[***] Summary: [***]
16 new OPEN, 25 new PRO (16 + 9). CVE-2020-14882, Python/PBot, Win32/Ymacco.AA67, Various BazarLoader, Coinminers, MSIL/Spy.Agent.BLR, AsyncRAT.
Thanks: @malwrhunterteam, Jason Reaves.
Happy Halloween.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031143 - ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound (CVE-2020-14882) (web_specific_apps.rules)
2031144 - ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Fuzzing Inbound M1 (web_specific_apps.rules)
2031145 - ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Fuzzing Inbound M2 (web_specific_apps.rules)
2031147 - ET EXPLOIT Oracle WebLogic RCE Shell Inbound (CVE-2020-14882) M2 (exploit.rules)
2031146 - ET TROJAN Win32/Ymacco.AA67 CnC Activity (trojan.rules)
2031148 - ET TROJAN Python/PBot Browser Hijacker Activity (trojan.rules)
2031149 - ET CURRENT_EVENTS Suspected Appspot Hosted Phishing Domain (current_events.rules)
2031150 - ET TROJAN Observed BazarLoader Domain (vighik .xyz in TLS SNI) (trojan.rules)
2031151 - ET TROJAN Observed BazarLoader Domain (cntrhum .xyz in TLS SNI) (trojan.rules)
2031152 - ET TROJAN Observed BazarLoader Domain (doldig .xyz in TLS SNI) (trojan.rules)
2031153 - ET TROJAN Observed BazarLoader Domain (sh78bug .xyz in TLS SNI) (trojan.rules)
2031154 - ET TROJAN Observed BazarLoader Domain (dghns .xyz in TLS SNI) (trojan.rules)
2031155 - ET TROJAN Observed BazarLoader Domain (bigjamg .xyz in TLS SNI) (trojan.rules)
2031156 - ET TROJAN Observed BazarLoader Domain (numklo .xyz in TLS SNI) (trojan.rules)
2031157 - ET TROJAN Observed BazarLoader Domain (gut45bg .xyz in TLS SNI) (trojan.rules)
2031158 - ET TROJAN Observed BazarLoader Domain (moig .xyz in TLS SNI) (trojan.rules)
Pro:
2845246 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-30 1) (trojan.rules)
2845247 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-30 2) (trojan.rules)
2845248 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-30 3) (trojan.rules)
2845249 - ETPRO CURRENT_EVENTS Successful Square Phish 2020-10-30 (current_events.rules)
2845250 - ETPRO TROJAN MSIL/Spy.Agent.BLR Variant CnC Host Checkin (trojan.rules)
2845251 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2845252 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2845253 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2845254 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
[+++] Enabled rules: [+++]
2845069 - ETPRO CURRENT_EVENTS Successful Halifax Phish 2020-10-21 (current_events.rules)
[///] Modified active rules: [///]
2002001 - ET MALWARE 180solutions Spyware Keywords Download (malware.rules)
2002402 - ET MALWARE Spyware Related User-Agent (UtilMind HTTPGet) (malware.rules)
2022503 - ET TROJAN Various Malicious AlphaNum DL Feb 10 2016 (trojan.rules)
2022803 - ET INFO Flowbit set for POST to Quicken Updater (info.rules)
2022841 - ET CURRENT_EVENTS Possible ReactorBot .bin Download (current_events.rules)
2022952 - ET TROJAN Ransomware Locky CnC Beacon 21 May (trojan.rules)
2023966 - ET TROJAN CozyCar V2 CnC Beacon (trojan.rules)
2024015 - ET CURRENT_EVENTS Successful Orderlink (IN) Phish Feb 24 2017 (current_events.rules)
2024306 - ET TROJAN MWI Maldoc Load Payload (trojan.rules)
2024307 - ET TROJAN MWI Maldoc Posting Host Data (trojan.rules)
2024338 - ET TROJAN Observed GET Request to Jaff Domain (orhangazitur . com) (trojan.rules)
2024340 - ET TROJAN Jaff Ransomware Checkin (trojan.rules)
2025892 - ET TROJAN Observed Malicious SSL Cert (OilRig QUADAGENT CnC) (trojan.rules)
2025918 - ET TROJAN Observed Malicious SSL Cert (MICROPSIA CnC Domain) (trojan.rules)
2026946 - ET TROJAN GanDownloader CnC Checkin (trojan.rules)
2027144 - ET TROJAN Xwo CnC Activity (trojan.rules)
2027417 - ET GAMES Wolfteam HileYapak Server Response (games.rules)
2027425 - ET MALWARE LNKR landing page (possible compromised site) M1 (malware.rules)
2027426 - ET MALWARE LNKR landing page (possible compromised site) M2 (malware.rules)
2027427 - ET MALWARE LNKR landing page (possible compromised site) M3 (malware.rules)
2027429 - ET MALWARE LNKR landing page (possible compromised site) M5 (malware.rules)
2027810 - ET TROJAN Win32/Onliner Mailer Module Communicating with CnC (trojan.rules)
2028869 - ET POLICY Vulnerable Java Version 13.0.x Detected (policy.rules)
2028913 - ET TROJAN BadPatch CnC Activity (trojan.rules)
2028941 - ET CURRENT_EVENTS Powershell Download Command Observed within Flash File - Probable EK Activity (current_events.rules)
2029380 - ET TROJAN Win32/Emotet CnC Activity (POST) M8 (trojan.rules)
2029454 - ET TROJAN Parallax RAT CnC Domain Observed in DNS Query (trojan.rules)
2029479 - ET TROJAN Win32/AZORult V3.2 Client Checkin M16 (trojan.rules)
2029480 - ET TROJAN Win32/AZORult V3.2 Client Checkin M17 (trojan.rules)
2029481 - ET TROJAN Win32/AZORult V3.2 Client Checkin M18 (trojan.rules)
2029485 - ET TROJAN Win32/AZORult V3.2 Client Checkin M19 (trojan.rules)
2029486 - ET TROJAN Win32/AZORult V3.2 Client Checkin M20 (trojan.rules)
2029487 - ET TROJAN Win32/AZORult V3.2 Client Checkin M21 (trojan.rules)
2029492 - ET TROJAN Spark Backdoor CnC Domain Query (trojan.rules)
2029501 - ET TROJAN Observed Malicious SSL Cert (MageCart CnC) (trojan.rules)
2029502 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
2029503 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
2029504 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
2029505 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
2029506 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
2029507 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
2029508 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
2029509 - ET POLICY Observed DNS Query for Suspicious TLD (.management) (policy.rules)
2029523 - ET TROJAN Fake ProtonVPN/AZORult CnC Domain Query (trojan.rules)
2802952 - ETPRO TROJAN Herpbot.B Checkin (trojan.rules)
2805970 - ETPRO TROJAN Backdoor.Win32.MoSucker.23 reporting via ICQ WWW script (trojan.rules)
2806376 - ETPRO TROJAN Trojan-Spy.Win32.Ambler Checkin (trojan.rules)
2806668 - ETPRO TROJAN Win32.Jorik.Agent.mi 3 (trojan.rules)
2806776 - ETPRO TROJAN Win32/Ghodow.NAS .exe Download (trojan.rules)
2806809 - ETPRO TROJAN Win32/Agent.URS Checkin (trojan.rules)
2806864 - ETPRO TROJAN Win32/Alureon.GD Checkin (trojan.rules)
2806896 - ETPRO TROJAN Backdoor.Graybird Checkin (trojan.rules)
2807440 - ETPRO TROJAN Win32/Ranbyus Check-in (trojan.rules)
2811014 - ETPRO CURRENT_EVENTS Fiesta Java Exploit/Payload (current_events.rules)
2811035 - ETPRO INFO Application Installer Prompt via Smart Installer (info.rules)
2811221 - ETPRO TROJAN ReactorBot CnC Observed (trojan.rules)
2811238 - ETPRO WEB_SPECIFIC_APPS WP Landing Pages Plugin 1.8.4 SQLi Attempt (web_specific_apps.rules)
2811402 - ETPRO TROJAN Emotet CnC Beacon (trojan.rules)
2811429 - ETPRO TROJAN Downeks CnC Beacon (trojan.rules)
2811433 - ETPRO TROJAN Win32/Dishigy CnC Beacon (trojan.rules)
2811472 - ETPRO TROJAN NSIS/TrojanDownloader.Agent.NRQ Downloader Checkin (trojan.rules)
2811842 - ETPRO TROJAN Win32/Sifre.A Checkin (trojan.rules)
2812016 - ETPRO TROJAN Win32.YY Generic Checkin 1 (trojan.rules)
2812025 - ETPRO MALWARE Win32/Adware.Kraddare.LA Variant PUP Activity (malware.rules)
2812029 - ETPRO EXPLOIT TOTOLINK Possible RCE HTTP Request (exploit.rules)
2812039 - ETPRO TROJAN Win32/Parite.B Connectivity Check (trojan.rules)
2812040 - ETPRO TROJAN Win32/Parite.B Checkin 2 (trojan.rules)
2812117 - ETPRO TROJAN Win32/VB.RZM Checkin (trojan.rules)
2812125 - ETPRO TROJAN Win32/Renocide.gen!H Checkin (trojan.rules)
2812126 - ETPRO TROJAN Win32/Poindampa.A Geolocate Request (trojan.rules)
2812138 - ETPRO MALWARE Win32/VK.SerfingBot PUP Activity (malware.rules)
2812178 - ETPRO TROJAN Win32/Bagsu.A Checkin (trojan.rules)
2812188 - ETPRO TROJAN Win32/Huhk.7005 CnC Checkin (trojan.rules)
2812205 - ETPRO TROJAN Win32/Bagsu.A Connectivity Check (trojan.rules)
2812206 - ETPRO TROJAN Win32/Bagsu.A Connectivity Check 2 (trojan.rules)
2812316 - ETPRO TROJAN SeaDuke CnC Beacon (trojan.rules)
2812415 - ETPRO TROJAN Win32.Diztakun.zsg Infostealer M2 (trojan.rules)
2812417 - ETPRO TROJAN Win32.Diztakun.zsg Infostealer M4 (trojan.rules)
2816568 - ETPRO TROJAN Win32/Pottieq.A Ransomware CnC Checkin M2 (trojan.rules)
2816614 - ETPRO TROJAN OnionDog/TrosmAgent CnC Beacon (trojan.rules)
2816619 - ETPRO CURRENT_EVENTS Ursnif Payload via Document Macro Mar 10 (current_events.rules)
2820973 - ETPRO EXPLOIT Possible Wget Arbitrary File Write Exploit Attempt (CVE-2016-4971) (exploit.rules)
2821167 - ETPRO TROJAN W32/Unknown Dropper Downloading Cobalt Strike Beacon (trojan.rules)
2821343 - ETPRO TROJAN Win32.Swizzor Checkin (trojan.rules)
2821344 - ETPRO TROJAN Cerber Ransomware Macro EXE Download (trojan.rules)
2821347 - ETPRO CURRENT_EVENTS Document Macro Downloading Ursnif Jul 25 (current_events.rules)
2821827 - ETPRO WEB_SPECIFIC_APPS Navis WebAccess SQLi Attempt (web_specific_apps.rules)
2821839 - ETPRO TROJAN Panda Banker CnC (trojan.rules)
2822055 - ETPRO TROJAN Likely APT29 Retrieving Payload Embedded In PNG 2 (trojan.rules)
2822080 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phishing Sept 12 2016 (current_events.rules)
2822235 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phishing M1 Sept 26 2016 (current_events.rules)
2822240 - ETPRO CURRENT_EVENTS MalDoc Retrieving Payload Sep 26 2016 (current_events.rules)
2822241 - ETPRO TROJAN Sharik/Smoke Loader Connectivity Check M3 (trojan.rules)
2822242 - ETPRO TROJAN MSIL.ShopBot.avf Downloader Checkin (trojan.rules)
2822250 - ETPRO MALWARE Win32/ZonaInstaller PUP Install Beacon (malware.rules)
2822483 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Oct 07 2016 (current_events.rules)
2823197 - ETPRO TROJAN Possible APT29 Compressed Payload Download Request (trojan.rules)
2823671 - ETPRO TROJAN LatentBot HTTP POST Checkin 2 (trojan.rules)
2823965 - ETPRO CURRENT_EVENTS Successful Paypal (DE) Phish Dec 19 2016 (current_events.rules)
2824209 - ETPRO TROJAN MSIL/Downloader.Agent.CUL Checkin (trojan.rules)
2824777 - ETPRO CURRENT_EVENTS EITest SocEng Chrome Fonts DL Feb 06 M1 (current_events.rules)
2824807 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Feb 07 2017 (current_events.rules)
2824916 - ETPRO MOBILE_MALWARE PUA Android/Odpa.A Checkin (mobile_malware.rules)
2824975 - ETPRO TROJAN JS/Nemucod Retrieving Payload (trojan.rules)
2825236 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Mar 03 2017 (current_events.rules)
2825585 - ETPRO TROJAN Misdat/Poldat Variant CnC Beacon (trojan.rules)
2826356 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 5 (mobile_malware.rules)
2827624 - ETPRO TROJAN Possible APT.9002 Fileless Variant CnC Beacon 1 (trojan.rules)
2829235 - ETPRO CURRENT_EVENTS Successful Secure Cloud Files Phish 2018-01-10 M2 (current_events.rules)
2830309 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 16 (mobile_malware.rules)
2830555 - ETPRO TROJAN Observed Malicious SSL Cert (MSIL/Vinstrok.Stealer CnC) (trojan.rules)
2830927 - ETPRO TROJAN Observed Malicious SSL Cert (Bateleur CnC Domain) (trojan.rules)
2830985 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Group Loader CnC Domain) (trojan.rules)
2830986 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Group Loader CnC Domain) (trojan.rules)
2831027 - ETPRO TROJAN Observed Malicious SSL Cert (Bateleur CnC Domain) (trojan.rules)
2831335 - ETPRO TROJAN W32.1ms0rry Variant Generic Checkin (trojan.rules)
2831491 - ETPRO TROJAN Win32/Agent.QGZR CnC Checkin (trojan.rules)
2831494 - ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda CnC Domain) (trojan.rules)
2831896 - ETPRO TROJAN Trojan.Redaman CnC Beacon (trojan.rules)
2832026 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif Loader CnC Domain) (trojan.rules)
2832027 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC Domain) (trojan.rules)
2832122 - ETPRO TROJAN Win32.Pavica Checkin (trojan.rules)
2832154 - ETPRO TROJAN MSIL/Haunted Miner CnC Checkin (trojan.rules)
2833467 - ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda CnC) (trojan.rules)
2833468 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2833471 - ETPRO TROJAN Observed Malicious SSL Cert (BrushaLoader CnC) (trojan.rules)
2835109 - ETPRO TROJAN Observed Malicious JScript Downloader Inbound (trojan.rules)
2835275 - ETPRO CURRENT_EVENTS Successful Apple Phish 2019-03-11 (current_events.rules)
2836198 - ETPRO TROJAN Segrev Stealer FakeZip Conn Check (trojan.rules)
2838349 - ETPRO TROJAN Win32/TrickBot CnC Initial Checkin (trojan.rules)
2840831 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-02-03 (current_events.rules)
2840832 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-02-03 (current_events.rules)
2841073 - ETPRO TROJAN Win32/Spy.KeyLogger.QKA CnC Exfil (trojan.rules)
2841074 - ETPRO TROJAN Unrecom Style External IP Check (trojan.rules)
2841075 - ETPRO TROJAN Terse Request to paste .ee - Possible Download (trojan.rules)
2841077 - ETPRO TROJAN Kimsuky Related CnC Beacon (trojan.rules)
2841224 - ETPRO CURRENT_EVENTS Successful Adobe Document Cloud Phish 2020-02-26 (current_events.rules)
2841423 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-03-09 (current_events.rules)
2841425 - ETPRO CURRENT_EVENTS Successful Generic Phish Redirect to Google Drive 2020-03-09 (current_events.rules)
2842207 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-04-27 (current_events.rules)
2842588 - ETPRO INFO Windows BITS UA Retrieving EXE M2 (info.rules)
2842764 - ETPRO CURRENT_EVENTS Successful Mimecast Phish 2020-05-28 (current_events.rules)
2842765 - ETPRO CURRENT_EVENTS Successful Mimecast Phish 2020-05-28 (current_events.rules)
2842766 - ETPRO CURRENT_EVENTS Successful Mimecast Phish 2020-05-28 (current_events.rules)
2844643 - ETPRO CURRENT_EVENTS Successful Lloyds Bank Phish 2020-09-25 (current_events.rules)
[///] Modified inactive rules: [///]
2019697 - ET CURRENT_EVENTS Possible Dridex Campaign Download Nov 11 2014 (current_events.rules)
2019877 - ET CURRENT_EVENTS MS Office Macro Dridex Download URI Dec 5 2014 (current_events.rules)
2019977 - ET CURRENT_EVENTS W32/Dridex Distribution Campaign Dec 19 2014 (current_events.rules)
2814712 - ETPRO CURRENT_EVENTS Ursnif Payload via Document Macro (current_events.rules)
2814756 - ETPRO CURRENT_EVENTS Ursnif Payload via Document Macro Nov 4 (current_events.rules)
2814804 - ETPRO CURRENT_EVENTS Ursnif Payload via Document Macro Nov 5 (current_events.rules)
[---] Disabled and modified rules: [---]
2021621 - ET TROJAN Possible Dridex SSL Cert Aug 12 2015 (trojan.rules)
2802861 - ETPRO TROJAN Trojan.Win32.Dalgan.A Activity (trojan.rules)
2811243 - ETPRO EXPLOIT DLink DNS/DNR 320 check_login Authentication Bypass HTTP Request (exploit.rules)
2822246 - ETPRO TROJAN MSIL.ShopBot.avf Downloader Execute Command Request (trojan.rules)