[***] Summary: [***]
3 new OPEN, 28 new PRO (3 + 25). Win32/PurpleWave Stealer, Python/Peppy RAT, CareUEyes Checkin and VARIOUS PHISHING.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031181 - ET TROJAN Win32/PurpleWave Stealer CnC Exfil M2 (trojan.rules)
2031182 - ET MALWARE STOPzilla Download Accelerator Activity (malware.rules)
2031183 - ET MALWARE SilverSpeedup Generic PUA Software UA (malware.rules)
Pro:
2845341 - ETPRO TROJAN Win32/PurpleWave Stealer CnC Activity (trojan.rules)
2845342 - ETPRO TROJAN Win32/PurpleWave Stealer CnC Activity M2 (trojan.rules)
2845343 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-11-05 (current_events.rules)
2845344 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-11-05 (current_events.rules)
2845345 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-11-05 (current_events.rules)
2845346 - ETPRO CURRENT_EVENTS Successful Microsoft Excel Online Phish 2020-11-05 (current_events.rules)
2845347 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-11-05 (current_events.rules)
2845348 - ETPRO CURRENT_EVENTS Successful Linkedin Phish 2020-11-05 (current_events.rules)
2845349 - ETPRO TROJAN Python/Peppy RAT Exfil (trojan.rules)
2845350 - ETPRO TROJAN Python/Peppy RAT CnC Activity (trojan.rules)
2845351 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-05 1) (trojan.rules)
2845352 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-05 2) (trojan.rules)
2845353 - ETPRO TROJAN W32/Unk.Downloader Activity (trojan.rules)
2845354 - ETPRO TROJAN Observed Malicious SSL Cert (Fallout EK Landing) (trojan.rules)
2845355 - ETPRO TROJAN Observed Malicious SSL Cert (Intermediary Fallout EK Redirect) (trojan.rules)
2845356 - ETPRO TROJAN Observed Malicious SSL Cert (EvilKeitaro) (trojan.rules)
2845357 - ETPRO INFO Possible Inbound Script containing taskkill execution (info.rules)
2845358 - ETPRO TROJAN Win32/Remcos RAT Checkin 594 (trojan.rules)
2845359 - ETPRO TROJAN Win32/Remcos RAT Checkin 595 (trojan.rules)
2845360 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845361 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845362 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845363 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845364 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845365 - ETPRO MALWARE CareUEyes Checkin (malware.rules)
[///] Modified active rules: [///]
2014297 - ET POLICY Vulnerable Java Version 1.7.x Detected (policy.rules)
2015471 - ET WEB_SPECIFIC_APPS joomla com_edir controller parameter Local File Inclusion vulnerability (web_specific_apps.rules)
2015625 - ET WEB_SERVER Magento XMLRPC-Exploit Attempt (web_server.rules)
2016175 - ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type YAML (exploit.rules)
2016176 - ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type SYMBOL (exploit.rules)
2016434 - ET TROJAN Win32/COOKIEBAG Cookie APT1 Related (trojan.rules)
2016573 - ET TROJAN APT_NGO_wuaclt (trojan.rules)
2016759 - ET TROJAN Win32/Redyms.A Checkin (trojan.rules)
2016764 - ET CURRENT_EVENTS GrandSoft PDF Payload Download (current_events.rules)
2016869 - ET CURRENT_EVENTS FlimKit Post Exploit Payload Download (current_events.rules)
2016939 - ET TROJAN Variant.Kazy.174106 Checkin (trojan.rules)
2016991 - ET TROJAN Alina Server Response Code (trojan.rules)
2017074 - ET WEB_SPECIFIC_APPS MoinMoin twikidraw Action Traversal File Upload (web_specific_apps.rules)
2017261 - ET TROJAN SmokeLoader Checkin (trojan.rules)
2017573 - ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet RCE Using Marshalled Object (web_specific_apps.rules)
2017574 - ET WEB_SPECIFIC_APPS Possible JBoss/JMX EJBInvokerServlet RCE Using Marshalled Object (web_specific_apps.rules)
2018052 - ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin (current_events.rules)
2018095 - ET MALWARE Potentially Unwanted Application AirInstaller (malware.rules)
2018119 - ET TROJAN Banking Trojan HTTP Cookie (trojan.rules)
2019166 - ET TROJAN Stobox Connectivity Check (trojan.rules)
2019377 - ET TROJAN Win32/Ursnif Checkin (trojan.rules)
2019401 - ET POLICY Vulnerable Java Version 1.8.x Detected (policy.rules)
2019748 - ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST (web_server.rules)
2020301 - ET TROJAN Dridex POST CnC Beacon 2 (trojan.rules)
2020324 - ET POLICY Onion2Web Tor Proxy Cookie (policy.rules)
2020369 - ET TROJAN Common Upatre URI/Headers Struct (trojan.rules)
2020746 - ET TROJAN Win32.Chroject.B Retrieving encoded payload (trojan.rules)
2020898 - ET TROJAN Possible APT30 or Win32/Nuclear HTTP Framework POST (trojan.rules)
2021616 - ET TROJAN PSEmpire Checkin via POST (trojan.rules)
2022008 - ET TROJAN MWI Maldoc Stats Callout Oct 28 (trojan.rules)
2022049 - ET INFO Possible MSXMLHTTP Request (no .exe) (info.rules)
2022281 - ET TROJAN Win32/Nivdort Posting Data 2 (trojan.rules)
2022295 - ET WEB_SERVER WeBaCoo Web Backdoor Detected (web_server.rules)
2022357 - ET TROJAN Linux/Torte Downloading Binary (trojan.rules)
2022466 - ET CURRENT_EVENTS Possible Keitaro TDS Redirect (current_events.rules)
2022554 - ET EXPLOIT FireEye Detection Evasion %temp% attempt - Inbound (exploit.rules)
2022657 - ET TROJAN IrcBot Downloading .old (trojan.rules)
2022697 - ET WEB_CLIENT Fake AV Phone Scam Landing Apr 4 (web_client.rules)
2022723 - ET MALWARE Win32/Adware.Adposhel.A Checkin 4 (malware.rules)
2022894 - ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752) (current_events.rules)
2022900 - ET TROJAN FOX-SRT ShimRat check-in (Data) (trojan.rules)
2022902 - ET TROJAN FOX-SRT ShimRat check-in (Yuok) (trojan.rules)
2022939 - ET CURRENT_EVENTS Possible Pony DLL Download (current_events.rules)
2022940 - ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad) (current_events.rules)
2022941 - ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (dll generic custom headers) (current_events.rules)
2022988 - ET TROJAN Win32/Pottieq.A Check-in (trojan.rules)
2023075 - ET EXPLOIT Equation Group EGREGIOUSBLUNDER Fortigate Exploit Attempt (exploit.rules)
2023138 - ET CURRENT_EVENTS Suspicious Proxifier DL (non-browser observed in maldoc campaigns) (current_events.rules)
2023203 - ET TROJAN Quant Loader Download Request (trojan.rules)
2023583 - ET TROJAN Known Malicious Doc Downloading Payload Dec 06 2016 (trojan.rules)
2024121 - ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174) (exploit.rules)
2024175 - ET TROJAN Red Leaves HTTP CnC Beacon (APT10 implant) (trojan.rules)
2024183 - ET TROJAN Possible Turla Carbon Paper CnC Beacon (Fake User-Agent) (trojan.rules)
2024223 - ET TROJAN MSIL/Runsome Ransomware CnC Checkin (trojan.rules)
2024272 - ET TROJAN W32.Geodo/Emotet Checkin (trojan.rules)
2024274 - ET TROJAN W32/Emotet CnC Beacon 1 (trojan.rules)
2024290 - ET TROJAN Jaff Ransomware Checkin M1 (trojan.rules)
2024367 - ET CURRENT_EVENTS Bingo EK Payload Download (current_events.rules)
2024380 - ET CURRENT_EVENTS Nemucod JS Downloader June 12 2017 (current_events.rules)
2024381 - ET CURRENT_EVENTS RIG EK URI Struct Jun 13 2017 (current_events.rules)
2024421 - ET ATTACK_RESPONSE Possible BeEF HTTP Headers Inbound (attack_response.rules)
2024449 - ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl (current_events.rules)
2024452 - ET TROJAN Quant Loader Download Request (trojan.rules)
2024508 - ET CURRENT_EVENTS Nemucod JS Downloader Aug 01 2017 (current_events.rules)
2024600 - ET TROJAN Possible Maldoc Downloader Aug 18 2017 (trojan.rules)
2024678 - ET CURRENT_EVENTS Possible Locky VB/JS Loader Download Sep 08 2017 (current_events.rules)
2024693 - ET MALWARE Win32/LoadMoney Adware Activity (malware.rules)
2024765 - ET MOBILE_MALWARE Trojan-Banker.AndroidOS.RedAlert CnC Beacon (mobile_malware.rules)
2024901 - ET TROJAN Trickbot Payload Request (trojan.rules)
2024996 - ET WEB_CLIENT Google Chrome XSS (CVE-2017-5124) (web_client.rules)
2025007 - ET TROJAN Powershell commands sent when remote host claims to send an image (trojan.rules)
2025149 - ET POLICY IP Check (rl. ammyy. com) (policy.rules)
2025283 - ET TROJAN Trojan-Dropper.Delf Checkin (trojan.rules)
2025432 - ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12636) (exploit.rules)
2025435 - ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12635) (exploit.rules)
2025458 - ET TROJAN [PTsecurity] Win32/SocStealer.Socelars C2 Response (trojan.rules)
2025459 - ET WEB_SPECIFIC_APPS Possible CVE-2013-2618 Attempt (PHP Weathermap Persistent XSS) (web_specific_apps.rules)
2029580 - ET TROJAN Magniber Ransomware CnC Domain in DNS Lookup (trojan.rules)
2029581 - ET TROJAN Magniber Ransomware CnC Domain in DNS Lookup (trojan.rules)
2029587 - ET TROJAN BlackTech ELF/TSCookie CnC Observed in DNS Query (trojan.rules)
2029594 - ET TROJAN Observed Malicious SSL Cert (MonetizUs/LNKR) (trojan.rules)
2029595 - ET TROJAN Observed Malicious SSL Cert (MonetizUs/LNKR) (trojan.rules)
2029597 - ET TROJAN Observed JS/Skimmer (likely Magecart) CnC Domain in DNS Lookup (trojan.rules)
2029602 - ET TROJAN Observed Malicious SSL Cert (ServHelper CnC) (trojan.rules)
2029603 - ET TROJAN Observed Malicious SSL Cert (ServHelper CnC) (trojan.rules)
2029604 - ET TROJAN Observed Malicious SSL Cert (ServHelper CnC) (trojan.rules)
2029605 - ET TROJAN Observed Malicious SSL Cert (ServHelper CnC) (trojan.rules)
2030625 - ET TROJAN Win32/PurpleWave Stealer Requesting Config (trojan.rules)
2814416 - ETPRO CURRENT_EVENTS Compromised Magento iframe Inbound (current_events.rules)
2815177 - ETPRO CURRENT_EVENTS PowerShell Empire Session via Excel Macro (current_events.rules)
2815316 - ETPRO CURRENT_EVENTS malicious doc encrypted payload Dec 09 (1) (current_events.rules)
2819815 - ETPRO CURRENT_EVENTS Suspicious Redirector Apr 18 M1 (current_events.rules)
2819840 - ETPRO CURRENT_EVENTS EXE Downloaded From Known Malicious Path (current_events.rules)
2821001 - ETPRO CURRENT_EVENTS PowerShell Empire Session via MSOffice Doc Macro (current_events.rules)
2821731 - ETPRO CURRENT_EVENTS MalDoc Request for Payload Aug 17 2016 (current_events.rules)
2822240 - ETPRO CURRENT_EVENTS MalDoc Retrieving Payload Sep 26 2016 (current_events.rules)
2825924 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.FY CnC Beacon 2 (mobile_malware.rules)
2825992 - ETPRO TROJAN MSIL/Possessor Keylogger Reporting External IP (trojan.rules)
2825993 - ETPRO TROJAN MSIL/Possessor Keylogger HTTP Logging M2 (trojan.rules)
2825998 - ETPRO TROJAN Malicious JS Download Request (trojan.rules)
2826018 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Fyec.bna CnC Beacon (mobile_malware.rules)
2826026 - ETPRO TROJAN MSIL/Softmalaria Trojan CnC Checkin (trojan.rules)
2826033 - ETPRO MOBILE_MALWARE Android/SMSreg.GB Checkin 3 (mobile_malware.rules)
2826046 - ETPRO MOBILE_MALWARE Android.Trojan.SLocker.TX CnC Beacon (mobile_malware.rules)
2826061 - ETPRO MOBILE_MALWARE Android.Trojan.Guerrilla.n Checkin (mobile_malware.rules)
2826072 - ETPRO MOBILE_MALWARE Android/Adware.Kuguo.C Checkin 2 (mobile_malware.rules)
2826098 - ETPRO MOBILE_MALWARE Android/Monitor.Drower.B SMS Exfil (mobile_malware.rules)
2826099 - ETPRO TROJAN MSIL/Spy.Agent.AUE Checkin (trojan.rules)
2826100 - ETPRO MOBILE_MALWARE Android.Adware.Wapsx.A CnC Beacon (mobile_malware.rules)
2826103 - ETPRO MOBILE_MALWARE Android.Adware.Dowgin.gQAM Checkin (mobile_malware.rules)
2826112 - ETPRO MOBILE_MALWARE Android/SMForw.RL Contact Exfil (mobile_malware.rules)
2826154 - ETPRO TROJAN Cobalt Strike Malleable C2 Webbug Profile (trojan.rules)
2826176 - ETPRO MOBILE_MALWARE Android Unknown Trojan-Spy CnC Beacon (mobile_malware.rules)
2826177 - ETPRO MOBILE_MALWARE Android Unknown Trojan-Spy Contact Exfil (mobile_malware.rules)
2826178 - ETPRO TROJAN Cobalt Strike Malleable C2 Amazon Profile (trojan.rules)
2826183 - ETPRO TROJAN APT.ChChes CnC Beacon 3 (trojan.rules)
2826203 - ETPRO TROJAN Trojan/AutoIT RMS Dropper Checkin (trojan.rules)
2826205 - ETPRO TROJAN Possible Linux.Shishiga HTTP Fake 404 Response (trojan.rules)
2826206 - ETPRO TROJAN AZORult Variant.2 Checkin (trojan.rules)
2826232 - ETPRO TROJAN AZORult Variant.2 Checkin m2 (trojan.rules)
2826244 - ETPRO CURRENT_EVENTS Astrum EK Landing M1 May 03 2017 (current_events.rules)
2826245 - ETPRO CURRENT_EVENTS Astrum EK Landing M2 May 03 2017 (current_events.rules)
2826254 - ETPRO TROJAN Custom Cobalt Strike Beacon UA (trojan.rules)
2826255 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.pac CnC Beacon (mobile_malware.rules)
2826320 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 2 (mobile_malware.rules)
2826321 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 3 (mobile_malware.rules)
2826323 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 4 (mobile_malware.rules)
2826327 - ETPRO TROJAN W32/Emotet Empty CnC Beacon (trojan.rules)
2826342 - ETPRO TROJAN MSIL/Agent.AUK CnC Checkin (trojan.rules)
2826362 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 6 (mobile_malware.rules)
2826431 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ay SMS Exfil 3 (mobile_malware.rules)
2826455 - ETPRO MOBILE_MALWARE Android/Agent.AKX Checkin (mobile_malware.rules)
2826456 - ETPRO MOBILE_MALWARE Android/Agent.AKX Checkin 2 (mobile_malware.rules)
2826461 - ETPRO TROJAN MSIL/ClipBanker.BX CnC Checkin (trojan.rules)
2826479 - ETPRO MOBILE_MALWARE Android.Trojan.Agent.GE Checkin (mobile_malware.rules)
2826484 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.hh SMS Exfil (mobile_malware.rules)
2826505 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 7 (mobile_malware.rules)
2826506 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 8 (mobile_malware.rules)
2826515 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.PP CnC Beacon (mobile_malware.rules)
2826529 - ETPRO MOBILE_MALWARE Android/Agent.LK CnC Beacon 2 (mobile_malware.rules)
2826562 - ETPRO TROJAN Hidden-Tear Ransomware Variant CnC Checkin (trojan.rules)
2826598 - ETPRO TROJAN ROKRAT Checkin (trojan.rules)
2826599 - ETPRO TROJAN ROKRAT Checkin 2 (trojan.rules)
2826620 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Rymner.f CnC Beacon (mobile_malware.rules)
2826626 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Boogr.gsh CnC Beacon 3 (mobile_malware.rules)
2826633 - ETPRO CURRENT_EVENTS Possible ETERNALROCKS .Net Module Download (current_events.rules)
2826659 - ETPRO TROJAN APT19 Cobalt Strike Checkin (trojan.rules)
2826677 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 9 (mobile_malware.rules)
2826678 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 10 (mobile_malware.rules)
2826716 - ETPRO MOBILE_MALWARE Trojan-Clicker.AndroidOS.Simpo.bq CnC Beacon (mobile_malware.rules)
2826718 - ETPRO MOBILE_MALWARE Trojan-Clicker.AndroidOS.Simpo.az CnC Beacon 2 (mobile_malware.rules)
2829398 - ETPRO INFO Possibly Malicious VBScript Executing WScript.Shell Run M1 (info.rules)
2836197 - ETPRO TROJAN Win32/Troibomb Variant CnC Checkin (trojan.rules)
2841403 - ETPRO TROJAN More_eggs CnC Activity (trojan.rules)
2844827 - ETPRO TROJAN MSIL/OrionBot Checkin via Discord (trojan.rules)
[---] Disabled and modified rules: [---]
2017131 - ET EXPLOIT Potential Internet Explorer Use After Free CVE-2013-3163 Exploit URI Struct 1 (exploit.rules)
2018247 - ET TROJAN Snake rootkit usermode-centric client request (trojan.rules)
2019626 - ET TROJAN Cohhoc RAT CnC Response (trojan.rules)
2024171 - ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon (mobile_malware.rules)
2024275 - ET TROJAN W32/Emotet CnC Beacon 2 (trojan.rules)
2024276 - ET TROJAN MSIL/OzazaLocker Ransomware CnC Checkin (trojan.rules)
2024489 - ET TROJAN Win32/Bitshifter Ransomware CnC Checkin (trojan.rules)
2024604 - ET CURRENT_EVENTS Hancitor/Tordal Document Request (current_events.rules)
2024605 - ET CURRENT_EVENTS Hancitor/Tordal Document Inbound (current_events.rules)
2024719 - ET TROJAN Lucifer Loader Requesting Payload (trojan.rules)
2814514 - ETPRO CURRENT_EVENTS Possible Send-Safe-based Spambot UDP Beacon (current_events.rules)
2814609 - ETPRO CURRENT_EVENTS Malicious .doc Encrypted Payload Oct 27 (1) (current_events.rules)
2815688 - ETPRO CURRENT_EVENTS DRIVEBY Possible Status Report M2 (current_events.rules)
2815690 - ETPRO CURRENT_EVENTS DRIVEBY Possible Error Report 1 (current_events.rules)
2815691 - ETPRO CURRENT_EVENTS DRIVEBY Possible Error Report 2 (current_events.rules)
2815692 - ETPRO CURRENT_EVENTS DRIVEBY Possible Error Report 3 (current_events.rules)
2816294 - ETPRO CURRENT_EVENTS Evil HTA (Kovter) (current_events.rules)
2821201 - ETPRO CURRENT_EVENTS Document Macro Downloading Various Malware Jul 19 (current_events.rules)
2821615 - ETPRO CURRENT_EVENTS Possible MalDoc Download Request (set) (current_events.rules)
2826717 - ETPRO MOBILE_MALWARE Trojan-Clicker.AndroidOS.Simpo.az CnC Beacon (mobile_malware.rules)
[---] Disabled rules: [---]
2820782 - ETPRO CURRENT_EVENTS APT SWC Redirected PluginDetect/Evercookie Landing June 21 2016 (current_events.rules)
2821616 - ETPRO CURRENT_EVENTS MalDoc Payload Inbound 2016-08-11 (current_events.rules)