[***] Summary: [***]
3 new OPEN, 22 new PRO (3 + 19). Goof Clipper, IcedID, CVE-2020-15906, Various Phishing, Suri5 Updates.
Thanks: @malware_traffic
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031130 - ET EXPLOIT TikiWiki CMS Authentication Bypass (Forced Blank Admin Pass) Attempt Inbound (CVE-2020-15906) (exploit.rules)
2031131 - ET TROJAN Win32/Ficker Stealer Activity M2 (trojan.rules)
2031132 - ET TROJAN Win32/Ficker Stealer Activity M3 (trojan.rules)
Pro:
2845204 - ETPRO MOBILE_MALWARE Android/TrojanDownloader.Agent.TB Checkin (mobile_malware.rules)
2845205 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Rotexy.f Checkin (mobile_malware.rules)
2845206 - ETPRO MALWARE OSX/Geonei.z Search Hijacker Checkin (malware.rules)
2845207 - ETPRO MALWARE OSX/MediaDownloader Adware Checkin (malware.rules)
2845208 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-10-28 (current_events.rules)
2845209 - ETPRO CURRENT_EVENTS Successful 3D Securecode Phish 2020-10-28 (current_events.rules)
2845210 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-10-28 (current_events.rules)
2845211 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-10-28 (current_events.rules)
2845212 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-10-28 (current_events.rules)
2845213 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-10-28 (current_events.rules)
2845214 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-10-28 (current_events.rules)
2845215 - ETPRO CURRENT_EVENTS Successful Swisscom Phish 2020-10-28 (current_events.rules)
2845216 - ETPRO CURRENT_EVENTS Successful Fidelity Phish 2020-10-28 (current_events.rules)
2845217 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-28 1) (trojan.rules)
2845218 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-28 2) (trojan.rules)
2845219 - ETPRO TROJAN Goof Clipper Checkin via Telegram (trojan.rules)
2845220 - ETPRO TROJAN Win32/Remcos RAT Checkin 581 (trojan.rules)
2845221 - ETPRO TROJAN Win32/Remcos RAT Checkin 582 (trojan.rules)
2845222 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
[///] Modified active rules: [///]
2009220 - ET SCAN Tomcat upload from external source (scan.rules)
2009516 - ET TROJAN Generic Win32.Autorun HTTP Post (trojan.rules)
2009670 - ET WEB_SERVER Nagios statuswml.cgi Remote Arbitrary Shell Command Injection attempt (web_server.rules)
2009813 - ET TROJAN Trojan.MyDNS DNSChanger - HTTP POST (trojan.rules)
2010439 - ET TROJAN Generic Trojan Checkin (UA VBTagEdit) (trojan.rules)
2011825 - ET TROJAN MUROFET/Licat Trojan (trojan.rules)
2012139 - ET TROJAN Storm/Waledac 3.0 Checkin 2 (trojan.rules)
2013043 - ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST Message Body (policy.rules)
2013047 - ET TROJAN DonBot Checkin (trojan.rules)
2013168 - ET TROJAN Generic Bot Checkin (trojan.rules)
2013327 - ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server (mobile_malware.rules)
2013439 - ET TROJAN Dirt Jumper/Russkill3 Checkin (trojan.rules)
2013441 - ET TROJAN EXE Download When Server Claims To Send Audio File - Must Be Win32 (trojan.rules)
2013488 - ET TROJAN Zeus Bot GET to Bing checking Internet connectivity (trojan.rules)
2013499 - ET POLICY IncrediMail Install Callback (policy.rules)
2013536 - ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving Server IP Addresses (trojan.rules)
2013538 - ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving New Malware From Server (trojan.rules)
2013539 - ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Server Checkin (trojan.rules)
2013668 - ET TROJAN Win32.Riberow.A (listdir) (trojan.rules)
2013669 - ET TROJAN Win32.Riberow.A (mkdir) (trojan.rules)
2013791 - ET SCAN Apache mod_proxy Reverse Proxy Exposure 1 (scan.rules)
2014119 - ET TROJAN W32/Lici Initial Checkin (trojan.rules)
2014269 - ET TROJAN Backdoor.Win32.RShot HTTP Checkin (trojan.rules)
2014330 - ET TROJAN Kelihos/Hlux GET jucheck.exe from CnC (trojan.rules)
2014542 - ET CURRENT_EVENTS TDS Sutra - redirect received (current_events.rules)
2014544 - ET CURRENT_EVENTS TDS Sutra - cookie set (current_events.rules)
2014547 - ET CURRENT_EVENTS TDS Sutra - redirect received (current_events.rules)
2014548 - ET CURRENT_EVENTS TDS Sutra - cookie set (current_events.rules)
2015504 - ET TROJAN ProxyBox - HTTP CnC - POST 1-letter.php (trojan.rules)
2016452 - ET TROJAN WEBC2-CLOVER Checkin APT1 Related (trojan.rules)
2016976 - ET CURRENT_EVENTS CoolEK Payload Download (9) (current_events.rules)
2017086 - ET WEB_SERVER WebShell - GODSpy - MySQL (web_server.rules)
2017309 - ET TROJAN FortDisco Reporting Status (trojan.rules)
2017520 - ET TROJAN Worm.VBS.ayr CnC command (is-enum-folder) (trojan.rules)
2017731 - ET CURRENT_EVENTS Possible Styx EK SilverLight Payload (current_events.rules)
2017787 - ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install CnC Beacon (mobile_malware.rules)
2018025 - ET MALWARE W32/BettrExperience.Adware POST Checkin (malware.rules)
2018026 - ET MALWARE W32/BettrExperience.Adware Update Checkin (malware.rules)
2018245 - ET TROJAN Gamut Spambot Checkin (trojan.rules)
2018257 - ET TROJAN Gamut Spambot Checkin 2 (trojan.rules)
2018640 - ET TROJAN Unknown Trojan with Fake Java User-Agent (trojan.rules)
2018650 - ET TROJAN Win32.Banload.BTQP Checkin 2 (trojan.rules)
2018775 - ET TROJAN Dyreza RAT Fake Server Header (trojan.rules)
2018793 - ET TROJAN EUPUDS.A Requests for Boleto replacement (trojan.rules)
2018977 - ET DOS HOIC with booster outbound (dos.rules)
2018978 - ET DOS HOIC with booster inbound (dos.rules)
2019608 - ET TROJAN HB_Banker16 Get (trojan.rules)
2020470 - ET TROJAN Dridex POST Retrieving Second Stage (trojan.rules)
2021051 - ET TROJAN Linux.Mumblehard Initial Checkin (trojan.rules)
2028963 - ET TROJAN DADJOKE/Rail Tycoon Initial Macro Execution (trojan.rules)
2029347 - ET TROJAN Possible Winnti DNS Lookup (trojan.rules)
2029348 - ET TROJAN DonotGroup CnC Observed in DNS Query (trojan.rules)
2029385 - ET TROJAN Observed Malicious SSL Cert (APT34 CnC) (trojan.rules)
2029386 - ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC) (trojan.rules)
2029387 - ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC) (trojan.rules)
2029388 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) (trojan.rules)
2029389 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) (trojan.rules)
2029390 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) (trojan.rules)
2029391 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) (trojan.rules)
2029392 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) (trojan.rules)
2029401 - ET TROJAN Win32/AZORult V3.2 Client Checkin M1 (trojan.rules)
2029402 - ET TROJAN Win32/AZORult V3.2 Client Checkin M2 (trojan.rules)
2029403 - ET TROJAN Win32/AZORult V3.2 Client Checkin M3 (trojan.rules)
2800914 - ETPRO TROJAN Trojan.Win32.Riancon.ae Checkin (trojan.rules)
2800919 - ETPRO TROJAN Backdoor.MSIL.Noszbot Checkin POST (trojan.rules)
2801172 - ETPRO TROJAN Trojan.Win32.Karagany Checkin (trojan.rules)
2801254 - ETPRO TROJAN Backdoor.Win32.Zewit.A Activity (trojan.rules)
2801286 - ETPRO TROJAN Trojan.Win32.Lodelit Checkin (trojan.rules)
2801634 - ETPRO TROJAN Trojan.Win32.PassStealer.wx Checkin (trojan.rules)
2802209 - ETPRO TROJAN Carberp Checkin first.php related (trojan.rules)
2802848 - ETPRO TROJAN Backdoor.Win32.Qakbot.E (Initial Load) (trojan.rules)
2802863 - ETPRO TROJAN Win32.CashOn!IK Checkin (trojan.rules)
2803201 - ETPRO TROJAN Win32.Antavmu.hsb Checkin (trojan.rules)
2803263 - ETPRO TROJAN Trataps/Spy.win32.gen/CI.a Post Checkin (trojan.rules)
2803333 - ETPRO TROJAN Downloader.Win32.NSIS.hn Checkin (trojan.rules)
2803338 - ETPRO TROJAN Autorun.ajbk/Alureon.J Checkin (trojan.rules)
2803339 - ETPRO TROJAN Downloader.Win32.BaoFa.cfx checkin (trojan.rules)
2803495 - ETPRO TROJAN Win32.Lexip Checkin (trojan.rules)
2803502 - ETPRO TROJAN Virus.Win32.Sality.k Checkin (trojan.rules)
2803616 - ETPRO TROJAN Trojan.Generic.5778957 Checkin (trojan.rules)
2803619 - ETPRO TROJAN W32/Infostealer.A!Maximus Checkin (trojan.rules)
2803684 - ETPRO WEB_CLIENT MPlayer for Windows Calloc Integer Overflow - SET .qt (web_client.rules)
2804018 - ETPRO TROJAN Variant.Graftor.1491 requesting exe (trojan.rules)
2804054 - ETPRO TROJAN Tapaoux Initial Checkin (trojan.rules)
2804095 - ETPRO TROJAN Win32/Virut.BN Download Set (trojan.rules)
2804414 - ETPRO TROJAN TrojanDropper.Win32/Agent.KA Checkin (trojan.rules)
2804429 - ETPRO TROJAN Backdoor.Win32/Kanav.A Checkin (trojan.rules)
2804456 - ETPRO TROJAN Trojan-Downloader.Win32.Adload.noq/Trojan.Win32.StartPage.fwx Checkin (trojan.rules)
2804482 - ETPRO TROJAN Trojan.PWS.SpySweep.271 Install (trojan.rules)
2804882 - ETPRO TROJAN Win32/Waledac.R Retrieving exe file (trojan.rules)
2805001 - ETPRO TROJAN HackTool.Win32.VKTools.na Checkin 3 (trojan.rules)
2805231 - ETPRO TROJAN Worm.Win32/Taterf.B Checkin (trojan.rules)
2805667 - ETPRO TROJAN Backdoor.Win32.Bredolab.absf Checkin (trojan.rules)
2805969 - ETPRO TROJAN Backdoor.Win32.Oblivion reporting via ICQ WWW script (trojan.rules)
2806739 - ETPRO TROJAN Win32/Fabucks.A Checkin (trojan.rules)
2806921 - ETPRO TROJAN Win32/Carberp.G Checkin (trojan.rules)
2807392 - ETPRO TROJAN Banload Variant Checkin (trojan.rules)
2808386 - ETPRO TROJAN Trojan.Win32.Generic.AtsI Checkin (trojan.rules)
2808493 - ETPRO TROJAN Win32/Beastdoor.L sending infected IP address via ICQ (trojan.rules)
2808575 - ETPRO TROJAN Trojan.Graybird IP Check (trojan.rules)
2808804 - ETPRO TROJAN Win32/Cendelf.gen!A www.163.com connectivity check (trojan.rules)
2808808 - ETPRO TROJAN Win32/ChkBot.A Checkin (trojan.rules)
2808817 - ETPRO TROJAN Win32.Chifrax Variant C2 (trojan.rules)
2809016 - ETPRO TROJAN Win32.Cosmu (trojan.rules)
2809041 - ETPRO TROJAN Win32/CoinMiner.SO .exe download (trojan.rules)
2809091 - ETPRO TROJAN Win32/RpcBrute.A CnC (trojan.rules)
2809204 - ETPRO TROJAN Win32.Trojan.Win32.TravNet HTTP Checkin (trojan.rules)
2809405 - ETPRO TROJAN Win32.Spy.Banker.UAE Checkin (trojan.rules)
2816665 - ETPRO INFO Fake Doc Request Retrieving MZ Payload (set) (info.rules)
2816666 - ETPRO INFO Fake Doc Request Retrieving MZ Payload (info.rules)
2822753 - ETPRO CURRENT_EVENTS Successful Google Docs Phish M2 Oct 19 2016 (current_events.rules)
2822893 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Oct 26 2016 (current_events.rules)
2823266 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Nov 15 2016 (current_events.rules)
2823401 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Nov 21 M1 2016 (current_events.rules)
2823403 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Nov 21 M3 2016 (current_events.rules)
2828629 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ff CnC Beacon (mobile_malware.rules)
2828634 - ETPRO MOBILE_MALWARE Android/SMSFlooder.Agent.BP CnC Beacon (mobile_malware.rules)
2828644 - ETPRO TROJAN Zebrocy Requesting Stage 2 Payload (trojan.rules)
2828913 - ETPRO TROJAN WIN32/KOVTER.B Checkin 2 M3 (trojan.rules)
2829537 - ETPRO TROJAN VBS.ARS Plugin Report (trojan.rules)
2829538 - ETPRO TROJAN VBS.ARS Password Stealer Plugin Report (trojan.rules)
2829908 - ETPRO MOBILE_MALWARE Android.Styricka.GEN6254 Checkin (mobile_malware.rules)
2831402 - ETPRO TROJAN Win32/Predator The Thief CnC Checkin (trojan.rules)
2840663 - ETPRO TROJAN StrongPity Host Checkin (trojan.rules)
2840852 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
2840853 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
2842311 - ETPRO TROJAN W32/TrojanDownloader.Agent.FCD CnC Activity (trojan.rules)
2843817 - ETPRO TROJAN Win32/Autoit.DZ CnC Activity (trojan.rules)
2845015 - ETPRO EXPLOIT Possible RCE via IPv6 Router Advertisement (BadNeighbor/CVE-2020-16898) (exploit.rules)
[---] Disabled and modified rules: [---]
2009053 - ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote File Inclusion (web_specific_apps.rules)
2010009 - ET WEB_SPECIFIC_APPS Webmin Pre-1.290 Compromise Attempt (web_specific_apps.rules)
2010379 - ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (POST) (web_server.rules)
2010380 - ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (GET) (web_server.rules)
2010510 - ET WEB_SPECIFIC_APPS Possible OSSIM uniqueid Parameter Remote Command Execution Attempt (web_specific_apps.rules)
2013537 - ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving New IP Addresses From Server (trojan.rules)
2014113 - ET TROJAN Win32/Injector.MUD Variant Reporting (trojan.rules)
2017368 - ET TROJAN Possible Avatar RootKit Yahoo Group Search (trojan.rules)
2017869 - ET TROJAN W32/Liftoh.Downloader Final.html Payload Request (trojan.rules)
2017999 - ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon (mobile_malware.rules)
2018123 - ET TROJAN Win32/Almanahe.B Checkin (trojan.rules)
2018143 - ET TROJAN Backdoor.Win32.Popwin Checkin (trojan.rules)
2018463 - ET TROJAN possible OneLouder header structure (trojan.rules)
2018464 - ET TROJAN OneLouder EXE download possibly installing Zeus P2P (trojan.rules)
2021133 - ET TROJAN JavaScriptBackdoor HTTP POST CnC Beacon (trojan.rules)
2021153 - ET TROJAN Wordpress Errorcontent CnC Beacon (trojan.rules)
2803908 - ETPRO MOBILE_MALWARE LeNa Android CnC Command (StartDown) (mobile_malware.rules)
2804083 - ETPRO WEB_CLIENT Flash authoring tool Flex XSS attempt (web_client.rules)
2807401 - ETPRO TROJAN Trojan-Downloader.Win32.Banload.byyi Checkin (trojan.rules)
2822685 - ETPRO TROJAN TheTrick Banking Trojan Affiliate Download (trojan.rules)
2822734 - ETPRO TROJAN Win32/DNtoolz0.BR Checkin (trojan.rules)