[***]            Summary:            [***]

3 new OPEN, 22 new PRO (3 + 19). Goof Clipper, IcedID, CVE-2020-15906, Various Phishing, Suri5 Updates.

Thanks: @malware_traffic

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031130 - ET EXPLOIT TikiWiki CMS Authentication Bypass (Forced Blank
Admin Pass) Attempt Inbound (CVE-2020-15906) (exploit.rules)
  2031131 - ET TROJAN Win32/Ficker Stealer Activity M2 (trojan.rules)
  2031132 - ET TROJAN Win32/Ficker Stealer Activity M3 (trojan.rules)

Pro:

  2845204 - ETPRO MOBILE_MALWARE Android/TrojanDownloader.Agent.TB Checkin
(mobile_malware.rules)
  2845205 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Rotexy.f Checkin
(mobile_malware.rules)
  2845206 - ETPRO MALWARE OSX/Geonei.z Search Hijacker Checkin
(malware.rules)
  2845207 - ETPRO MALWARE OSX/MediaDownloader Adware Checkin (malware.rules)
  2845208 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-10-28 (current_events.rules)
  2845209 - ETPRO CURRENT_EVENTS Successful 3D Securecode Phish 2020-10-28
(current_events.rules)
  2845210 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-10-28 (current_events.rules)
  2845211 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-10-28
(current_events.rules)
  2845212 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-10-28
(current_events.rules)
  2845213 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-10-28
(current_events.rules)
  2845214 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-10-28
(current_events.rules)
  2845215 - ETPRO CURRENT_EVENTS Successful Swisscom Phish 2020-10-28
(current_events.rules)
  2845216 - ETPRO CURRENT_EVENTS Successful Fidelity Phish 2020-10-28
(current_events.rules)
  2845217 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-28 1) (trojan.rules)
  2845218 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-28 2) (trojan.rules)
  2845219 - ETPRO TROJAN Goof Clipper Checkin via Telegram (trojan.rules)
  2845220 - ETPRO TROJAN Win32/Remcos RAT Checkin 581 (trojan.rules)
  2845221 - ETPRO TROJAN Win32/Remcos RAT Checkin 582 (trojan.rules)
  2845222 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)

[///]     Modified active rules:     [///]

  2009220 - ET SCAN Tomcat upload from external source (scan.rules)
  2009516 - ET TROJAN Generic Win32.Autorun HTTP Post (trojan.rules)
  2009670 - ET WEB_SERVER Nagios statuswml.cgi Remote Arbitrary Shell
Command Injection attempt (web_server.rules)
  2009813 - ET TROJAN Trojan.MyDNS DNSChanger - HTTP POST (trojan.rules)
  2010439 - ET TROJAN Generic Trojan Checkin (UA VBTagEdit) (trojan.rules)
  2011825 - ET TROJAN MUROFET/Licat Trojan (trojan.rules)
  2012139 - ET TROJAN Storm/Waledac 3.0 Checkin 2 (trojan.rules)
  2013043 - ET POLICY Android.Plankton/Tonclank Successful Installation
Device Information POST Message Body (policy.rules)
  2013047 - ET TROJAN DonBot Checkin (trojan.rules)
  2013168 - ET TROJAN Generic Bot Checkin (trojan.rules)
  2013327 - ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC
Server (mobile_malware.rules)
  2013439 - ET TROJAN Dirt Jumper/Russkill3 Checkin (trojan.rules)
  2013441 - ET TROJAN EXE Download When Server Claims To Send Audio File -
Must Be Win32 (trojan.rules)
  2013488 - ET TROJAN Zeus Bot GET to Bing checking Internet connectivity
(trojan.rules)
  2013499 - ET POLICY IncrediMail Install Callback (policy.rules)
  2013536 - ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving Server IP
Addresses (trojan.rules)
  2013538 - ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving New Malware
>From Server (trojan.rules)
  2013539 - ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Server Checkin
(trojan.rules)
  2013668 - ET TROJAN Win32.Riberow.A (listdir) (trojan.rules)
  2013669 - ET TROJAN Win32.Riberow.A (mkdir) (trojan.rules)
  2013791 - ET SCAN Apache mod_proxy Reverse Proxy Exposure 1 (scan.rules)
  2014119 - ET TROJAN W32/Lici Initial Checkin (trojan.rules)
  2014269 - ET TROJAN Backdoor.Win32.RShot HTTP Checkin (trojan.rules)
  2014330 - ET TROJAN Kelihos/Hlux GET jucheck.exe from CnC (trojan.rules)
  2014542 - ET CURRENT_EVENTS TDS Sutra - redirect received
(current_events.rules)
  2014544 - ET CURRENT_EVENTS TDS Sutra - cookie set (current_events.rules)
  2014547 - ET CURRENT_EVENTS TDS Sutra - redirect received
(current_events.rules)
  2014548 - ET CURRENT_EVENTS TDS Sutra - cookie set (current_events.rules)
  2015504 - ET TROJAN ProxyBox - HTTP CnC - POST 1-letter.php (trojan.rules)
  2016452 - ET TROJAN WEBC2-CLOVER Checkin APT1 Related (trojan.rules)
  2016976 - ET CURRENT_EVENTS CoolEK Payload Download (9)
(current_events.rules)
  2017086 - ET WEB_SERVER WebShell - GODSpy - MySQL (web_server.rules)
  2017309 - ET TROJAN FortDisco Reporting Status (trojan.rules)
  2017520 - ET TROJAN Worm.VBS.ayr CnC command (is-enum-folder)
(trojan.rules)
  2017731 - ET CURRENT_EVENTS Possible Styx EK SilverLight Payload
(current_events.rules)
  2017787 - ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install
CnC Beacon (mobile_malware.rules)
  2018025 - ET MALWARE W32/BettrExperience.Adware POST Checkin
(malware.rules)
  2018026 - ET MALWARE W32/BettrExperience.Adware Update Checkin
(malware.rules)
  2018245 - ET TROJAN Gamut Spambot Checkin (trojan.rules)
  2018257 - ET TROJAN Gamut Spambot Checkin 2 (trojan.rules)
  2018640 - ET TROJAN Unknown Trojan with Fake Java User-Agent
(trojan.rules)
  2018650 - ET TROJAN Win32.Banload.BTQP Checkin 2 (trojan.rules)
  2018775 - ET TROJAN Dyreza RAT Fake Server Header (trojan.rules)
  2018793 - ET TROJAN EUPUDS.A Requests for Boleto replacement
 (trojan.rules)
  2018977 - ET DOS HOIC with booster outbound (dos.rules)
  2018978 - ET DOS HOIC with booster inbound (dos.rules)
  2019608 - ET TROJAN HB_Banker16 Get (trojan.rules)
  2020470 - ET TROJAN Dridex POST Retrieving Second Stage (trojan.rules)
  2021051 - ET TROJAN Linux.Mumblehard Initial Checkin (trojan.rules)
  2028963 - ET TROJAN DADJOKE/Rail Tycoon Initial Macro Execution
(trojan.rules)
  2029347 - ET TROJAN Possible Winnti DNS Lookup (trojan.rules)
  2029348 - ET TROJAN DonotGroup CnC Observed in DNS Query (trojan.rules)
  2029385 - ET TROJAN Observed Malicious SSL Cert (APT34 CnC) (trojan.rules)
  2029386 - ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC)
(trojan.rules)
  2029387 - ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC)
(trojan.rules)
  2029388 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)
(trojan.rules)
  2029389 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)
(trojan.rules)
  2029390 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)
(trojan.rules)
  2029391 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)
(trojan.rules)
  2029392 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)
(trojan.rules)
  2029401 - ET TROJAN Win32/AZORult V3.2 Client Checkin M1 (trojan.rules)
  2029402 - ET TROJAN Win32/AZORult V3.2 Client Checkin M2 (trojan.rules)
  2029403 - ET TROJAN Win32/AZORult V3.2 Client Checkin M3 (trojan.rules)
  2800914 - ETPRO TROJAN Trojan.Win32.Riancon.ae Checkin (trojan.rules)
  2800919 - ETPRO TROJAN Backdoor.MSIL.Noszbot Checkin POST (trojan.rules)
  2801172 - ETPRO TROJAN Trojan.Win32.Karagany Checkin (trojan.rules)
  2801254 - ETPRO TROJAN Backdoor.Win32.Zewit.A Activity (trojan.rules)
  2801286 - ETPRO TROJAN Trojan.Win32.Lodelit Checkin (trojan.rules)
  2801634 - ETPRO TROJAN Trojan.Win32.PassStealer.wx Checkin (trojan.rules)
  2802209 - ETPRO TROJAN Carberp Checkin first.php related (trojan.rules)
  2802848 - ETPRO TROJAN Backdoor.Win32.Qakbot.E (Initial Load)
(trojan.rules)
  2802863 - ETPRO TROJAN Win32.CashOn!IK Checkin (trojan.rules)
  2803201 - ETPRO TROJAN Win32.Antavmu.hsb Checkin (trojan.rules)
  2803263 - ETPRO TROJAN Trataps/Spy.win32.gen/CI.a Post Checkin
(trojan.rules)
  2803333 - ETPRO TROJAN Downloader.Win32.NSIS.hn Checkin (trojan.rules)
  2803338 - ETPRO TROJAN Autorun.ajbk/Alureon.J Checkin (trojan.rules)
  2803339 - ETPRO TROJAN Downloader.Win32.BaoFa.cfx checkin (trojan.rules)
  2803495 - ETPRO TROJAN Win32.Lexip Checkin (trojan.rules)
  2803502 - ETPRO TROJAN Virus.Win32.Sality.k Checkin (trojan.rules)
  2803616 - ETPRO TROJAN Trojan.Generic.5778957 Checkin (trojan.rules)
  2803619 - ETPRO TROJAN W32/Infostealer.A!Maximus Checkin (trojan.rules)
  2803684 - ETPRO WEB_CLIENT MPlayer for Windows Calloc Integer Overflow -
SET .qt (web_client.rules)
  2804018 - ETPRO TROJAN Variant.Graftor.1491 requesting exe (trojan.rules)
  2804054 - ETPRO TROJAN Tapaoux Initial Checkin (trojan.rules)
  2804095 - ETPRO TROJAN Win32/Virut.BN Download Set (trojan.rules)
  2804414 - ETPRO TROJAN TrojanDropper.Win32/Agent.KA Checkin (trojan.rules)
  2804429 - ETPRO TROJAN Backdoor.Win32/Kanav.A Checkin (trojan.rules)
  2804456 - ETPRO TROJAN
Trojan-Downloader.Win32.Adload.noq/Trojan.Win32.StartPage.fwx Checkin
(trojan.rules)
  2804482 - ETPRO TROJAN Trojan.PWS.SpySweep.271 Install (trojan.rules)
  2804882 - ETPRO TROJAN Win32/Waledac.R Retrieving exe file (trojan.rules)
  2805001 - ETPRO TROJAN HackTool.Win32.VKTools.na Checkin 3 (trojan.rules)
  2805231 - ETPRO TROJAN Worm.Win32/Taterf.B Checkin (trojan.rules)
  2805667 - ETPRO TROJAN Backdoor.Win32.Bredolab.absf Checkin (trojan.rules)
  2805969 - ETPRO TROJAN Backdoor.Win32.Oblivion reporting via ICQ WWW
script (trojan.rules)
  2806739 - ETPRO TROJAN Win32/Fabucks.A Checkin (trojan.rules)
  2806921 - ETPRO TROJAN Win32/Carberp.G Checkin (trojan.rules)
  2807392 - ETPRO TROJAN Banload Variant Checkin (trojan.rules)
  2808386 - ETPRO TROJAN Trojan.Win32.Generic.AtsI Checkin (trojan.rules)
  2808493 - ETPRO TROJAN Win32/Beastdoor.L sending infected IP address via
ICQ (trojan.rules)
  2808575 - ETPRO TROJAN Trojan.Graybird IP Check (trojan.rules)
  2808804 - ETPRO TROJAN Win32/Cendelf.gen!A www.163.com connectivity check
(trojan.rules)
  2808808 - ETPRO TROJAN Win32/ChkBot.A Checkin (trojan.rules)
  2808817 - ETPRO TROJAN Win32.Chifrax Variant C2 (trojan.rules)
  2809016 - ETPRO TROJAN Win32.Cosmu (trojan.rules)
  2809041 - ETPRO TROJAN Win32/CoinMiner.SO .exe download (trojan.rules)
  2809091 - ETPRO TROJAN Win32/RpcBrute.A CnC (trojan.rules)
  2809204 - ETPRO TROJAN Win32.Trojan.Win32.TravNet HTTP Checkin
(trojan.rules)
  2809405 - ETPRO TROJAN Win32.Spy.Banker.UAE Checkin (trojan.rules)
  2816665 - ETPRO INFO Fake Doc Request Retrieving MZ Payload (set)
(info.rules)
  2816666 - ETPRO INFO Fake Doc Request Retrieving MZ Payload (info.rules)
  2822753 - ETPRO CURRENT_EVENTS Successful Google Docs Phish M2 Oct 19
2016 (current_events.rules)
  2822893 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Oct 26
2016 (current_events.rules)
  2823266 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Nov 15
2016 (current_events.rules)
  2823401 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Nov 21 M1
2016 (current_events.rules)
  2823403 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Nov 21 M3
2016 (current_events.rules)
  2828629 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ff CnC Beacon
(mobile_malware.rules)
  2828634 - ETPRO MOBILE_MALWARE Android/SMSFlooder.Agent.BP CnC Beacon
(mobile_malware.rules)
  2828644 - ETPRO TROJAN Zebrocy Requesting Stage 2 Payload (trojan.rules)
  2828913 - ETPRO TROJAN WIN32/KOVTER.B Checkin 2 M3 (trojan.rules)
  2829537 - ETPRO TROJAN VBS.ARS Plugin Report (trojan.rules)
  2829538 - ETPRO TROJAN VBS.ARS Password Stealer Plugin Report
(trojan.rules)
  2829908 - ETPRO MOBILE_MALWARE Android.Styricka.GEN6254 Checkin
(mobile_malware.rules)
  2831402 - ETPRO TROJAN Win32/Predator The Thief CnC Checkin (trojan.rules)
  2840663 - ETPRO TROJAN StrongPity Host Checkin (trojan.rules)
  2840852 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound)
(trojan.rules)
  2840853 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2842311 - ETPRO TROJAN W32/TrojanDownloader.Agent.FCD CnC Activity
(trojan.rules)
  2843817 - ETPRO TROJAN Win32/Autoit.DZ CnC Activity (trojan.rules)
  2845015 - ETPRO EXPLOIT Possible RCE via IPv6 Router Advertisement
(BadNeighbor/CVE-2020-16898) (exploit.rules)

[---]  Disabled and modified rules:  [---]

  2009053 - ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote
File Inclusion (web_specific_apps.rules)
  2010009 - ET WEB_SPECIFIC_APPS Webmin Pre-1.290 Compromise Attempt
(web_specific_apps.rules)
  2010379 - ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (POST)
(web_server.rules)
  2010380 - ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (GET)
(web_server.rules)
  2010510 - ET WEB_SPECIFIC_APPS Possible OSSIM uniqueid Parameter Remote
Command Execution Attempt (web_specific_apps.rules)
  2013537 - ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving New IP
Addresses From Server (trojan.rules)
  2014113 - ET TROJAN Win32/Injector.MUD Variant Reporting (trojan.rules)
  2017368 - ET TROJAN Possible Avatar RootKit Yahoo Group Search
(trojan.rules)
  2017869 - ET TROJAN W32/Liftoh.Downloader Final.html Payload Request
(trojan.rules)
  2017999 - ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon
(mobile_malware.rules)
  2018123 - ET TROJAN Win32/Almanahe.B Checkin (trojan.rules)
  2018143 - ET TROJAN Backdoor.Win32.Popwin Checkin (trojan.rules)
  2018463 - ET TROJAN possible OneLouder header structure (trojan.rules)
  2018464 - ET TROJAN OneLouder EXE download possibly installing Zeus P2P
(trojan.rules)
  2021133 - ET TROJAN JavaScriptBackdoor HTTP POST CnC Beacon (trojan.rules)
  2021153 - ET TROJAN Wordpress Errorcontent CnC Beacon (trojan.rules)
  2803908 - ETPRO MOBILE_MALWARE LeNa Android CnC Command (StartDown)
(mobile_malware.rules)
  2804083 - ETPRO WEB_CLIENT Flash authoring tool Flex XSS attempt
(web_client.rules)
  2807401 - ETPRO TROJAN Trojan-Downloader.Win32.Banload.byyi Checkin
(trojan.rules)
  2822685 - ETPRO TROJAN TheTrick Banking Trojan Affiliate Download
(trojan.rules)
  2822734 - ETPRO TROJAN Win32/DNtoolz0.BR Checkin (trojan.rules)