[***]            Summary:            [***]

16 new OPEN, 25 new PRO (16 + 9). CVE-2020-14882, Python/PBot, Win32/Ymacco.AA67, Various BazarLoader, Coinminers, MSIL/Spy.Agent.BLR, AsyncRAT.

Thanks: @malwrhunterteam, Jason Reaves.

Happy Halloween.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031143 - ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound (CVE-2020-14882) (web_specific_apps.rules)
  2031144 - ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Fuzzing Inbound M1 (web_specific_apps.rules)
  2031145 - ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Fuzzing Inbound M2 (web_specific_apps.rules)
  2031147 - ET EXPLOIT Oracle WebLogic RCE Shell Inbound (CVE-2020-14882) M2 (exploit.rules)
  2031146 - ET TROJAN Win32/Ymacco.AA67 CnC Activity (trojan.rules)
  2031148 - ET TROJAN Python/PBot Browser Hijacker Activity (trojan.rules)
  2031149 - ET CURRENT_EVENTS Suspected Appspot Hosted Phishing Domain (current_events.rules)
  2031150 - ET TROJAN Observed BazarLoader Domain (vighik .xyz in TLS SNI) (trojan.rules)
  2031151 - ET TROJAN Observed BazarLoader Domain (cntrhum .xyz in TLS SNI) (trojan.rules)
  2031152 - ET TROJAN Observed BazarLoader Domain (doldig .xyz in TLS SNI) (trojan.rules)
  2031153 - ET TROJAN Observed BazarLoader Domain (sh78bug .xyz in TLS SNI) (trojan.rules)
  2031154 - ET TROJAN Observed BazarLoader Domain (dghns .xyz in TLS SNI) (trojan.rules)
  2031155 - ET TROJAN Observed BazarLoader Domain (bigjamg .xyz in TLS SNI) (trojan.rules)
  2031156 - ET TROJAN Observed BazarLoader Domain (numklo .xyz in TLS SNI) (trojan.rules)
  2031157 - ET TROJAN Observed BazarLoader Domain (gut45bg .xyz in TLS SNI) (trojan.rules)
  2031158 - ET TROJAN Observed BazarLoader Domain (moig .xyz in TLS SNI) (trojan.rules)

Pro:

  2845246 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-30 1) (trojan.rules)
  2845247 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-30 2) (trojan.rules)
  2845248 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-30 3) (trojan.rules)
  2845249 - ETPRO CURRENT_EVENTS Successful Square Phish 2020-10-30 (current_events.rules)
  2845250 - ETPRO TROJAN MSIL/Spy.Agent.BLR Variant CnC Host Checkin (trojan.rules)
  2845251 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
  2845252 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
  2845253 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
  2845254 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)

[+++]         Enabled rules:         [+++]

  2845069 - ETPRO CURRENT_EVENTS Successful Halifax Phish 2020-10-21 (current_events.rules)

[///]     Modified active rules:     [///]

  2002001 - ET MALWARE 180solutions Spyware Keywords Download (malware.rules)
  2002402 - ET MALWARE Spyware Related User-Agent (UtilMind HTTPGet) (malware.rules)
  2022503 - ET TROJAN Various Malicious AlphaNum DL Feb 10 2016 (trojan.rules)
  2022803 - ET INFO Flowbit set for POST to Quicken Updater (info.rules)
  2022841 - ET CURRENT_EVENTS Possible ReactorBot .bin Download (current_events.rules)
  2022952 - ET TROJAN Ransomware Locky CnC Beacon 21 May (trojan.rules)
  2023966 - ET TROJAN CozyCar V2 CnC Beacon (trojan.rules)
  2024015 - ET CURRENT_EVENTS Successful Orderlink (IN) Phish Feb 24 2017 (current_events.rules)
  2024306 - ET TROJAN MWI Maldoc Load Payload (trojan.rules)
  2024307 - ET TROJAN MWI Maldoc Posting Host Data (trojan.rules)
  2024338 - ET TROJAN Observed GET Request to Jaff Domain (orhangazitur .com) (trojan.rules)
  2024340 - ET TROJAN Jaff Ransomware Checkin (trojan.rules)
  2025892 - ET TROJAN Observed Malicious SSL Cert (OilRig QUADAGENT CnC) (trojan.rules)
  2025918 - ET TROJAN Observed Malicious SSL Cert (MICROPSIA CnC Domain) (trojan.rules)
  2026946 - ET TROJAN GanDownloader CnC Checkin (trojan.rules)
  2027144 - ET TROJAN Xwo CnC Activity (trojan.rules)
  2027417 - ET GAMES Wolfteam HileYapak Server Response (games.rules)
  2027425 - ET MALWARE LNKR landing page (possible compromised site) M1 (malware.rules)
  2027426 - ET MALWARE LNKR landing page (possible compromised site) M2 (malware.rules)
  2027427 - ET MALWARE LNKR landing page (possible compromised site) M3 (malware.rules)
  2027429 - ET MALWARE LNKR landing page (possible compromised site) M5 (malware.rules)
  2027810 - ET TROJAN Win32/Onliner Mailer Module Communicating with CnC (trojan.rules)
  2028869 - ET POLICY Vulnerable Java Version 13.0.x Detected (policy.rules)
  2028913 - ET TROJAN BadPatch CnC Activity (trojan.rules)
  2028941 - ET CURRENT_EVENTS Powershell Download Command Observed within Flash File - Probable EK Activity (current_events.rules)
  2029380 - ET TROJAN Win32/Emotet CnC Activity (POST) M8 (trojan.rules)
  2029454 - ET TROJAN Parallax RAT CnC Domain Observed in DNS Query (trojan.rules)
  2029479 - ET TROJAN Win32/AZORult V3.2 Client Checkin M16 (trojan.rules)
  2029480 - ET TROJAN Win32/AZORult V3.2 Client Checkin M17 (trojan.rules)
  2029481 - ET TROJAN Win32/AZORult V3.2 Client Checkin M18 (trojan.rules)
  2029485 - ET TROJAN Win32/AZORult V3.2 Client Checkin M19 (trojan.rules)
  2029486 - ET TROJAN Win32/AZORult V3.2 Client Checkin M20 (trojan.rules)
  2029487 - ET TROJAN Win32/AZORult V3.2 Client Checkin M21 (trojan.rules)
  2029492 - ET TROJAN Spark Backdoor CnC Domain Query (trojan.rules)
  2029501 - ET TROJAN Observed Malicious SSL Cert (MageCart CnC) (trojan.rules)
  2029502 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
  2029503 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
  2029504 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
  2029505 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
  2029506 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
  2029507 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
  2029508 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
  2029509 - ET POLICY Observed DNS Query for Suspicious TLD (.management) (policy.rules)
  2029523 - ET TROJAN Fake ProtonVPN/AZORult CnC Domain Query (trojan.rules)
  2802952 - ETPRO TROJAN Herpbot.B Checkin (trojan.rules)
  2805970 - ETPRO TROJAN Backdoor.Win32.MoSucker.23 reporting via ICQ WWW script (trojan.rules)
  2806376 - ETPRO TROJAN Trojan-Spy.Win32.Ambler Checkin (trojan.rules)
  2806668 - ETPRO TROJAN Win32.Jorik.Agent.mi 3 (trojan.rules)
  2806776 - ETPRO TROJAN Win32/Ghodow.NAS .exe Download (trojan.rules)
  2806809 - ETPRO TROJAN Win32/Agent.URS Checkin (trojan.rules)
  2806864 - ETPRO TROJAN Win32/Alureon.GD Checkin (trojan.rules)
  2806896 - ETPRO TROJAN Backdoor.Graybird Checkin (trojan.rules)
  2807440 - ETPRO TROJAN Win32/Ranbyus Check-in (trojan.rules)
  2811014 - ETPRO CURRENT_EVENTS Fiesta Java Exploit/Payload (current_events.rules)
  2811035 - ETPRO INFO Application Installer Prompt via Smart Installer (info.rules)
  2811221 - ETPRO TROJAN ReactorBot CnC Observed (trojan.rules)
  2811238 - ETPRO WEB_SPECIFIC_APPS WP Landing Pages Plugin 1.8.4 SQLi Attempt (web_specific_apps.rules)
  2811402 - ETPRO TROJAN Emotet CnC Beacon (trojan.rules)
  2811429 - ETPRO TROJAN Downeks CnC Beacon (trojan.rules)
  2811433 - ETPRO TROJAN Win32/Dishigy CnC Beacon (trojan.rules)
  2811472 - ETPRO TROJAN NSIS/TrojanDownloader.Agent.NRQ Downloader Checkin (trojan.rules)
  2811842 - ETPRO TROJAN Win32/Sifre.A Checkin (trojan.rules)
  2812016 - ETPRO TROJAN Win32.YY Generic Checkin 1 (trojan.rules)
  2812025 - ETPRO MALWARE Win32/Adware.Kraddare.LA Variant PUP Activity (malware.rules)
  2812029 - ETPRO EXPLOIT TOTOLINK Possible RCE HTTP Request (exploit.rules)
  2812039 - ETPRO TROJAN Win32/Parite.B Connectivity Check (trojan.rules)
  2812040 - ETPRO TROJAN Win32/Parite.B Checkin 2 (trojan.rules)
  2812117 - ETPRO TROJAN Win32/VB.RZM Checkin (trojan.rules)
  2812125 - ETPRO TROJAN Win32/Renocide.gen!H Checkin (trojan.rules)
  2812126 - ETPRO TROJAN Win32/Poindampa.A Geolocate Request (trojan.rules)
  2812138 - ETPRO MALWARE Win32/VK.SerfingBot PUP Activity (malware.rules)
  2812178 - ETPRO TROJAN Win32/Bagsu.A Checkin (trojan.rules)
  2812188 - ETPRO TROJAN Win32/Huhk.7005 CnC Checkin (trojan.rules)
  2812205 - ETPRO TROJAN Win32/Bagsu.A Connectivity Check (trojan.rules)
  2812206 - ETPRO TROJAN Win32/Bagsu.A Connectivity Check 2 (trojan.rules)
  2812316 - ETPRO TROJAN SeaDuke CnC Beacon (trojan.rules)
  2812415 - ETPRO TROJAN Win32.Diztakun.zsg Infostealer M2 (trojan.rules)
  2812417 - ETPRO TROJAN Win32.Diztakun.zsg Infostealer M4 (trojan.rules)
  2816568 - ETPRO TROJAN Win32/Pottieq.A Ransomware CnC Checkin M2 (trojan.rules)
  2816614 - ETPRO TROJAN OnionDog/TrosmAgent CnC Beacon (trojan.rules)
  2816619 - ETPRO CURRENT_EVENTS Ursnif Payload via Document Macro Mar 10 (current_events.rules)
  2820973 - ETPRO EXPLOIT Possible Wget Arbitrary File Write Exploit Attempt (CVE-2016-4971) (exploit.rules)
  2821167 - ETPRO TROJAN W32/Unknown Dropper Downloading Cobalt Strike Beacon (trojan.rules)
  2821343 - ETPRO TROJAN Win32.Swizzor Checkin (trojan.rules)
  2821344 - ETPRO TROJAN Cerber Ransomware Macro EXE Download (trojan.rules)
  2821347 - ETPRO CURRENT_EVENTS Document Macro Downloading Ursnif Jul 25 (current_events.rules)
  2821827 - ETPRO WEB_SPECIFIC_APPS Navis WebAccess SQLi Attempt (web_specific_apps.rules)
  2821839 - ETPRO TROJAN Panda Banker CnC (trojan.rules)
  2822055 - ETPRO TROJAN Likely APT29 Retrieving Payload Embedded In PNG 2 (trojan.rules)
  2822080 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phishing Sept 12 2016 (current_events.rules)
  2822235 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phishing M1 Sept 26 2016 (current_events.rules)
  2822240 - ETPRO CURRENT_EVENTS MalDoc Retrieving Payload Sep 26 2016 (current_events.rules)
  2822241 - ETPRO TROJAN Sharik/Smoke Loader Connectivity Check M3 (trojan.rules)
  2822242 - ETPRO TROJAN MSIL.ShopBot.avf Downloader Checkin (trojan.rules)
  2822250 - ETPRO MALWARE Win32/ZonaInstaller PUP Install Beacon (malware.rules)
  2822483 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Oct 07 2016 (current_events.rules)
  2823197 - ETPRO TROJAN Possible APT29 Compressed Payload Download Request (trojan.rules)
  2823671 - ETPRO TROJAN LatentBot HTTP POST Checkin 2 (trojan.rules)
  2823965 - ETPRO CURRENT_EVENTS Successful Paypal (DE) Phish Dec 19 2016 (current_events.rules)
  2824209 - ETPRO TROJAN MSIL/Downloader.Agent.CUL Checkin (trojan.rules)
  2824777 - ETPRO CURRENT_EVENTS EITest SocEng Chrome Fonts DL Feb 06 M1 (current_events.rules)
  2824807 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Feb 07 2017 (current_events.rules)
  2824916 - ETPRO MOBILE_MALWARE PUA Android/Odpa.A Checkin (mobile_malware.rules)
  2824975 - ETPRO TROJAN JS/Nemucod Retrieving Payload (trojan.rules)
  2825236 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Mar 03 2017 (current_events.rules)
  2825585 - ETPRO TROJAN Misdat/Poldat Variant CnC Beacon (trojan.rules)
  2826356 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 5 (mobile_malware.rules)
  2827624 - ETPRO TROJAN Possible APT.9002 Fileless Variant CnC Beacon 1 (trojan.rules)
  2829235 - ETPRO CURRENT_EVENTS Successful Secure Cloud Files Phish 2018-01-10 M2 (current_events.rules)
  2830309 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 16 (mobile_malware.rules)
  2830555 - ETPRO TROJAN Observed Malicious SSL Cert (MSIL/Vinstrok.Stealer CnC) (trojan.rules)
  2830927 - ETPRO TROJAN Observed Malicious SSL Cert (Bateleur CnC Domain) (trojan.rules)
  2830985 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Group Loader CnC Domain) (trojan.rules)
  2830986 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Group Loader CnC Domain) (trojan.rules)
  2831027 - ETPRO TROJAN Observed Malicious SSL Cert (Bateleur CnC Domain) (trojan.rules)
  2831335 - ETPRO TROJAN W32.1ms0rry Variant Generic Checkin (trojan.rules)
  2831491 - ETPRO TROJAN Win32/Agent.QGZR CnC Checkin (trojan.rules)
  2831494 - ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda CnC Domain) (trojan.rules)
  2831896 - ETPRO TROJAN Trojan.Redaman CnC Beacon (trojan.rules)
  2832026 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif Loader CnC Domain) (trojan.rules)
  2832027 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC Domain) (trojan.rules)
  2832122 - ETPRO TROJAN Win32.Pavica Checkin (trojan.rules)
  2832154 - ETPRO TROJAN MSIL/Haunted Miner CnC Checkin (trojan.rules)
  2833467 - ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda CnC) (trojan.rules)
  2833468 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
  2833471 - ETPRO TROJAN Observed Malicious SSL Cert (BrushaLoader CnC) (trojan.rules)
  2835109 - ETPRO TROJAN Observed Malicious JScript Downloader Inbound (trojan.rules)
  2835275 - ETPRO CURRENT_EVENTS Successful Apple Phish 2019-03-11 (current_events.rules)
  2836198 - ETPRO TROJAN Segrev Stealer FakeZip Conn Check (trojan.rules)
  2838349 - ETPRO TROJAN Win32/TrickBot CnC Initial Checkin (trojan.rules)
  2840831 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-02-03 (current_events.rules)
  2840832 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-02-03 (current_events.rules)
  2841073 - ETPRO TROJAN Win32/Spy.KeyLogger.QKA CnC Exfil (trojan.rules)
  2841074 - ETPRO TROJAN Unrecom Style External IP Check (trojan.rules)
  2841075 - ETPRO TROJAN Terse Request to paste .ee - Possible Download (trojan.rules)
  2841077 - ETPRO TROJAN Kimsuky Related CnC Beacon (trojan.rules)
  2841224 - ETPRO CURRENT_EVENTS Successful Adobe Document Cloud Phish 2020-02-26 (current_events.rules)
  2841423 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-03-09 (current_events.rules)
  2841425 - ETPRO CURRENT_EVENTS Successful Generic Phish Redirect to Google Drive 2020-03-09 (current_events.rules)
  2842207 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-04-27 (current_events.rules)
  2842588 - ETPRO INFO Windows BITS UA Retrieving EXE M2 (info.rules)
  2842764 - ETPRO CURRENT_EVENTS Successful Mimecast Phish 2020-05-28 (current_events.rules)
  2842765 - ETPRO CURRENT_EVENTS Successful Mimecast Phish 2020-05-28 (current_events.rules)
  2842766 - ETPRO CURRENT_EVENTS Successful Mimecast Phish 2020-05-28 (current_events.rules)
  2844643 - ETPRO CURRENT_EVENTS Successful Lloyds Bank Phish 2020-09-25 (current_events.rules)

[///]    Modified inactive rules:    [///]

  2019697 - ET CURRENT_EVENTS Possible Dridex Campaign Download Nov 11 2014 (current_events.rules)
  2019877 - ET CURRENT_EVENTS MS Office Macro Dridex Download URI Dec 5 2014 (current_events.rules)
  2019977 - ET CURRENT_EVENTS W32/Dridex Distribution Campaign Dec 19 2014 (current_events.rules)
  2814712 - ETPRO CURRENT_EVENTS Ursnif Payload via Document Macro (current_events.rules)
  2814756 - ETPRO CURRENT_EVENTS Ursnif Payload via Document Macro Nov 4 (current_events.rules)
  2814804 - ETPRO CURRENT_EVENTS Ursnif Payload via Document Macro Nov 5 (current_events.rules)

[---]  Disabled and modified rules:  [---]

  2021621 - ET TROJAN Possible Dridex SSL Cert Aug 12 2015 (trojan.rules)
  2802861 - ETPRO TROJAN Trojan.Win32.Dalgan.A Activity (trojan.rules)
  2811243 - ETPRO EXPLOIT DLink DNS/DNR 320 check_login Authentication Bypass HTTP Request (exploit.rules)
  2822246 - ETPRO TROJAN MSIL.ShopBot.avf Downloader Execute Command Request (trojan.rules)
