Daily Ruleset Update Summary
Daily Ruleset Update Summary 2020/10/23

[***]            Summary:            [***]

11 new OPEN, 40 new PRO (11 + 29).  MSIL/SilentHunter, Osno, Various Phish, Others.

Thanks: @jstrosch, @travisbgreen.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031086 - ET CURRENT_EVENTS Outlook Phishing Landing 2020-10-23
(current_events.rules)
  2031087 - ET POLICY PCHunter Download Observed (policy.rules)
  2031088 - ET INFO Request to .XYZ Domain with Minimal Headers (info.rules)
  2031089 - ET INFO Request to .TOP Domain with Minimal Headers (info.rules)
  2031090 - ET INFO Request to 000webhostapp Domain with Minimal
Headers (info.rules)
  2031091 - ET INFO Request to .ML Domain with Minimal Headers (info.rules)
  2031092 - ET INFO Request to .CF Domain with Minimal Headers (info.rules)
  2031093 - ET INFO Request to .GQ Domain with Minimal Headers (info.rules)
  2031094 - ET INFO Request to .TK Domain with Minimal Headers (info.rules)
  2031095 - ET INFO Request to .GA Domain with Minimal Headers (info.rules)
  2031096 - ET TROJAN Win32/Spy.Pavica.FH Variant CnC Activity (trojan.rules)

Pro:

  2845109 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BJD Checkin
(mobile_malware.rules)
  2845110 - ETPRO CURRENT_EVENTS Successful Generic Credit Card
Information Phish 2020-10-23 (current_events.rules)
  2845111 - ETPRO CURRENT_EVENTS Successful Generic Credit Card
Information Phish 2020-10-23 (current_events.rules)
  2845112 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish
2020-10-23 (current_events.rules)
  2845113 - ETPRO CURRENT_EVENTS Successful Navy Federal Credit Union
Phish 2020-10-23 (current_events.rules)
  2845114 - ETPRO CURRENT_EVENTS Successful Yodobashi Phish 2020-10-23
(current_events.rules)
  2845115 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-10-23
(current_events.rules)
  2845116 - ETPRO CURRENT_EVENTS Successful Generic Multibrand Phish
2020-10-23 (current_events.rules)
  2845117 - ETPRO CURRENT_EVENTS Successful Made in China Phish
2020-10-23 (current_events.rules)
  2845118 - ETPRO TROJAN MSIL/SilentHunter CnC Activity (trojan.rules)
  2845119 - ETPRO TROJAN MSIL/SilentHunter CnC Exfil Activity (trojan.rules)
  2845120 - ETPRO TROJAN MSIL/SilentHunter Data Exfil (trojan.rules)
  2845121 - ETPRO CURRENT_EVENTS Successful Microsoft Voicemail Phish
2020-10-23 (current_events.rules)
  2845122 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish
2020-10-23 (current_events.rules)
  2845123 - ETPRO CURRENT_EVENTS Successful Ionos Phish 2020-10-23
(current_events.rules)
  2845124 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-23 1) (trojan.rules)
  2845125 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-23 2) (trojan.rules)
  2845126 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-23 3) (trojan.rules)
  2845127 - ETPRO CURRENT_EVENTS Successful Generic Phish (302)
2020-10-23 (current_events.rules)
  2845128 - ETPRO CURRENT_EVENTS Successful Generic Phish (302)
2020-10-23 (current_events.rules)
  2845129 - ETPRO CURRENT_EVENTS Successful Generic Phish (302)
2020-10-23 (current_events.rules)
  2845130 - ETPRO CURRENT_EVENTS Successful Generic Phish (302)
2020-10-23 (current_events.rules)
  2845131 - ETPRO CURRENT_EVENTS Successful Generic Phish (302)
2020-10-23 (current_events.rules)
  2845132 - ETPRO CURRENT_EVENTS Successful Generic Phish (302)
2020-10-23 (current_events.rules)
  2845133 - ETPRO TROJAN Osno CnC Exfil Activity (trojan.rules)
  2845134 - ETPRO TROJAN Osno CnC Activity (trojan.rules)
  2845135 - ETPRO TROJAN Revil Ransomware .onion Proxy Domain (trojan.rules)
  2845136 - ETPRO TROJAN Win32/Agent.65CA!tr Checkin Activity (trojan.rules)
  2845137 - ETPRO CURRENT_EVENTS Successful Royal Bank of Canada Phish
2020-10-23 (current_events.rules)

[///]     Modified active rules:     [///]

  2011588 - ET TROJAN Zeus Bot Connectivity Check (trojan.rules)
  2018886 - ET TROJAN Windows TaskList Microsoft Windows DOS prompt
command exit OUTBOUND (trojan.rules)
  2027120 - ET TROJAN ELF/Mirai Variant UA Inbound (Rift) (trojan.rules)
  2027122 - ET TROJAN ELF/Mirai Variant UA Inbound (Tsunami) (trojan.rules)
  2027124 - ET TROJAN ELF/Mirai Variant UA Inbound (Yowai) (trojan.rules)
  2027126 - ET TROJAN ELF/Mirai Variant UA Inbound (Yakuza) (trojan.rules)
  2027128 - ET TROJAN ELF/Mirai Variant UA Inbound (Hentai) (trojan.rules)
  2027130 - ET TROJAN ELF/Mirai Variant UA Inbound (lessie) (trojan.rules)
  2027132 - ET TROJAN ELF/Mirai Variant UA Inbound (Cakle) (trojan.rules)
  2027134 - ET TROJAN ELF/Mirai Variant UA Inbound (Damien) (trojan.rules)
  2027136 - ET TROJAN ELF/Mirai Variant UA Inbound (Solar) (trojan.rules)
  2027138 - ET TROJAN ELF/Mirai Variant UA Inbound (muhstik) (trojan.rules)
  2027140 - ET TROJAN ELF/Mirai Variant UA Inbound (Shaolin) (trojan.rules)
  2028989 - ET TROJAN ELF/Mirai Variant UA Outbound (ph0ne) (trojan.rules)
  2029015 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029016 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029017 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029018 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029019 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029020 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029021 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029023 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029024 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029026 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029027 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029028 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029029 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029030 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029031 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029032 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029033 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029035 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029036 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029038 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029047 - ET TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
  2029048 - ET TROJAN Observed Malicious SSL Cert (ACBackdoor CnC)
(trojan.rules)
  2029049 - ET TROJAN Observed Malicious SSL Cert (ACBackdoor CnC)
(trojan.rules)
  2029050 - ET TROJAN Observed Malicious SSL Cert (Possible Godlua
CnC) (trojan.rules)
  2029051 - ET POLICY Observed SSL Cert (DoH Service) (policy.rules)
  2029053 - ET TROJAN SSL/TLS Certificate Observed (Various Crimeware)
(trojan.rules)
  2029054 - ET SCAN Zmap User-Agent (Inbound) (scan.rules)
  2029061 - ET TROJAN Legion Loader Activity Observed (Mylegion666)
(trojan.rules)
  2029062 - ET TROJAN Legion Loader Activity Observed (YourUserAgent)
(trojan.rules)
  2029063 - ET TROJAN Legion Loader Activity Observed
(salmonella-symptome) (trojan.rules)
  2029064 - ET TROJAN Legion Loader Activity Observed (suspira) (trojan.rules)
  2029065 - ET TROJAN Legion Loader Activity Observed (lilith) (trojan.rules)
  2029066 - ET TROJAN Legion Loader Activity Observed (legion) (trojan.rules)
  2029067 - ET TROJAN Legion Loader Activity Observed (the devil) (trojan.rules)
  2029068 - ET TROJAN Legion Loader Activity Observed (trojan.rules)
  2029069 - ET TROJAN Legion Loader Activity Observed (Amen) (trojan.rules)
  2029070 - ET TROJAN Legion Loader Activity Observed (satan) (trojan.rules)
  2029071 - ET TROJAN Legion Loader Activity Observed (neva-project)
(trojan.rules)
  2029072 - ET TROJAN SSL/TLS Certificate Observed (Magecart) (trojan.rules)
  2029073 - ET WEB_CLIENT Possible Magecart Credit Card Information JS
Script (web_client.rules)
  2029074 - ET TROJAN Magecart CnC Domain Observed in DNS Query (trojan.rules)
  2834242 - ETPRO MOBILE_MALWARE Android.Trojan.FakeApp.EV Checkin
(mobile_malware.rules)
  2839239 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2839240 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
  2839468 - ETPRO TROJAN Observed ELF/Mirai Variant UA Inbound (ph0ne)
(trojan.rules)
  2839514 - ETPRO TROJAN W32/Kanatara CnC Activity (trojan.rules)
  2839542 - ETPRO CURRENT_EVENTS Successful SMBC Phish 2019-11-21
(current_events.rules)
  2839543 - ETPRO CURRENT_EVENTS Successful Office 365 Phish
2019-11-21 (current_events.rules)
  2839544 - ETPRO CURRENT_EVENTS Successful Binance Phish 2019-11-21
(current_events.rules)
  2839545 - ETPRO CURRENT_EVENTS Successful Caixa Bank Phish
2019-11-21 (current_events.rules)
  2839546 - ETPRO CURRENT_EVENTS Successful Caixa Bank Phish
2019-11-21 (current_events.rules)
  2839547 - ETPRO CURRENT_EVENTS Successful Caixa Bank Phish
2019-11-21 (current_events.rules)
  2839548 - ETPRO CURRENT_EVENTS Successful Adobe PDF Cloud Phish
2019-11-21 (current_events.rules)
  2839549 - ETPRO CURRENT_EVENTS Evil Keitaro Set-Cookie Inbound
(aef4f) (current_events.rules)
  2839560 - ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC)
(trojan.rules)
  2839561 - ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC)
(trojan.rules)
  2839562 - ETPRO TROJAN Observed Malicious SSL Cert (SmokeLoader CnC)
(trojan.rules)
  2839572 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.MobOk.pac Checkin
(mobile_malware.rules)
  2839573 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.MobOk.pac CnC Beacon
(mobile_malware.rules)
  2839574 - ETPRO MOBILE_MALWARE Andr/PornClk-AR Checkin (mobile_malware.rules)
  2839575 - ETPRO MOBILE_MALWARE AndroidOS.Bookoloid Geo
Location/Device Info Exfil (mobile_malware.rules)
  2839576 - ETPRO MOBILE_MALWARE Riskware.AndroidOS.Hamiraca
Device/Debug Info Exfil (mobile_malware.rules)
  2839577 - ETPRO MOBILE_MALWARE
Trojan-Downloader.AndroidOS.Guerrila.j Checkin (mobile_malware.rules)
  2839583 - ETPRO CURRENT_EVENTS Successful GMX Phish 2019-11-22
(current_events.rules)
  2839584 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-11-22
(current_events.rules)
  2839585 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-11-22
(current_events.rules)
  2839586 - ETPRO CURRENT_EVENTS Successful Banco Inter Phish
2019-11-22 (current_events.rules)
  2839587 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish
2019-11-22 (current_events.rules)
  2839588 - ETPRO CURRENT_EVENTS Successful Generic Credit Card
Information Phish 2019-11-22 (current_events.rules)
  2839589 - ETPRO CURRENT_EVENTS Successful Amazon Phish 2019-11-22
(current_events.rules)
  2839590 - ETPRO CURRENT_EVENTS Successful Rabobank Phish 2019-11-22
(current_events.rules)
  2839591 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish
2019-11-22 (current_events.rules)
  2839592 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish
2019-11-22 (current_events.rules)
  2839601 - ETPRO CURRENT_EVENTS Evil Keitaro Set-Cookie Inbound
(eccc8) (current_events.rules)
  2839602 - ETPRO CURRENT_EVENTS Successful Plenty of Fish Phish
2019-11-25 (current_events.rules)
  2839603 - ETPRO CURRENT_EVENTS Successful Office 365 Phish
2019-11-25 (current_events.rules)
  2839604 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2019-11-25 (current_events.rules)
  2839605 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2019-11-25 (current_events.rules)
  2839606 - ETPRO CURRENT_EVENTS Successful BECU Phish 2019-11-25
(current_events.rules)
  2839607 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish
2019-11-25 (current_events.rules)
  2839608 - ETPRO CURRENT_EVENTS Successful EMS High Speed Mail Phish
2019-11-25 (current_events.rules)
  2839609 - ETPRO CURRENT_EVENTS Successful Generic Account Recovery
Phish 2019-11-25 (current_events.rules)
  2839610 - ETPRO CURRENT_EVENTS Successful Commonwealth Bank Phish
2019-11-25 (current_events.rules)
  2839611 - ETPRO CURRENT_EVENTS Successful Commonwealth Bank Phish
2019-11-25 (current_events.rules)
  2839612 - ETPRO CURRENT_EVENTS Successful Commonwealth Bank Phish
2019-11-25 (current_events.rules)
  2839613 - ETPRO TROJAN DustSquad/Octopus CnC Initial Check M1 (trojan.rules)
  2839614 - ETPRO TROJAN DustSquad/Octopus CnC Initial Check M2 (trojan.rules)
  2839615 - ETPRO TROJAN DustSquad/Octopus CnC Initial Server Request
M1 (trojan.rules)
  2839616 - ETPRO TROJAN DustSquad/Octopus CnC Initial Server Request
M2 (trojan.rules)
  2839617 - ETPRO TROJAN DustSquad/Octopus CnC Host Checkin M2 (trojan.rules)
  2839618 - ETPRO TROJAN DustSquad/Octopus CnC Host Checkin M1 (trojan.rules)
  2839620 - ETPRO TROJAN DustSquad/Octopus CnC Activity (trojan.rules)
  2839637 - ETPRO CURRENT_EVENTS Successful Excel Online Phish
2019-11-26 (current_events.rules)
  2839639 - ETPRO CURRENT_EVENTS Successful Pagseguro UOL Phish
2019-11-26 (current_events.rules)
  2839640 - ETPRO CURRENT_EVENTS Successful Pagseguro UOL Phish
2019-11-26 (current_events.rules)
  2839641 - ETPRO CURRENT_EVENTS Successful BCP Phish 2019-11-26
(current_events.rules)
  2839642 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-11-26
(current_events.rules)
  2839643 - ETPRO CURRENT_EVENTS Successful Snapchat Phish 2019-11-26
(current_events.rules)
  2839644 - ETPRO CURRENT_EVENTS Successful Santander Phish 2019-11-26
(current_events.rules)
  2839645 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
  2839646 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2839647 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
  2839648 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2839654 - ETPRO MOBILE_MALWARE Android/Agent.BNX Checkin
(mobile_malware.rules)
  2839659 - ETPRO CURRENT_EVENTS Successful Minha BV Phish 2019-11-27
(current_events.rules)
  2839660 - ETPRO CURRENT_EVENTS Successful Minha BV Phish 2019-11-27
(current_events.rules)
  2839661 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2019-11-27
(current_events.rules)
  2839662 - ETPRO CURRENT_EVENTS Successful Microsoft OneCall Phish
2019-11-27 (current_events.rules)
  2839663 - ETPRO CURRENT_EVENTS Successful 1&1 Hosting Phish
2019-11-27 (current_events.rules)
  2839664 - ETPRO CURRENT_EVENTS Successful State Employees Credit
Union Phish 2019-11-27 (current_events.rules)
  2839665 - ETPRO CURRENT_EVENTS Successful Generic Session Expired
Phish 2019-11-27 (current_events.rules)
  2839666 - ETPRO TROJAN Win32/Chapak Payload Request (trojan.rules)
  2839667 - ETPRO TROJAN Win32/Chapak Initial Response (trojan.rules)
  2839668 - ETPRO TROJAN Win32/Chapak Payload Downloaded (trojan.rules)
  2839669 - ETPRO TROJAN HorseHours Powershell Request (trojan.rules)
  2839670 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
  2839671 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2839676 - ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC)
(trojan.rules)
  2839677 - ETPRO TROJAN Observed Malicious SSL Cert (Delf.BJP CnC)
(trojan.rules)
  2839678 - ETPRO TROJAN Observed Malicious SSL Cert (Delf.BJP CnC)
(trojan.rules)
  2839679 - ETPRO TROJAN Observed Malicious SSL Cert (Delf.BJP CnC)
(trojan.rules)
  2839681 - ETPRO TROJAN Observed Malicious SSL Cert (SmokeLoader CnC)
(trojan.rules)
  2839682 - ETPRO TROJAN Observed Malicious SSL Cert (Unk CnC -
Targeted Phishing) (trojan.rules)
  2839685 - ETPRO MOBILE_MALWARE Android/Spy.Agent.APG CnC Beacon
(mobile_malware.rules)
  2839686 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.Bulgok.a CnC Beacon
(mobile_malware.rules)
  2839687 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Erop.a CnC
Beacon (mobile_malware.rules)
  2839688 - ETPRO MOBILE_MALWARE Android.Trojan.FakeTelegram-6736160-2
CnC Beacon (mobile_malware.rules)
  2839691 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
  2839700 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Rootnik.k CnC Beacon
(mobile_malware.rules)
  2839702 - ETPRO MOBILE_MALWARE Android Gustuff Header (mobile_malware.rules)
  2839714 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2019-12-03 (current_events.rules)
  2839715 - ETPRO CURRENT_EVENTS Successful Generic Credit Card
Information Phish 2019-12-03 (current_events.rules)
  2839716 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish
2019-12-03 (current_events.rules)
  2839717 - ETPRO CURRENT_EVENTS Successful Adobe Reader Phish
2019-12-03 (current_events.rules)
  2839718 - ETPRO CURRENT_EVENTS Successful Microsoft File Received
Phish 2019-12-03 (current_events.rules)
  2845011 - ETPRO CURRENT_EVENTS Successful Office 365 Phish
2020-10-19 (current_events.rules)

[---]  Disabled and modified rules:  [---]

  2806297 - ETPRO POLICY InnoTools Downloader User-Agent (InnoTools
Downloader) (policy.rules)

Date:
Summary title:
11 new OPEN, 40 new PRO (11 + 29). MSIL/SilentHunter, Osno, Various Phish, Others.