[***] Summary: [***]
10 new OPEN, 33 new PRO (10 + 23). UNC1878 Cobalt Strike Certs, HeavenWard Keylogger, Parallax, Various Phishing, Suri5 Updates.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031133 - ET TROJAN Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound
(lol) (trojan.rules)
2031134 - ET TROJAN Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound
(office) (trojan.rules)
2031135 - ET TROJAN Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound
(Texsa) (trojan.rules)
2031136 - ET TROJAN Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound
(Mountainvew) (trojan.rules)
2031137 - ET TROJAN ComRAT CnC Domain in DNS Lookup (trojan.rules)
2031138 - ET TROJAN ComRAT CnC Domain in DNS Lookup (trojan.rules)
2031139 - ET TROJAN ComRAT CnC Domain in DNS Lookup (trojan.rules)
2031140 - ET TROJAN ComRAT CnC Domain in DNS Lookup (trojan.rules)
2031141 - ET TROJAN ComRAT CnC Domain in DNS Lookup (trojan.rules)
2031142 - ET TROJAN ComRAT CnC Domain in DNS Lookup (trojan.rules)
Pro:
2845223 - ETPRO MOBILE_MALWARE Android/Clicker.KN Checkin
(mobile_malware.rules)
2845224 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.DQW Checkin
(mobile_malware.rules)
2845225 - ETPRO POLICY Observed External IP Lookup Domain in TLS SNI (api
.myip .com) (policy.rules)
2845226 - ETPRO TROJAN Win32/Ymacco.AAD1 CnC Activity (trojan.rules)
2845227 - ETPRO TROJAN HeavenWard Keylogger Install Activity
(trojan.rules)
2845228 - ETPRO USER_AGENTS non-standard wget User-Agent
(user_agents.rules)
2845229 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-29 1) (trojan.rules)
2845230 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-29 2) (trojan.rules)
2845231 - ETPRO TROJAN Win32/GoDeep6 CnC Host Checkin (trojan.rules)
2845232 - ETPRO CURRENT_EVENTS Successful NatWest Phish 2020-10-29
(current_events.rules)
2845233 - ETPRO CURRENT_EVENTS Successful Swisscom Phish 2020-10-29
(current_events.rules)
2845234 - ETPRO CURRENT_EVENTS Successful Microsoft Voicemail Phish
2020-10-29 (current_events.rules)
2845235 - ETPRO TROJAN Parallax CnC Activity (set) M13 (trojan.rules)
2845236 - ETPRO TROJAN Parallax CnC Response Activity M13 (trojan.rules)
2845237 - ETPRO TROJAN Parallax CnC Activity (set) M12 (trojan.rules)
2845238 - ETPRO TROJAN Parallax CnC Response Activity M12 (trojan.rules)
2845239 - ETPRO TROJAN Win32/Remcos RAT Checkin 583 (trojan.rules)
2845240 - ETPRO TROJAN Win32/Remcos RAT Checkin 584 (trojan.rules)
2845241 - ETPRO TROJAN Win32/Remcos RAT Checkin 585 (trojan.rules)
2845242 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2845243 - ETPRO TROJAN Netwire Variant Activity (trojan.rules)
2845244 - ETPRO TROJAN Win32/Occamy.C17 Activity (trojan.rules)
2845245 - ETPRO TROJAN Bazaloader CnC Activity M4 (trojan.rules)
[///] Modified active rules: [///]
2010217 - ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin
(trojan.rules)
2020345 - ET TROJAN ArcDoor Intial Checkin (trojan.rules)
2020944 - ET TROJAN Chthonic CnC Beacon 5 (trojan.rules)
2020946 - ET TROJAN Chthonic CnC Beacon 6 (trojan.rules)
2021030 - ET TROJAN BePush/Kilim CnC Beacon (trojan.rules)
2021052 - ET TROJAN Linux.Mumblehard Command Status CnC (trojan.rules)
2021229 - ET TROJAN Scanbox Sending Host Data (trojan.rules)
2021275 - ET TROJAN Backdoor.Elise CnC Beacon 1 M2 (trojan.rules)
2021554 - ET TROJAN Potao CnC (trojan.rules)
2022469 - ET TROJAN CenterPOS CnC (trojan.rules)
2022472 - ET TROJAN CenterPOS CnC 2 (trojan.rules)
2022985 - ET TROJAN Trojan Generic - POST To gate.php with no accept
headers (trojan.rules)
2022990 - ET CURRENT_EVENTS Evil Redirect Leading to EK Jul 28 2016
(current_events.rules)
2023766 - ET TROJAN Sage Ransomware Checkin Primer (trojan.rules)
2024028 - ET TROJAN Infostealer.Bancos ProxyChanger Checkin (trojan.rules)
2025001 - ET CURRENT_EVENTS Possible Successful Websocket Credential
Phish Sep 15 2017 (current_events.rules)
2029022 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
2029034 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
2029338 - ET CURRENT_EVENTS Successful Generic Phish 2020-01-29 (set)
(current_events.rules)
2029426 - ET TROJAN DNS Query to MINEBRIDGE CnC Domain (123faster .top)
(trojan.rules)
2029427 - ET TROJAN DNS Query to MINEBRIDGE CnC Domain (conversia91 .top)
(trojan.rules)
2029428 - ET TROJAN DNS Query to MINEBRIDGE CnC Domain (fatoftheland
.top) (trojan.rules)
2029429 - ET TROJAN DNS Query to MINEBRIDGE CnC Domain (creatorz123 .top)
(trojan.rules)
2029430 - ET TROJAN DNS Query to MINEBRIDGE CnC Domain (compilator333
.top) (trojan.rules)
2029431 - ET TROJAN MoleRAT/Pierogi Backdoor Activity (trojan.rules)
2029436 - ET TROJAN Win32/AZORult V3.2 Client Checkin M4 (trojan.rules)
2029437 - ET TROJAN Win32/AZORult V3.2 Client Checkin M5 (trojan.rules)
2029438 - ET TROJAN Win32/AZORult V3.2 Client Checkin M6 (trojan.rules)
2029442 - ET TROJAN Win32/AZORult V3.2 Client Checkin M7 (trojan.rules)
2029443 - ET TROJAN Win32/AZORult V3.2 Client Checkin M8 (trojan.rules)
2029444 - ET TROJAN Win32/AZORult V3.2 Client Checkin M9 (trojan.rules)
2029448 - ET TROJAN POWERTON CnC Domain in DNS Lookup (trojan.rules)
2029457 - ET TROJAN Win32/AZORult V3.2 Client Checkin M10 (trojan.rules)
2029458 - ET TROJAN Win32/AZORult V3.2 Client Checkin M11 (trojan.rules)
2029459 - ET TROJAN Win32/AZORult V3.2 Client Checkin M12 (trojan.rules)
2029463 - ET TROJAN Win32/AZORult V3.2 Client Checkin M13 (trojan.rules)
2029464 - ET TROJAN Win32/AZORult V3.2 Client Checkin M14 (trojan.rules)
2029465 - ET TROJAN Win32/AZORult V3.2 Client Checkin M15 (trojan.rules)
2029655 - ET CURRENT_EVENTS Successful Mailbox Update Phish 2016-02-17
(current_events.rules)
2029676 - ET CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2019-08-02 (current_events.rules)
2031100 - ET CURRENT_EVENTS Multibank Captcha Phishing Landing
(current_events.rules)
2800850 - ETPRO WEB_SERVER Microsoft ASP.NET PKCS Padding Information
Disclosure via 500 normal oracle response (web_server.rules)
2800851 - ETPRO WEB_SERVER Microsoft ASP.NET PKCS Padding Information
Disclosure via 500 abnormal oracle response (web_server.rules)
2806428 - ETPRO TROJAN MSIL/Dropper.XID!tr Checkin (trojan.rules)
2807363 - ETPRO TROJAN Zeroaccess Variant 1 (trojan.rules)
2807365 - ETPRO TROJAN Zeroaccess Variant 3 (trojan.rules)
2807393 - ETPRO TROJAN W32/Redyms.AF Checkin (trojan.rules)
2807403 - ETPRO MALWARE Win32.InstallMonetizer Download (malware.rules)
2808017 - ETPRO TROJAN Win32/Injector.BBHJ Checkin (trojan.rules)
2808079 - ETPRO EXPLOIT Advantech WebAccess SQL Injection (exploit.rules)
2808248 - ETPRO TROJAN Win32/Poweliks.A Checkin (trojan.rules)
2808355 - ETPRO TROJAN Win32/Vflooder.B Checkin (trojan.rules)
2808718 - ETPRO TROJAN Backdoor.Win32/Turla.A Checkin (trojan.rules)
2808719 - ETPRO TROJAN Win32.Virut.ua Dropping Files (trojan.rules)
2809235 - ETPRO TROJAN Blaknight.A/HawkEye Connectivity Check
(trojan.rules)
2811966 - ETPRO TROJAN Win32/Zlader.J Checkin (trojan.rules)
2811970 - ETPRO MALWARE Adware.Gigaclicks.3 Checkin (malware.rules)
2811984 - ETPRO TROJAN Win32/Plugx.L Variant Checkin (trojan.rules)
2812414 - ETPRO TROJAN Win32.Diztakun.zsg Infostealer M1 (trojan.rules)
2812416 - ETPRO TROJAN Win32.Diztakun.zsg Infostealer M3 (trojan.rules)
2814937 - ETPRO TROJAN Trojan/Win32.Scar Conn Check (trojan.rules)
2814996 - ETPRO TROJAN Win32/Spy.VB.OBX Checkin (trojan.rules)
2815039 - ETPRO TROJAN NewCT2 CnC Beacon (trojan.rules)
2815180 - ETPRO CURRENT_EVENTS Nuclear EK Landing URI struct Dec 03 2015
M1 (current_events.rules)
2815198 - ETPRO CURRENT_EVENTS Possible Evil Redirector Leading to EK Dec
03 2015 M2 (current_events.rules)
2815640 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phishing Jan 6
(current_events.rules)
2815666 - ETPRO CURRENT_EVENTS Successful PNC Bank Phish Jan 8
(current_events.rules)
2815960 - ETPRO MALWARE OSX/Adware.InstallCore Install Activity
(malware.rules)
2816034 - ETPRO TROJAN MiniDuke Variant HTTP Request to Google
(trojan.rules)
2816343 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phishing Feb 23
2016 (current_events.rules)
2816768 - ETPRO TROJAN Possible Dridex Executable Download Request (set)
(trojan.rules)
2816788 - ETPRO TROJAN Ransomware.Hidden-Tear Variant CnC Checkin
(trojan.rules)
2816810 - ETPRO TROJAN Godzilla Loader Set Cookie from Server
(trojan.rules)
2819826 - ETPRO TROJAN MSIL/BrLock Screenlocker Activity (trojan.rules)
2819842 - ETPRO TROJAN Possible APT Win32/Chinema HTTP CnC Beacon 1
(trojan.rules)
2819858 - ETPRO TROJAN OfficeDownloader Requesting Payload (trojan.rules)
2819955 - ETPRO MOBILE_MALWARE PUP Android/NagaProtect.A Checkin
(mobile_malware.rules)
2819959 - ETPRO TROJAN Vawtrak Dropper Checkin (trojan.rules)
2820008 - ETPRO TROJAN Emissary CnC Beacon Response 2 (trojan.rules)
2820023 - ETPRO TROJAN W32/Infy Config Download (trojan.rules)
2820025 - ETPRO MALWARE Kuping Config Download (malware.rules)
2820035 - ETPRO MALWARE Win32.Adware.FlyStudio.O Checkin (malware.rules)
2820681 - ETPRO TROJAN W32/XPCSpyPro/RemoteManipulator RAT Checkin
(trojan.rules)
2820775 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro Jun
21 2016 T1 (current_events.rules)
2820803 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Jun 22
(current_events.rules)
2821475 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Hiddapp.l Checkin
(mobile_malware.rules)
2821476 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Hiddapp.l Checkin 2
(mobile_malware.rules)
2821753 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Aug 16
2016 (current_events.rules)
2822458 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phishing Oct 06
2016 (current_events.rules)
2822459 - ETPRO CURRENT_EVENTS Successful Dynamic Folder FreeMobile (FR)
Phishing Oct 07 2016 (current_events.rules)
2822485 - ETPRO TROJAN Automated Tor EXE Download Possibly Raum Trojan
(trojan.rules)
2822522 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Oct 10
2016 (current_events.rules)
2822647 - ETPRO CURRENT_EVENTS Successful Bank of America Phish Oct 14
2016 (current_events.rules)
2823488 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Nov 28
2016 (current_events.rules)
2823577 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish M1 Dec 02
2016 (current_events.rules)
2823578 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish M2 Dec 02
2016 (current_events.rules)
2824472 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Jan 17
2017 (current_events.rules)
2825129 - ETPRO TROJAN Carbanak VBS/GGLDR v2 Checkin (trojan.rules)
2825196 - ETPRO TROJAN Win64/Agent.GR CnC Beacon (trojan.rules)
2826000 - ETPRO MOBILE_MALWARE Android/HiddenApp.BF CnC Beacon
(mobile_malware.rules)
2826043 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Apr 20
2017 (current_events.rules)
2826123 - ETPRO TROJAN MSIL/Unk.CoinMiner CnC Install Activity
(trojan.rules)
2826148 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.o Contact
Exfil (mobile_malware.rules)
2826551 - ETPRO CURRENT_EVENTS Successful Banking Phish M1 May 31 2017
(current_events.rules)
2828540 - ETPRO CURRENT_EVENTS MalDoc Retrieving Payload Nov 6 2017
(current_events.rules)
2828955 - ETPRO TROJAN W32/Nymaim Checkin 8 (trojan.rules)
2829339 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Skygofree.a Checkin 2
(mobile_malware.rules)
2829396 - ETPRO MOBILE_MALWARE Android/Agent.AKX /
Trojan-Spy.AndroidOS.Agent.oe Checkin 3 (mobile_malware.rules)
2829434 - ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.O CnC Beacon
(mobile_malware.rules)
2829563 - ETPRO CURRENT_EVENTS Successful Ebay Phish 2018-02-06 (DE)
(current_events.rules)
2829738 - ETPRO MOBILE_MALWARE Android/Coinminer.V Checkin
(mobile_malware.rules)
2829757 - ETPRO MOBILE_MALWARE Android/Agent.ATW Checkin
(mobile_malware.rules)
2829823 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.DroidSpy.a Checkin
(mobile_malware.rules)
2829906 - ETPRO TROJAN Win32/Onliner Spam Bot Requesting Additional
Modules (trojan.rules)
2830046 - ETPRO MOBILE_MALWARE Android/LockScreen.Jisut.AP Checkin
(mobile_malware.rules)
2830049 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Shedun.V Checkin 4
(mobile_malware.rules)
2830111 - ETPRO MOBILE_MALWARE Android/Spy.Agent.ALE / ArmedRocket
Checkin (mobile_malware.rules)
2830123 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Mwiam.e Checkin
(mobile_malware.rules)
2830125 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.bh Checkin 3
(mobile_malware.rules)
2830308 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.dm Checkin 3
(mobile_malware.rules)
2830483 - ETPRO TROJAN Observed Malicious User-Agent (WinInetGet/)
(trojan.rules)
2830520 - ETPRO TROJAN MSIL/TBR Screenshot Upload (trojan.rules)
2830685 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.ZooPark CnC Beacon 2
(mobile_malware.rules)
2830765 - ETPRO MOBILE_MALWARE Android/Clicker.JV CnC Beacon
(mobile_malware.rules)
2830813 - ETPRO CURRENT_EVENTS Evil Redirector Leading to TechSupport
Scam (current_events.rules)
2830914 - ETPRO CURRENT_EVENTS Malicious Redirect Leading to SocEng May
18 2018 (current_events.rules)
2830924 - ETPRO WEB_CLIENT Tech Support Phone Scam - Redirection to
Landing Inbound (web_client.rules)
2833623 - ETPRO TROJAN W32.HTTP.Stager Checkin M1 (trojan.rules)
2834335 - ETPRO TROJAN AZORult CnC Beacon M3 (trojan.rules)
2835751 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.ms Checkin
(mobile_malware.rules)
2837686 - ETPRO MALWARE Win32/Adware.Zzinfor.U Retrieving Payload Details
(malware.rules)
2837751 - ETPRO MALWARE Win32/Adposhel Adware Activity (malware.rules)
2837863 - ETPRO CURRENT_EVENTS Successful TalkTalk Phish 2019-08-05
(current_events.rules)
2838096 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2019-08-20 (current_events.rules)
2838314 - ETPRO TROJAN Trickbot CnC Activity - Account (trojan.rules)
2838315 - ETPRO TROJAN Trickbot CnC Activity - Executable Path
(trojan.rules)
2838316 - ETPRO TROJAN Trickbot CnC Activity - NAT Status (trojan.rules)
2838342 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2019-09-06
(current_events.rules)
2839211 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2019-11-04 (current_events.rules)
2839649 - ETPRO TROJAN Win32/Chapak Downloader Activity (trojan.rules)
2839701 - ETPRO MOBILE_MALWARE Android/TrojanSMS.FakeInst.RA Checkin
(mobile_malware.rules)
2840014 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-12-19
(current_events.rules)
2840072 - ETPRO TROJAN Docxer CnC Initial Checkin (trojan.rules)
2840073 - ETPRO TROJAN Docxer CnC Heartbeat (trojan.rules)
2840081 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BAK Checkin
(mobile_malware.rules)
2840082 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BAK Contact Exfil
(mobile_malware.rules)
2840212 - ETPRO CURRENT_EVENTS Successful TD Bank Phish 2020-01-02
(current_events.rules)
2840608 - ETPRO CURRENT_EVENTS Successful Indeed Phish 2020-01-23
(current_events.rules)
2840876 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound)
(trojan.rules)
2840877 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
2841026 - ETPRO TROJAN Possible Inception/CloudAtlas GET Request via
Document M2 (trojan.rules)
2844765 - ETPRO TROJAN Possible Bazaloader CnC Activity M1 (trojan.rules)
2844766 - ETPRO TROJAN Bazaloader CnC Activity M2 (trojan.rules)
2844794 - ETPRO TROJAN Bazaloader CnC Activity M3 (trojan.rules)
2844993 - ETPRO TROJAN Bazaloader Variant CnC Activity (trojan.rules)
[---] Disabled and modified rules: [---]
2805967 - ETPRO TROJAN Trojan.Larhife.A reporting via ICQ WWW script
(trojan.rules)
2808958 - ETPRO TROJAN Backdoor.Cakwerd Dropping Files (trojan.rules)
[---] Removed rules: [---]
2845076 - ETPRO TROJAN Observed Possible Cobalt Strike CnC SSL Cert
Inbound (trojan.rules)
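Added example, not part of the ET mail: a small Python check that parses a changelog in this format (wrapped rule titles rejoined) and audits a local `.rules` file against it, so that after pulling the update you can confirm the added SIDs are present and enabled, the disabled SIDs are commented out (ET ships disabled rules as `#alert ...`), and the removed SID is gone. The changelog excerpt is taken from the lists above; the rule lines are constructed placeholders with `any any -> any any` headers, not the real rule bodies.

```python
"""Audit a local rules file against an Emerging Threats daily changelog."""
import json
import re
from collections import defaultdict

# "[+++] Added rules: [+++]", "[---] Removed rules: [---]" and so on
SECTION_RE = re.compile(r"^\[[^\]]+\]\s*(.+?):\s*\[[^\]]+\]$")
# "2031133 - ET TROJAN ..." ; wrapped titles continue on the next line
SID_LINE_RE = re.compile(r"^(\d{7})\s+-\s+(.*)$")
RULE_SID_RE = re.compile(r"sid\s*:\s*(\d+)\s*;")


def parse_changelog(text):
    """Return {section: {sid: {"msg": title, "pro": bool}}} with wrapped titles joined."""
    sections = defaultdict(dict)
    current, last_sid = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current, last_sid = m.group(1).strip(), None
            continue
        if current is None or line in ("Open:", "Pro:"):
            last_sid = None
            continue
        m = SID_LINE_RE.match(line)
        if m:
            last_sid = int(m.group(1))
            msg = m.group(2)
            sections[current][last_sid] = {"msg": msg, "pro": msg.startswith("ETPRO")}
        elif last_sid is not None:
            sections[current][last_sid]["msg"] += " " + line  # continuation line
    return dict(sections)


def index_rules(rules_text):
    """Return {sid: enabled}; a rule line starting with '#' is disabled."""
    status = {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        m = RULE_SID_RE.search(line)
        if m:
            status[int(m.group(1))] = not line.startswith("#")
    return status


def audit(changelog, rules_text, has_pro=True):
    """Compare deployed rule status with what the changelog says should have changed."""
    ch = parse_changelog(changelog)
    deployed = index_rules(rules_text)
    added = {s: e for s, e in ch.get("Added rules", {}).items() if has_pro or not e["pro"]}
    return {
        "missing_added": sorted(s for s in added if deployed.get(s) is not True),
        "still_enabled_disabled": sorted(
            s for s in ch.get("Disabled and modified rules", {}) if deployed.get(s) is True),
        "still_present_removed": sorted(s for s in ch.get("Removed rules", {}) if s in deployed),
    }


# Constructed excerpt of the changelog above (same SIDs and titles)
SAMPLE_CHANGELOG = """\
[+++] Added rules: [+++]
Open:
2031133 - ET TROJAN Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound
(lol) (trojan.rules)
2031134 - ET TROJAN Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound
(office) (trojan.rules)
Pro:
2845227 - ETPRO TROJAN HeavenWard Keylogger Install Activity
(trojan.rules)
[---] Disabled and modified rules: [---]
2805967 - ETPRO TROJAN Trojan.Larhife.A reporting via ICQ WWW script
(trojan.rules)
2808958 - ETPRO TROJAN Backdoor.Cakwerd Dropping Files (trojan.rules)
[---] Removed rules: [---]
2845076 - ETPRO TROJAN Observed Possible Cobalt Strike CnC SSL Cert
Inbound (trojan.rules)
"""

# Constructed rules file: placeholder headers, not the real ET rule bodies.
# 2031134 and 2845227 are deliberately absent, 2808958 is still enabled,
# and the removed 2845076 is still present.
SAMPLE_RULES = """\
alert tls any any -> any any (msg:"ET TROJAN Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound (lol)"; sid:2031133; rev:1;)
#alert http any any -> any any (msg:"ETPRO TROJAN Trojan.Larhife.A reporting via ICQ WWW script"; sid:2805967; rev:4;)
alert http any any -> any any (msg:"ETPRO TROJAN Backdoor.Cakwerd Dropping Files"; sid:2808958; rev:2;)
alert tls any any -> any any (msg:"ETPRO TROJAN Observed Possible Cobalt Strike CnC SSL Cert Inbound"; sid:2845076; rev:1;)
"""

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CHANGELOG, SAMPLE_RULES), indent=2))
```

On a deployment without an ETPRO subscription, call `audit(..., has_pro=False)` so the 28xxxxx SIDs are not reported as missing; the disabled and removed checks still apply to whatever is in the local file.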