[***] Summary: [***]
3 new OPEN, 37 new PRO (3 + 34). Lazarus, AsyncRAT, TrickBot, Mirai, Various Phishing.
Many rules in the Suricata 5 ruleset have been updated with Suricata 5 rule syntax/keywords. A complete list of rules that were changed can be found via the changelog here:
https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.open-nogpl.2020-11-16T23:48:06.txt
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031207 - ET TROJAN APT Lazarus Nukesped Downloader (trojan.rules)
2031208 - ET TROJAN ModPipe CnC Activity (POST) (trojan.rules)
2031209 - ET TROJAN ModPipe CnC Activity (Response) (trojan.rules)
Pro:
2845475 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2845476 - ETPRO TROJAN Reversed Base64 Encoded EXE Inbound (trojan.rules)
2845477 - ETPRO USER_AGENTS Observed Suspicious User-Agent (HTTPDownloader) (user_agents.rules)
2845478 - ETPRO USER_AGENTS Observed Suspicious User-Agent (JWrapperDownloader) (user_agents.rules)
2845479 - ETPRO TROJAN Win32/TrickBot Anchor Variant Style External IP Check (trojan.rules)
2845480 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-13 1) (trojan.rules)
2845481 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-13 2) (trojan.rules)
2845482 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-13 3) (trojan.rules)
2845483 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-15 1) (trojan.rules)
2845484 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-15 2) (trojan.rules)
2845485 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-15 3) (trojan.rules)
2845486 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-15 4) (trojan.rules)
2845487 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-11-16 (current_events.rules)
2845488 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
2845489 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
2845490 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
2845491 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
2845492 - ETPRO CURRENT_EVENTS Successful Peoples United Bank Phish 2020-11-16 (current_events.rules)
2845493 - ETPRO CURRENT_EVENTS Successful IRS Phish 2020-11-16 (current_events.rules)
2845494 - ETPRO CURRENT_EVENTS Successful BMO Phish 2020-11-16 (current_events.rules)
2845495 - ETPRO CURRENT_EVENTS Successful Generic Banking Phish 2020-11-16 (current_events.rules)
2845496 - ETPRO CURRENT_EVENTS Successful Generic Banking Phish 2020-11-16 (current_events.rules)
2845497 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish 2020-11-16 (current_events.rules)
2845498 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-11-16 (current_events.rules)
2845499 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-11-16 (current_events.rules)
2845500 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2020-11-16 (current_events.rules)
2845501 - ETPRO TROJAN Win32/IRCBot.AVP Variant CnC Activity (trojan.rules)
2845502 - ETPRO TROJAN Win32/Remcos RAT Checkin 606 (trojan.rules)
2845503 - ETPRO TROJAN Win32/Remcos RAT Checkin 607 (trojan.rules)
2845504 - ETPRO TROJAN Win32/Remcos RAT Checkin 608 (trojan.rules)
2845505 - ETPRO TROJAN Win32/Remcos RAT Checkin 609 (trojan.rules)
2845506 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845507 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845508 - ETPRO CURRENT_EVENTS Successful Wells Fargo Credential Phish 2020-11-16 (current_events.rules)
[///] Modified active rules: [///]
2009375 - ET CHAT General MSN Chat Activity (chat.rules)
2015483 - ET INFO Java .jar request to dotted-quad domain (info.rules)
2018421 - ET TROJAN Zbot downloader Installing Zeus (trojan.rules)
2025455 - ET TROJAN Win32/GandCrab Ransomware CnC Activity M2 (trojan.rules)
2025530 - ET TROJAN [PTsecurity] Trojan.JS.Agent.dwz Checkin 2 (trojan.rules)
2025558 - ET CURRENT_EVENTS [PTsecurity] Possible Malicious (HTA-VBS-PowerShell) obfuscated command (current_events.rules)
2027762 - ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent (user_agents.rules)
[///] Modified inactive rules: [///]
2844482 - ETPRO INFO DNS Query Response (0.0.0.0) (info.rules)
[---] Disabled and modified rules: [---]
2029834 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain (current_events.rules)
2808018 - ETPRO TROJAN Win32.LockScreen.BHI checkin (trojan.rules)