[***] Summary: [***]
6 new OPEN, 37 new PRO (6 + 31). AsyncRAT, Win32/TriumphLoader, Remcos, IcedID, Various Phish.
Many rules in the Suricata 5 ruleset have been updated with Suricata 5 rule syntax/keywords. A complete list of rules that were changed can be found via the changelog here:
https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.open-nogpl.2020-11-18T23:15:04.txt
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031211 - ET CURRENT_EVENTS Generic Google Firebase Hosted Phishing Landing (current_events.rules)
2031212 - ET CURRENT_EVENTS Generic Personalized Google Firebase Hosted Phishing Landing (current_events.rules)
2031213 - ET CURRENT_EVENTS Generic Personalized Google Firebase Hosted Phishing Landing (current_events.rules)
2031214 - ET CURRENT_EVENTS Generic Personalized Google Firebase Hosted Phishing Landing (current_events.rules)
2031215 - ET TROJAN Observed Malicious SSL Cert (DonotGroup CnC) (trojan.rules)
2031216 - ET TROJAN Observed DonotGroup CnC in DNS Query (trojan.rules)
Pro:
2845539 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2845540 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2845541 - ETPRO TROJAN Win32/TriumphLoader CnC Checkin (trojan.rules)
2845542 - ETPRO TROJAN Win32/TriumphLoader CnC Activity (trojan.rules)
2845543 - ETPRO TROJAN MalDoc Requesting TriumphLoader Payload (trojan.rules)
2845544 - ETPRO TROJAN Observed Possible Malicious SSL Cert (AsyncRAT) (trojan.rules)
2845545 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-18 1) (trojan.rules)
2845546 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-18 2) (trojan.rules)
2845547 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-18 3) (trojan.rules)
2845548 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-11-18 (current_events.rules)
2845549 - ETPRO CURRENT_EVENTS Successful ING Phish 2020-11-18 (current_events.rules)
2845550 - ETPRO CURRENT_EVENTS Successful Raiffeisen Bank Phish 2020-11-18 (current_events.rules)
2845551 - ETPRO CURRENT_EVENTS Successful Charles Schwab Phish 2020-11-18 (current_events.rules)
2845552 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-11-18 (current_events.rules)
2845553 - ETPRO CURRENT_EVENTS Suspected GoPhish Phishing Landing (current_events.rules)
2845554 - ETPRO CURRENT_EVENTS Successful Zimbra Phish 2020-11-18 (current_events.rules)
2845561 - ETPRO TROJAN Maldoc Retrieving Maldoc via png (set) (trojan.rules)
2845562 - ETPRO TROJAN Maldoc Retrieving Maldoc from png URI (trojan.rules)
2845563 - ETPRO CURRENT_EVENTS Successful Fifth Third Bank Credential Phish 2020-11-18 (current_events.rules)
2845564 - ETPRO CURRENT_EVENTS Successful Scotiabank Credential Phish 2020-11-18 (current_events.rules)
2845565 - ETPRO CURRENT_EVENTS Successful Metrobank Credential Phish 2020-11-18 (current_events.rules)
2845566 - ETPRO TROJAN Win32/Remcos RAT Checkin 612 (trojan.rules)
2845567 - ETPRO TROJAN Win32/Remcos RAT Checkin 613 (trojan.rules)
2845568 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845569 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
[///] Modified active rules: [///]
2025598 - ET TROJAN Win32/AutoIt.NU Miner Dropper CnC Checkin (trojan.rules)
2025872 - ET CURRENT_EVENTS Fake 404 With Hidden Login Form (current_events.rules)
2026113 - ET TROJAN [PTsecurity] Win32/Ramnit Stage 0 Communicating with CnC (trojan.rules)
2026427 - ET INFO Possibly Malicious VBS Writing to Persistence Registry Location (info.rules)
2026563 - ET TROJAN MSIL/KeyRedirEx Banker Receiving Redirect/Inject List (trojan.rules)
2026677 - ET CURRENT_EVENTS Inbound PowerShell Executing Base64 Decoded VBE from Temp 2018-11-29 (current_events.rules)
2026823 - ET TROJAN OSX/LamePyre Screenshot Upload (trojan.rules)
2027099 - ET EXPLOIT Possible Linksys E1500/E2500 apply.cgi RCE Attempt (exploit.rules)
[---] Disabled and modified rules: [---]
2803663 - ETPRO WEB_CLIENT Adobe PDF Multiple APPO Marker Vulnerability Attempt (web_client.rules)