[***] Summary: [***]
7 new OPEN, 37 new PRO (7 open + 30 PRO-only). Trickbot Anchor ICMP, D1onis Stealer, Trojan.AndroidOS.FinSpy Checkin, Down-X CnC, and VARIOUS PHISHING
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031159 - ET TROJAN Trickbot Anchor ICMP Request (trojan.rules)
2031160 - ET TROJAN LolliCrypt Ransomware Sending Data to CnC (trojan.rules)
2031161 - ET TROJAN D1onis Stealer Sending Data to CnC (trojan.rules)
2031162 - ET TROJAN Observed Malicious SSL Cert (DonotGroup FireStarter CnC) (trojan.rules)
2031163 - ET TROJAN Observed Malicious SSL Cert (DonotGroup FireStarter CnC) (trojan.rules)
2031164 - ET TROJAN Observed Malicious SSL Cert (DonotGroup FireStarter CnC) (trojan.rules)
2031165 - ET TROJAN Observed Malicious SSL Cert (DonotGroup FireStarter CnC) (trojan.rules)
Pro:
2845255 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Fakenocam.d Checkin (mobile_malware.rules)
2845256 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SpyNote.b Checkin (mobile_malware.rules)
2845257 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.FinSpy Checkin (mobile_malware.rules)
2845258 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.PhoneSpy.b TLS SNI (mobile_malware.rules)
2845259 - ETPRO MOBILE_MALWARE Android/Spy.Banker.AMH CnC Beacon (mobile_malware.rules)
2845260 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BAZ Checkin (mobile_malware.rules)
2845261 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Malban.b Checkin (mobile_malware.rules)
2845262 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.FreeSpy TLS SNI (mobile_malware.rules)
2845263 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin (mobile_malware.rules)
2845264 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-11-02 (current_events.rules)
2845265 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-11-02 (current_events.rules)
2845266 - ETPRO CURRENT_EVENTS Successful PrimaBanka Phish 2020-11-02 (current_events.rules)
2845267 - ETPRO CURRENT_EVENTS Successful Spotify Phish 2020-11-02 (current_events.rules)
2845268 - ETPRO CURRENT_EVENTS Successful Blockchain Phish 2020-11-02 (current_events.rules)
2845269 - ETPRO CURRENT_EVENTS Successful Generic Mobile Game Phish 2020-11-02 (current_events.rules)
2845270 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-11-02 (current_events.rules)
2845271 - ETPRO CURRENT_EVENTS Successful American Express Phish 2020-11-02 (current_events.rules)
2845272 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-31 1) (trojan.rules)
2845273 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-31 2) (trojan.rules)
2845274 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-10-31 3) (trojan.rules)
2845275 - ETPRO TROJAN Win32/MailsChecker Activity (trojan.rules)
2845276 - ETPRO MALWARE QJWMonkey Activity (malware.rules)
2845277 - ETPRO TROJAN Down-X CnC Activity (trojan.rules)
2845278 - ETPRO TROJAN Win32/Remcos RAT Checkin 586 (trojan.rules)
2845279 - ETPRO TROJAN Win32/Remcos RAT Checkin 587 (trojan.rules)
2845280 - ETPRO TROJAN Win32/Remcos RAT Checkin 588 (trojan.rules)
2845281 - ETPRO TROJAN Observed AZORult CnC Domain in TLS SNI (trojan.rules)
2845282 - ETPRO CURRENT_EVENTS Successful Virgin Mobile Phish 2020-11-02 (current_events.rules)
2845283 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2020-11-02 (current_events.rules)
2845284 - ETPRO MALWARE Win32/Unruy.C Activity (malware.rules)
[///] Modified active rules: [///]
2003337 - ET MALWARE Suspicious User Agent (Autoupdate) (malware.rules)
2004023 - ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style SELECT (web_specific_apps.rules)
2005850 - ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid DELETE (web_specific_apps.rules)
2006022 - ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UNION SELECT (web_specific_apps.rules)
2006116 - ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UPDATE (web_specific_apps.rules)
2006145 - ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID ASCII (web_specific_apps.rules)
2006357 - ET MALWARE User Agent (TEST) - Likely Webhancer Related Spyware (malware.rules)
2006829 - ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak ASCII (web_specific_apps.rules)
2006834 - ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler DELETE (web_specific_apps.rules)
2006846 - ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno DELETE (web_specific_apps.rules)
2006935 - ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid INSERT (web_specific_apps.rules)
2007766 - ET POLICY Logmein.com Update Activity (policy.rules)
2007999 - ET TROJAN Banker Trojan (General) HTTP Checkin (vit) (trojan.rules)
2008171 - ET WEB_SERVER HP OpenView Network Node Manager CGI Directory Traversal (web_server.rules)
2008210 - ET MALWARE Misspelled Mozilla User-Agent (Mozila) (malware.rules)
2008338 - ET TROJAN KLog Nick Keylogger Checkin (trojan.rules)
2009000 - ET WEB_SPECIFIC_APPS RSS Simple News news.php pid parameter Remote SQL Injection (web_specific_apps.rules)
2009009 - ET WEB_SPECIFIC_APPS ClaSS export.php ftype parameter Information Disclosure (web_specific_apps.rules)
2009010 - ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure (web_specific_apps.rules)
2009217 - ET SCAN Tomcat admin-admin login credentials (scan.rules)
2009458 - ET TROJAN Win32/Sisron/BackDoor.Cybergate.1 Checkin (trojan.rules)
2009897 - ET TROJAN Possible Windows executable sent when remote host claims to send html content (trojan.rules)
2009909 - ET TROJAN Possible Windows executable sent when remote host claims to send HTML/CSS Content (trojan.rules)
2010129 - ET TROJAN Drop.Agent.bfsv HTTP Activity (UsER-AgENt) (trojan.rules)
2010513 - ET WEB_SERVER Possible HTTP 401 XSS Attempt (Local Source) (web_server.rules)
2010698 - ET WEB_SERVER Possible D-Link Router HNAP Protocol Security Bypass Attempt (web_server.rules)
2010864 - ET WEB_SERVER HP OpenView /OvCgi/Toolbar.exe Accept Language Heap Buffer Overflow Attempt (web_server.rules)
2011391 - ET MALWARE Win32/Agent.PMS Variant CnC Activity (malware.rules)
2020339 - ET TROJAN f0xy Checkin (trojan.rules)
2020858 - ET EXPLOIT Linksys WRT54GL Router DNS Change POST Request (exploit.rules)
2021247 - ET TROJAN Possible Duqu 2.0 Request (trojan.rules)
2021259 - ET TROJAN Win32/Agent.WVW CnC Beacon 3 (trojan.rules)
2021293 - ET CURRENT_EVENTS KaiXin Secondary Landing Page (current_events.rules)
2021407 - ET CURRENT_EVENTS HanJuan EK Current Campaign Landing URI Struct Jul 10 2015 (current_events.rules)
2021626 - ET TROJAN Hacking Team Elite Windows Implant Exfiltration (trojan.rules)
2021627 - ET TROJAN Hacking Team Scout Windows Implant Exfiltration (trojan.rules)
2021628 - ET TROJAN Hacking Team Android Implant Exfiltration (trojan.rules)
2021629 - ET TROJAN Hacking Team Implant Exfiltration (trojan.rules)
2022070 - ET CURRENT_EVENTS Possible Evil Redirector Leading to EK Nov 09 2015 M1 (current_events.rules)
2022071 - ET CURRENT_EVENTS Possible Evil Redirector Leading to EK Nov 09 2015 M2 (current_events.rules)
2022582 - ET TROJAN jFect HTTP CnC Checkin (trojan.rules)
2022652 - ET INFO Possible WinHttpRequest (no .exe) (info.rules)
2025134 - ET POLICY OnePlus phone data leakage (policy.rules)
2027957 - ET CURRENT_EVENTS Successful My ADP Phish (set) 2017-02-16 (current_events.rules)
2029524 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12) (trojan.rules)
2029534 - ET TROJAN Observed Adwind RAT CnC DNS Query (trojan.rules)
2029535 - ET TROJAN Observed Adwind RAT CnC DNS Query (trojan.rules)
2029536 - ET TROJAN Observed Adwind RAT CnC DNS Query (trojan.rules)
2030139 - ET TROJAN Unk.VBSLoader Retrieving Payload (trojan.rules)
2810148 - ETPRO MALWARE Win32/Autoit.HZ Checkin (malware.rules)
2810326 - ETPRO TROJAN PlugX Related Checkin (trojan.rules)
2810454 - ETPRO TROJAN Mal/Banker-AA Conf Download (trojan.rules)
2810581 - ETPRO TROJAN Win32/Vflooder.C CnC Beacon (trojan.rules)
2810615 - ETPRO WEB_SERVER Possible Information Leak Vuln CVE-2015-1648 (web_server.rules)
2810686 - ETPRO TROJAN Win32/Dupzom Retrieving Payload (trojan.rules)
2810703 - ETPRO TROJAN MSIL/Golroted.B or HawkEye External IP Check with minimal headers (trojan.rules)
2810936 - ETPRO MOBILE_MALWARE Android.Adware.Wapsx.A Checkin 5 (mobile_malware.rules)
2810982 - ETPRO MALWARE Win32.AdLoad CnC Beacon (malware.rules)
2811631 - ETPRO TROJAN BACKDOOR.EMDIVI Checkin 3 (trojan.rules)
2812052 - ETPRO MALWARE PUA.Spyware.XPCSpyPro GeoLocate Request (malware.rules)
2822181 - ETPRO TROJAN Bolek HTTP Checkin (trojan.rules)
2824863 - ETPRO TROJAN Win32/Fadok.A Checkin (trojan.rules)
2825002 - ETPRO CURRENT_EVENTS Successful My ADP Phish Feb 16 2017 (current_events.rules)
2825767 - ETPRO TROJAN Stolich Gen Ransomware CnC Create Key (trojan.rules)
2825768 - ETPRO TROJAN Stolich Gen Ransomware CnC Save Key (trojan.rules)
2825789 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.IC CnC Beacon (mobile_malware.rules)
2825791 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.IC Contacts Exfil (mobile_malware.rules)
2825926 - ETPRO TROJAN Callisto RCS CnC Beacon 1 (trojan.rules)
2825927 - ETPRO TROJAN RCS Variant CnC Beacon (trojan.rules)
2826404 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Hqwar.jck Checkin (mobile_malware.rules)
2826433 - ETPRO TROJAN GhostAdmin/KeyTrap/BlakStar Requesting Config M1 (trojan.rules)
2826434 - ETPRO TROJAN GhostAdmin/KeyTrap/BlakStar Requesting Config M2 (trojan.rules)
2826849 - ETPRO TROJAN DNS Query to Cerber Domain (asd3r3 . win) (trojan.rules)
2826850 - ETPRO TROJAN DNS Query to Cerber Domain (16l1zt . top) (trojan.rules)
2826852 - ETPRO TROJAN DNS Query to Cerber Domain (1gy9bo . top) (trojan.rules)
2826853 - ETPRO TROJAN DNS Query to Cerber Domain (17rm9b . top) (trojan.rules)
2826854 - ETPRO TROJAN DNS Query to Cerber Domain (1apgrn . top) (trojan.rules)
2826855 - ETPRO TROJAN DNS Query to Cerber Domain (1k6bas . top) (trojan.rules)
2826859 - ETPRO TROJAN DNS Query to Cerber Domain (179tnk . top) (trojan.rules)
2828111 - ETPRO MOBILE_MALWARE Android/BinaryBanc CnC Checkin (mobile_malware.rules)
2828270 - ETPRO CURRENT_EVENTS MalDoc Retrieving Payload Oct 11 2017 (current_events.rules)
2828331 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Oct 17 2017 (current_events.rules)
2828353 - ETPRO TROJAN Known Malicious Downloader Pattern 20 Oct 2017 (trojan.rules)
2828446 - ETPRO TROJAN MSIL/TrojanDropper.Agent.DHJ Variant Downloader Activity (trojan.rules)
2829689 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 15 (mobile_malware.rules)
2829719 - ETPRO CURRENT_EVENTS Successful Apple Phish 2018-02-19 (current_events.rules)
2829878 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Agent.on Checkin (mobile_malware.rules)
2829880 - ETPRO MOBILE_MALWARE Android/Agent.AMP Checkin (mobile_malware.rules)
2829915 - ETPRO TROJAN Donot Team YTY Framework Requesting Commands from CnC (trojan.rules)
2830126 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.bh Checkin 4 (mobile_malware.rules)
2830127 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.ba Checkin (mobile_malware.rules)
2830151 - ETPRO MOBILE_MALWARE Android.Trojan.HiddenApp.CV Checkin (mobile_malware.rules)
2830153 - ETPRO CURRENT_EVENTS Successful Blackboard Phish 2018-03-27 (current_events.rules)
2830252 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.dm Checkin (mobile_malware.rules)
2830267 - ETPRO TROJAN W32/PinoRAT C2 HTTP Pattern (trojan.rules)
2830311 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 17 (mobile_malware.rules)
2830345 - ETPRO MOBILE_MALWARE Android/Monitor.Humanspy.C CnC Beacon (mobile_malware.rules)
2830512 - ETPRO MOBILE_MALWARE Android Trojan-Spy EmSeven File Exfil (mobile_malware.rules)
2830995 - ETPRO TROJAN MSIL/Supreme Miner CnC Checkin (trojan.rules)
2831093 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC Domain) (trojan.rules)
2835216 - ETPRO TROJAN Win32/Agent.RNS Requesting New Payload CnC Address (trojan.rules)
2836887 - ETPRO POLICY TrustViewer Remote Access Request (policy.rules)
2841138 - ETPRO MALWARE Win32/Adload Retrieving EXE (malware.rules)
2841166 - ETPRO TROJAN MalDoc Retrieving RTF Payload (trojan.rules)
2841181 - ETPRO TROJAN Observed Malicious SSL Cert (Unk/Targeted CnC) (trojan.rules)
2841189 - ETPRO TROJAN Terse Request for .bat - Likely Hostile (trojan.rules)
[///] Modified inactive rules: [///]
2826848 - ETPRO TROJAN DNS Query to Cerber Domain (15qq4s . top) (trojan.rules)
2826856 - ETPRO TROJAN DNS Query to Cerber Domain (o8hpwj . top) (trojan.rules)
2826857 - ETPRO TROJAN DNS Query to Cerber Domain (1azkux . top) (trojan.rules)
2826858 - ETPRO TROJAN DNS Query to Cerber Domain (12uzfa . top) (trojan.rules)