[***] Summary: [***]
8 new OPEN, 27 new PRO (8 + 19). StormKitty, Cobalt Strike, IcedID, Various Phishing.
Many rules in the Suricata 5 ruleset have been updated with Suricata 5 rule syntax/keywords. A complete list of rules that were changed can be found via the changelog here:
https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.open-nogpl.2020-10-13T23:18:30.txt
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031003 - ET CURRENT_EVENTS Instagram Phishing Landing 2020-10-13 (current_events.rules)
2031004 - ET CURRENT_EVENTS Instagram Phishing Landing 2020-10-13 (current_events.rules)
2031005 - ET CURRENT_EVENTS Possible Instagram Phishing Domain (current_events.rules)
2031006 - ET CURRENT_EVENTS Microsoft Account Login Hosted on Firebasestorage (current_events.rules)
2031007 - ET TROJAN PoetRAT CnC Domain in DNS Lookup (trojan.rules)
2031008 - ET POLICY BSSID Location Lookup via api .mylnikov .org (policy.rules)
2031009 - ET TROJAN StormKitty Data Exfil via Telegram (trojan.rules)
2031010 - ET CURRENT_EVENTS Chase Phish Landing 2020-10-13 (current_events.rules)
Pro:
2844905 - ETPRO TROJAN Cobalt Strike Malleable C2 (MSDN Query Profile) (trojan.rules)
2844906 - ETPRO POLICY External IP Lookup via ifconfig. io (policy.rules)
2844907 - ETPRO POLICY External IP Lookup via whatismyip. akamai. com (policy.rules)
2844908 - ETPRO POLICY External IP Lookup via diagnostic. opendns. com (policy.rules)
2844909 - ETPRO POLICY External IP Lookup via tnx. nl (policy.rules)
2844910 - ETPRO TROJAN Possible FlowCloud Dependency Download (trojan.rules)
2844911 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-11 1) (trojan.rules)
2844912 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-11 2) (trojan.rules)
2844913 - ETPRO TROJAN Haskell Downloader CnC Activity (trojan.rules)
2844914 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-10-13 (current_events.rules)
2844915 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844916 - ETPRO TROJAN Observed AZORult CnC Domain in TLS SNI (trojan.rules)
2844917 - ETPRO TROJAN Observed Malicious SSL Cert (AZORult CnC) (trojan.rules)
2844918 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844919 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844920 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844921 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2844922 - ETPRO CURRENT_EVENTS Successful Huntington Bank Phish 2020-10-13 (current_events.rules)
2844923 - ETPRO MALWARE Win32/Spigot Activity (malware.rules)
[///] Modified active rules: [///]
2003527 - ET MALWARE WinSoftware.com Spyware User-Agent (WinSoftware) (malware.rules)
2003528 - ET MALWARE WinSoftware.com Spyware User-Agent (NetInstaller) (malware.rules)
2003590 - ET TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID) (trojan.rules)
2003647 - ET TROJAN Backdoor.Irc.MFV User Agent Detected (IRC-U) (trojan.rules)
2007689 - ET TROJAN Hupigon User Agent Detected (??) (trojan.rules)
[---] Disabled and modified rules: [---]
2006418 - ET MALWARE Vaccineprogram.co.kr Related Spyware User-Agent (Museon) (malware.rules)
2010838 - ET TROJAN WScript/VBScript XMLHTTP downloader likely malicious get?src= (trojan.rules)
2023232 - ET WEB_SERVER HTTP Request to a *.9507c4e8.com domain - Anuna Checkin - Compromised PHP Site (web_server.rules)
2023233 - ET WEB_SERVER HTTP Request to a *.e5b57288.com domain - Anuna Checkin - Compromised PHP Site (web_server.rules)
2800867 - ETPRO MALWARE RogueAntiSpyware Spyware User Agent (malware.rules)
2800952 - ETPRO MALWARE Adware.Win32.Favoclick UA Activity (malware.rules)
2801436 - ETPRO USER_AGENTS Synopsis1.com Related Trojan Checkin (user_agents.rules)
2801866 - ETPRO TROJAN Emogen.H User-Agent Detected (trojan.rules)
2802105 - ETPRO POLICY MOBILE iPhone Data Access User-Agent Detected (policy.rules)
2802191 - ETPRO USER_AGENTS Suspicious User-Agent SameAgent (user_agents.rules)
2802192 - ETPRO USER_AGENTS Suspicious User-Agent UserLM (user_agents.rules)
2802842 - ETPRO USER_AGENTS Suspicious User-Agent walcome - Likely Malware (user_agents.rules)
2803200 - ETPRO TROJAN Suspicious User-Agent (uk-) (trojan.rules)
2803363 - ETPRO TROJAN Suspicious User-Agent (HiJackThis) (trojan.rules)
2803440 - ETPRO TROJAN Suspicious User-Agent (Update Checker Client) (trojan.rules)
2803466 - ETPRO USER_AGENTS Suspicious User-Agent (webdate) (user_agents.rules)
2803559 - ETPRO TROJAN Suspicious User-Agent (msdrMozil) (trojan.rules)
2803621 - ETPRO POLICY Rapidshare Manager User-Agent (RapidUploader) (policy.rules)
2803649 - ETPRO TROJAN Suspicious User-Agent (InsCnt) (trojan.rules)
2803829 - ETPRO POLICY Bitcoin Cash Guild Bot Work Request (policy.rules)
2803863 - ETPRO TROJAN Win32/Yabinder.2_0 User-Agent (Sekreter) (trojan.rules)
2803907 - ETPRO MOBILE_MALWARE LeNa Android Malware Checkin (mobile_malware.rules)
2803909 - ETPRO MOBILE_MALWARE LeNa Android CnC Command (DownOk) (mobile_malware.rules)
2803910 - ETPRO MOBILE_MALWARE LeNa Android CnC Command (INSTOK) (mobile_malware.rules)
2803911 - ETPRO MOBILE_MALWARE LeNa Android CnC Command (RUNOK) (mobile_malware.rules)
2806104 - ETPRO TROJAN TROJ_AGENT.EVF checkin (trojan.rules)
2809206 - ETPRO TROJAN FakeMS.abms Checkin (trojan.rules)
2811054 - ETPRO MALWARE Adware/OptimizerMonitor CnC Beacon 2 (malware.rules)
2811690 - ETPRO MALWARE Unknown Checkin (malware.rules)
2811786 - ETPRO MALWARE ADWARE/MultiPlug.Gen4 Checkin (malware.rules)
2812073 - ETPRO MALWARE Win32/ExpressDownloader.K Checkin (malware.rules)
2814272 - ETPRO MALWARE NetFilter PUA Installation Beacon (malware.rules)
2815023 - ETPRO MALWARE Win32/Adware.RVplatform PUP Checkin (malware.rules)
2820961 - ETPRO MOBILE_MALWARE Trojan-Downloader.AndroidOS.Boqx.a Checkin 2 (mobile_malware.rules)
2821620 - ETPRO TROJAN OwaAuth/Soybalek Backdoor Magic String (INBOUND) 1 (trojan.rules)
2821621 - ETPRO TROJAN OwaAuth/Soybalek Backdoor Magic String (INBOUND) 2 (trojan.rules)
2825777 - ETPRO TROJAN Torrentlocker Ransom Page HTTP Request (trojan.rules)