[***]            Summary:            [***]

1 new OPEN, 24 new PRO (1 + 23). MSIL/Spy.Agent.GN, Win32/ProxyChanger.WU, AsyncRAT and Ursnif TLS sigs and VARIOUS PHISHING

Many Remcos rules were updated to reduce false negatives. These rules have been omitted from this summary for brevity.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031188 - ET POLICY IP Check (myip .com) (policy.rules)

Pro:

  2845366 - ETPRO CURRENT_EVENTS Successful Barclays Phish 2020-11-06
(current_events.rules)
  2845367 - ETPRO CURRENT_EVENTS Successful Godaddy Phish 2020-11-06
(current_events.rules)
  2845368 - ETPRO CURRENT_EVENTS Successful American Express Phish
2020-11-06 (current_events.rules)
  2845369 - ETPRO CURRENT_EVENTS Successful ICS Phish 2020-11-06
(current_events.rules)
  2845370 - ETPRO TROJAN MSIL/Spy.Agent.GN Variant CnC Host Checkin
(trojan.rules)
  2845371 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-11-06
(current_events.rules)
  2845372 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-11-06
(current_events.rules)
  2845373 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-11-06 1) (trojan.rules)
  2845374 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-11-06 2) (trojan.rules)
  2845375 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-11-06 3) (trojan.rules)
  2845376 - ETPRO TROJAN Win32/ProxyChanger.WU Variant Checkin Activity
(trojan.rules)
  2845377 - ETPRO TROJAN Win32/Remcos RAT Checkin 596 (trojan.rules)
  2845378 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC)
(trojan.rules)
  2845379 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC)
(trojan.rules)
  2845380 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC)
(trojan.rules)
  2845381 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC)
(trojan.rules)
  2845382 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC)
(trojan.rules)
  2845383 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC)
(trojan.rules)
  2845384 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC)
(trojan.rules)
  2845385 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC)
(trojan.rules)
  2845386 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)
  2845389 - ETPRO CURRENT_EVENTS Successful Twitter Phish 2020-11-06
(current_events.rules)

[///]     Modified active rules:     [///]

  2012657 - ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion
Attempt (web_specific_apps.rules)
  2012979 - ET WEB_SPECIFIC_APPS Possible ZOHO ManageEngine ADSelfService
Captcha Bypass Attempt (web_specific_apps.rules)
  2012981 - ET TROJAN Possible FakeAV Binary Download (Security)
(trojan.rules)
  2013416 - ET SCAN libwww-perl GET to // with specific HTTP header ordering
without libwww-perl User-Agent (scan.rules)
  2013757 - ET WEB_SPECIFIC_APPS iBrowser Plugin dir Parameter Cross Site
Scripting Attempt-1 (web_specific_apps.rules)
  2013792 - ET SCAN Apache mod_proxy Reverse Proxy Exposure 2 (scan.rules)
  2013870 - ET WEB_SPECIFIC_APPS Joomla component Simple File Lister sflDir
Parameter directory traversal attempt (web_specific_apps.rules)
  2013984 - ET WEB_SPECIFIC_APPS Zabbix popup.php  SELECT FROM SQL Injection
Vulnerability (web_specific_apps.rules)
  2014081 - ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter INSERT INTO
SQL Injection Vulnerability (web_specific_apps.rules)
  2014153 - ET DOS High Orbit Ion Cannon (HOIC) Attack Inbound Generic
Detection Double Spaced UA (dos.rules)
  2023349 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 106
(trojan.rules)
  2822289 - ETPRO CURRENT_EVENTS Unknown MalDoc Requesting Remote Template
M1 (current_events.rules)
  2822346 - ETPRO CURRENT_EVENTS 2014-6332 Exploit (Kniaz Variant)
(current_events.rules)
  2822364 - ETPRO CURRENT_EVENTS Unknown MalDoc Requesting Remote Template
M2 (current_events.rules)
  2822697 - ETPRO CURRENT_EVENTS MalDoc Downloader Retrieving Payload Oct 14
(current_events.rules)
  2823060 - ETPRO CURRENT_EVENTS MalDoc Retrieving Inbound PowerShell
Payload (current_events.rules)
  2823171 - ETPRO CURRENT_EVENTS MalDoc Payload Inbound Nov 08
(current_events.rules)
  2823251 - ETPRO CURRENT_EVENTS Malicious JS to PS Dropping PE Nov 14
(current_events.rules)
  2823415 - ETPRO CURRENT_EVENTS MalDoc Callout Nov 22 2016
(current_events.rules)
  2823416 - ETPRO CURRENT_EVENTS MalDoc Activity Nov 22 2016
(current_events.rules)
  2823417 - ETPRO CURRENT_EVENTS MalDoc Reporting Plugins Nov 22 2016
(current_events.rules)
  2824408 - ETPRO CURRENT_EVENTS PowerShell Empire Session Initial Activity
(current_events.rules)
  2826720 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 11
(mobile_malware.rules)
  2826748 - ETPRO MOBILE_MALWARE Android.Trojan.FakeApp.AS CnC Beacon
(mobile_malware.rules)
  2826803 - ETPRO MOBILE_MALWARE Android/Triada.DZ Checkin
(mobile_malware.rules)
  2826804 - ETPRO MOBILE_MALWARE Android/Triada.DZ Checkin 2
(mobile_malware.rules)
  2826806 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Triada.d Checkin 3
(mobile_malware.rules)
  2826807 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Triada.d Checkin 4
(mobile_malware.rules)
  2826808 - ETPRO MOBILE_MALWARE Android.Trojan.Triada.EY Checkin
(mobile_malware.rules)
  2826809 - ETPRO MOBILE_MALWARE Android.Trojan.Triada.EY Checkin 2
(mobile_malware.rules)
  2826823 - ETPRO MOBILE_MALWARE Android.Trojan.Downloader.IJ CnC Beacon
(mobile_malware.rules)
  2826836 - ETPRO MOBILE_MALWARE Android/Clicker.HA Checkin 2
(mobile_malware.rules)

[///]    Modified inactive rules:    [///]

  2024698 - ET TROJAN [PTsecurity] Backdoor.Win32/Remcos RAT pkt checker 4
(trojan.rules)

[---]  Disabled and modified rules:  [---]

  2824762 - ETPRO CURRENT_EVENTS Evil Flash/Silverlight Common Name Feb 02
2017 (current_events.rules)

[---]         Disabled rules:        [---]

  2826049 - ETPRO CURRENT_EVENTS Successful Nemucod Zipped JS Download -
Possible Miuref/Kovter/Panda Banker Apr 20 2017 (current_events.rules)
  2826087 - ETPRO CURRENT_EVENTS Evil Redirector Leading to Malicious
Download Apr 19 2017 (current_events.rules)