[***] Summary: [***]
8 new OPEN, 25 new PRO (8 + 17). Generic Webshell / Mailer Access, Win32/Unk.ZIOBA, TrochilusRAT, Win32/Remcos, Coinminers, VARIOUS PHISH.
Please be advised: we will NOT have a new release of rules tomorrow, Friday, November 13th, 2020. We will continue with our normal release schedule starting again on Monday, November 16th, 2020.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031199 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised
Server (web_server.rules)
2031200 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised
Server (web_client.rules)
2031201 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised
Server (web_server.rules)
2031202 - ET WEB_SERVER Generic Mailer Accessed on Internal Compromised
Server (web_server.rules)
2031203 - ET WEB_CLIENT Generic Mailer Accessed on External Compromised
Server (web_client.rules)
2031204 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised
Server (web_client.rules)
2031205 - ET TROJAN Observed Card Skimmer CnC Domain in TLS SNI
(trojan.rules)
2031206 - ET TROJAN CCleaner Backdoor DGA Domain in DNS Lookup
(trojan.rules)
Pro:
2845458 - ETPRO TROJAN Win32/Unk.ZIOBA SystemProfiler Exfil (trojan.rules)
2845459 - ETPRO MALWARE Observed TGBDownloader User-Agent (malware.rules)
2845460 - ETPRO MALWARE Win32/Hacktool.GABB Checkin (malware.rules)
2845461 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-11-12 1) (trojan.rules)
2845462 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-11-12 2) (trojan.rules)
2845463 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-11-12 3) (trojan.rules)
2845464 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-11-12 4) (trojan.rules)
2845465 - ETPRO CURRENT_EVENTS Successful Mercado Livre Phish 2020-11-12
(current_events.rules)
2845466 - ETPRO CURRENT_EVENTS Successful UBI Banca Phish 2020-11-12
(current_events.rules)
2845467 - ETPRO CURRENT_EVENTS Successful Luno Phish 2020-11-12
(current_events.rules)
2845468 - ETPRO TROJAN Win32/Remcos RAT Checkin 605 (trojan.rules)
2845469 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2845470 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
2845471 - ETPRO TROJAN TrochilusRAT DNS Lookup (trojan.rules)
2845472 - ETPRO TROJAN TrochilusRAT DNS Lookup (trojan.rules)
2845473 - ETPRO CURRENT_EVENTS Successful Netbank Phish 2020-11-12
(current_events.rules)
2845474 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-11-12 (current_events.rules)
[///] Modified active rules: [///]
2021245 - ET TROJAN Possible Dridex Download URI Struct with no referer
(trojan.rules)
2024004 - ET TROJAN APT29 Implant8 - MAL_REFERER (trojan.rules)
2029381 - ET TROJAN Cobalt Strike Malleable C2 Request (Stackoverflow
Profile) (trojan.rules)
2029399 - ET TROJAN Possible Satan Cryptor GeoIP Lookup (trojan.rules)
2029432 - ET TROJAN MoleRAT/Pierogi CnC Response (Command) (trojan.rules)
2029433 - ET TROJAN MoleRAT/Pierogi CnC Response (Download) (trojan.rules)
2029434 - ET TROJAN MoleRAT/Pierogi CnC Response (Screenshot)
(trojan.rules)
2029476 - ET EXPLOIT Possible Microsoft SQL RCE Attempt (CVE-2020-0618)
(exploit.rules)
2029636 - ET WEB_SPECIFIC_APPS Possible CVE-2020-8518 (Horde Groupware
RCE) (web_specific_apps.rules)
2029644 - ET TROJAN [PTsecurity] MZRevenge Ransomware Server Response
(trojan.rules)
2029696 - ET TROJAN MSIL/Modi RAT CnC Command Inbound (info)
(trojan.rules)
2029697 - ET TROJAN MSIL/Modi RAT CnC Command Inbound (aw) (trojan.rules)
2029802 - ET TROJAN FTCode Stealer Init Activity (trojan.rules)
2029813 - ET TROJAN Win32/MOOZ.THCCABO CoinMiner CnC Checkin
(trojan.rules)
2029839 - ET TROJAN ELF Linux/Dnsamp.AB Variant CnC (trojan.rules)
2029849 - ET CURRENT_EVENTS GOV UK Possible COVID-19 Phish 2020-04-06
(current_events.rules)
2029910 - ET TROJAN Suspected SPECULOOS Backdoor CnC Init Packet
Masquerading as SNI Request to live .com (trojan.rules)
2029976 - ET EXPLOIT Netlink GPON Remote Code Execution Attempt (Inbound)
(exploit.rules)
2030110 - ET TROJAN nspps Backdoor - Task Response (trojan.rules)
2030140 - ET TROJAN MSIL/Modi RAT CnC Command Outbound (aw) (trojan.rules)
2030141 - ET TROJAN MSIL/Modi RAT CnC Command Inbound (in) (trojan.rules)
2030142 - ET TROJAN MSIL/Modi RAT CnC Command Outbound (ds) (trojan.rules)
2030143 - ET TROJAN MSIL/Modi RAT CnC Screenshot Outbound (trojan.rules)
2030144 - ET TROJAN M3RAT CnC Checkin Outbound (trojan.rules)
2030193 - ET WEB_SPECIFIC_APPS Attempted Symantec Secure Web Gateway RCE
(web_specific_apps.rules)
2030265 - ET TROJAN Higaisa CnC (ipconfig) (trojan.rules)
2030504 - ET POLICY HTTP POST to MEGA Userstorage (policy.rules)
2030516 - ET TROJAN Supercharge Component Download (ps1) (trojan.rules)
2030530 - ET TROJAN EvilNum CnC Client Data Exfil (trojan.rules)
2030650 - ET WEB_SERVER Generic Webshell Accessed (web_server.rules)
2030651 - ET WEB_SERVER Generic Webshell Activity (web_server.rules)
2030819 - ET INFO Suspicious HTTP POST to 404.php (info.rules)
2030878 - ET TROJAN MassLogger Client Exfil (POST) M3 (trojan.rules)
2030884 - ET TROJAN MageCart JS Retrieval (trojan.rules)
2030885 - ET TROJAN MageCart Exfil URI (trojan.rules)
2030913 - ET TROJAN FinSpy Related WinRAR Activity (trojan.rules)
2030914 - ET TROJAN FinSpy Related Flash Installer Activity (trojan.rules)
2030966 - ET TROJAN Observed Malicious SSL Cert (Fullz House CC Skimmer)
(trojan.rules)
2030967 - ET TROJAN Observed Malicious SSL Cert (Fullz House CC Skimmer)
(trojan.rules)
2030968 - ET TROJAN Observed Malicious SSL Cert (Fullz House CC Skimmer)
(trojan.rules)
2030970 - ET TROJAN Observed Malicious SSL Cert (Fullz House CC Skimmer)
(trojan.rules)
2030971 - ET TROJAN Observed Malicious SSL Cert (Fullz House CC Skimmer)
(trojan.rules)
2030972 - ET TROJAN Observed Malicious SSL Cert (Fullz House CC Skimmer)
(trojan.rules)
2030973 - ET TROJAN Observed Malicious SSL Cert (Fullz House CC Skimmer)
(trojan.rules)
2030974 - ET TROJAN Observed Malicious SSL Cert (Fullz House CC Skimmer)
(trojan.rules)
2030975 - ET TROJAN Observed Malicious SSL Cert (Fullz House CC Skimmer)
(trojan.rules)
2030976 - ET TROJAN Observed Malicious SSL Cert (Fullz House CC Skimmer)
(trojan.rules)
2030977 - ET TROJAN Observed Malicious SSL Cert (Fullz House CC Skimmer)
(trojan.rules)
2030978 - ET TROJAN Observed Malicious SSL Cert (Fullz House CC Skimmer)
(trojan.rules)
2031117 - ET TROJAN Amarula IRC Botnet Connection Request (trojan.rules)
2031189 - ET INFO HTTP POST to XYZ TLD Containing Pass - Possible
Phishing (info.rules)
2100977 - GPL EXPLOIT .cnf access (exploit.rules)
2808288 - ETPRO TROJAN W32/Agent.NML!worm Checkin (trojan.rules)
2809309 - ETPRO WEB_CLIENT IE Double Encoding Reflected XSS Vulnerability
CVE-2014-6365 (web_client.rules)
2809315 - ETPRO WEB_CLIENT Exchange URL Redirection Vulnerability GET
request (CVE-2014-6336) (web_client.rules)
2810421 - ETPRO CURRENT_EVENTS Inbound cmd.exe Base64 Encoded (ASCII) 3
(current_events.rules)
2810578 - ETPRO MALWARE PUP.OptimizerPro Google Connectivity Check
(malware.rules)
2811686 - ETPRO CURRENT_EVENTS SUSPICIOUS Encoded Plugin Detect
(Previously observed in ScanBox) (current_events.rules)
2814213 - ETPRO TROJAN LatentBot/GrayBird CnC Checkin (trojan.rules)
2815080 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.DD Checkin
(mobile_malware.rules)
2815081 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.DD Checkin 2
(mobile_malware.rules)
2815102 - ETPRO TROJAN W32/Nymaim Checkin 2 (trojan.rules)
2815177 - ETPRO CURRENT_EVENTS PowerShell Empire Session via Excel Macro
(current_events.rules)
2815181 - ETPRO CURRENT_EVENTS Nuclear EK Landing URI struct Dec 03 2015
M2 (current_events.rules)
2815182 - ETPRO CURRENT_EVENTS Nuclear EK Landing URI struct Dec 03 2015
M3 (current_events.rules)
2815183 - ETPRO CURRENT_EVENTS Nuclear EK Flash Exploit IE Dec 03 2015 M1
(current_events.rules)
2815199 - ETPRO CURRENT_EVENTS Possible Evil Redirector Leading to EK Dec
03 2015 M3 (current_events.rules)
2815200 - ETPRO CURRENT_EVENTS Possible Evil Redirector Leading to EK Dec
03 2015 M3 (current_events.rules)
2815281 - ETPRO MALWARE W32/BrowseFox Checkin (malware.rules)
2815326 - ETPRO TROJAN Andromeda Downloading Payload Fake UA
(trojan.rules)
2815548 - ETPRO CURRENT_EVENTS Possible CryptoWall JS Dropper GET Request
(current_events.rules)
2816110 - ETPRO TROJAN Sylavriu.A/TorCT RAT CnC Checkin (trojan.rules)
2816144 - ETPRO TROJAN Win32/VertexNet CnC Checkin (trojan.rules)
2816180 - ETPRO TROJAN Backdoor.Mizzmo CnC Beacon 3 (trojan.rules)
2816433 - ETPRO MOBILE_MALWARE Trojan.Android.AndroRAT.D Checkin
(mobile_malware.rules)
2816441 - ETPRO TROJAN MSIL/Datsup.A Activity (trojan.rules)
2820263 - ETPRO TROJAN Gozi ISFB CnC Checkin (trojan.rules)
2820364 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish
2016-05-26 (current_events.rules)
2820514 - ETPRO TROJAN Suspicious Terse Request to hastebin.com -
Possible Download (trojan.rules)
2820703 - ETPRO MOBILE_MALWARE Android Unknown Trojan Checkin
(mobile_malware.rules)
2821424 - ETPRO TROJAN Win32/Daserf CnC Beacon 1 (trojan.rules)
2822231 - ETPRO TROJAN ORK/ARIK Keylogger Download Request - Obsevered
Dropped from Macro (trojan.rules)
2822387 - ETPRO CURRENT_EVENTS Possible Evil Redirector Leading to EK Oct
04 2016 (BossTDS) M3 (current_events.rules)
2822393 - ETPRO TROJAN MSIL/Pony Stealer Variant CnC Checkin
(trojan.rules)
2822697 - ETPRO CURRENT_EVENTS MalDoc Downloader Retrieving Payload Oct
14 (current_events.rules)
2838303 - ETPRO EXPLOIT Cisco UCS Director - Attempted Authenticated
Command Injection (CVE-2019-1936) (exploit.rules)
2838367 - ETPRO TROJAN Possible Grandsteal RAT Websocket Usage
(trojan.rules)
2839384 - ETPRO CURRENT_EVENTS Successful Prima Banka Phish 2019-11-12
(current_events.rules)
2840212 - ETPRO CURRENT_EVENTS Successful TD Bank Phish 2020-01-02
(current_events.rules)
2840400 - ETPRO CURRENT_EVENTS Successful Generic Email Deactivation
Phish 2020-01-13 (current_events.rules)
2840450 - ETPRO CURRENT_EVENTS Successful MKB Bank Phish 2020-01-15
(current_events.rules)
2840715 - ETPRO TROJAN Pterodo Variant Host Checkin M1 (trojan.rules)
2840720 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-01-28
(current_events.rules)
2840932 - ETPRO CURRENT_EVENTS Successful Generic Account Verification
Phish 2020-02-07 (current_events.rules)
2840970 - ETPRO TROJAN Win32/Occamy.C Activity M5 (trojan.rules)
2840971 - ETPRO TROJAN Win32/Occamy.C Activity M6 (trojan.rules)
2840972 - ETPRO TROJAN Win32/Occamy.C Activity M7 (trojan.rules)
2841009 - ETPRO CURRENT_EVENTS Successful My3 Phish 2020-02-12
(current_events.rules)
2841029 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2020-02-13
(current_events.rules)
2841064 - ETPRO CURRENT_EVENTS Successful Office 365 Phish 2020-02-17
(current_events.rules)
2841092 - ETPRO CURRENT_EVENTS Successful Apple Phish 2020-02-18
(current_events.rules)
2841202 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish
2020-02-25 (current_events.rules)
2841244 - ETPRO CURRENT_EVENTS Successful Verizon Phish 2020-02-27
(current_events.rules)
2841258 - ETPRO TROJAN LotusBlossom APT Sagerunex CnC Activity
(trojan.rules)
2841272 - ETPRO TROJAN Metamorfo CnC Activity (trojan.rules)
2841290 - ETPRO TROJAN XAE Rat CnC Requesting Command (trojan.rules)
2841376 - ETPRO TROJAN Win32/Black.Gen2 CnC Activity (trojan.rules)
2841553 - ETPRO TROJAN MSIL/Poulight Stealer CnC Activity (trojan.rules)
2841585 - ETPRO CURRENT_EVENTS Successful NAB Phish 2020-03-18
(current_events.rules)
2841598 - ETPRO CURRENT_EVENTS Successful Alimail Enterprise Phish
2020-03-19 (current_events.rules)
2841802 - ETPRO TROJAN Suspected Bandook CnC (trojan.rules)
2841853 - ETPRO TROJAN Win32/Kapers.a CnC Init Checkin (trojan.rules)
2841854 - ETPRO TROJAN Win32/Kapers.a FileZilla Password Exfil
(trojan.rules)
2841855 - ETPRO TROJAN Win32/Kapers.a CnC Checkin Process List Exfil
(trojan.rules)
2841866 - ETPRO CURRENT_EVENTS Successful Dropbox Phish 2020-04-03
(current_events.rules)
2841878 - ETPRO TROJAN Observed Office Doc with Reversed Strings Inbound
(trojan.rules)
2841879 - ETPRO TROJAN MalDoc Reporting Infection (trojan.rules)
2841892 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-04-06 (current_events.rules)
2841964 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-04-09 (current_events.rules)
2842091 - ETPRO TROJAN VBS/Agent.OHV Downloader Activity (trojan.rules)
2842198 - ETPRO TROJAN MUDDYWATER DNS CnC Response (trojan.rules)
2842411 - ETPRO TROJAN Suspected MEDUSA RAT CnC Response (trojan.rules)
2842417 - ETPRO CURRENT_EVENTS Successful AT&T Phish 2020-05-06
(current_events.rules)
2842820 - ETPRO TROJAN SLUB Variant CnC (trojan.rules)
2842870 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2020-06-04
(current_events.rules)
2842904 - ETPRO GAMES League of Angels Heaven's Fury Browser Plugin
Checkin (games.rules)
2842908 - ETPRO TROJAN GhostBot IRC Checkin (trojan.rules)
2843023 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-06-15
(current_events.rules)
2843058 - ETPRO TROJAN FRat Powershell Loader CnC Activity M2
(trojan.rules)
2843142 - ETPRO CURRENT_EVENTS Successful DHL Phish 2020-06-22
(current_events.rules)
2843187 - ETPRO TROJAN Win32/Spy.Vlogger.AA Variant CnC Activity
(trojan.rules)
2843299 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-07-01
(current_events.rules)
2843328 - ETPRO TROJAN Win64/TrojanDownloader.Agent.FY CnC Activity M2
(trojan.rules)
2843372 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-07-07
(current_events.rules)
2843376 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-07-07
(current_events.rules)
2843416 - ETPRO CURRENT_EVENTS Successful Generic Compromised Wordpress
Phish 2020-07-08 (current_events.rules)
2843421 - ETPRO TROJAN MSIL/Agent.BTK CnC Activity (trojan.rules)
2843425 - ETPRO CURRENT_EVENTS Successful Microsoft Credential Phish
2020-07-08 (current_events.rules)
2843723 - ETPRO TROJAN MassLogger Client Exfil via FTP M1 (trojan.rules)
2843740 - ETPRO CURRENT_EVENTS Possible Successful Firebase Hosted Phish
2020-07-29 (current_events.rules)
2843910 - ETPRO CURRENT_EVENTS Possible Successful Generic Need Phish
2020-08-07 (current_events.rules)
2844127 - ETPRO TROJAN Win32/Pterodo.ADA CnC Host Checkin (trojan.rules)
2844132 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-08-24
(current_events.rules)
2844327 - ETPRO TROJAN PSWORM CnC Activity (trojan.rules)
2844438 - ETPRO CURRENT_EVENTS Successful Adobe PDF Viewer Phish
2020-09-15 (current_events.rules)
2844472 - ETPRO CURRENT_EVENTS Successful My3 Phish 2020-09-16
(current_events.rules)
2844548 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-09-21
(current_events.rules)
2844652 - ETPRO TROJAN Win32/Korplug Init CnC Activity (trojan.rules)
2844786 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-10-06
(current_events.rules)
2844845 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-10-08 (current_events.rules)
2844846 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-10-08 (current_events.rules)
2845093 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-10-22
(current_events.rules)
2845250 - ETPRO TROJAN MSIL/Spy.Agent.BLR Variant CnC Host Checkin
(trojan.rules)
2845275 - ETPRO TROJAN Win32/MailsChecker Activity (trojan.rules)
2845315 - ETPRO TROJAN Win32/Agent.empi Rootkit CnC Host Checkin
(trojan.rules)
2845316 - ETPRO TROJAN Win32/Agent.empi Rootkit CnC Activity
(trojan.rules)
2845365 - ETPRO MALWARE CareUEyes Checkin (malware.rules)
[---] Disabled rules: [---]
2812710 - ETPRO TROJAN Linopid HTTP CnC Beacon (trojan.rules)
[---] Removed rules: [---]
2844799 - ETPRO TROJAN Observed Card Skimmer CnC Domain in TLS SNI
(trojan.rules)
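The notice above follows a fixed layout (a summary count line, then `[+++]`/`[///]`/`[---]` sections of `SID - msg (file.rules)` entries, hard-wrapped at e-mail width), which makes it easy to check mechanically before touching a deployment. The parser below is an added example, not Emerging Threats' own tooling: it rebuilds wrapped entries, verifies that the announced "N new OPEN, M new PRO (a + b)" counts match the SIDs actually listed, sanity-checks the Open/Pro placement against SID ranges (ET open rules at 2000000+, GPL at 2100000+, ETPRO at 2800000+), and lists the disabled/removed SIDs to purge from local `enable.conf`/`modify.conf` overrides and the modified SIDs whose overrides should be re-checked (suricata-update file names are an assumption about the reader's setup). The embedded notice is a constructed, abridged copy of the one above with its summary counts adjusted to the entries kept.

```python
"""Parse an Emerging Threats daily ruleset notice and cross-check it.
Added example, not part of the notice. E-mail hard wraps are handled: a line
that is not a section/tier header or a 'SID - msg' entry continues the
previous entry."""
import re

SECTION_RE = re.compile(r"^\[[*+/\-]{3}\]\s*(.+?):\s*\[[*+/\-]{3}\]$")
ENTRY_RE = re.compile(r"^(\d{7})\s+-\s+(.+)$")
TIER_RE = re.compile(r"^(Open|Pro):$")
SUMMARY_RE = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")
FILE_RE = re.compile(r"\(([\w.]+\.rules)\)$")

# Constructed sample: an abridged copy of the notice above, same layout,
# with the summary counts adjusted to match the entries kept.
SAMPLE_NOTICE = """\
[***] Summary: [***]
2 new OPEN, 4 new PRO (2 + 2). Generic Webshell / Mailer Access, Coinminers.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031199 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised
Server (web_server.rules)
2031205 - ET TROJAN Observed Card Skimmer CnC Domain in TLS SNI
(trojan.rules)
Pro:
2845458 - ETPRO TROJAN Win32/Unk.ZIOBA SystemProfiler Exfil (trojan.rules)
2845461 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-11-12 1) (trojan.rules)
[///] Modified active rules: [///]
2030650 - ET WEB_SERVER Generic Webshell Accessed (web_server.rules)
2100977 - GPL EXPLOIT .cnf access (exploit.rules)
[---] Disabled rules: [---]
2812710 - ETPRO TROJAN Linopid HTTP CnC Beacon (trojan.rules)
[---] Removed rules: [---]
2844799 - ETPRO TROJAN Observed Card Skimmer CnC Domain in TLS SNI
(trojan.rules)
"""


def parse_notice(text):
    """Return (summary, sections): summary = announced counts (or None);
    sections = {name: [{sid, msg, tier, file}, ...]}, tier is Open/Pro
    only under 'Added rules'."""
    summary, sections, section, tier, last = None, {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, tier, last = m.group(1), None, None
            sections.setdefault(section, [])
        elif section == "Summary":  # free text; only the count line matters
            if m := SUMMARY_RE.search(line):
                o, p, po, pp = map(int, m.groups())
                summary = {"open": o, "pro_total": p, "pro_open": po, "pro_only": pp}
        elif m := TIER_RE.match(line):
            tier, last = m.group(1), None
        elif (m := ENTRY_RE.match(line)) and section:
            last = {"sid": int(m.group(1)), "msg": m.group(2), "tier": tier, "file": None}
            sections[section].append(last)
        elif last:
            last["msg"] += " " + line  # hard-wrapped continuation of the entry above
    for e in (e for es in sections.values() for e in es):
        if m := FILE_RE.search(e["msg"]):  # trailing "(x.rules)" names the rule file
            e["file"] = m.group(1)
    return summary, sections


def check_summary(summary, sections):
    """Compare announced counts with what is listed; [] means consistent."""
    if summary is None:
        return ["no summary count line found"]
    added = sections.get("Added rules", [])
    n_open = sum(e["tier"] == "Open" for e in added)
    n_pro = sum(e["tier"] == "Pro" for e in added)
    problems = []
    if summary["open"] != n_open:
        problems.append(f"summary says {summary['open']} OPEN, listed {n_open}")
    if summary["pro_only"] != n_pro:
        problems.append(f"summary says {summary['pro_only']} PRO-only, listed {n_pro}")
    if summary["pro_total"] != summary["pro_open"] + summary["pro_only"]:
        problems.append("PRO total is not OPEN + PRO-only")
    # ET open SIDs are 2000000-2099999 (GPL 2100000+); ETPRO SIDs are 2800000+
    for e in added:
        want = "Pro" if e["sid"] >= 2800000 else "Open"
        if e["tier"] != want:
            problems.append(f"{e['sid']} listed under {e['tier']}, SID range says {want}")
    return problems


def tuning_review(sections):
    """SIDs to act on locally (suricata-update terms, an assumption): purge
    disabled/removed SIDs from enable.conf/modify.conf; re-check overrides on
    modified SIDs, whose content may have changed."""
    purge = sorted(e["sid"] for s in ("Disabled rules", "Removed rules")
                   for e in sections.get(s, []))
    recheck = sorted(e["sid"] for e in sections.get("Modified active rules", []))
    return {"purge": purge, "recheck_overrides": recheck}


if __name__ == "__main__":
    s, secs = parse_notice(SAMPLE_NOTICE)
    print({k: len(v) for k, v in secs.items()}, check_summary(s, secs), tuning_review(secs))
```

Run it against the full notice text (saved from the mail) instead of `SAMPLE_NOTICE` to confirm the 8 + 17 split before importing the update; a non-empty list from `check_summary` usually means a wrapped entry was mangled in transit rather than a real count error, so eyeball the offending SID first.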