[***]            Summary:            [***]

3 new OPEN, 28 new PRO (3 + 25).  Win32/PurpleWave Stealer, Python/Peppy RAT, CareUEyes Checkin and VARIOUS PHISHING.
  
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031181 - ET TROJAN Win32/PurpleWave Stealer CnC Exfil M2 (trojan.rules)
  2031182 - ET MALWARE STOPzilla Download Accelerator Activity
(malware.rules)
  2031183 - ET MALWARE SilverSpeedup Generic PUA Software UA (malware.rules)

Pro:

  2845341 - ETPRO TROJAN Win32/PurpleWave Stealer CnC Activity
(trojan.rules)
  2845342 - ETPRO TROJAN Win32/PurpleWave Stealer CnC Activity M2
(trojan.rules)
  2845343 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-11-05
(current_events.rules)
  2845344 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-11-05
(current_events.rules)
  2845345 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-11-05
(current_events.rules)
  2845346 - ETPRO CURRENT_EVENTS Successful Microsoft Excel Online Phish
2020-11-05 (current_events.rules)
  2845347 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-11-05 (current_events.rules)
  2845348 - ETPRO CURRENT_EVENTS Successful Linkedin Phish 2020-11-05
(current_events.rules)
  2845349 - ETPRO TROJAN Python/Peppy RAT Exfil (trojan.rules)
  2845350 - ETPRO TROJAN Python/Peppy RAT CnC Activity (trojan.rules)
  2845351 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-11-05 1) (trojan.rules)
  2845352 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-11-05 2) (trojan.rules)
  2845353 - ETPRO TROJAN W32/Unk.Downloader Activity (trojan.rules)
  2845354 - ETPRO TROJAN Observed Malicious SSL Cert (Fallout EK Landing)
(trojan.rules)
  2845355 - ETPRO TROJAN Observed Malicious SSL Cert (Intermediary Fallout
EK Redirect) (trojan.rules)
  2845356 - ETPRO TROJAN Observed Malicious SSL Cert (EvilKeitaro)
(trojan.rules)
  2845357 - ETPRO INFO Possible Inbound Script containing taskkill execution
(info.rules)
  2845358 - ETPRO TROJAN Win32/Remcos RAT Checkin 594 (trojan.rules)
  2845359 - ETPRO TROJAN Win32/Remcos RAT Checkin 595 (trojan.rules)
  2845360 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2845361 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2845362 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2845363 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2845364 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2845365 - ETPRO MALWARE CareUEyes Checkin (malware.rules)

[///]     Modified active rules:     [///]

  2014297 - ET POLICY Vulnerable Java Version 1.7.x Detected (policy.rules)
  2015471 - ET WEB_SPECIFIC_APPS joomla com_edir controller parameter Local
File Inclusion vulnerability (web_specific_apps.rules)
  2015625 - ET WEB_SERVER Magento XMLRPC-Exploit Attempt (web_server.rules)
  2016175 - ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to
Disallowed Type YAML (exploit.rules)
  2016176 - ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to
Disallowed Type SYMBOL (exploit.rules)
  2016434 - ET TROJAN Win32/COOKIEBAG Cookie APT1 Related (trojan.rules)
  2016573 - ET TROJAN APT_NGO_wuaclt (trojan.rules)
  2016759 - ET TROJAN Win32/Redyms.A Checkin (trojan.rules)
  2016764 - ET CURRENT_EVENTS GrandSoft PDF Payload Download
(current_events.rules)
  2016869 - ET CURRENT_EVENTS FlimKit Post Exploit Payload Download
(current_events.rules)
  2016939 - ET TROJAN Variant.Kazy.174106 Checkin (trojan.rules)
  2016991 - ET TROJAN Alina Server Response Code (trojan.rules)
  2017074 - ET WEB_SPECIFIC_APPS MoinMoin twikidraw Action Traversal File
Upload (web_specific_apps.rules)
  2017261 - ET TROJAN SmokeLoader Checkin (trojan.rules)
  2017573 - ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet RCE Using
Marshalled Object (web_specific_apps.rules)
  2017574 - ET WEB_SPECIFIC_APPS Possible JBoss/JMX EJBInvokerServlet RCE
Using Marshalled Object (web_specific_apps.rules)
  2018052 - ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin
(current_events.rules)
  2018095 - ET MALWARE Potentially Unwanted Application AirInstaller
(malware.rules)
  2018119 - ET TROJAN Banking Trojan HTTP Cookie (trojan.rules)
  2019166 - ET TROJAN Stobox Connectivity Check (trojan.rules)
  2019377 - ET TROJAN Win32/Ursnif Checkin (trojan.rules)
  2019401 - ET POLICY Vulnerable Java Version 1.8.x Detected (policy.rules)
  2019748 - ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST
(web_server.rules)
  2020301 - ET TROJAN Dridex POST CnC Beacon 2 (trojan.rules)
  2020324 - ET POLICY Onion2Web Tor Proxy Cookie (policy.rules)
  2020369 - ET TROJAN Common Upatre URI/Headers Struct (trojan.rules)
  2020746 - ET TROJAN Win32.Chroject.B Retrieving encoded payload
(trojan.rules)
  2020898 - ET TROJAN Possible APT30 or Win32/Nuclear HTTP Framework POST
(trojan.rules)
  2021616 - ET TROJAN PSEmpire Checkin via POST (trojan.rules)
  2022008 - ET TROJAN MWI Maldoc Stats Callout Oct 28 (trojan.rules)
  2022049 - ET INFO Possible MSXMLHTTP Request (no .exe) (info.rules)
  2022281 - ET TROJAN Win32/Nivdort Posting Data 2 (trojan.rules)
  2022295 - ET WEB_SERVER WeBaCoo Web Backdoor Detected (web_server.rules)
  2022357 - ET TROJAN Linux/Torte Downloading Binary (trojan.rules)
  2022466 - ET CURRENT_EVENTS Possible Keitaro TDS Redirect
(current_events.rules)
  2022554 - ET EXPLOIT FireEye Detection Evasion %temp% attempt - Inbound
(exploit.rules)
  2022657 - ET TROJAN IrcBot Downloading .old (trojan.rules)
  2022697 - ET WEB_CLIENT Fake AV Phone Scam Landing Apr 4
(web_client.rules)
  2022723 - ET MALWARE Win32/Adware.Adposhel.A Checkin 4 (malware.rules)
  2022894 - ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD IE Flash request to
set non-standard filename (some overlap with 2021752) (current_events.rules)
  2022900 - ET TROJAN FOX-SRT ShimRat check-in (Data) (trojan.rules)
  2022902 - ET TROJAN FOX-SRT ShimRat check-in (Yuok) (trojan.rules)
  2022939 - ET CURRENT_EVENTS Possible Pony DLL Download
(current_events.rules)
  2022940 - ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016
(userdir dotted quad) (current_events.rules)
  2022941 - ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016
(dll generic custom headers) (current_events.rules)
  2022988 - ET TROJAN Win32/Pottieq.A Check-in (trojan.rules)
  2023075 - ET EXPLOIT Equation Group EGREGIOUSBLUNDER Fortigate Exploit
Attempt (exploit.rules)
  2023138 - ET CURRENT_EVENTS Suspicious Proxifier DL (non-browser observed
in maldoc campaigns) (current_events.rules)
  2023203 - ET TROJAN Quant Loader Download Request (trojan.rules)
  2023583 - ET TROJAN Known Malicious Doc Downloading Payload Dec 06 2016
(trojan.rules)
  2024121 - ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow
(CVE-2016-10174) (exploit.rules)
  2024175 - ET TROJAN Red Leaves HTTP CnC Beacon (APT10 implant)
(trojan.rules)
  2024183 - ET TROJAN Possible Turla Carbon Paper CnC Beacon (Fake
User-Agent) (trojan.rules)
  2024223 - ET TROJAN MSIL/Runsome Ransomware CnC Checkin (trojan.rules)
  2024272 - ET TROJAN W32.Geodo/Emotet Checkin (trojan.rules)
  2024274 - ET TROJAN W32/Emotet CnC Beacon 1 (trojan.rules)
  2024290 - ET TROJAN Jaff Ransomware Checkin M1 (trojan.rules)
  2024367 - ET CURRENT_EVENTS Bingo EK Payload Download
(current_events.rules)
  2024380 - ET CURRENT_EVENTS Nemucod JS Downloader June 12 2017
(current_events.rules)
  2024381 - ET CURRENT_EVENTS RIG EK URI Struct Jun 13 2017
(current_events.rules)
  2024421 - ET ATTACK_RESPONSE Possible BeEF HTTP Headers Inbound
(attack_response.rules)
  2024449 - ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199
IE7/NoCookie/Referer HTA dl (current_events.rules)
  2024452 - ET TROJAN Quant Loader Download Request (trojan.rules)
  2024508 - ET CURRENT_EVENTS Nemucod JS Downloader Aug 01 2017
(current_events.rules)
  2024600 - ET TROJAN Possible Maldoc Downloader Aug 18 2017 (trojan.rules)
  2024678 - ET CURRENT_EVENTS Possible Locky VB/JS Loader Download Sep 08
2017 (current_events.rules)
  2024693 - ET MALWARE Win32/LoadMoney Adware Activity (malware.rules)
  2024765 - ET MOBILE_MALWARE Trojan-Banker.AndroidOS.RedAlert CnC Beacon
(mobile_malware.rules)
  2024901 - ET TROJAN Trickbot Payload Request (trojan.rules)
  2024996 - ET WEB_CLIENT Google Chrome XSS (CVE-2017-5124)
(web_client.rules)
  2025007 - ET TROJAN Powershell commands sent when remote host claims to
send an image (trojan.rules)
  2025149 - ET POLICY IP Check (rl. ammyy. com) (policy.rules)
  2025283 - ET TROJAN Trojan-Dropper.Delf Checkin (trojan.rules)
  2025432 - ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt
(CVE-2017-12636) (exploit.rules)
  2025435 - ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt
(CVE-2017-12635) (exploit.rules)
  2025458 - ET TROJAN [PTsecurity] Win32/SocStealer.Socelars C2 Response
(trojan.rules)
  2025459 - ET WEB_SPECIFIC_APPS Possible CVE-2013-2618 Attempt (PHP
Weathermap Persistent XSS) (web_specific_apps.rules)
  2029580 - ET TROJAN Magniber Ransomware CnC Domain in DNS Lookup
(trojan.rules)
  2029581 - ET TROJAN Magniber Ransomware CnC Domain in DNS Lookup
(trojan.rules)
  2029587 - ET TROJAN BlackTech ELF/TSCookie CnC Observed in DNS Query
(trojan.rules)
  2029594 - ET TROJAN Observed Malicious SSL Cert (MonetizUs/LNKR)
(trojan.rules)
  2029595 - ET TROJAN Observed Malicious SSL Cert (MonetizUs/LNKR)
(trojan.rules)
  2029597 - ET TROJAN Observed JS/Skimmer (likely Magecart) CnC Domain in
DNS Lookup (trojan.rules)
  2029602 - ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)
(trojan.rules)
  2029603 - ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)
(trojan.rules)
  2029604 - ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)
(trojan.rules)
  2029605 - ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)
(trojan.rules)
  2030625 - ET TROJAN Win32/PurpleWave Stealer Requesting Config
(trojan.rules)
  2814416 - ETPRO CURRENT_EVENTS Compromised Magento iframe Inbound
(current_events.rules)
  2815177 - ETPRO CURRENT_EVENTS PowerShell Empire Session via Excel Macro
(current_events.rules)
  2815316 - ETPRO CURRENT_EVENTS malicious doc encrypted payload Dec 09 (1)
(current_events.rules)
  2819815 - ETPRO CURRENT_EVENTS Suspicious Redirector Apr 18 M1
(current_events.rules)
  2819840 - ETPRO CURRENT_EVENTS EXE Downloaded From Known Malicious Path
(current_events.rules)
  2821001 - ETPRO CURRENT_EVENTS PowerShell Empire Session via MSOffice Doc
Macro (current_events.rules)
  2821731 - ETPRO CURRENT_EVENTS MalDoc Request for Payload Aug 17 2016
(current_events.rules)
  2822240 - ETPRO CURRENT_EVENTS MalDoc Retrieving Payload Sep 26 2016
(current_events.rules)
  2825924 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.FY CnC Beacon 2
(mobile_malware.rules)
  2825992 - ETPRO TROJAN MSIL/Possessor Keylogger Reporting External IP
(trojan.rules)
  2825993 - ETPRO TROJAN MSIL/Possessor Keylogger HTTP Logging M2
(trojan.rules)
  2825998 - ETPRO TROJAN Malicious JS Download Request (trojan.rules)
  2826018 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Fyec.bna CnC Beacon
(mobile_malware.rules)
  2826026 - ETPRO TROJAN MSIL/Softmalaria Trojan CnC Checkin (trojan.rules)
  2826033 - ETPRO MOBILE_MALWARE Android/SMSreg.GB Checkin 3
(mobile_malware.rules)
  2826046 - ETPRO MOBILE_MALWARE Android.Trojan.SLocker.TX CnC Beacon
(mobile_malware.rules)
  2826061 - ETPRO MOBILE_MALWARE Android.Trojan.Guerrilla.n Checkin
(mobile_malware.rules)
  2826072 - ETPRO MOBILE_MALWARE Android/Adware.Kuguo.C Checkin 2
(mobile_malware.rules)
  2826098 - ETPRO MOBILE_MALWARE Android/Monitor.Drower.B SMS Exfil
(mobile_malware.rules)
  2826099 - ETPRO TROJAN MSIL/Spy.Agent.AUE Checkin (trojan.rules)
  2826100 - ETPRO MOBILE_MALWARE Android.Adware.Wapsx.A CnC Beacon
(mobile_malware.rules)
  2826103 - ETPRO MOBILE_MALWARE Android.Adware.Dowgin.gQAM Checkin
(mobile_malware.rules)
  2826112 - ETPRO MOBILE_MALWARE Android/SMForw.RL Contact Exfil
(mobile_malware.rules)
  2826154 - ETPRO TROJAN Cobalt Strike Malleable C2 Webbug Profile
(trojan.rules)
  2826176 - ETPRO MOBILE_MALWARE Android Unknown Trojan-Spy CnC Beacon
(mobile_malware.rules)
  2826177 - ETPRO MOBILE_MALWARE Android Unknown Trojan-Spy Contact Exfil
(mobile_malware.rules)
  2826178 - ETPRO TROJAN Cobalt Strike Malleable C2 Amazon Profile
(trojan.rules)
  2826183 - ETPRO TROJAN APT.ChChes CnC Beacon 3 (trojan.rules)
  2826203 - ETPRO TROJAN Trojan/AutoIT RMS Dropper Checkin (trojan.rules)
  2826205 - ETPRO TROJAN Possible Linux.Shishiga HTTP Fake 404 Response
(trojan.rules)
  2826206 - ETPRO TROJAN AZORult Variant.2 Checkin (trojan.rules)
  2826232 - ETPRO TROJAN AZORult Variant.2 Checkin m2 (trojan.rules)
  2826244 - ETPRO CURRENT_EVENTS Astrum EK Landing M1 May 03 2017
(current_events.rules)
  2826245 - ETPRO CURRENT_EVENTS Astrum EK Landing M2 May 03 2017
(current_events.rules)
  2826254 - ETPRO TROJAN Custom Cobalt Strike Beacon UA (trojan.rules)
  2826255 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.pac CnC
Beacon (mobile_malware.rules)
  2826320 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 2
(mobile_malware.rules)
  2826321 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 3
(mobile_malware.rules)
  2826323 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 4
(mobile_malware.rules)
  2826327 - ETPRO TROJAN W32/Emotet Empty CnC Beacon (trojan.rules)
  2826342 - ETPRO TROJAN MSIL/Agent.AUK CnC Checkin (trojan.rules)
  2826362 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 6
(mobile_malware.rules)
  2826431 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ay SMS Exfil
3 (mobile_malware.rules)
  2826455 - ETPRO MOBILE_MALWARE Android/Agent.AKX Checkin
(mobile_malware.rules)
  2826456 - ETPRO MOBILE_MALWARE Android/Agent.AKX Checkin 2
(mobile_malware.rules)
  2826461 - ETPRO TROJAN MSIL/ClipBanker.BX CnC Checkin (trojan.rules)
  2826479 - ETPRO MOBILE_MALWARE Android.Trojan.Agent.GE Checkin
(mobile_malware.rules)
  2826484 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.hh SMS Exfil
(mobile_malware.rules)
  2826505 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 7
(mobile_malware.rules)
  2826506 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 8
(mobile_malware.rules)
  2826515 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.PP CnC Beacon
(mobile_malware.rules)
  2826529 - ETPRO MOBILE_MALWARE Android/Agent.LK CnC Beacon 2
(mobile_malware.rules)
  2826562 - ETPRO TROJAN Hidden-Tear Ransomware Variant CnC Checkin
(trojan.rules)
  2826598 - ETPRO TROJAN ROKRAT Checkin (trojan.rules)
  2826599 - ETPRO TROJAN ROKRAT Checkin 2 (trojan.rules)
  2826620 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Rymner.f CnC Beacon
(mobile_malware.rules)
  2826626 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Boogr.gsh CnC Beacon 3
(mobile_malware.rules)
  2826633 - ETPRO CURRENT_EVENTS Possible ETERNALROCKS .Net Module Download
(current_events.rules)
  2826659 - ETPRO TROJAN APT19 Cobalt Strike Checkin (trojan.rules)
  2826677 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 9
(mobile_malware.rules)
  2826678 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 10
(mobile_malware.rules)
  2826716 - ETPRO MOBILE_MALWARE Trojan-Clicker.AndroidOS.Simpo.bq CnC
Beacon (mobile_malware.rules)
  2826718 - ETPRO MOBILE_MALWARE Trojan-Clicker.AndroidOS.Simpo.az CnC
Beacon 2 (mobile_malware.rules)
  2829398 - ETPRO INFO Possibly Malicious VBScript Executing WScript.Shell
Run M1 (info.rules)
  2836197 - ETPRO TROJAN Win32/Troibomb Variant CnC Checkin (trojan.rules)
  2841403 - ETPRO TROJAN More_eggs CnC Activity (trojan.rules)
  2844827 - ETPRO TROJAN MSIL/OrionBot Checkin via Discord (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2017131 - ET EXPLOIT Potential Internet Explorer Use After Free
CVE-2013-3163 Exploit URI Struct 1 (exploit.rules)
  2018247 - ET TROJAN Snake rootkit usermode-centric client request
(trojan.rules)
  2019626 - ET TROJAN Cohhoc RAT CnC Response (trojan.rules)
  2024171 - ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon
(mobile_malware.rules)
  2024275 - ET TROJAN W32/Emotet CnC Beacon 2 (trojan.rules)
  2024276 - ET TROJAN MSIL/OzazaLocker Ransomware CnC Checkin (trojan.rules)
  2024489 - ET TROJAN Win32/Bitshifter Ransomware CnC Checkin (trojan.rules)
  2024604 - ET CURRENT_EVENTS Hancitor/Tordal Document Request
(current_events.rules)
  2024605 - ET CURRENT_EVENTS Hancitor/Tordal Document Inbound
(current_events.rules)
  2024719 - ET TROJAN Lucifer Loader Requesting Payload (trojan.rules)
  2814514 - ETPRO CURRENT_EVENTS Possible Send-Safe-based Spambot UDP Beacon
(current_events.rules)
  2814609 - ETPRO CURRENT_EVENTS Malicious .doc Encrypted Payload Oct 27 (1)
(current_events.rules)
  2815688 - ETPRO CURRENT_EVENTS DRIVEBY Possible Status Report M2
(current_events.rules)
  2815690 - ETPRO CURRENT_EVENTS DRIVEBY Possible Error Report 1
(current_events.rules)
  2815691 - ETPRO CURRENT_EVENTS DRIVEBY Possible Error Report 2
(current_events.rules)
  2815692 - ETPRO CURRENT_EVENTS DRIVEBY Possible Error Report 3
(current_events.rules)
  2816294 - ETPRO CURRENT_EVENTS Evil HTA (Kovter) (current_events.rules)
  2821201 - ETPRO CURRENT_EVENTS Document Macro Downloading Various Malware
Jul 19 (current_events.rules)
  2821615 - ETPRO CURRENT_EVENTS Possible MalDoc Download Request (set)
(current_events.rules)
  2826717 - ETPRO MOBILE_MALWARE Trojan-Clicker.AndroidOS.Simpo.az CnC
Beacon (mobile_malware.rules)

[---]         Disabled rules:        [---]

  2820782 - ETPRO CURRENT_EVENTS APT SWC Redirected PluginDetect/Evercookie
Landing June 21 2016 (current_events.rules)
  2821616 - ETPRO CURRENT_EVENTS MalDoc Payload Inbound 2016-08-11
(current_events.rules)
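
A notice in this format is regular enough to be processed rather than read: one banner per section, an Open:/Pro: split under Added rules, one SID per entry, and email wrapping that pushes the trailing "(file.rules)" onto a continuation line. The block below is an added example for this page, not an ET or Proofpoint tool: it parses a notice into per-section SID lists, checks that the "N new OPEN, M new PRO (a + b)" summary line agrees with the body, and flags anything filed under Open: or Pro: whose SID falls outside the ET Open (2000000-2099999) and ET Pro (2800000-2899999) ranges. Those ranges are an assumption from common practice, not stated on this page, and SAMPLE_NOTICE is a constructed excerpt that reuses a few of the SIDs above.

```python
"""Parse an Emerging Threats daily update notice into per-section SID lists
and sanity-check it. Added example for this page; not an ET/Proofpoint tool.
SAMPLE_NOTICE is a constructed excerpt in the notice's plain-text format."""
import re
from collections import OrderedDict

# Banner text -> section key. "Summary" maps to nothing (its lines are prose).
SECTION_HEADERS = {
    "Added rules": "added",
    "Modified active rules": "modified",
    "Disabled and modified rules": "disabled_modified",
    "Disabled rules": "disabled",
}
BANNER_RE = re.compile(r"^\[[*+/\-]{3}\]\s+(.*?)[:\s]*\[[*+/\-]{3}\]$")
ENTRY_RE = re.compile(r"^ {2}(\d{7}) - (.*)$")        # "  2031181 - msg"
FILE_RE = re.compile(r"\((\w+\.rules)\)\s*$")         # trailing "(x.rules)"
SUMMARY_RE = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")

# ASSUMPTION: the commonly observed ET SID allocation, not documented here.
OPEN_RANGE = range(2_000_000, 2_100_000)
PRO_RANGE = range(2_800_000, 2_900_000)

SAMPLE_NOTICE = """\
[***]            Summary:            [***]

2 new OPEN, 4 new PRO (2 + 2).  Example Stealer and VARIOUS PHISHING.

[+++]          Added rules:          [+++]

Open:

  2031181 - ET TROJAN Win32/PurpleWave Stealer CnC Exfil M2 (trojan.rules)
  2031182 - ET MALWARE STOPzilla Download Accelerator Activity
(malware.rules)

Pro:

  2845343 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-11-05
(current_events.rules)
  2845365 - ETPRO MALWARE CareUEyes Checkin (malware.rules)

[///]     Modified active rules:     [///]

  2014297 - ET POLICY Vulnerable Java Version 1.7.x Detected (policy.rules)

[---]         Disabled rules:        [---]

  2820782 - ETPRO CURRENT_EVENTS APT SWC Redirected PluginDetect/Evercookie
Landing June 21 2016 (current_events.rules)
"""


def sid_tier(sid):
    """'open', 'pro' or 'other' according to the assumed SID ranges."""
    if sid in OPEN_RANGE:
        return "open"
    if sid in PRO_RANGE:
        return "pro"
    return "other"


def parse_notice(text):
    """Return OrderedDict{section: [(sid, msg, rules_file), ...]}.
    Under 'Added rules' the Open:/Pro: sub-lists become 'added_open' and
    'added_pro'. Email-wrapped continuation lines (column 0, no SID) are
    folded back into the preceding entry before the rules file is split off."""
    sections, current, entry = OrderedDict(), None, None

    def flush():
        nonlocal entry
        if entry is not None and current is not None:
            sid, body = entry
            m = FILE_RE.search(body)
            sections.setdefault(current, []).append(
                (sid, FILE_RE.sub("", body).strip(), m.group(1) if m else None))
        entry = None

    for line in text.splitlines():
        banner = BANNER_RE.match(line.strip())
        if banner:
            flush()
            current = SECTION_HEADERS.get(banner.group(1).strip())
            continue
        if current in ("added", "added_open", "added_pro") and line.strip() in ("Open:", "Pro:"):
            flush()
            current = "added_open" if line.strip() == "Open:" else "added_pro"
            continue
        e = ENTRY_RE.match(line)
        if e:
            flush()
            entry = (int(e.group(1)), e.group(2))
        elif entry is not None and line and not line.startswith(" "):
            entry = (entry[0], entry[1] + " " + line.strip())   # wrapped line
        else:
            flush()                                             # blank line
    flush()
    return sections


def check_summary(text, sections):
    """Compare the summary line's counts (open, pro total, open, pro) with
    the parsed body. Returns {'claimed', 'actual', 'consistent'}."""
    m = SUMMARY_RE.search(text)
    n_open = len(sections.get("added_open", []))
    n_pro = len(sections.get("added_pro", []))
    claimed = tuple(int(x) for x in m.groups()) if m else None
    actual = (n_open, n_open + n_pro, n_open, n_pro)
    return {"claimed": claimed, "actual": actual, "consistent": claimed == actual}


def misfiled(sections):
    """SIDs under Open:/Pro: whose number is outside the expected tier."""
    bad = []
    for key, tier in (("added_open", "open"), ("added_pro", "pro")):
        bad += [(key, s) for s, _, _ in sections.get(key, []) if sid_tier(s) != tier]
    return bad


if __name__ == "__main__":
    secs = parse_notice(SAMPLE_NOTICE)
    for key, entries in secs.items():
        print(key, [sid for sid, _, _ in entries])
    print(check_summary(SAMPLE_NOTICE, secs), misfiled(secs))
```

Run against the full message above, `check_summary` yields claimed (3, 28, 3, 25) and the same actual counts, which is the first thing to verify before trusting a notice that was forwarded or re-wrapped. The `disabled` and `disabled_modified` lists are the ones worth diffing against whatever your sensor already suppresses locally, since a SID the vendor disables upstream may still be force-enabled in your own enable/disable configuration.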
