Daily Ruleset Update Summary
Daily Ruleset Update Summary 2020/11/04

[***]            Summary:            [***]

8 new OPEN, 28 new PRO (8 + 20). Win32/IRCbot.DL, Kimsuky KGH Backdoor, CVE-2020-17087 and VARIOUS PHISHING.
  
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031173 - ET INFO Redirect to Joom AG Hosted Document - Potential Phishing
(info.rules)
  2031174 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised
Server (web_server.rules)
  2031175 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised
Server (web_client.rules)
  2031176 - ET WEB_CLIENT Generic Mailer Accessed on External Compromised
Server (web_client.rules)
  2031177 - ET WEB_SERVER Generic Mailer Accessed on Internal Compromised
Server (web_server.rules)
  2031178 - ET TROJAN W32/Kimsuky Sending Encrypted System Information to
CnC (trojan.rules)
  2031179 - ET TROJAN Kimsuky KGH Backdoor CnC Activity M2 (trojan.rules)
  2031180 - ET TROJAN Kimsuky WildCommand CnC Activity (trojan.rules)

Pro:

  2838401 - ETPRO INFO Generic Credit Card Information Observed - Possible
Phishing (info.rules)
  2845322 - ETPRO TROJAN Win32/IRCbot.DL CnC Activity (trojan.rules)
  2845323 - ETPRO TROJAN MSIL/Remcos RAT CnC Keep-Alive (Outbound)
(trojan.rules)
  2845324 - ETPRO TROJAN MSIL/Remcos RAT CnC Keep-Alive (Inbound)
(trojan.rules)
  2845325 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-11-04
(current_events.rules)
  2845326 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-11-04 1) (trojan.rules)
  2845327 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-11-04 2) (trojan.rules)
  2845328 - ETPRO CURRENT_EVENTS Successful Microsoft Live Phish 2020-11-04
(current_events.rules)
  2845329 - ETPRO CURRENT_EVENTS Successful Generic BR Banking XYZ Hosted
Phish 2020-11-04 (current_events.rules)
  2845330 - ETPRO CURRENT_EVENTS Successful ING Phish 2020-11-04
(current_events.rules)
  2845331 - ETPRO TROJAN Possible CVE-2020-17087 Executable Payload Inbound
(trojan.rules)
  2845332 - ETPRO TROJAN Win32/Remcos RAT Checkin 592 (trojan.rules)
  2845333 - ETPRO TROJAN Win32/Remcos RAT Checkin 593 (trojan.rules)
  2845334 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2845335 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2845336 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2845337 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2845338 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2845339 - ETPRO CURRENT_EVENTS Successful Banco BPM Phish 2020-11-04
(current_events.rules)
  2845340 - ETPRO CURRENT_EVENTS Successful ING Phish (NL) 2020-11-04
(current_events.rules)

[///]     Modified active rules:     [///]

  2023576 - ET TROJAN Locky CnC Checkin Dec 5 M1 (trojan.rules)
  2023595 - ET TROJAN Trojan.Kwampirs Outbound GET request (trojan.rules)
  2023670 - ET INFO IE7UA No Cookie No Referer (info.rules)
  2023740 - ET TROJAN Possible Pony Payload DL (trojan.rules)
  2023816 - ET TROJAN WSF/JS Downloader Jan 30 2017 M1 (trojan.rules)
  2023916 - ET TROJAN APT28 Uploader Variant CnC Beacon (trojan.rules)
  2023951 - ET TROJAN MAGICHOUND.FETCH CnC Beacon (trojan.rules)
  2024041 - ET TROJAN Spora Ransomware Checkin (trojan.rules)
  2024048 - ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017
(current_events.rules)
  2024049 - ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2
(current_events.rules)
  2024123 - ET MOBILE_MALWARE Android.C2P.Qd!c Ransomware CnC Beacon
(mobile_malware.rules)
  2025465 - ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC
(trojan.rules)
  2025545 - ET WEB_SPECIFIC_APPS DNN DNNPersonalization Cookie RCE Attempt
(CVE-2017-9822) (web_specific_apps.rules)
  2025671 - ET CURRENT_EVENTS Suspicious Wordpress Redirect - Possible
Phishing Landing Jan 7 2016 (current_events.rules)
  2025747 - ET WEB_SPECIFIC_APPS WordPress Plugin Pie Register SQL Injection
(web_specific_apps.rules)
  2025820 - ET WEB_SPECIFIC_APPS GitList Argument Injection
(web_specific_apps.rules)
  2026002 - ET TROJAN [PTsecurity] Tinba (Banking Trojan) Check-in
(trojan.rules)
  2026435 - ET TROJAN Win32.YordanyanActiveAgent CnC Reporting
(trojan.rules)
  2026517 - ET TROJAN Locky CnC Checkin (trojan.rules)
  2026882 - ET POLICY Observed External IP Lookup SSL Cert (policy.rules)
  2027075 - ET CURRENT_EVENTS Spelevo EK Post-Compromise Data Dump
(current_events.rules)
  2027273 - ET TROJAN Baldr Stealer Checkin M2 (trojan.rules)
  2027380 - ET CURRENT_EVENTS Possible Router EK Landing Page Inbound
2019-05-24 (current_events.rules)
  2029009 - ET INFO Generic IOT Downloader Malware in POST (Outbound)
(info.rules)
  2029011 - ET INFO Generic IOT Downloader Malware in POST (Inbound)
(info.rules)
  2029571 - ET TROJAN Observed Malicious SSL Cert (MageCart) (trojan.rules)
  2029572 - ET TROJAN Observed Malicious SSL Cert (MageCart) (trojan.rules)
  2808035 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.fe Checkin
(mobile_malware.rules)
  2808174 - ETPRO TROJAN Win32/Itsproc!gmb DLL Retrieval (trojan.rules)
  2808329 - ETPRO TROJAN Win32/SpamTool.Tedroo.BC Downloading
CryptoWall/Malex (trojan.rules)
  2808483 - ETPRO TROJAN Backdoor.APT.Lurid Checkin via POST (trojan.rules)
  2808550 - ETPRO TROJAN Win32/Tofsee.av Loader Checkin (trojan.rules)
  2810099 - ETPRO TROJAN Chthonic CnC Beacon 7 (trojan.rules)
  2814068 - ETPRO TROJAN XCodeGhost Beacon (trojan.rules)
  2814103 - ETPRO TROJAN Spammer MSIL/Misnt.A GetList (trojan.rules)
  2814104 - ETPRO TROJAN Spammer MSIL/Misnt.A Get MX (trojan.rules)
  2814106 - ETPRO TROJAN Spammer MSIL/Misnt.A Fetching Spam List
(trojan.rules)
  2814167 - ETPRO CURRENT_EVENTS Possible Nuclear EK Flash Exploit M2
(current_events.rules)
  2814203 - ETPRO MALWARE Adware.Win32/Bayads Activity (malware.rules)
  2814364 - ETPRO TROJAN Possible IIS Backdoor Receiving Commands via URI
(trojan.rules)
  2814384 - ETPRO WEB_CLIENT APT SWC PluginDetect Landing Cookie Oct 14 2015
(web_client.rules)
  2815025 - ETPRO TROJAN Win32/Kitkiot.A Checkin (trojan.rules)
  2841378 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2843101 - ETPRO TROJAN Kimsuky Related Host Data Exfil M3 (trojan.rules)
  2844577 - ETPRO TROJAN MSIL/Remcos RAT CnC Checkin M2 (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2810370 - ETPRO CURRENT_EVENTS Darkleech Iframe Injection Detected
(current_events.rules)
  2814105 - ETPRO TROJAN Spammer MSIL/Misnt.A Spam Payload Download
(trojan.rules)

[---]         Disabled rules:        [---]

  2811724 - ETPRO CURRENT_EVENTS APT SWC Redirected PluginDetect Landing
June 29 2015 (current_events.rules)
  2811906 - ETPRO CURRENT_EVENTS Targeted Attack from APT Actor 2 Delivering
HT SWF Exploit RIP (current_events.rules)
  2811907 - ETPRO CURRENT_EVENTS Possible Targeted Attack from APT Actor 2
Delivering HT SWF Exploit RIP (current_events.rules)

[---]         Removed rules:         [---]

  2829548 - ETPRO TROJAN W32/Kimsuky Sending Encrypted System Information to
CnC (trojan.rules)
  2838401 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2019-09-10 (current_events.rules)

Date:
Summary title:
8 new OPEN, 28 new PRO (8 + 20). Win32/IRCbot.DL, Kimsuky KGH Backdoor, CVE-2020-17087 and VARIOUS PHISHING.