Daily Ruleset Update Summary 2020/10/20

[***] Summary: [***]

4 new OPEN, 44 new PRO (4 + 40). Various DNS over HTTPS, Fire-Cloud, GravityRAT, Various others.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2031062 - ET CURRENT_EVENTS Suntrust Captcha Phishing Landing
(current_events.rules)
2031063 - ET CURRENT_EVENTS Apple Phishing Panel Accessed on
Internal Server (current_events.rules)
2031064 - ET CURRENT_EVENTS Apple Phishing Panel Accessed on
External Server (current_events.rules)
2031065 - ET USER_AGENTS Suspicious User-Agent (Fire-Cloud)
(user_agents.rules)

Pro:

2845025 - ETPRO MOBILE_MALWARE Android/GravityRAT CnC Beacon
(mobile_malware.rules)
2845026 - ETPRO MOBILE_MALWARE AndroidOS/Trojan.OJNF-2 Checkin
(mobile_malware.rules)
2845027 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI
(doh .cleanbrowsing .org) (policy.rules)
2845028 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI
(dns .dnsoverhttps .net) (policy.rules)
2845029 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI
(doh .crypto .sx) (policy.rules)
2845030 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI
(doh .powerdns .org) (policy.rules)
2845031 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI
(doh-jp .blahdns .com) (policy.rules)
2845032 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI
(dns .dns-over-https .com) (policy.rules)
2845033 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI
(dns9 .quad9 .net) (policy.rules)
2845034 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI
(dns10 .quad9 .net) (policy.rules)
2845035 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI
(doh .dnswarden .com) (policy.rules)
2845036 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI
(doh .captnemo .in) (policy.rules)
2845037 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI
(doh .tiar .app) (policy.rules)
2845038 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI
(doh .xfinity .com) (policy.rules)
2845039 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-10-20 (current_events.rules)
2845040 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish
2020-10-20 (current_events.rules)
2845041 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish
2020-10-20 (current_events.rules)
2845042 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-10-20 (current_events.rules)
2845043 - ETPRO CURRENT_EVENTS Successful Office 365 Phish
2020-10-20 (current_events.rules)
2845044 - ETPRO CURRENT_EVENTS Successful Scotiabank Phish
2020-10-20 (current_events.rules)
2845045 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish
2020-10-20 (current_events.rules)
2845046 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-10-20
(current_events.rules)
2845047 - ETPRO TROJAN Win32/Delf.BLT Variant CnC Activity (trojan.rules)
2845048 - ETPRO TROJAN VBS/Dojos Downloader Activity M1 (trojan.rules)
2845049 - ETPRO TROJAN VBS/Dojos Downloader Activity M2 (trojan.rules)
2845050 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-20 1) (trojan.rules)
2845051 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-20 2) (trojan.rules)
2845052 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-20 3) (trojan.rules)
2845053 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-20 4) (trojan.rules)
2845054 - ETPRO TROJAN MSIL/Spy.Agent.CYF Variant CnC Exfil (trojan.rules)
2845055 - ETPRO TROJAN Fire-Cloud Checkin (trojan.rules)
2845056 - ETPRO TROJAN Fire-Cloud Server Response (trojan.rules)
2845057 - ETPRO TROJAN Win32/Remcos RAT Checkin 571 (trojan.rules)
2845058 - ETPRO TROJAN Win32/Remcos RAT Checkin 572 (trojan.rules)
2845059 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845060 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845061 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845062 - ETPRO POLICY Observed DNS Query to Dynamic DNS Service
(policy.rules)
2845063 - ETPRO MALWARE Teleperformance BYOD Installer Activity
(malware.rules)
2845064 - ETPRO TROJAN Possible DNSCat2 Powershell Client Activity
(trojan.rules)

[///] Modified active rules: [///]

2003505 - ET MALWARE Toplist.cz Related Spyware Checkin (malware.rules)
2013504 - ET POLICY GNU/Linux APT User-Agent Outbound likely related
to package management (policy.rules)
2019946 - ET TROJAN W32/Farfli.BHQ!tr Dropper CnC Beacon (trojan.rules)
2020897 - ET TROJAN Possible APT30 or Win32/Nuclear HTTP Framework
(trojan.rules)
2025518 - ET POLICY Vulnerable Java Version 10.0.x Detected (policy.rules)
2027364 - ET TROJAN BlackTech Plead Encrypted Payload Inbound (trojan.rules)
2027886 - ET TROJAN Win32/DarkRAT CnC Activity (trojan.rules)
2028650 - ET USER_AGENTS Steam HTTP Client User-Agent (user_agents.rules)
2028835 - ET TROJAN Observed Malicious SSL Cert (MageCart Staging
Domain) (trojan.rules)
2028836 - ET TROJAN Observed Malicious SSL Cert (MageCart Staging
Domain) (trojan.rules)
2028843 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
2028844 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
2028845 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
2028846 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
2028847 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
2028848 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
2028849 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
2028850 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
2028851 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
2028852 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
2028853 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
2028854 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
2028855 - ET TROJAN MiniDuke Domain Observed (trojan.rules)
2028856 - ET TROJAN MiniDuke Domain Observed (trojan.rules)
2028857 - ET TROJAN FatDuke Domain Observed (trojan.rules)
2028858 - ET TROJAN FatDuke Domain Observed (trojan.rules)
2028859 - ET TROJAN FatDuke Domain Observed (trojan.rules)
2028860 - ET TROJAN FatDuke Domain Observed (trojan.rules)
2028861 - ET TROJAN FatDuke Domain Observed (trojan.rules)
2028862 - ET TROJAN LiteDuke Domain Observed (trojan.rules)
2028868 - ET POLICY Vulnerable Java Version 12.0.x Detected (policy.rules)
2028870 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query (trojan.rules)
2028871 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query (trojan.rules)
2028872 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query (trojan.rules)
2028873 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query (trojan.rules)
2028874 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query (trojan.rules)
2028875 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query (trojan.rules)
2028876 - ET TROJAN Steganographic Encoded WAV File Inbound via HTTP
M1 (trojan.rules)
2028877 - ET TROJAN Steganographic Encoded WAV File Inbound via HTTP
M2 (trojan.rules)
2028893 - ET TROJAN Observed Malicious SSL Cert (DonotGroup CnC)
(trojan.rules)
2028895 - ET WEB_SERVER Possible PHP Remote Code Execution
CVE-2019-11043 PoC (Inbound) (web_server.rules)
2028898 - ET TROJAN Observed Malicious SSL Cert (APT32 CnC) (trojan.rules)
2028899 - ET TROJAN Lazarus CnC Domain Observed in DNS Query (trojan.rules)
2028900 - ET TROJAN Lazarus CnC Domain Observed in DNS Query (trojan.rules)
2028901 - ET TROJAN Lazarus CnC Domain Observed in DNS Query (trojan.rules)
2028902 - ET TROJAN Lazarus CnC Domain Observed in DNS Query (trojan.rules)
2028903 - ET TROJAN Lazarus CnC Domain Observed in DNS Query (trojan.rules)
2028904 - ET TROJAN Lazarus CnC Domain Observed in DNS Query (trojan.rules)
2028909 - ET TROJAN Diezen/Sakabota CnC Domain Observed in DNS Query
(trojan.rules)
2028910 - ET TROJAN Diezen/Sakabota CnC Domain Observed in DNS Query
(trojan.rules)
2028921 - ET TROJAN Kimsuky CnC Domain Observed in DNS Query (trojan.rules)
2807931 - ETPRO MOBILE_MALWARE Android/Badao.A Checkin 2
(mobile_malware.rules)
2808335 - ETPRO POLICY Win32/RemoteAdmin.RemoteUtilities.C Checkin
(policy.rules)
2809587 - ETPRO TROJAN Win32/Spy.Agent.OLV Checkin (trojan.rules)
2809677 - ETPRO TROJAN HackTool/Win32.Dohuk Downloading Files (trojan.rules)
2809715 - ETPRO TROJAN Win32/Kilim.D Checkin (trojan.rules)
2810720 - ETPRO TROJAN BAT/Autorun.FN Variant Dropping Files (trojan.rules)
2815201 - ETPRO TROJAN Win32/Agent.XSF Variant CnC Beacon (trojan.rules)
2815356 - ETPRO TROJAN Win32/Votwup.D/Derkziel Checkin 2 (trojan.rules)
2815400 - ETPRO TROJAN Linux/Fysbis CnC Beacon Fake UA (trojan.rules)
2815444 - ETPRO TROJAN Win32/TrojanDownloader.Banload Variant
Checkin (trojan.rules)
2822031 - ETPRO TROJAN Win32/Wadereh.B Variant Updateinfo Command
(trojan.rules)
2825026 - ETPRO TROJAN Win32.Abnores.R Checkin (trojan.rules)
2837691 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Boogr.gsh CnC Beacon
17 (mobile_malware.rules)
2838978 - ETPRO CURRENT_EVENTS Successful Simplii Phish 2019-10-17
(current_events.rules)
2838979 - ETPRO CURRENT_EVENTS Successful BBVA Phish 2019-10-17
(current_events.rules)
2838980 - ETPRO CURRENT_EVENTS Successful National Bank Phish
2019-10-17 (current_events.rules)
2838981 - ETPRO CURRENT_EVENTS Successful Woodforest National Bank
Phish 2019-10-17 (current_events.rules)
2838982 - ETPRO CURRENT_EVENTS Successful Simplii Phish 2019-10-17
(current_events.rules)
2838983 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-10-17
(current_events.rules)
2838984 - ETPRO CURRENT_EVENTS Successful Naver Phish 2019-10-17
(current_events.rules)
2838985 - ETPRO CURRENT_EVENTS Successful Caja Madrid Phish
2019-10-17 (current_events.rules)
2838986 - ETPRO CURRENT_EVENTS Successful Simplii Phish 2019-10-17
(current_events.rules)
2838996 - ETPRO CURRENT_EVENTS Successful Charles Schwab Phish
2019-10-18 (current_events.rules)
2838998 - ETPRO CURRENT_EVENTS Successful Generic Personalized Phish
2019-10-18 (current_events.rules)
2838999 - ETPRO CURRENT_EVENTS Successful Posteitaliane Phish
2019-10-18 (current_events.rules)
2839000 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2019-10-18 (current_events.rules)
2839001 - ETPRO CURRENT_EVENTS Successful Simplii Phish 2019-10-18
(current_events.rules)
2839002 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2019-10-18 (current_events.rules)
2839003 - ETPRO CURRENT_EVENTS Successful Paypal FR Phish 2019-10-18
(current_events.rules)
2839004 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2019-10-18
(current_events.rules)
2839005 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2019-10-18
(current_events.rules)
2839006 - ETPRO CURRENT_EVENTS Successful Generic Phish 2019-10-18
(current_events.rules)
2839007 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2019-10-18 (current_events.rules)
2839008 - ETPRO CURRENT_EVENTS Successful Google Account Phish
2019-10-18 (current_events.rules)
2839009 - ETPRO CURRENT_EVENTS Successful Facebook Pages Copyright
Content Phish 2019-10-18 (current_events.rules)
2839010 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-10-18
(current_events.rules)
2839011 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2019-10-18 (current_events.rules)
2839012 - ETPRO TROJAN Possible APT-C-27 Payload CnC Checkin (trojan.rules)
2839013 - ETPRO TROJAN Upatre CnC Domain in DNS Lookup (trojan.rules)
2839024 - ETPRO CURRENT_EVENTS Successful OneDrive Phish 2019-10-21
(current_events.rules)
2839025 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2019-10-21 (current_events.rules)
2839026 - ETPRO CURRENT_EVENTS Successful Sekerbank Phish 2019-10-21
(current_events.rules)
2839027 - ETPRO CURRENT_EVENTS Successful Sekerbank Phish 2019-10-21
(current_events.rules)
2839028 - ETPRO CURRENT_EVENTS Successful Adobe Phish 2019-10-21
(current_events.rules)
2839029 - ETPRO CURRENT_EVENTS Successful Adobe Document Cloud Phish
2019-10-21 (current_events.rules)
2839030 - ETPRO CURRENT_EVENTS Successful Desjardins Phish
2019-10-21 (current_events.rules)
2839031 - ETPRO CURRENT_EVENTS Successful American Express Phish
2019-10-21 (current_events.rules)
2839032 - ETPRO CURRENT_EVENTS Successful American Express Phish
2019-10-21 (current_events.rules)
2839033 - ETPRO CURRENT_EVENTS Successful Amazon Phish 2019-10-21
(current_events.rules)
2839034 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2019-10-21 (current_events.rules)
2839035 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2019-10-21 (current_events.rules)
2839036 - ETPRO CURRENT_EVENTS Successful Generic Email Web App
Phish 2019-10-21 (current_events.rules)
2839037 - ETPRO CURRENT_EVENTS Successful ING Phish 2019-10-21
(current_events.rules)
2839038 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2019-10-21
(current_events.rules)
2839039 - ETPRO CURRENT_EVENTS Successful Generic Webmail Mini Phish
2019-10-21 (current_events.rules)
2839040 - ETPRO CURRENT_EVENTS Successful Generic Mailbox Phish
2019-10-21 (current_events.rules)
2839041 - ETPRO TROJAN Gh0stNoxy CnC Activity (trojan.rules)
2839058 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2019-10-22 (current_events.rules)
2839059 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2019-10-22 (current_events.rules)
2839060 - ETPRO CURRENT_EVENTS Successful American Express Phish
2019-10-22 (current_events.rules)
2839061 - ETPRO CURRENT_EVENTS Successful Telekom/Tmobile Phish
2019-10-22 (current_events.rules)
2839062 - ETPRO CURRENT_EVENTS Successful Generic Credit Card
Information Phish 2019-10-22 (current_events.rules)
2839063 - ETPRO CURRENT_EVENTS Successful Generic Mailbox Validation
Phish 2019-10-22 (current_events.rules)
2839064 - ETPRO CURRENT_EVENTS Successful RBC Royal Bank Phish
2019-10-22 (current_events.rules)
2839065 - ETPRO CURRENT_EVENTS Successful Google Account Phish
2019-10-22 (current_events.rules)
2839066 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2019-10-22 (current_events.rules)
2839067 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish
2019-10-22 (current_events.rules)
2839068 - ETPRO TROJAN PowerShell XOR Encoded In Memory Shellcode
Loader Inbound (trojan.rules)
2839069 - ETPRO TROJAN PowerShell Base64 Encoded Concat Inbound (trojan.rules)
2839090 - ETPRO TROJAN Observed Malicious SSL Certificate (IcedID
CnC) (trojan.rules)
2839091 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2019-10-23 (current_events.rules)
2839092 - ETPRO CURRENT_EVENTS Successful Generic Verify Email Phish
2019-10-23 (current_events.rules)
2839093 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-10-23
(current_events.rules)
2839094 - ETPRO CURRENT_EVENTS Successful M&T Bank Phish 2019-10-23
(current_events.rules)
2839095 - ETPRO CURRENT_EVENTS Successful OneDrive Phish 2019-10-23
(current_events.rules)
2839096 - ETPRO CURRENT_EVENTS Successful Postbank Phish 2019-10-23
(current_events.rules)
2839097 - ETPRO CURRENT_EVENTS Successful Postbank Phish 2019-10-23
(current_events.rules)
2839098 - ETPRO CURRENT_EVENTS Successful Postbank Phish 2019-10-23
(current_events.rules)
2839099 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2019-10-23
(current_events.rules)
2839100 - ETPRO CURRENT_EVENTS Successful Aruba IT Phish 2019-10-23
(current_events.rules)
2839101 - ETPRO CURRENT_EVENTS Successful MWeb Webmail Phish
2019-10-23 (current_events.rules)
2839102 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish
2019-10-23 (current_events.rules)
2839103 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish
2019-10-23 (current_events.rules)
2839110 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.p CnC
Beacon (mobile_malware.rules)
2839111 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.acl
Checkin (mobile_malware.rules)
2839115 - ETPRO CURRENT_EVENTS Successful Naver Phish 2019-10-24
(current_events.rules)
2839116 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2019-10-24 (current_events.rules)
2839117 - ETPRO CURRENT_EVENTS Successful Softbank JP Phish
2019-10-24 (current_events.rules)
2839118 - ETPRO CURRENT_EVENTS Successful OneDrive Phish 2019-10-24
(current_events.rules)
2839129 - ETPRO CURRENT_EVENTS Successful Citibank Loan Phish
2019-10-28 (current_events.rules)
2839130 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2019-10-28
(current_events.rules)
2839131 - ETPRO CURRENT_EVENTS Successful Generic Email Account
Update Phish 2019-10-28 (current_events.rules)
2839132 - ETPRO CURRENT_EVENTS Successful AT&T Phish 2019-10-28
(current_events.rules)
2839133 - ETPRO TROJAN Win32/Presenoker Requesting Batch File M6
(trojan.rules)
2839134 - ETPRO TROJAN Win32/Presenoker UA Observed (trojan.rules)
2839148 - ETPRO TROJAN Iobon Ichi Bot CnC Checkin (trojan.rules)

[---] Disabled and modified rules: [---]

2023085 - ET TROJAN R980/CRYPBEE.A Ransomware Activity (trojan.rules)

Date:

Tuesday, October 20, 2020

Summary title:

4 new OPEN, 44 new PRO (4 + 40). Various DNS over HTTPS, Fire-Cloud, GravityRAT, Various others.