[***]            Summary:            [***]

8 new OPEN, 27 new PRO (8 + 19). StormKitty, Cobalt Strike, IcedID, Various Phishing.

Many rules in the Suricata 5 ruleset have been updated to use Suricata 5 rule syntax/keywords. A complete list of the rules that were changed can be found in the changelog here:
https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.open-nogpl.2020-10-13T23:18:30.txt

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031003 - ET CURRENT_EVENTS Instagram Phishing Landing 2020-10-13 (current_events.rules)
  2031004 - ET CURRENT_EVENTS Instagram Phishing Landing 2020-10-13 (current_events.rules)
  2031005 - ET CURRENT_EVENTS Possible Instagram Phishing Domain (current_events.rules)
  2031006 - ET CURRENT_EVENTS Microsoft Account Login Hosted on Firebasestorage (current_events.rules)
  2031007 - ET TROJAN PoetRAT CnC Domain in DNS Lookup (trojan.rules)
  2031008 - ET POLICY BSSID Location Lookup via api .mylnikov .org (policy.rules)
  2031009 - ET TROJAN StormKitty Data Exfil via Telegram (trojan.rules)
  2031010 - ET CURRENT_EVENTS Chase Phish Landing 2020-10-13 (current_events.rules)

Pro:

  2844905 - ETPRO TROJAN Cobalt Strike Malleable C2 (MSDN Query Profile) (trojan.rules)
  2844906 - ETPRO POLICY External IP Lookup via ifconfig. io (policy.rules)
  2844907 - ETPRO POLICY External IP Lookup via whatismyip. akamai. com (policy.rules)
  2844908 - ETPRO POLICY External IP Lookup via diagnostic. opendns. com (policy.rules)
  2844909 - ETPRO POLICY External IP Lookup via tnx. nl (policy.rules)
  2844910 - ETPRO TROJAN Possible FlowCloud Dependency Download (trojan.rules)
  2844911 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-11 1) (trojan.rules)
  2844912 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-11 2) (trojan.rules)
  2844913 - ETPRO TROJAN Haskell Downloader CnC Activity (trojan.rules)
  2844914 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-10-13 (current_events.rules)
  2844915 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
  2844916 - ETPRO TROJAN Observed AZORult CnC Domain in TLS SNI (trojan.rules)
  2844917 - ETPRO TROJAN Observed Malicious SSL Cert (AZORult CnC) (trojan.rules)
  2844918 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
  2844919 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
  2844920 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
  2844921 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
  2844922 - ETPRO CURRENT_EVENTS Successful Huntington Bank Phish 2020-10-13 (current_events.rules)
  2844923 - ETPRO MALWARE Win32/Spigot Activity (malware.rules)

[///]     Modified active rules:     [///]

  2003527 - ET MALWARE WinSoftware.com Spyware User-Agent (WinSoftware) (malware.rules)
  2003528 - ET MALWARE WinSoftware.com Spyware User-Agent (NetInstaller) (malware.rules)
  2003590 - ET TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID) (trojan.rules)
  2003647 - ET TROJAN Backdoor.Irc.MFV User Agent Detected (IRC-U) (trojan.rules)
  2007689 - ET TROJAN Hupigon User Agent Detected (??) (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2006418 - ET MALWARE Vaccineprogram.co.kr Related Spyware User-Agent (Museon) (malware.rules)
  2010838 - ET TROJAN WScript/VBScript XMLHTTP downloader likely malicious get?src= (trojan.rules)
  2023232 - ET WEB_SERVER HTTP Request to a *.9507c4e8.com domain - Anuna Checkin - Compromised PHP Site (web_server.rules)
  2023233 - ET WEB_SERVER HTTP Request to a *.e5b57288.com domain - Anuna Checkin - Compromised PHP Site (web_server.rules)
  2800867 - ETPRO MALWARE RogueAntiSpyware Spyware User Agent (malware.rules)
  2800952 - ETPRO MALWARE Adware.Win32.Favoclick UA Activity (malware.rules)
  2801436 - ETPRO USER_AGENTS Synopsis1.com Related Trojan Checkin (user_agents.rules)
  2801866 - ETPRO TROJAN Emogen.H User-Agent Detected (trojan.rules)
  2802105 - ETPRO POLICY MOBILE iPhone Data Access User-Agent Detected (policy.rules)
  2802191 - ETPRO USER_AGENTS Suspicious User-Agent SameAgent (user_agents.rules)
  2802192 - ETPRO USER_AGENTS Suspicious User-Agent UserLM (user_agents.rules)
  2802842 - ETPRO USER_AGENTS Suspicious User-Agent walcome - Likely Malware (user_agents.rules)
  2803200 - ETPRO TROJAN Suspicious User-Agent (uk-) (trojan.rules)
  2803363 - ETPRO TROJAN Suspicious User-Agent (HiJackThis) (trojan.rules)
  2803440 - ETPRO TROJAN Suspicious User-Agent (Update Checker Client) (trojan.rules)
  2803466 - ETPRO USER_AGENTS Suspicious User-Agent (webdate) (user_agents.rules)
  2803559 - ETPRO TROJAN Suspicious User-Agent (msdrMozil) (trojan.rules)
  2803621 - ETPRO POLICY Rapidshare Manager User-Agent (RapidUploader) (policy.rules)
  2803649 - ETPRO TROJAN Suspicious User-Agent (InsCnt) (trojan.rules)
  2803829 - ETPRO POLICY Bitcoin Cash Guild Bot Work Request (policy.rules)
  2803863 - ETPRO TROJAN Win32/Yabinder.2_0 User-Agent (Sekreter) (trojan.rules)
  2803907 - ETPRO MOBILE_MALWARE LeNa Android Malware Checkin (mobile_malware.rules)
  2803909 - ETPRO MOBILE_MALWARE LeNa Android CnC Command (DownOk) (mobile_malware.rules)
  2803910 - ETPRO MOBILE_MALWARE LeNa Android CnC Command (INSTOK) (mobile_malware.rules)
  2803911 - ETPRO MOBILE_MALWARE LeNa Android CnC Command (RUNOK) (mobile_malware.rules)
  2806104 - ETPRO TROJAN TROJ_AGENT.EVF checkin (trojan.rules)
  2809206 - ETPRO TROJAN FakeMS.abms Checkin (trojan.rules)
  2811054 - ETPRO MALWARE Adware/OptimizerMonitor CnC Beacon 2 (malware.rules)
  2811690 - ETPRO MALWARE Unknown Checkin (malware.rules)
  2811786 - ETPRO MALWARE ADWARE/MultiPlug.Gen4 Checkin (malware.rules)
  2812073 - ETPRO MALWARE Win32/ExpressDownloader.K Checkin (malware.rules)
  2814272 - ETPRO MALWARE NetFilter PUA Installation Beacon (malware.rules)
  2815023 - ETPRO MALWARE Win32/Adware.RVplatform PUP Checkin (malware.rules)
  2820961 - ETPRO MOBILE_MALWARE Trojan-Downloader.AndroidOS.Boqx.a Checkin 2 (mobile_malware.rules)
  2821620 - ETPRO TROJAN OwaAuth/Soybalek Backdoor Magic String (INBOUND) 1 (trojan.rules)
  2821621 - ETPRO TROJAN OwaAuth/Soybalek Backdoor Magic String (INBOUND) 2 (trojan.rules)
  2825777 - ETPRO TROJAN Torrentlocker Ransom Page HTTP Request (trojan.rules)
