Daily Ruleset Update Summary
Daily Ruleset Update Summary 2020/11/11

[***]            Summary:            [***]

2 new OPEN, 22 new PRO (2 + 20). DNS Reply Sinkhole - Anubis/BitSight, Cobalt Strike, Win32/Agent.NML, Win32/Remcos RAT, Coiminers, VARIOUS PHISH.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031197 - ET TROJAN DNS Reply Sinkhole - Anubis/BitSight - 35.205.61.67
(trojan.rules)
  2031198 - ET TROJAN Win32/HunterStealer CnC Exfil (trojan.rules)

Pro:

  2845437 - ETPRO TROJAN Observed CobaltStrike Style SSL Cert (Amazon
Profile) (trojan.rules)
  2845438 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-11-11 1) (trojan.rules)
  2845439 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-11-11 2) (trojan.rules)
  2845440 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-11-11
(current_events.rules)
  2845441 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-11-11 (current_events.rules)
  2845442 - ETPRO CURRENT_EVENTS Successful Google Drive Phish 2020-11-11
(current_events.rules)
  2845443 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-11-11 (current_events.rules)
  2845444 - ETPRO CURRENT_EVENTS Successful ING Phish 2020-11-11
(current_events.rules)
  2845445 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish
2020-11-11 (current_events.rules)
  2845446 - ETPRO CURRENT_EVENTS Successful Orange Phish 2020-11-11
(current_events.rules)
  2845447 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-11-11 (current_events.rules)
  2845448 - ETPRO CURRENT_EVENTS Successful Office 365 Phish 2020-11-11
(current_events.rules)
  2845449 - ETPRO TROJAN Win32/Agent.NML CnC Activity M1 (trojan.rules)
  2845451 - ETPRO TROJAN Observed FinderBot CnC Domain in TLS SNI
(trojan.rules)
  2845452 - ETPRO TROJAN Win32/Remcos RAT Checkin 603 (trojan.rules)
  2845453 - ETPRO TROJAN Win32/Remcos RAT Checkin 604 (trojan.rules)
  2845454 - ETPRO CURRENT_EVENTS Successful Bancorp Phish 2020-11-11
(current_events.rules)
  2845455 - ETPRO CURRENT_EVENTS Successful OneDrive Phish 2020-11-11
(current_events.rules)
  2845456 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-11-11
(current_events.rules)
  2845457 - ETPRO MALWARE FCleaner Activity (malware.rules)

[///]     Modified active rules:     [///]

  2027076 - ET INFO Wget Request for Executable (info.rules)
  2027079 - ET TROJAN Win32/Retadup Success Response from CnC (trojan.rules)
  2027090 - ET EXPLOIT Possible WePresent WIPG1000 OS Command Injection
(exploit.rules)
  2027092 - ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE (exploit.rules)
  2027506 - ET TROJAN Win32/Plurox Backdoor CnC Checkin (trojan.rules)
  2027707 - ET TROJAN Possible APT Sarhurst/Husar/Hussarini/Hassar CnC
Check Response (trojan.rules)
  2027723 - ET EXPLOIT Possible Palo Alto SSL VPN sslmgr Format String
Vulnerability (Inbound) (exploit.rules)
  2027802 - ET TROJAN Win32/Eris Ransomware CnC Checkin (trojan.rules)
  2028573 - ET TROJAN Suspected Tunna Proxy M2 (trojan.rules)
  2028579 - ET TROJAN Suspected Tunna Proxy M2 (Outbound) (trojan.rules)
  2028932 - ET TROJAN Win32/CryptInject.BE!MTB Stealer CnC Checkin
(trojan.rules)
  2028964 - ET TROJAN DADJOKE/Rail Tycoon Payload Extraction (trojan.rules)
  2029711 - ET INFO Suspicious GET Request with Possible COVID-19 Domain M1
(info.rules)
  2029712 - ET INFO Suspicious GET Request with Possible COVID-19 Domain M2
(info.rules)
  2029713 - ET INFO Suspicious POST Request with Possible COVID-19 Domain
M1 (info.rules)
  2029714 - ET INFO Suspicious POST Request with Possible COVID-19 Domain
M2 (info.rules)
  2029753 - ET INFO Suspicious GET Request with Possible COVID-19 URI M1
(info.rules)
  2029754 - ET INFO Suspicious GET Request with Possible COVID-19 URI M2
(info.rules)
  2029755 - ET INFO Suspicious POST Request with Possible COVID-19 URI M1
(info.rules)
  2029756 - ET INFO Suspicious POST Request with Possible COVID-19 URI M2
(info.rules)
  2029766 - ET TROJAN Observed DNS Query to Stitch C2 Domain (trojan.rules)
  2029767 - ET TROJAN Observed DNS Query to Stitch C2 Domain (trojan.rules)
  2808251 - ETPRO TROJAN Win32/Spy.Banker.AAYY CnC (OUTBOUND) (trojan.rules)
  2809086 - ETPRO WEB_SPECIFIC_APPS CreativeContact Plugin Arbitrary File
Upload (web_specific_apps.rules)
  2809167 - ETPRO TROJAN Gozi Downloader Checkin (trojan.rules)
  2809240 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.IS Checkin
(mobile_malware.rules)
  2809269 - ETPRO TROJAN Rovnix CnC Beacon (trojan.rules)
  2810416 - ETPRO CURRENT_EVENTS Inbound cmd.exe Base64 Encoded (Unicode) 1
(current_events.rules)
  2810420 - ETPRO CURRENT_EVENTS Inbound cmd.exe Base64 Encoded (ASCII) 2
(current_events.rules)
  2816365 - ETPRO TROJAN W32.SOCKSBOT CnC Request (trojan.rules)
  2816366 - ETPRO TROJAN W32.SOCKSBOT CnC Response (trojan.rules)
  2816367 - ETPRO POLICY Suspicious 404 OK Response (policy.rules)
  2816739 - ETPRO TROJAN Rexpot Retrieving Payload - set 1 (trojan.rules)
  2816808 - ETPRO CURRENT_EVENTS RIG EK Flash Exploit Mar 29 2016
(current_events.rules)
  2816860 - ETPRO TROJAN Salam Ransomware CnC Checkin (trojan.rules)
  2816901 - ETPRO MALWARE Win32/Shouqu Checkin (malware.rules)
  2819648 - ETPRO CURRENT_EVENTS SunDown/Xer Payload (URL Primer)
(current_events.rules)
  2822801 - ETPRO TROJAN DiamondFox HTTP POST CnC Checkin M1 (trojan.rules)
  2822967 - ETPRO TROJAN PlugX Variant CnC Beacon (trojan.rules)
  2823169 - ETPRO TROJAN Mocker Retrieving Payload (trojan.rules)
  2823365 - ETPRO TROJAN Godzilla Loader Retrieving Payload (trojan.rules)
  2823420 - ETPRO POLICY External IP Address Lookup - myip.ch (policy.rules)
  2823534 - ETPRO CURRENT_EVENTS Likely Magnitude EK Flash Exploit Struct
Nov 30 2016 (current_events.rules)
  2823676 - ETPRO TROJAN Win32 QuasarRAT 1.3/VenomRAT/CinaRAT Connectivity
Check (trojan.rules)
  2824087 - ETPRO TROJAN MSIL/DeriaLock Ransomware CnC Activity
(trojan.rules)
  2824449 - ETPRO CURRENT_EVENTS GreenFlash SunDown EK Flash Exploit
2017-01-17 (current_events.rules)
  2824567 - ETPRO CURRENT_EVENTS Successful Paypal Phish M1 Jan 20 2017
(current_events.rules)
  2824637 - ETPRO TROJAN Troj/Agent-APJC CnC Beacon (trojan.rules)
  2824669 - ETPRO TROJAN APT.ChChes CnC Beacon 1 (trojan.rules)
  2824670 - ETPRO TROJAN APT.ChChes CnC Beacon 2 (trojan.rules)
  2824761 - ETPRO TROJAN MSIL/Agent.RZW CoinMiner CnC Activity
(trojan.rules)
  2825027 - ETPRO CURRENT_EVENTS Possible SunDown EK Landing URI Struct T2
Feb 17 2017 (current_events.rules)
  2826697 - ETPRO TROJAN Possible Win32/Jeefo.B Config DL (trojan.rules)
  2827391 - ETPRO TROJAN MSIL/FriendlyBot CnC Checkin (trojan.rules)
  2827456 - ETPRO MOBILE_MALWARE Android.Trojan.DDLight.E Checkin
(mobile_malware.rules)
  2827509 - ETPRO TROJAN Win32/Downloader.Banload.YAZ CnC Activity
(trojan.rules)
  2827605 - ETPRO TROJAN Win32/1ms0rry CoinMiner Botnet CnC Checkin
(trojan.rules)
  2827607 - ETPRO TROJAN MSIL/HookUp Bot CnC Checkin (trojan.rules)
  2827629 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 13
(mobile_malware.rules)
  2827630 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 14
(mobile_malware.rules)
  2827633 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.GV CnC Beacon
(mobile_malware.rules)
  2827695 - ETPRO TROJAN Win32/Banload.Downloader POST request CnC Checkin
(trojan.rules)
  2827718 - ETPRO TROJAN W32.PooLen Coinminer Requesting Commands
(trojan.rules)
  2827762 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.am CnC Beacon
(mobile_malware.rules)
  2827809 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.IT CnC Beacon
(mobile_malware.rules)
  2827913 - ETPRO TROJAN Win32/Virut.NBP Checkin (trojan.rules)
  2829709 - ETPRO MALWARE MSIL/Linkury Toolbar Style External IP Check
(malware.rules)
  2835307 - ETPRO CURRENT_EVENTS Successful Docusign Phish 2019-03-12
(current_events.rules)
  2835359 - ETPRO TROJAN ELF/Tsunami.NCF IRC Checkin (trojan.rules)
  2835401 - ETPRO SCAN Ololosher SQL Injection Scanning with URI Constant
(scan.rules)
  2835447 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2019-03-19
(current_events.rules)
  2835577 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2019-03-27
(current_events.rules)
  2835585 - ETPRO TROJAN Win64/Vabushky.A Checkin 1 (trojan.rules)
  2835586 - ETPRO TROJAN Win64/Vabushky.A Checkin 2 (trojan.rules)
  2835645 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2019-03-29
(current_events.rules)
  2835647 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2019-03-29
(current_events.rules)
  2835761 - ETPRO TROJAN Win32/Robit CnC Checkin M1 (trojan.rules)
  2835782 - ETPRO TROJAN Win32/Win32.Invader FTP C2 2 (trojan.rules)
  2835823 - ETPRO TROJAN Kaprav Related FTP Implant (trojan.rules)
  2835924 - ETPRO CURRENT_EVENTS Successful Volksbank DE Phish 2019-03-29
(current_events.rules)
  2835987 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2019-04-22
(current_events.rules)
  2835988 - ETPRO CURRENT_EVENTS Successful USAA Phish 2019-04-22
(current_events.rules)
  2836122 - ETPRO TROJAN Win32.Mokes Backdoor CnC Activity (trojan.rules)
  2836305 - ETPRO CURRENT_EVENTS Successful Generic Phish 2019-05-14
(current_events.rules)
  2836369 - ETPRO TROJAN Win64/Agent.OF Variant CnC Report Checkin
(trojan.rules)
  2836406 - ETPRO TROJAN MSIL/Agent.BSY Variant Initial Check-in
(trojan.rules)
  2836423 - ETPRO CURRENT_EVENTS Successful Personalized Windows Account
Phish 2019-05-21 (current_events.rules)
  2836466 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2019-05-23
(current_events.rules)
  2836467 - ETPRO CURRENT_EVENTS Successful AT&T Phish 2019-05-23
(current_events.rules)
  2836722 - ETPRO CURRENT_EVENTS Successful Banque Populaire Phish
2019-06-07 (current_events.rules)
  2836921 - ETPRO CURRENT_EVENTS Successful Generic Need Phish 2019-06-19
(current_events.rules)
  2837021 - ETPRO TROJAN ELF/Various IoT Botnet CnC Checkin M2
(trojan.rules)
  2837467 - ETPRO CURRENT_EVENTS Successful Generic Phish 2019-07-11
(current_events.rules)
  2837486 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-07-12
(current_events.rules)
  2837501 - ETPRO CURRENT_EVENTS Successful Microsoft Account Voicemail
Phish 2019-07-15 (current_events.rules)
  2837607 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-07-19
(current_events.rules)
  2837672 - ETPRO CURRENT_EVENTS Successful Generic Mail Error Report Phish
2019-07-24 (current_events.rules)
  2837675 - ETPRO CURRENT_EVENTS Successful LCL Banque et Assurance Phish
2019-07-24 (current_events.rules)
  2837699 - ETPRO CURRENT_EVENTS Successful Postbank Phish 2019-07-25
(current_events.rules)
  2837710 - ETPRO CURRENT_EVENTS Successful Excel Online Phish 2019-07-26
(current_events.rules)
  2837711 - ETPRO CURRENT_EVENTS Successful Suncoast Credit Union Phish
2019-07-26 (current_events.rules)
  2837712 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2019-07-26
(current_events.rules)
  2837806 - ETPRO CURRENT_EVENTS Successful Banca Sella Phish 2019-08-01
(current_events.rules)
  2837807 - ETPRO CURRENT_EVENTS Successful Generic Email Settings Phish
2019-08-01 (current_events.rules)
  2838023 - ETPRO TROJAN Win32/SafeNewTab Acticity (trojan.rules)
  2838311 - ETPRO TROJAN Win32/Predator The Thief Initial CnC Checkin
Request (trojan.rules)
  2838367 - ETPRO TROJAN Possible Grandsteal RAT Websocket Usage
(trojan.rules)
  2838369 - ETPRO CURRENT_EVENTS Successful RBC Royal Bank Phish 2019-09-09
(current_events.rules)
  2838370 - ETPRO CURRENT_EVENTS Successful BMO Phish 2019-09-09
(current_events.rules)
  2838402 - ETPRO CURRENT_EVENTS Successful FNB First National Bank Phish
2019-09-10 (current_events.rules)
  2838511 - ETPRO TROJAN Win32/Bobik CnC Activity (trojan.rules)
  2838580 - ETPRO TROJAN DonotGroup YTY Framework CnC Checkin (trojan.rules)
  2838792 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2019-10-07 (current_events.rules)
  2838823 - ETPRO CURRENT_EVENTS Successful Microsoft Teams Phish
2019-10-08 (current_events.rules)
  2838870 - ETPRO CURRENT_EVENTS Successful Dropbox Phish 2019-10-10
(current_events.rules)
  2839041 - ETPRO TROJAN Gh0stNoxy CnC Activity (trojan.rules)
  2839058 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2019-10-22 (current_events.rules)
  2839067 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2019-10-22
(current_events.rules)
  2839100 - ETPRO CURRENT_EVENTS Successful Aruba IT Phish 2019-10-23
(current_events.rules)
  2839101 - ETPRO CURRENT_EVENTS Successful MWeb Webmail Phish 2019-10-23
(current_events.rules)
  2839252 - ETPRO CURRENT_EVENTS Successful Fidelity Phish 2019-11-06
(current_events.rules)
  2839269 - ETPRO CURRENT_EVENTS Successful Generic Compromised Wordpress
Phish 2019-11-06 (current_events.rules)
  2839326 - ETPRO CURRENT_EVENTS Successful AlaskaUSA Federal Credit Union
Phish 2019-11-08 (current_events.rules)
  2839351 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2019-11-11
(current_events.rules)
  2839409 - ETPRO CURRENT_EVENTS Successful Trademe NZ Phish 2019-11-13
(current_events.rules)
  2839429 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-11-14
(current_events.rules)
  2839606 - ETPRO CURRENT_EVENTS Successful BECU Phish 2019-11-25
(current_events.rules)
  2839885 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish
2019-12-12 (current_events.rules)
  2839949 - ETPRO TROJAN Bandook v0.5FM TCP CnC Beacon (trojan.rules)
  2839971 - ETPRO TROJAN Win32/njRAT Variant CnC Checkin (INF)
(trojan.rules)
  2839972 - ETPRO TROJAN Win32/njRAT Variant CnC Activity (GPL)
(trojan.rules)
  2839975 - ETPRO TROJAN Win32/njRAT Variant CnC Response (IE)
(trojan.rules)
  2839978 - ETPRO TROJAN Win32/njRAT Variant CnC Activity (OpenPasswords)
(trojan.rules)
  2839979 - ETPRO TROJAN Win32/njRAT Variant CnC Activity (PasswordsResult)
(trojan.rules)
  2839980 - ETPRO TROJAN Win32/njRAT Variant CnC Activity (KE)
(trojan.rules)
  2839981 - ETPRO TROJAN Win32/njRAT Variant CnC Activity (KE Logs)
(trojan.rules)
  2839985 - ETPRO CURRENT_EVENTS Successful SF Express CN Phish 2019-12-18
(current_events.rules)
  2839986 - ETPRO CURRENT_EVENTS Successful Godaddy Phish 2019-12-18
(current_events.rules)
  2839997 - ETPRO CURRENT_EVENTS Successful MKB Bank Phish 2019-12-18
(current_events.rules)
  2839998 - ETPRO CURRENT_EVENTS Successful MKB Bank Phish 2019-12-18
(current_events.rules)
  2840040 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-12-20
(current_events.rules)
  2840059 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-12-23
(current_events.rules)
  2840061 - ETPRO CURRENT_EVENTS Successful SunTrust Phish 2019-12-23
(current_events.rules)
  2840062 - ETPRO CURRENT_EVENTS Successful BMO Phish 2019-12-23
(current_events.rules)
  2840150 - ETPRO TROJAN Possible Win32/Namoo CnC Activity Response
(trojan.rules)
  2840153 - ETPRO CURRENT_EVENTS Successful AT&T Phish 2019-12-30
(current_events.rules)
  2840156 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish
2019-12-30 (current_events.rules)
  2840176 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2019-12-31
(current_events.rules)
  2840213 - ETPRO CURRENT_EVENTS Successful Nedbank Phish 2020-01-02
(current_events.rules)
  2840264 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-01-06
(current_events.rules)
  2840315 - ETPRO POLICY Observed HTTP Request to *.pythonanywhere .com
Domain (policy.rules)
  2840336 - ETPRO CURRENT_EVENTS Successful Microsoft Shared Document Phish
2020-01-09 (current_events.rules)
  2840337 - ETPRO CURRENT_EVENTS Successful Microsoft Shared Document Phish
2020-01-09 (current_events.rules)
  2840353 - ETPRO TROJAN Win32/Agent.AAON Variant CnC Activity
(trojan.rules)
  2840358 - ETPRO TROJAN Win32/Agent.UAF Variant CnC M1 (trojan.rules)
  2840399 - ETPRO CURRENT_EVENTS Successful DHL Phish 2020-01-13
(current_events.rules)
  2841779 - ETPRO TROJAN Cobalt Strike Malleable C2 (jquery Profile)
(trojan.rules)
  2845411 - ETPRO TROJAN Unk.MSI.Loader CnC Activity (trojan.rules)

Date:
Summary title:
2 new OPEN, 22 new PRO (2 + 20). DNS Reply Sinkhole - Anubis/BitSight, Cobalt Strike, Win32/Agent.NML, Win32/Remcos RAT, Coiminers, VARIOUS PHISH.