MALWARE Android.Trojan.Downloader.N CnC Beacon (mobile_malware.rules)
2825331 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.FS CnC Beacon (mobile_malware.rules)
2825335 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.BH Checkin (mobile_malware.rules)
2825480 - ETPRO MOBILE_MALWARE Android.Trojan.SMSBot.C CnC Beacon (mobile_malware.rules)
2825482 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Stiniter.a Checkin (mobile_malware.rules)
2825508 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.e CnC Beacon (mobile_malware.rules)
2825509 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.e CnC Beacon 2 (mobile_malware.rules)
2825522 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.SO Checkin (mobile_malware.rules)
2825523 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.SO Checkin 2 (mobile_malware.rules)
2825524 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.SO Checkin 3 (mobile_malware.rules)
[---] Removed rules: [---]
2844829 - ETPRO MALWARE LiteHTTP Variant CnC Activity (malware.rules)