[***] Summary: [***]
15 new OPEN, 47 new PRO (15 + 32). StormKitty, IcedID, AsyncRAT, Win32/Lmir, Various Phish.
Many rules in the Suricata 5 ruleset have been updated with Suricata 5 rule syntax/keywords. A complete list of rules that were changed can be found via the changelog here:
https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.open-nogpl.2020-10-15T00:41:10.txt
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031011 - ET CURRENT_EVENTS Possible Successful Generic Web.App Hosted Phish 2020-10-14 (current_events.rules)
2031012 - ET CURRENT_EVENTS Possible Successful Generic Windows.net Hosted Phish 2020-10-14 (current_events.rules)
2031013 - ET TROJAN Likely Malware CnC Hosted on 000webhostapp - POST to gate.php (trojan.rules)
2031014 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server (web_server.rules)
2031015 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server (web_client.rules)
2031016 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server (web_server.rules)
2031017 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server (web_client.rules)
2031018 - ET POLICY SSL/TLS Certificate Observed (Free File Hosting Service (uplovd .com)) (policy.rules)
2031019 - ET POLICY SSL/TLS Certificate Observed (Free File Hosting Service (api .anonfiles .com)) (policy.rules)
2031020 - ET TROJAN StormKitty Exfil via AnonFiles (trojan.rules)
2031021 - ET TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2031022 - ET TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2031023 - ET TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2031024 - ET TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2031025 - ET TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
Pro:
2844924 - ETPRO POLICY Observed Litecoin Activity (policy.rules)
2844925 - ETPRO MALWARE Observed Suspicious UA (HaxRebornLoader) (malware.rules)
2844926 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2844927 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2844928 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2844929 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2844930 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2844931 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2844932 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2844933 - ETPRO TROJAN VBS/Agent.apf CnC Checkin (trojan.rules)
2844934 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-14 1) (trojan.rules)
2844935 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-14 2) (trojan.rules)
2844936 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-14 3) (trojan.rules)
2844937 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-14 4) (trojan.rules)
2844938 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-14 5) (trojan.rules)
2844939 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-10-14 (current_events.rules)
2844940 - ETPRO CURRENT_EVENTS Successful Zimbra Phish 2020-10-14 (current_events.rules)
2844941 - ETPRO TROJAN Win32/Lmir Variant CnC Activity (trojan.rules)
2844942 - ETPRO TROJAN Win32/Unk.MSS CnC Host Checkin (trojan.rules)
2844943 - ETPRO CURRENT_EVENTS Successful Made in China Phish 2020-10-14 (current_events.rules)
2844944 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-10-14 (current_events.rules)
2844945 - ETPRO CURRENT_EVENTS Successful Docusign Phish 2020-10-14 (current_events.rules)
2844946 - ETPRO CURRENT_EVENTS Successful Fidelity Phish 2020-10-14 (current_events.rules)
2844947 - ETPRO CURRENT_EVENTS Successful Generic Mobile Gaming Phish 2020-10-14 (current_events.rules)
2844948 - ETPRO TROJAN Win32/Agent.ACBZ Variant CnC Activity (trojan.rules)
2844949 - ETPRO TROJAN Win32/SpyEyes.bktk CnC Activity (trojan.rules)
2844950 - ETPRO CURRENT_EVENTS Successful Intuit Turbotax Phish 2020-10-14 (current_events.rules)
2844951 - ETPRO TROJAN VBS/Agent.AT Checkin (trojan.rules)
2844952 - ETPRO TROJAN Win32/Remcos RAT Checkin 560 (trojan.rules)
2844953 - ETPRO TROJAN Win32/Remcos RAT Checkin 561 (trojan.rules)
2844954 - ETPRO TROJAN Win32/Remcos RAT Checkin 562 (trojan.rules)
2844955 - ETPRO TROJAN Win32/Emotet CnC Activity (POST) M11 (trojan.rules)
[///] Modified active rules: [///]
2006391 - ET TROJAN Poebot Related User Agent (SPM_ID=) (trojan.rules)
2008322 - ET TROJAN FraudLoad.aww HTTP CnC Post (trojan.rules)
2008340 - ET TROJAN Lost Door Checkin (trojan.rules)
[---] Disabled and modified rules: [---]
2014818 - ET TROJAN Possible SKyWIper/Win32.Flame UA (trojan.rules)
2014953 - ET TROJAN Capfire4 Checkin (update machine status) (trojan.rules)
2015632 - ET TROJAN Shamoon/Wiper/DistTrack Checkin (trojan.rules)
2016344 - ET MOBILE_MALWARE Android/Fakelash.A!tr.spy Checkin (mobile_malware.rules)
2018548 - ET TROJAN EtumBot Command Status Message (trojan.rules)
2018549 - ET TROJAN EtumBot PUT File Response (trojan.rules)
2018550 - ET TROJAN EtumBot GET File Initial Response (trojan.rules)
2018551 - ET TROJAN EtumBot GET File Data Upload (trojan.rules)
2020829 - ET TROJAN Win32/LockScreen.BW Checkin (trojan.rules)
2020901 - ET TROJAN Possible APT30 Fake Mozilla UA (trojan.rules)
2020926 - ET TROJAN FormerFirstRAT HTTP POST CnC Beacon (trojan.rules)
2803545 - ETPRO TROJAN Suspicious User-Agent (SqUeEzEr) (trojan.rules)
2804877 - ETPRO MOBILE_MALWARE Android MALWARE Sending info (mobile_malware.rules)
2804880 - ETPRO MOBILE_MALWARE ANDROIDOS_TIGERBOT.EVL CNC (mobile_malware.rules)