[***]            Summary:            [***]

3 new OPEN, 37 new PRO (3 + 34). Lazarus, AsyncRAT, TrickBot, Mirai, Various Phishing.

Many rules in the Suricata 5 ruleset have been updated with Suricata 5 rule syntax/keywords. A complete list of rules that were changed can be found via the changelog here:
https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.open-nogpl.2020-11-16T23:48:06.txt

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031207 - ET TROJAN APT Lazarus Nukesped Downloader (trojan.rules)
  2031208 - ET TROJAN ModPipe CnC Activity (POST) (trojan.rules)
  2031209 - ET TROJAN ModPipe CnC Activity (Response) (trojan.rules)

Pro:

  2845475 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
  2845476 - ETPRO TROJAN Reversed Base64 Encoded EXE Inbound (trojan.rules)
  2845477 - ETPRO USER_AGENTS Observed Suspicious User-Agent (HTTPDownloader) (user_agents.rules)
  2845478 - ETPRO USER_AGENTS Observed Suspicious User-Agent (JWrapperDownloader) (user_agents.rules)
  2845479 - ETPRO TROJAN Win32/TrickBot Anchor Variant Style External IP Check (trojan.rules)
  2845480 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-13 1) (trojan.rules)
  2845481 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-13 2) (trojan.rules)
  2845482 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-13 3) (trojan.rules)
  2845483 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-15 1) (trojan.rules)
  2845484 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-15 2) (trojan.rules)
  2845485 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-15 3) (trojan.rules)
  2845486 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-15 4) (trojan.rules)
  2845487 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-11-16 (current_events.rules)
  2845488 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
  2845489 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2845490 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
  2845491 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2845492 - ETPRO CURRENT_EVENTS Successful Peoples United Bank Phish 2020-11-16 (current_events.rules)
  2845493 - ETPRO CURRENT_EVENTS Successful IRS Phish 2020-11-16 (current_events.rules)
  2845494 - ETPRO CURRENT_EVENTS Successful BMO Phish 2020-11-16 (current_events.rules)
  2845495 - ETPRO CURRENT_EVENTS Successful Generic Banking Phish 2020-11-16 (current_events.rules)
  2845496 - ETPRO CURRENT_EVENTS Successful Generic Banking Phish 2020-11-16 (current_events.rules)
  2845497 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish 2020-11-16 (current_events.rules)
  2845498 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-11-16 (current_events.rules)
  2845499 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-11-16 (current_events.rules)
  2845500 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2020-11-16 (current_events.rules)
  2845501 - ETPRO TROJAN Win32/IRCBot.AVP Variant CnC Activity (trojan.rules)
  2845502 - ETPRO TROJAN Win32/Remcos RAT Checkin 606 (trojan.rules)
  2845503 - ETPRO TROJAN Win32/Remcos RAT Checkin 607 (trojan.rules)
  2845504 - ETPRO TROJAN Win32/Remcos RAT Checkin 608 (trojan.rules)
  2845505 - ETPRO TROJAN Win32/Remcos RAT Checkin 609 (trojan.rules)
  2845506 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
  2845507 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
  2845508 - ETPRO CURRENT_EVENTS Successful Wells Fargo Credential Phish 2020-11-16 (current_events.rules)

[///]     Modified active rules:     [///]

  2009375 - ET CHAT General MSN Chat Activity (chat.rules)
  2015483 - ET INFO Java .jar request to dotted-quad domain (info.rules)
  2018421 - ET TROJAN Zbot downloader Installing Zeus (trojan.rules)
  2025455 - ET TROJAN Win32/GandCrab Ransomware CnC Activity M2 (trojan.rules)
  2025530 - ET TROJAN [PTsecurity] Trojan.JS.Agent.dwz Checkin 2 (trojan.rules)
  2025558 - ET CURRENT_EVENTS [PTsecurity] Possible Malicious (HTA-VBS-PowerShell) obfuscated command (current_events.rules)
  2027762 - ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent (user_agents.rules)

[///]    Modified inactive rules:    [///]

  2844482 - ETPRO INFO DNS Query Response (0.0.0.0) (info.rules)

[---]  Disabled and modified rules:  [---]

  2029834 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain (current_events.rules)
  2808018 - ETPRO TROJAN Win32.LockScreen.BHI checkin (trojan.rules)
