[***]            Summary:            [***]

10 new OPEN, 33 new PRO (10 + 23). UNC1878 Cobalt Strike Certs, HeavenWard Keylogger, Parallax, Various Phishing, Suri5 Updates.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031133 - ET TROJAN Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound
(lol) (trojan.rules)
  2031134 - ET TROJAN Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound
(office) (trojan.rules)
  2031135 - ET TROJAN Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound
(Texsa) (trojan.rules)
  2031136 - ET TROJAN Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound
(Mountainvew) (trojan.rules)
  2031137 - ET TROJAN ComRAT CnC Domain in DNS Lookup (trojan.rules)
  2031138 - ET TROJAN ComRAT CnC Domain in DNS Lookup (trojan.rules)
  2031139 - ET TROJAN ComRAT CnC Domain in DNS Lookup (trojan.rules)
  2031140 - ET TROJAN ComRAT CnC Domain in DNS Lookup (trojan.rules)
  2031141 - ET TROJAN ComRAT CnC Domain in DNS Lookup (trojan.rules)
  2031142 - ET TROJAN ComRAT CnC Domain in DNS Lookup (trojan.rules)

Pro:

  2845223 - ETPRO MOBILE_MALWARE Android/Clicker.KN Checkin
(mobile_malware.rules)
  2845224 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.DQW Checkin
(mobile_malware.rules)
  2845225 - ETPRO POLICY Observed External IP Lookup Domain in TLS SNI (api
.myip .com) (policy.rules)
  2845226 - ETPRO TROJAN Win32/Ymacco.AAD1 CnC Activity (trojan.rules)
  2845227 - ETPRO TROJAN HeavenWard Keylogger Install Activity
(trojan.rules)
  2845228 - ETPRO USER_AGENTS non-standard wget User-Agent
(user_agents.rules)
  2845229 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-29 1) (trojan.rules)
  2845230 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-10-29 2) (trojan.rules)
  2845231 - ETPRO TROJAN Win32/GoDeep6 CnC Host Checkin (trojan.rules)
  2845232 - ETPRO CURRENT_EVENTS Successful NatWest Phish 2020-10-29
(current_events.rules)
  2845233 - ETPRO CURRENT_EVENTS Successful Swisscom Phish 2020-10-29
(current_events.rules)
  2845234 - ETPRO CURRENT_EVENTS Successful Microsoft Voicemail Phish
2020-10-29 (current_events.rules)
  2845235 - ETPRO TROJAN Parallax CnC Activity (set) M13 (trojan.rules)
  2845236 - ETPRO TROJAN Parallax CnC Response Activity M13 (trojan.rules)
  2845237 - ETPRO TROJAN Parallax CnC Activity (set) M12 (trojan.rules)
  2845238 - ETPRO TROJAN Parallax CnC Response Activity M12 (trojan.rules)
  2845239 - ETPRO TROJAN Win32/Remcos RAT Checkin 583 (trojan.rules)
  2845240 - ETPRO TROJAN Win32/Remcos RAT Checkin 584 (trojan.rules)
  2845241 - ETPRO TROJAN Win32/Remcos RAT Checkin 585 (trojan.rules)
  2845242 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2845243 - ETPRO TROJAN Netwire Variant Activity (trojan.rules)
  2845244 - ETPRO TROJAN Win32/Occamy.C17 Activity (trojan.rules)
  2845245 - ETPRO TROJAN Bazaloader CnC Activity M4 (trojan.rules)

[///]     Modified active rules:     [///]

  2010217 - ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin
(trojan.rules)
  2020345 - ET TROJAN ArcDoor Intial Checkin (trojan.rules)
  2020944 - ET TROJAN Chthonic CnC Beacon 5 (trojan.rules)
  2020946 - ET TROJAN Chthonic CnC Beacon 6 (trojan.rules)
  2021030 - ET TROJAN BePush/Kilim CnC Beacon (trojan.rules)
  2021052 - ET TROJAN Linux.Mumblehard Command Status CnC (trojan.rules)
  2021229 - ET TROJAN Scanbox Sending Host Data (trojan.rules)
  2021275 - ET TROJAN Backdoor.Elise CnC Beacon 1 M2 (trojan.rules)
  2021554 - ET TROJAN Potao CnC (trojan.rules)
  2022469 - ET TROJAN CenterPOS CnC (trojan.rules)
  2022472 - ET TROJAN CenterPOS CnC 2 (trojan.rules)
  2022985 - ET TROJAN Trojan Generic - POST To gate.php with no accept
headers (trojan.rules)
  2022990 - ET CURRENT_EVENTS Evil Redirect Leading to EK Jul 28 2016
(current_events.rules)
  2023766 - ET TROJAN Sage Ransomware Checkin Primer (trojan.rules)
  2024028 - ET TROJAN Infostealer.Bancos ProxyChanger Checkin (trojan.rules)
  2025001 - ET CURRENT_EVENTS Possible Successful Websocket Credential
Phish Sep 15 2017 (current_events.rules)
  2029022 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029034 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029338 - ET CURRENT_EVENTS Successful Generic Phish 2020-01-29 (set)
(current_events.rules)
  2029426 - ET TROJAN DNS Query to MINEBRIDGE CnC Domain (123faster .top)
(trojan.rules)
  2029427 - ET TROJAN DNS Query to MINEBRIDGE CnC Domain (conversia91 .top)
(trojan.rules)
  2029428 - ET TROJAN DNS Query to MINEBRIDGE CnC Domain (fatoftheland
.top) (trojan.rules)
  2029429 - ET TROJAN DNS Query to MINEBRIDGE CnC Domain (creatorz123 .top)
(trojan.rules)
  2029430 - ET TROJAN DNS Query to MINEBRIDGE CnC Domain (compilator333
.top) (trojan.rules)
  2029431 - ET TROJAN MoleRAT/Pierogi Backdoor Activity (trojan.rules)
  2029436 - ET TROJAN Win32/AZORult V3.2 Client Checkin M4 (trojan.rules)
  2029437 - ET TROJAN Win32/AZORult V3.2 Client Checkin M5 (trojan.rules)
  2029438 - ET TROJAN Win32/AZORult V3.2 Client Checkin M6 (trojan.rules)
  2029442 - ET TROJAN Win32/AZORult V3.2 Client Checkin M7 (trojan.rules)
  2029443 - ET TROJAN Win32/AZORult V3.2 Client Checkin M8 (trojan.rules)
  2029444 - ET TROJAN Win32/AZORult V3.2 Client Checkin M9 (trojan.rules)
  2029448 - ET TROJAN POWERTON CnC Domain in DNS Lookup (trojan.rules)
  2029457 - ET TROJAN Win32/AZORult V3.2 Client Checkin M10 (trojan.rules)
  2029458 - ET TROJAN Win32/AZORult V3.2 Client Checkin M11 (trojan.rules)
  2029459 - ET TROJAN Win32/AZORult V3.2 Client Checkin M12 (trojan.rules)
  2029463 - ET TROJAN Win32/AZORult V3.2 Client Checkin M13 (trojan.rules)
  2029464 - ET TROJAN Win32/AZORult V3.2 Client Checkin M14 (trojan.rules)
  2029465 - ET TROJAN Win32/AZORult V3.2 Client Checkin M15 (trojan.rules)
  2029655 - ET CURRENT_EVENTS Successful Mailbox Update Phish 2016-02-17
(current_events.rules)
  2029676 - ET CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2019-08-02 (current_events.rules)
  2031100 - ET CURRENT_EVENTS Multibank Captcha Phishing Landing
(current_events.rules)
  2800850 - ETPRO WEB_SERVER Microsoft ASP.NET PKCS Padding Information
Disclosure via 500 normal oracle response (web_server.rules)
  2800851 - ETPRO WEB_SERVER Microsoft ASP.NET PKCS Padding Information
Disclosure via 500 abnormal oracle response (web_server.rules)
  2806428 - ETPRO TROJAN MSIL/Dropper.XID!tr Checkin (trojan.rules)
  2807363 - ETPRO TROJAN Zeroaccess Variant 1 (trojan.rules)
  2807365 - ETPRO TROJAN Zeroaccess Variant 3 (trojan.rules)
  2807393 - ETPRO TROJAN W32/Redyms.AF Checkin (trojan.rules)
  2807403 - ETPRO MALWARE Win32.InstallMonetizer Download (malware.rules)
  2808017 - ETPRO TROJAN Win32/Injector.BBHJ Checkin (trojan.rules)
  2808079 - ETPRO EXPLOIT Advantech WebAccess SQL Injection (exploit.rules)
  2808248 - ETPRO TROJAN Win32/Poweliks.A Checkin (trojan.rules)
  2808355 - ETPRO TROJAN Win32/Vflooder.B Checkin (trojan.rules)
  2808718 - ETPRO TROJAN Backdoor.Win32/Turla.A Checkin (trojan.rules)
  2808719 - ETPRO TROJAN Win32.Virut.ua Dropping Files (trojan.rules)
  2809235 - ETPRO TROJAN Blaknight.A/HawkEye Connectivity Check
(trojan.rules)
  2811966 - ETPRO TROJAN Win32/Zlader.J Checkin (trojan.rules)
  2811970 - ETPRO MALWARE Adware.Gigaclicks.3 Checkin (malware.rules)
  2811984 - ETPRO TROJAN Win32/Plugx.L Variant Checkin (trojan.rules)
  2812414 - ETPRO TROJAN Win32.Diztakun.zsg Infostealer M1 (trojan.rules)
  2812416 - ETPRO TROJAN Win32.Diztakun.zsg Infostealer M3 (trojan.rules)
  2814937 - ETPRO TROJAN Trojan/Win32.Scar Conn Check (trojan.rules)
  2814996 - ETPRO TROJAN Win32/Spy.VB.OBX Checkin (trojan.rules)
  2815039 - ETPRO TROJAN NewCT2 CnC Beacon (trojan.rules)
  2815180 - ETPRO CURRENT_EVENTS Nuclear EK Landing URI struct Dec 03 2015
M1 (current_events.rules)
  2815198 - ETPRO CURRENT_EVENTS Possible Evil Redirector Leading to EK Dec
03 2015 M2 (current_events.rules)
  2815640 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phishing Jan 6
(current_events.rules)
  2815666 - ETPRO CURRENT_EVENTS Successful PNC Bank Phish Jan 8
(current_events.rules)
  2815960 - ETPRO MALWARE OSX/Adware.InstallCore Install Activity
(malware.rules)
  2816034 - ETPRO TROJAN MiniDuke Variant HTTP Request to Google
(trojan.rules)
  2816343 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phishing Feb 23
2016 (current_events.rules)
  2816768 - ETPRO TROJAN Possible Dridex Executable Download Request (set)
(trojan.rules)
  2816788 - ETPRO TROJAN Ransomware.Hidden-Tear Variant CnC Checkin
(trojan.rules)
  2816810 - ETPRO TROJAN Godzilla Loader Set Cookie from Server
(trojan.rules)
  2819826 - ETPRO TROJAN MSIL/BrLock Screenlocker Activity (trojan.rules)
  2819842 - ETPRO TROJAN Possible APT Win32/Chinema HTTP CnC Beacon 1
(trojan.rules)
  2819858 - ETPRO TROJAN OfficeDownloader Requesting Payload (trojan.rules)
  2819955 - ETPRO MOBILE_MALWARE PUP Android/NagaProtect.A Checkin
(mobile_malware.rules)
  2819959 - ETPRO TROJAN Vawtrak Dropper Checkin (trojan.rules)
  2820008 - ETPRO TROJAN Emissary CnC Beacon Response 2 (trojan.rules)
  2820023 - ETPRO TROJAN W32/Infy Config Download (trojan.rules)
  2820025 - ETPRO MALWARE Kuping Config Download (malware.rules)
  2820035 - ETPRO MALWARE Win32.Adware.FlyStudio.O Checkin (malware.rules)
  2820681 - ETPRO TROJAN W32/XPCSpyPro/RemoteManipulator RAT Checkin
(trojan.rules)
  2820775 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro Jun
21 2016 T1 (current_events.rules)
  2820803 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Jun 22
(current_events.rules)
  2821475 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Hiddapp.l Checkin
(mobile_malware.rules)
  2821476 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Hiddapp.l Checkin 2
(mobile_malware.rules)
  2821753 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Aug 16
2016 (current_events.rules)
  2822458 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phishing Oct 06
2016 (current_events.rules)
  2822459 - ETPRO CURRENT_EVENTS Successful Dynamic Folder FreeMobile (FR)
Phishing Oct 07 2016 (current_events.rules)
  2822485 - ETPRO TROJAN Automated Tor EXE Download Possibly Raum Trojan
(trojan.rules)
  2822522 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Oct 10
2016 (current_events.rules)
  2822647 - ETPRO CURRENT_EVENTS Successful Bank of America Phish Oct 14
2016 (current_events.rules)
  2823488 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Nov 28
2016 (current_events.rules)
  2823577 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish M1 Dec 02
2016 (current_events.rules)
  2823578 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish M2 Dec 02
2016 (current_events.rules)
  2824472 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Jan 17
2017 (current_events.rules)
  2825129 - ETPRO TROJAN Carbanak VBS/GGLDR v2 Checkin (trojan.rules)
  2825196 - ETPRO TROJAN Win64/Agent.GR CnC Beacon (trojan.rules)
  2826000 - ETPRO MOBILE_MALWARE Android/HiddenApp.BF CnC Beacon
(mobile_malware.rules)
  2826043 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Apr 20
2017 (current_events.rules)
  2826123 - ETPRO TROJAN MSIL/Unk.CoinMiner CnC Install Activity
(trojan.rules)
  2826148 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.o Contact
Exfil (mobile_malware.rules)
  2826551 - ETPRO CURRENT_EVENTS Successful Banking Phish M1 May 31 2017
(current_events.rules)
  2828540 - ETPRO CURRENT_EVENTS MalDoc Retrieving Payload Nov 6 2017
(current_events.rules)
  2828955 - ETPRO TROJAN W32/Nymaim Checkin 8 (trojan.rules)
  2829339 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Skygofree.a Checkin 2
(mobile_malware.rules)
  2829396 - ETPRO MOBILE_MALWARE Android/Agent.AKX /
Trojan-Spy.AndroidOS.Agent.oe Checkin 3 (mobile_malware.rules)
  2829434 - ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.O CnC Beacon
(mobile_malware.rules)
  2829563 - ETPRO CURRENT_EVENTS Successful Ebay Phish 2018-02-06 (DE)
(current_events.rules)
  2829738 - ETPRO MOBILE_MALWARE Android/Coinminer.V Checkin
(mobile_malware.rules)
  2829757 - ETPRO MOBILE_MALWARE Android/Agent.ATW Checkin
(mobile_malware.rules)
  2829823 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.DroidSpy.a Checkin
(mobile_malware.rules)
  2829906 - ETPRO TROJAN Win32/Onliner Spam Bot Requesting Additional
Modules (trojan.rules)
  2830046 - ETPRO MOBILE_MALWARE Android/LockScreen.Jisut.AP Checkin
(mobile_malware.rules)
  2830049 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Shedun.V Checkin 4
(mobile_malware.rules)
  2830111 - ETPRO MOBILE_MALWARE Android/Spy.Agent.ALE / ArmedRocket
Checkin (mobile_malware.rules)
  2830123 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Mwiam.e Checkin
(mobile_malware.rules)
  2830125 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.bh Checkin 3
(mobile_malware.rules)
  2830308 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.dm Checkin 3
(mobile_malware.rules)
  2830483 - ETPRO TROJAN Observed Malicious User-Agent (WinInetGet/)
(trojan.rules)
  2830520 - ETPRO TROJAN MSIL/TBR Screenshot Upload (trojan.rules)
  2830685 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.ZooPark CnC Beacon 2
(mobile_malware.rules)
  2830765 - ETPRO MOBILE_MALWARE Android/Clicker.JV CnC Beacon
(mobile_malware.rules)
  2830813 - ETPRO CURRENT_EVENTS Evil Redirector Leading to TechSupport
Scam (current_events.rules)
  2830914 - ETPRO CURRENT_EVENTS Malicious Redirect Leading to SocEng May
18 2018 (current_events.rules)
  2830924 - ETPRO WEB_CLIENT Tech Support Phone Scam - Redirection to
Landing Inbound (web_client.rules)
  2833623 - ETPRO TROJAN W32.HTTP.Stager Checkin M1 (trojan.rules)
  2834335 - ETPRO TROJAN AZORult CnC Beacon M3 (trojan.rules)
  2835751 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.ms Checkin
(mobile_malware.rules)
  2837686 - ETPRO MALWARE Win32/Adware.Zzinfor.U Retrieving Payload Details
(malware.rules)
  2837751 - ETPRO MALWARE Win32/Adposhel Adware Activity (malware.rules)
  2837863 - ETPRO CURRENT_EVENTS Successful TalkTalk Phish 2019-08-05
(current_events.rules)
  2838096 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2019-08-20 (current_events.rules)
  2838314 - ETPRO TROJAN Trickbot CnC Activity - Account (trojan.rules)
  2838315 - ETPRO TROJAN Trickbot CnC Activity - Executable Path
(trojan.rules)
  2838316 - ETPRO TROJAN Trickbot CnC Activity - NAT Status (trojan.rules)
  2838342 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2019-09-06
(current_events.rules)
  2839211 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2019-11-04 (current_events.rules)
  2839649 - ETPRO TROJAN Win32/Chapak Downloader Activity (trojan.rules)
  2839701 - ETPRO MOBILE_MALWARE Android/TrojanSMS.FakeInst.RA Checkin
(mobile_malware.rules)
  2840014 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-12-19
(current_events.rules)
  2840072 - ETPRO TROJAN Docxer CnC Initial Checkin (trojan.rules)
  2840073 - ETPRO TROJAN Docxer CnC Heartbeat (trojan.rules)
  2840081 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BAK Checkin
(mobile_malware.rules)
  2840082 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BAK Contact Exfil
(mobile_malware.rules)
  2840212 - ETPRO CURRENT_EVENTS Successful TD Bank Phish 2020-01-02
(current_events.rules)
  2840608 - ETPRO CURRENT_EVENTS Successful Indeed Phish 2020-01-23
(current_events.rules)
  2840876 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound)
(trojan.rules)
  2840877 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2841026 - ETPRO TROJAN Possible Inception/CloudAtlas GET Request via
Document M2 (trojan.rules)
  2844765 - ETPRO TROJAN Possible Bazaloader CnC Activity M1 (trojan.rules)
  2844766 - ETPRO TROJAN Bazaloader CnC Activity M2 (trojan.rules)
  2844794 - ETPRO TROJAN Bazaloader CnC Activity M3 (trojan.rules)
  2844993 - ETPRO TROJAN Bazaloader Variant CnC Activity (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2805967 - ETPRO TROJAN Trojan.Larhife.A reporting via ICQ WWW script
(trojan.rules)
  2808958 - ETPRO TROJAN Backdoor.Cakwerd Dropping Files (trojan.rules)

[---]         Removed rules:         [---]

  2845076 - ETPRO TROJAN Observed Possible Cobalt Strike CnC SSL Cert
Inbound (trojan.rules)
