[***] Summary: [***]
8 new OPEN, 28 new PRO (8 + 20). Win32/IRCbot.DL, Kimsuky KGH Backdoor, CVE-2020-17087 and VARIOUS PHISHING.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031173 - ET INFO Redirect to Joom AG Hosted Document - Potential Phishing (info.rules)
2031174 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server (web_server.rules)
2031175 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server (web_client.rules)
2031176 - ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server (web_client.rules)
2031177 - ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server (web_server.rules)
2031178 - ET TROJAN W32/Kimsuky Sending Encrypted System Information to CnC (trojan.rules)
2031179 - ET TROJAN Kimsuky KGH Backdoor CnC Activity M2 (trojan.rules)
2031180 - ET TROJAN Kimsuky WildCommand CnC Activity (trojan.rules)
Pro:
2838401 - ETPRO INFO Generic Credit Card Information Observed - Possible Phishing (info.rules)
2845322 - ETPRO TROJAN Win32/IRCbot.DL CnC Activity (trojan.rules)
2845323 - ETPRO TROJAN MSIL/Remcos RAT CnC Keep-Alive (Outbound) (trojan.rules)
2845324 - ETPRO TROJAN MSIL/Remcos RAT CnC Keep-Alive (Inbound) (trojan.rules)
2845325 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-11-04 (current_events.rules)
2845326 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-04 1) (trojan.rules)
2845327 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-04 2) (trojan.rules)
2845328 - ETPRO CURRENT_EVENTS Successful Microsoft Live Phish 2020-11-04 (current_events.rules)
2845329 - ETPRO CURRENT_EVENTS Successful Generic BR Banking XYZ Hosted Phish 2020-11-04 (current_events.rules)
2845330 - ETPRO CURRENT_EVENTS Successful ING Phish 2020-11-04 (current_events.rules)
2845331 - ETPRO TROJAN Possible CVE-2020-17087 Executable Payload Inbound (trojan.rules)
2845332 - ETPRO TROJAN Win32/Remcos RAT Checkin 592 (trojan.rules)
2845333 - ETPRO TROJAN Win32/Remcos RAT Checkin 593 (trojan.rules)
2845334 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845335 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845336 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845337 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845338 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845339 - ETPRO CURRENT_EVENTS Successful Banco BPM Phish 2020-11-04 (current_events.rules)
2845340 - ETPRO CURRENT_EVENTS Successful ING Phish (NL) 2020-11-04 (current_events.rules)
[///] Modified active rules: [///]
2023576 - ET TROJAN Locky CnC Checkin Dec 5 M1 (trojan.rules)
2023595 - ET TROJAN Trojan.Kwampirs Outbound GET request (trojan.rules)
2023670 - ET INFO IE7UA No Cookie No Referer (info.rules)
2023740 - ET TROJAN Possible Pony Payload DL (trojan.rules)
2023816 - ET TROJAN WSF/JS Downloader Jan 30 2017 M1 (trojan.rules)
2023916 - ET TROJAN APT28 Uploader Variant CnC Beacon (trojan.rules)
2023951 - ET TROJAN MAGICHOUND.FETCH CnC Beacon (trojan.rules)
2024041 - ET TROJAN Spora Ransomware Checkin (trojan.rules)
2024048 - ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 (current_events.rules)
2024049 - ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2 (current_events.rules)
2024123 - ET MOBILE_MALWARE Android.C2P.Qd!c Ransomware CnC Beacon (mobile_malware.rules)
2025465 - ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC (trojan.rules)
2025545 - ET WEB_SPECIFIC_APPS DNN DNNPersonalization Cookie RCE Attempt (CVE-2017-9822) (web_specific_apps.rules)
2025671 - ET CURRENT_EVENTS Suspicious Wordpress Redirect - Possible Phishing Landing Jan 7 2016 (current_events.rules)
2025747 - ET WEB_SPECIFIC_APPS WordPress Plugin Pie Register SQL Injection (web_specific_apps.rules)
2025820 - ET WEB_SPECIFIC_APPS GitList Argument Injection (web_specific_apps.rules)
2026002 - ET TROJAN [PTsecurity] Tinba (Banking Trojan) Check-in (trojan.rules)
2026435 - ET TROJAN Win32.YordanyanActiveAgent CnC Reporting (trojan.rules)
2026517 - ET TROJAN Locky CnC Checkin (trojan.rules)
2026882 - ET POLICY Observed External IP Lookup SSL Cert (policy.rules)
2027075 - ET CURRENT_EVENTS Spelevo EK Post-Compromise Data Dump (current_events.rules)
2027273 - ET TROJAN Baldr Stealer Checkin M2 (trojan.rules)
2027380 - ET CURRENT_EVENTS Possible Router EK Landing Page Inbound 2019-05-24 (current_events.rules)
2029009 - ET INFO Generic IOT Downloader Malware in POST (Outbound) (info.rules)
2029011 - ET INFO Generic IOT Downloader Malware in POST (Inbound) (info.rules)
2029571 - ET TROJAN Observed Malicious SSL Cert (MageCart) (trojan.rules)
2029572 - ET TROJAN Observed Malicious SSL Cert (MageCart) (trojan.rules)
2808035 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.fe Checkin (mobile_malware.rules)
2808174 - ETPRO TROJAN Win32/Itsproc!gmb DLL Retrieval (trojan.rules)
2808329 - ETPRO TROJAN Win32/SpamTool.Tedroo.BC Downloading CryptoWall/Malex (trojan.rules)
2808483 - ETPRO TROJAN Backdoor.APT.Lurid Checkin via POST (trojan.rules)
2808550 - ETPRO TROJAN Win32/Tofsee.av Loader Checkin (trojan.rules)
2810099 - ETPRO TROJAN Chthonic CnC Beacon 7 (trojan.rules)
2814068 - ETPRO TROJAN XCodeGhost Beacon (trojan.rules)
2814103 - ETPRO TROJAN Spammer MSIL/Misnt.A GetList (trojan.rules)
2814104 - ETPRO TROJAN Spammer MSIL/Misnt.A Get MX (trojan.rules)
2814106 - ETPRO TROJAN Spammer MSIL/Misnt.A Fetching Spam List (trojan.rules)
2814167 - ETPRO CURRENT_EVENTS Possible Nuclear EK Flash Exploit M2 (current_events.rules)
2814203 - ETPRO MALWARE Adware.Win32/Bayads Activity (malware.rules)
2814364 - ETPRO TROJAN Possible IIS Backdoor Receiving Commands via URI (trojan.rules)
2814384 - ETPRO WEB_CLIENT APT SWC PluginDetect Landing Cookie Oct 14 2015 (web_client.rules)
2815025 - ETPRO TROJAN Win32/Kitkiot.A Checkin (trojan.rules)
2841378 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
2843101 - ETPRO TROJAN Kimsuky Related Host Data Exfil M3 (trojan.rules)
2844577 - ETPRO TROJAN MSIL/Remcos RAT CnC Checkin M2 (trojan.rules)
[---] Disabled and modified rules: [---]
2810370 - ETPRO CURRENT_EVENTS Darkleech Iframe Injection Detected (current_events.rules)
2814105 - ETPRO TROJAN Spammer MSIL/Misnt.A Spam Payload Download (trojan.rules)
[---] Disabled rules: [---]
2811724 - ETPRO CURRENT_EVENTS APT SWC Redirected PluginDetect Landing June 29 2015 (current_events.rules)
2811906 - ETPRO CURRENT_EVENTS Targeted Attack from APT Actor 2 Delivering HT SWF Exploit RIP (current_events.rules)
2811907 - ETPRO CURRENT_EVENTS Possible Targeted Attack from APT Actor 2 Delivering HT SWF Exploit RIP (current_events.rules)
[---] Removed rules: [---]
2829548 - ETPRO TROJAN W32/Kimsuky Sending Encrypted System Information to CnC (trojan.rules)
2838401 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-09-10 (current_events.rules)