[***]            Summary:            [***]

4 new OPEN, 44 new PRO (4 + 40). Various DNS over HTTPS, Fire-Cloud, GravityRAT, Various others.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031062 - ET CURRENT_EVENTS Suntrust Captcha Phishing Landing (current_events.rules)
  2031063 - ET CURRENT_EVENTS Apple Phishing Panel Accessed on Internal Server (current_events.rules)
  2031064 - ET CURRENT_EVENTS Apple Phishing Panel Accessed on External Server (current_events.rules)
  2031065 - ET USER_AGENTS Suspicious User-Agent (Fire-Cloud) (user_agents.rules)

Pro:

  2845025 - ETPRO MOBILE_MALWARE Android/GravityRAT CnC Beacon (mobile_malware.rules)
  2845026 - ETPRO MOBILE_MALWARE AndroidOS/Trojan.OJNF-2 Checkin (mobile_malware.rules)
  2845027 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .cleanbrowsing .org) (policy.rules)
  2845028 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (dns .dnsoverhttps .net) (policy.rules)
  2845029 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .crypto .sx) (policy.rules)
  2845030 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .powerdns .org) (policy.rules)
  2845031 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh-jp .blahdns .com) (policy.rules)
  2845032 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (dns .dns-over-https .com) (policy.rules)
  2845033 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (dns9 .quad9 .net) (policy.rules)
  2845034 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (dns10 .quad9 .net) (policy.rules)
  2845035 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .dnswarden .com) (policy.rules)
  2845036 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .captnemo .in) (policy.rules)
  2845037 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .tiar .app) (policy.rules)
  2845038 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .xfinity .com) (policy.rules)
  2845039 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-10-20 (current_events.rules)
  2845040 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-10-20 (current_events.rules)
  2845041 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-10-20 (current_events.rules)
  2845042 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-10-20 (current_events.rules)
  2845043 - ETPRO CURRENT_EVENTS Successful Office 365 Phish 2020-10-20 (current_events.rules)
  2845044 - ETPRO CURRENT_EVENTS Successful Scotiabank Phish 2020-10-20 (current_events.rules)
  2845045 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2020-10-20 (current_events.rules)
  2845046 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-10-20 (current_events.rules)
  2845047 - ETPRO TROJAN Win32/Delf.BLT Variant CnC Activity (trojan.rules)
  2845048 - ETPRO TROJAN VBS/Dojos Downloader Activity M1 (trojan.rules)
  2845049 - ETPRO TROJAN VBS/Dojos Downloader Activity M2 (trojan.rules)
  2845050 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-20 1) (trojan.rules)
  2845051 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-20 2) (trojan.rules)
  2845052 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-20 3) (trojan.rules)
  2845053 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-20 4) (trojan.rules)
  2845054 - ETPRO TROJAN MSIL/Spy.Agent.CYF Variant CnC Exfil (trojan.rules)
  2845055 - ETPRO TROJAN Fire-Cloud Checkin (trojan.rules)
  2845056 - ETPRO TROJAN Fire-Cloud Server Response (trojan.rules)
  2845057 - ETPRO TROJAN Win32/Remcos RAT Checkin 571 (trojan.rules)
  2845058 - ETPRO TROJAN Win32/Remcos RAT Checkin 572 (trojan.rules)
  2845059 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
  2845060 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
  2845061 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
  2845062 - ETPRO POLICY Observed DNS Query to Dynamic DNS Service (policy.rules)
  2845063 - ETPRO MALWARE Teleperformance BYOD Installer Activity (malware.rules)
  2845064 - ETPRO TROJAN Possible DNSCat2 Powershell Client Activity (trojan.rules)

[///]     Modified active rules:     [///]

  2003505 - ET MALWARE Toplist.cz Related Spyware Checkin (malware.rules)
  2013504 - ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management (policy.rules)
  2019946 - ET TROJAN W32/Farfli.BHQ!tr Dropper CnC Beacon (trojan.rules)
  2020897 - ET TROJAN Possible APT30 or Win32/Nuclear HTTP Framework (trojan.rules)
  2025518 - ET POLICY Vulnerable Java Version 10.0.x Detected (policy.rules)
  2027364 - ET TROJAN BlackTech Plead Encrypted Payload Inbound (trojan.rules)
  2027886 - ET TROJAN Win32/DarkRAT CnC Activity (trojan.rules)
  2028650 - ET USER_AGENTS Steam HTTP Client User-Agent (user_agents.rules)
  2028835 - ET TROJAN Observed Malicious SSL Cert (MageCart Staging Domain) (trojan.rules)
  2028836 - ET TROJAN Observed Malicious SSL Cert (MageCart Staging Domain) (trojan.rules)
  2028843 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
  2028844 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
  2028845 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
  2028846 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
  2028847 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
  2028848 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
  2028849 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
  2028850 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
  2028851 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
  2028852 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
  2028853 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
  2028854 - ET TROJAN PolyglotDuke Domain Observed (trojan.rules)
  2028855 - ET TROJAN MiniDuke Domain Observed (trojan.rules)
  2028856 - ET TROJAN MiniDuke Domain Observed (trojan.rules)
  2028857 - ET TROJAN FatDuke Domain Observed (trojan.rules)
  2028858 - ET TROJAN FatDuke Domain Observed (trojan.rules)
  2028859 - ET TROJAN FatDuke Domain Observed (trojan.rules)
  2028860 - ET TROJAN FatDuke Domain Observed (trojan.rules)
  2028861 - ET TROJAN FatDuke Domain Observed (trojan.rules)
  2028862 - ET TROJAN LiteDuke Domain Observed (trojan.rules)
  2028868 - ET POLICY Vulnerable Java Version 12.0.x Detected (policy.rules)
  2028870 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query (trojan.rules)
  2028871 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query (trojan.rules)
  2028872 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query (trojan.rules)
  2028873 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query (trojan.rules)
  2028874 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query (trojan.rules)
  2028875 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query (trojan.rules)
  2028876 - ET TROJAN Steganographic Encoded WAV File Inbound via HTTP M1 (trojan.rules)
  2028877 - ET TROJAN Steganographic Encoded WAV File Inbound via HTTP M2 (trojan.rules)
  2028893 - ET TROJAN Observed Malicious SSL Cert (DonotGroup CnC) (trojan.rules)
  2028895 - ET WEB_SERVER Possible PHP Remote Code Execution CVE-2019-11043 PoC (Inbound) (web_server.rules)
  2028898 - ET TROJAN Observed Malicious SSL Cert (APT32 CnC) (trojan.rules)
  2028899 - ET TROJAN Lazarus CnC Domain Observed in DNS Query (trojan.rules)
  2028900 - ET TROJAN Lazarus CnC Domain Observed in DNS Query (trojan.rules)
  2028901 - ET TROJAN Lazarus CnC Domain Observed in DNS Query (trojan.rules)
  2028902 - ET TROJAN Lazarus CnC Domain Observed in DNS Query (trojan.rules)
  2028903 - ET TROJAN Lazarus CnC Domain Observed in DNS Query (trojan.rules)
  2028904 - ET TROJAN Lazarus CnC Domain Observed in DNS Query (trojan.rules)
  2028909 - ET TROJAN Diezen/Sakabota CnC Domain Observed in DNS Query (trojan.rules)
  2028910 - ET TROJAN Diezen/Sakabota CnC Domain Observed in DNS Query (trojan.rules)
  2028921 - ET TROJAN Kimsuky CnC Domain Observed in DNS Query (trojan.rules)
  2807931 - ETPRO MOBILE_MALWARE Android/Badao.A Checkin 2 (mobile_malware.rules)
  2808335 - ETPRO POLICY Win32/RemoteAdmin.RemoteUtilities.C Checkin (policy.rules)
  2809587 - ETPRO TROJAN Win32/Spy.Agent.OLV Checkin (trojan.rules)
  2809677 - ETPRO TROJAN HackTool/Win32.Dohuk Downloading Files (trojan.rules)
  2809715 - ETPRO TROJAN Win32/Kilim.D Checkin (trojan.rules)
  2810720 - ETPRO TROJAN BAT/Autorun.FN Variant Dropping Files (trojan.rules)
  2815201 - ETPRO TROJAN Win32/Agent.XSF Variant CnC Beacon (trojan.rules)
  2815356 - ETPRO TROJAN Win32/Votwup.D/Derkziel Checkin 2 (trojan.rules)
  2815400 - ETPRO TROJAN Linux/Fysbis CnC Beacon Fake UA (trojan.rules)
  2815444 - ETPRO TROJAN Win32/TrojanDownloader.Banload Variant Checkin (trojan.rules)
  2822031 - ETPRO TROJAN Win32/Wadereh.B Variant Updateinfo Command (trojan.rules)
  2825026 - ETPRO TROJAN Win32.Abnores.R Checkin (trojan.rules)
  2837691 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Boogr.gsh CnC Beacon 17 (mobile_malware.rules)
  2838978 - ETPRO CURRENT_EVENTS Successful Simplii Phish 2019-10-17 (current_events.rules)
  2838979 - ETPRO CURRENT_EVENTS Successful BBVA Phish 2019-10-17 (current_events.rules)
  2838980 - ETPRO CURRENT_EVENTS Successful National Bank Phish 2019-10-17 (current_events.rules)
  2838981 - ETPRO CURRENT_EVENTS Successful Woodforest National Bank Phish 2019-10-17 (current_events.rules)
  2838982 - ETPRO CURRENT_EVENTS Successful Simplii Phish 2019-10-17 (current_events.rules)
  2838983 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-10-17 (current_events.rules)
  2838984 - ETPRO CURRENT_EVENTS Successful Naver Phish 2019-10-17 (current_events.rules)
  2838985 - ETPRO CURRENT_EVENTS Successful Caja Madrid Phish 2019-10-17 (current_events.rules)
  2838986 - ETPRO CURRENT_EVENTS Successful Simplii Phish 2019-10-17 (current_events.rules)
  2838996 - ETPRO CURRENT_EVENTS Successful Charles Schwab Phish 2019-10-18 (current_events.rules)
  2838998 - ETPRO CURRENT_EVENTS Successful Generic Personalized Phish 2019-10-18 (current_events.rules)
  2838999 - ETPRO CURRENT_EVENTS Successful Posteitaliane Phish 2019-10-18 (current_events.rules)
  2839000 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-10-18 (current_events.rules)
  2839001 - ETPRO CURRENT_EVENTS Successful Simplii Phish 2019-10-18 (current_events.rules)
  2839002 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-10-18 (current_events.rules)
  2839003 - ETPRO CURRENT_EVENTS Successful Paypal FR Phish 2019-10-18 (current_events.rules)
  2839004 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2019-10-18 (current_events.rules)
  2839005 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2019-10-18 (current_events.rules)
  2839006 - ETPRO CURRENT_EVENTS Successful Generic Phish 2019-10-18 (current_events.rules)
  2839007 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-10-18 (current_events.rules)
  2839008 - ETPRO CURRENT_EVENTS Successful Google Account Phish 2019-10-18 (current_events.rules)
  2839009 - ETPRO CURRENT_EVENTS Successful Facebook Pages Copyright Content Phish 2019-10-18 (current_events.rules)
  2839010 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-10-18 (current_events.rules)
  2839011 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-10-18 (current_events.rules)
  2839012 - ETPRO TROJAN Possible APT-C-27 Payload CnC Checkin (trojan.rules)
  2839013 - ETPRO TROJAN Upatre CnC Domain in DNS Lookup (trojan.rules)
  2839024 - ETPRO CURRENT_EVENTS Successful OneDrive Phish 2019-10-21 (current_events.rules)
  2839025 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-10-21 (current_events.rules)
  2839026 - ETPRO CURRENT_EVENTS Successful Sekerbank Phish 2019-10-21 (current_events.rules)
  2839027 - ETPRO CURRENT_EVENTS Successful Sekerbank Phish 2019-10-21 (current_events.rules)
  2839028 - ETPRO CURRENT_EVENTS Successful Adobe Phish 2019-10-21 (current_events.rules)
  2839029 - ETPRO CURRENT_EVENTS Successful Adobe Document Cloud Phish 2019-10-21 (current_events.rules)
  2839030 - ETPRO CURRENT_EVENTS Successful Desjardins Phish 2019-10-21 (current_events.rules)
  2839031 - ETPRO CURRENT_EVENTS Successful American Express Phish 2019-10-21 (current_events.rules)
  2839032 - ETPRO CURRENT_EVENTS Successful American Express Phish 2019-10-21 (current_events.rules)
  2839033 - ETPRO CURRENT_EVENTS Successful Amazon Phish 2019-10-21 (current_events.rules)
  2839034 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-10-21 (current_events.rules)
  2839035 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-10-21 (current_events.rules)
  2839036 - ETPRO CURRENT_EVENTS Successful Generic Email Web App Phish 2019-10-21 (current_events.rules)
  2839037 - ETPRO CURRENT_EVENTS Successful ING Phish 2019-10-21 (current_events.rules)
  2839038 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2019-10-21 (current_events.rules)
  2839039 - ETPRO CURRENT_EVENTS Successful Generic Webmail Mini Phish 2019-10-21 (current_events.rules)
  2839040 - ETPRO CURRENT_EVENTS Successful Generic Mailbox Phish 2019-10-21 (current_events.rules)
  2839041 - ETPRO TROJAN Gh0stNoxy CnC Activity (trojan.rules)
  2839058 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-10-22 (current_events.rules)
  2839059 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-10-22 (current_events.rules)
  2839060 - ETPRO CURRENT_EVENTS Successful American Express Phish 2019-10-22 (current_events.rules)
  2839061 - ETPRO CURRENT_EVENTS Successful Telekom/Tmobile Phish 2019-10-22 (current_events.rules)
  2839062 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-10-22 (current_events.rules)
  2839063 - ETPRO CURRENT_EVENTS Successful Generic Mailbox Validation Phish 2019-10-22 (current_events.rules)
  2839064 - ETPRO CURRENT_EVENTS Successful RBC Royal Bank Phish 2019-10-22 (current_events.rules)
  2839065 - ETPRO CURRENT_EVENTS Successful Google Account Phish 2019-10-22 (current_events.rules)
  2839066 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-10-22 (current_events.rules)
  2839067 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2019-10-22 (current_events.rules)
  2839068 - ETPRO TROJAN PowerShell XOR Encoded In Memory Shellcode Loader Inbound (trojan.rules)
  2839069 - ETPRO TROJAN PowerShell Base64 Encoded Concat Inbound (trojan.rules)
  2839090 - ETPRO TROJAN Observed Malicious SSL Certificate (IcedID CnC) (trojan.rules)
  2839091 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-10-23 (current_events.rules)
  2839092 - ETPRO CURRENT_EVENTS Successful Generic Verify Email Phish 2019-10-23 (current_events.rules)
  2839093 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-10-23 (current_events.rules)
  2839094 - ETPRO CURRENT_EVENTS Successful M&T Bank Phish 2019-10-23 (current_events.rules)
  2839095 - ETPRO CURRENT_EVENTS Successful OneDrive Phish 2019-10-23 (current_events.rules)
  2839096 - ETPRO CURRENT_EVENTS Successful Postbank Phish 2019-10-23 (current_events.rules)
  2839097 - ETPRO CURRENT_EVENTS Successful Postbank Phish 2019-10-23 (current_events.rules)
  2839098 - ETPRO CURRENT_EVENTS Successful Postbank Phish 2019-10-23 (current_events.rules)
  2839099 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2019-10-23 (current_events.rules)
  2839100 - ETPRO CURRENT_EVENTS Successful Aruba IT Phish 2019-10-23 (current_events.rules)
  2839101 - ETPRO CURRENT_EVENTS Successful MWeb Webmail Phish 2019-10-23 (current_events.rules)
  2839102 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish 2019-10-23 (current_events.rules)
  2839103 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2019-10-23 (current_events.rules)
  2839110 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.p CnC Beacon (mobile_malware.rules)
  2839111 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.acl Checkin (mobile_malware.rules)
  2839115 - ETPRO CURRENT_EVENTS Successful Naver Phish 2019-10-24 (current_events.rules)
  2839116 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-10-24 (current_events.rules)
  2839117 - ETPRO CURRENT_EVENTS Successful Softbank JP Phish 2019-10-24 (current_events.rules)
  2839118 - ETPRO CURRENT_EVENTS Successful OneDrive Phish 2019-10-24 (current_events.rules)
  2839129 - ETPRO CURRENT_EVENTS Successful Citibank Loan Phish 2019-10-28 (current_events.rules)
  2839130 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2019-10-28 (current_events.rules)
  2839131 - ETPRO CURRENT_EVENTS Successful Generic Email Account Update Phish 2019-10-28 (current_events.rules)
  2839132 - ETPRO CURRENT_EVENTS Successful AT&T Phish 2019-10-28 (current_events.rules)
  2839133 - ETPRO TROJAN Win32/Presenoker Requesting Batch File M6 (trojan.rules)
  2839134 - ETPRO TROJAN Win32/Presenoker UA Observed (trojan.rules)
  2839148 - ETPRO TROJAN Iobon Ichi Bot CnC Checkin (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2023085 - ET TROJAN R980/CRYPBEE.A Ransomware Activity (trojan.rules)
