[***]            Summary:            [***]

11 new OPEN, 40 new PRO (11 + 29).  MSIL/SilentHunter, Osno, Various Phish, Others.

Thanks: @jstrosch, @travisbgreen.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031086 - ET CURRENT_EVENTS Outlook Phishing Landing 2020-10-23 (current_events.rules)
  2031087 - ET POLICY PCHunter Download Observed (policy.rules)
  2031088 - ET INFO Request to .XYZ Domain with Minimal Headers (info.rules)
  2031089 - ET INFO Request to .TOP Domain with Minimal Headers (info.rules)
  2031090 - ET INFO Request to 000webhostapp Domain with Minimal Headers (info.rules)
  2031091 - ET INFO Request to .ML Domain with Minimal Headers (info.rules)
  2031092 - ET INFO Request to .CF Domain with Minimal Headers (info.rules)
  2031093 - ET INFO Request to .GQ Domain with Minimal Headers (info.rules)
  2031094 - ET INFO Request to .TK Domain with Minimal Headers (info.rules)
  2031095 - ET INFO Request to .GA Domain with Minimal Headers (info.rules)
  2031096 - ET TROJAN Win32/Spy.Pavica.FH Variant CnC Activity (trojan.rules)

Pro:

  2845109 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BJD Checkin (mobile_malware.rules)
  2845110 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-10-23 (current_events.rules)
  2845111 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-10-23 (current_events.rules)
  2845112 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-10-23 (current_events.rules)
  2845113 - ETPRO CURRENT_EVENTS Successful Navy Federal Credit Union Phish 2020-10-23 (current_events.rules)
  2845114 - ETPRO CURRENT_EVENTS Successful Yodobashi Phish 2020-10-23 (current_events.rules)
  2845115 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-10-23 (current_events.rules)
  2845116 - ETPRO CURRENT_EVENTS Successful Generic Multibrand Phish 2020-10-23 (current_events.rules)
  2845117 - ETPRO CURRENT_EVENTS Successful Made in China Phish 2020-10-23 (current_events.rules)
  2845118 - ETPRO TROJAN MSIL/SilentHunter CnC Activity (trojan.rules)
  2845119 - ETPRO TROJAN MSIL/SilentHunter CnC Exfil Activity (trojan.rules)
  2845120 - ETPRO TROJAN MSIL/SilentHunter Data Exfil (trojan.rules)
  2845121 - ETPRO CURRENT_EVENTS Successful Microsoft Voicemail Phish 2020-10-23 (current_events.rules)
  2845122 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish 2020-10-23 (current_events.rules)
  2845123 - ETPRO CURRENT_EVENTS Successful Ionos Phish 2020-10-23 (current_events.rules)
  2845124 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-23 1) (trojan.rules)
  2845125 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-23 2) (trojan.rules)
  2845126 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-23 3) (trojan.rules)
  2845127 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) 2020-10-23 (current_events.rules)
  2845128 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) 2020-10-23 (current_events.rules)
  2845129 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) 2020-10-23 (current_events.rules)
  2845130 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) 2020-10-23 (current_events.rules)
  2845131 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) 2020-10-23 (current_events.rules)
  2845132 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) 2020-10-23 (current_events.rules)
  2845133 - ETPRO TROJAN Osno CnC Exfil Activity (trojan.rules)
  2845134 - ETPRO TROJAN Osno CnC Activity (trojan.rules)
  2845135 - ETPRO TROJAN Revil Ransomware .onion Proxy Domain (trojan.rules)
  2845136 - ETPRO TROJAN Win32/Agent.65CA!tr Checkin Activity (trojan.rules)
  2845137 - ETPRO CURRENT_EVENTS Successful Royal Bank of Canada Phish 2020-10-23 (current_events.rules)

[///]     Modified active rules:     [///]

  2011588 - ET TROJAN Zeus Bot Connectivity Check (trojan.rules)
  2018886 - ET TROJAN Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND (trojan.rules)
  2027120 - ET TROJAN ELF/Mirai Variant UA Inbound (Rift) (trojan.rules)
  2027122 - ET TROJAN ELF/Mirai Variant UA Inbound (Tsunami) (trojan.rules)
  2027124 - ET TROJAN ELF/Mirai Variant UA Inbound (Yowai) (trojan.rules)
  2027126 - ET TROJAN ELF/Mirai Variant UA Inbound (Yakuza) (trojan.rules)
  2027128 - ET TROJAN ELF/Mirai Variant UA Inbound (Hentai) (trojan.rules)
  2027130 - ET TROJAN ELF/Mirai Variant UA Inbound (lessie) (trojan.rules)
  2027132 - ET TROJAN ELF/Mirai Variant UA Inbound (Cakle) (trojan.rules)
  2027134 - ET TROJAN ELF/Mirai Variant UA Inbound (Damien) (trojan.rules)
  2027136 - ET TROJAN ELF/Mirai Variant UA Inbound (Solar) (trojan.rules)
  2027138 - ET TROJAN ELF/Mirai Variant UA Inbound (muhstik) (trojan.rules)
  2027140 - ET TROJAN ELF/Mirai Variant UA Inbound (Shaolin) (trojan.rules)
  2028989 - ET TROJAN ELF/Mirai Variant UA Outbound (ph0ne) (trojan.rules)
  2029015 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029016 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029017 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029018 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029019 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029020 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029021 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029023 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029024 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029026 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029027 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029028 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029029 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029030 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029031 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029032 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029033 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029035 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029036 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029038 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029047 - ET TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
  2029048 - ET TROJAN Observed Malicious SSL Cert (ACBackdoor CnC) (trojan.rules)
  2029049 - ET TROJAN Observed Malicious SSL Cert (ACBackdoor CnC) (trojan.rules)
  2029050 - ET TROJAN Observed Malicious SSL Cert (Possible Godlua CnC) (trojan.rules)
  2029051 - ET POLICY Observed SSL Cert (DoH Service) (policy.rules)
  2029053 - ET TROJAN SSL/TLS Certificate Observed (Various Crimeware) (trojan.rules)
  2029054 - ET SCAN Zmap User-Agent (Inbound) (scan.rules)
  2029061 - ET TROJAN Legion Loader Activity Observed (Mylegion666) (trojan.rules)
  2029062 - ET TROJAN Legion Loader Activity Observed (YourUserAgent) (trojan.rules)
  2029063 - ET TROJAN Legion Loader Activity Observed (salmonella-symptome) (trojan.rules)
  2029064 - ET TROJAN Legion Loader Activity Observed (suspira) (trojan.rules)
  2029065 - ET TROJAN Legion Loader Activity Observed (lilith) (trojan.rules)
  2029066 - ET TROJAN Legion Loader Activity Observed (legion) (trojan.rules)
  2029067 - ET TROJAN Legion Loader Activity Observed (the devil) (trojan.rules)
  2029068 - ET TROJAN Legion Loader Activity Observed (trojan.rules)
  2029069 - ET TROJAN Legion Loader Activity Observed (Amen) (trojan.rules)
  2029070 - ET TROJAN Legion Loader Activity Observed (satan) (trojan.rules)
  2029071 - ET TROJAN Legion Loader Activity Observed (neva-project) (trojan.rules)
  2029072 - ET TROJAN SSL/TLS Certificate Observed (Magecart) (trojan.rules)
  2029073 - ET WEB_CLIENT Possible Magecart Credit Card Information JS Script (web_client.rules)
  2029074 - ET TROJAN Magecart CnC Domain Observed in DNS Query (trojan.rules)
  2834242 - ETPRO MOBILE_MALWARE Android.Trojan.FakeApp.EV Checkin (mobile_malware.rules)
  2839239 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2839240 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
  2839468 - ETPRO TROJAN Observed ELF/Mirai Variant UA Inbound (ph0ne) (trojan.rules)
  2839514 - ETPRO TROJAN W32/Kanatara CnC Activity (trojan.rules)
  2839542 - ETPRO CURRENT_EVENTS Successful SMBC Phish 2019-11-21 (current_events.rules)
  2839543 - ETPRO CURRENT_EVENTS Successful Office 365 Phish 2019-11-21 (current_events.rules)
  2839544 - ETPRO CURRENT_EVENTS Successful Binance Phish 2019-11-21 (current_events.rules)
  2839545 - ETPRO CURRENT_EVENTS Successful Caixa Bank Phish 2019-11-21 (current_events.rules)
  2839546 - ETPRO CURRENT_EVENTS Successful Caixa Bank Phish 2019-11-21 (current_events.rules)
  2839547 - ETPRO CURRENT_EVENTS Successful Caixa Bank Phish 2019-11-21 (current_events.rules)
  2839548 - ETPRO CURRENT_EVENTS Successful Adobe PDF Cloud Phish 2019-11-21 (current_events.rules)
  2839549 - ETPRO CURRENT_EVENTS Evil Keitaro Set-Cookie Inbound (aef4f) (current_events.rules)
  2839560 - ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC) (trojan.rules)
  2839561 - ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC) (trojan.rules)
  2839562 - ETPRO TROJAN Observed Malicious SSL Cert (SmokeLoader CnC) (trojan.rules)
  2839572 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.MobOk.pac Checkin (mobile_malware.rules)
  2839573 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.MobOk.pac CnC Beacon (mobile_malware.rules)
  2839574 - ETPRO MOBILE_MALWARE Andr/PornClk-AR Checkin (mobile_malware.rules)
  2839575 - ETPRO MOBILE_MALWARE AndroidOS.Bookoloid Geo Location/Device Info Exfil (mobile_malware.rules)
  2839576 - ETPRO MOBILE_MALWARE Riskware.AndroidOS.Hamiraca Device/Debug Info Exfil (mobile_malware.rules)
  2839577 - ETPRO MOBILE_MALWARE Trojan-Downloader.AndroidOS.Guerrila.j Checkin (mobile_malware.rules)
  2839583 - ETPRO CURRENT_EVENTS Successful GMX Phish 2019-11-22 (current_events.rules)
  2839584 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-11-22 (current_events.rules)
  2839585 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-11-22 (current_events.rules)
  2839586 - ETPRO CURRENT_EVENTS Successful Banco Inter Phish 2019-11-22 (current_events.rules)
  2839587 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2019-11-22 (current_events.rules)
  2839588 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-11-22 (current_events.rules)
  2839589 - ETPRO CURRENT_EVENTS Successful Amazon Phish 2019-11-22 (current_events.rules)
  2839590 - ETPRO CURRENT_EVENTS Successful Rabobank Phish 2019-11-22 (current_events.rules)
  2839591 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2019-11-22 (current_events.rules)
  2839592 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2019-11-22 (current_events.rules)
  2839601 - ETPRO CURRENT_EVENTS Evil Keitaro Set-Cookie Inbound (eccc8) (current_events.rules)
  2839602 - ETPRO CURRENT_EVENTS Successful Plenty of Fish Phish 2019-11-25 (current_events.rules)
  2839603 - ETPRO CURRENT_EVENTS Successful Office 365 Phish 2019-11-25 (current_events.rules)
  2839604 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-11-25 (current_events.rules)
  2839605 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-11-25 (current_events.rules)
  2839606 - ETPRO CURRENT_EVENTS Successful BECU Phish 2019-11-25 (current_events.rules)
  2839607 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2019-11-25 (current_events.rules)
  2839608 - ETPRO CURRENT_EVENTS Successful EMS High Speed Mail Phish 2019-11-25 (current_events.rules)
  2839609 - ETPRO CURRENT_EVENTS Successful Generic Account Recovery Phish 2019-11-25 (current_events.rules)
  2839610 - ETPRO CURRENT_EVENTS Successful Commonwealth Bank Phish 2019-11-25 (current_events.rules)
  2839611 - ETPRO CURRENT_EVENTS Successful Commonwealth Bank Phish 2019-11-25 (current_events.rules)
  2839612 - ETPRO CURRENT_EVENTS Successful Commonwealth Bank Phish 2019-11-25 (current_events.rules)
  2839613 - ETPRO TROJAN DustSquad/Octopus CnC Initial Check M1 (trojan.rules)
  2839614 - ETPRO TROJAN DustSquad/Octopus CnC Initial Check M2 (trojan.rules)
  2839615 - ETPRO TROJAN DustSquad/Octopus CnC Initial Server Request M1 (trojan.rules)
  2839616 - ETPRO TROJAN DustSquad/Octopus CnC Initial Server Request M2 (trojan.rules)
  2839617 - ETPRO TROJAN DustSquad/Octopus CnC Host Checkin M2 (trojan.rules)
  2839618 - ETPRO TROJAN DustSquad/Octopus CnC Host Checkin M1 (trojan.rules)
  2839620 - ETPRO TROJAN DustSquad/Octopus CnC Activity (trojan.rules)
  2839637 - ETPRO CURRENT_EVENTS Successful Excel Online Phish 2019-11-26 (current_events.rules)
  2839639 - ETPRO CURRENT_EVENTS Successful Pagseguro UOL Phish 2019-11-26 (current_events.rules)
  2839640 - ETPRO CURRENT_EVENTS Successful Pagseguro UOL Phish 2019-11-26 (current_events.rules)
  2839641 - ETPRO CURRENT_EVENTS Successful BCP Phish 2019-11-26 (current_events.rules)
  2839642 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-11-26 (current_events.rules)
  2839643 - ETPRO CURRENT_EVENTS Successful Snapchat Phish 2019-11-26 (current_events.rules)
  2839644 - ETPRO CURRENT_EVENTS Successful Santander Phish 2019-11-26 (current_events.rules)
  2839645 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
  2839646 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2839647 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
  2839648 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2839654 - ETPRO MOBILE_MALWARE Android/Agent.BNX Checkin (mobile_malware.rules)
  2839659 - ETPRO CURRENT_EVENTS Successful Minha BV Phish 2019-11-27 (current_events.rules)
  2839660 - ETPRO CURRENT_EVENTS Successful Minha BV Phish 2019-11-27 (current_events.rules)
  2839661 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2019-11-27 (current_events.rules)
  2839662 - ETPRO CURRENT_EVENTS Successful Microsoft OneCall Phish 2019-11-27 (current_events.rules)
  2839663 - ETPRO CURRENT_EVENTS Successful 1&1 Hosting Phish 2019-11-27 (current_events.rules)
  2839664 - ETPRO CURRENT_EVENTS Successful State Employees Credit Union Phish 2019-11-27 (current_events.rules)
  2839665 - ETPRO CURRENT_EVENTS Successful Generic Session Expired Phish 2019-11-27 (current_events.rules)
  2839666 - ETPRO TROJAN Win32/Chapak Payload Request (trojan.rules)
  2839667 - ETPRO TROJAN Win32/Chapak Initial Response (trojan.rules)
  2839668 - ETPRO TROJAN Win32/Chapak Payload Downloaded (trojan.rules)
  2839669 - ETPRO TROJAN HorseHours Powershell Request (trojan.rules)
  2839670 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
  2839671 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2839676 - ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC) (trojan.rules)
  2839677 - ETPRO TROJAN Observed Malicious SSL Cert (Delf.BJP CnC) (trojan.rules)
  2839678 - ETPRO TROJAN Observed Malicious SSL Cert (Delf.BJP CnC) (trojan.rules)
  2839679 - ETPRO TROJAN Observed Malicious SSL Cert (Delf.BJP CnC) (trojan.rules)
  2839681 - ETPRO TROJAN Observed Malicious SSL Cert (SmokeLoader CnC) (trojan.rules)
  2839682 - ETPRO TROJAN Observed Malicious SSL Cert (Unk CnC - Targeted Phishing) (trojan.rules)
  2839685 - ETPRO MOBILE_MALWARE Android/Spy.Agent.APG CnC Beacon (mobile_malware.rules)
  2839686 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.Bulgok.a CnC Beacon (mobile_malware.rules)
  2839687 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Erop.a CnC Beacon (mobile_malware.rules)
  2839688 - ETPRO MOBILE_MALWARE Android.Trojan.FakeTelegram-6736160-2 CnC Beacon (mobile_malware.rules)
  2839691 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
  2839700 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Rootnik.k CnC Beacon (mobile_malware.rules)
  2839702 - ETPRO MOBILE_MALWARE Android Gustuff Header (mobile_malware.rules)
  2839714 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-12-03 (current_events.rules)
  2839715 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-12-03 (current_events.rules)
  2839716 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2019-12-03 (current_events.rules)
  2839717 - ETPRO CURRENT_EVENTS Successful Adobe Reader Phish 2019-12-03 (current_events.rules)
  2839718 - ETPRO CURRENT_EVENTS Successful Microsoft File Received Phish 2019-12-03 (current_events.rules)
  2845011 - ETPRO CURRENT_EVENTS Successful Office 365 Phish 2020-10-19 (current_events.rules)

[---]  Disabled and modified rules:  [---]

  2806297 - ETPRO POLICY InnoTools Downloader User-Agent (InnoTools Downloader) (policy.rules)
