[***]            Summary:            [***]

10 new OPEN, 31 new PRO (10 + 21).  ZeroSSL, Remcos, AsyncRAT, Various Phish, Others.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031223 - ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.gdn) (info.rules)
  2031224 - ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.ml) (info.rules)
  2031225 - ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.gq) (info.rules)
  2031226 - ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.ga) (info.rules)
  2031227 - ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.cf) (info.rules)
  2031228 - ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.xyz) (info.rules)
  2031229 - ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.icu) (info.rules)
  2031230 - ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.top) (info.rules)
  2031231 - ET INFO Observed ZeroSSL SSL/TLS Certificate (info.rules)
  2031232 - ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.pw) (info.rules)

Pro:

  2845608 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
  2845609 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
  2845610 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
  2845611 - ETPRO POLICY Ammyy Admin 3.x Remote Desktop Install Activity (policy.rules)
  2845612 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-21 1) (trojan.rules)
  2845613 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-21 2) (trojan.rules)
  2845614 - ETPRO CURRENT_EVENTS Successful Generic Bank Phish 2020-11-23 (current_events.rules)
  2845615 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-11-23 (current_events.rules)
  2845616 - ETPRO CURRENT_EVENTS Successful Interbank Phish 2020-11-23 (current_events.rules)
  2845617 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-11-23 (current_events.rules)
  2845618 - ETPRO CURRENT_EVENTS Successful Assurance Maladie Phish 2020-11-23 (current_events.rules)
  2845619 - ETPRO CURRENT_EVENTS Successful Santander Phish 2020-11-23 (current_events.rules)
  2845620 - ETPRO CURRENT_EVENTS Successful Lloyds Bank Phish 2020-11-23 (current_events.rules)
  2845621 - ETPRO TROJAN W32/Unknown DotNet.ILYUA M1 (trojan.rules)
  2845622 - ETPRO TROJAN W32/Unknown DotNet.ILYUA M2 (trojan.rules)
  2845623 - ETPRO TROJAN Win32/Remcos RAT Checkin 615 (trojan.rules)
  2845624 - ETPRO TROJAN Win32/Remcos RAT Checkin 616 (trojan.rules)
  2845625 - ETPRO TROJAN Win32/Remcos RAT Checkin 617 (trojan.rules)
  2845626 - ETPRO CURRENT_EVENTS Successful AOL Credential Phish 2020-11-23 (current_events.rules)
  2845627 - ETPRO CURRENT_EVENTS Successful Cooks Credit Union Phish 2020-11-23 (current_events.rules)
  2845628 - ETPRO CURRENT_EVENTS Successful Trustco Bank Phish 2020-11-23 (current_events.rules)

[///]     Modified active rules:     [///]

  2014142 - ET CURRENT_EVENTS Likely Driveby Delivered Malicious PDF (current_events.rules)
  2014154 - ET CURRENT_EVENTS DRIVEBY PDF Containing Subform with JavaScript (current_events.rules)
  2014560 - ET CURRENT_EVENTS Modified Metasploit Jar (current_events.rules)
  2015657 - ET CURRENT_EVENTS Possible Metasploit Java Payload (current_events.rules)
  2016132 - ET CURRENT_EVENTS Escaped Unicode Char in Window Location CVE-2012-4792 EIP (current_events.rules)
  2016134 - ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP % Hex Encode (current_events.rules)
  2016228 - ET CURRENT_EVENTS Metasploit CVE-2013-0422 Jar (current_events.rules)
  2016409 - ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST (current_events.rules)
  2016410 - ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarext32.dll Second Stage Download POST (current_events.rules)
  2017310 - ET CURRENT_EVENTS Possible FortDisco Wordpress Brute-force Site list download 10+ wp-login.php (current_events.rules)
  2017512 - ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Statistic.js (current_events.rules)
  2017900 - ET CURRENT_EVENTS Metasploit 2013-3346 (current_events.rules)
  2018179 - ET CURRENT_EVENTS Obfuscation Technique Used in CVE-2014-0322 Attacks (current_events.rules)
  2018559 - ET CURRENT_EVENTS SUSPICIOUS DTLS Pre 1.0 Fragmented Client Hello Possible CVE-2014-0195 (current_events.rules)
  2018560 - ET CURRENT_EVENTS SUSPICIOUS DTLS 1.0 Fragmented Client Hello Possible CVE-2014-0195 (current_events.rules)
  2018561 - ET CURRENT_EVENTS SUSPICIOUS DTLS 1.2 Fragmented Client Hello Possible CVE-2014-0195 (current_events.rules)
  2019339 - ET CURRENT_EVENTS DRIVEBY Generic URLENCODED CollectGarbage (current_events.rules)
  2020067 - ET CURRENT_EVENTS Possible CVE-2014-6332 Arrays with Offset Dec 23 (current_events.rules)
  2020460 - ET CURRENT_EVENTS Possible CVE-2014-6332 DECS2 (current_events.rules)
  2020481 - ET CURRENT_EVENTS DRIVEBY GENERIC CollectGarbage in Hex String No Seps (current_events.rules)
  2020482 - ET CURRENT_EVENTS DRIVEBY GENERIC ShellExecute in Hex No Seps (current_events.rules)
  2020483 - ET CURRENT_EVENTS DRIVEBY GENERIC ShellExecute in URLENCODE (current_events.rules)
  2020893 - ET CURRENT_EVENTS DRIVEBY EXE Embeded in Page Likely Evil M1 (current_events.rules)
  2020894 - ET CURRENT_EVENTS DRIVEBY EXE Embeded in Page Likely Evil M2 (current_events.rules)
  2021846 - ET CURRENT_EVENTS Evil JavaScript Injection Sep 29 2015 (current_events.rules)
  2022039 - ET CURRENT_EVENTS Possible vBulletin object injection vulnerability Attempt (current_events.rules)
  2023145 - ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M1 (current_events.rules)
  2023146 - ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M2 (current_events.rules)
  2844133 - ETPRO TROJAN DCRat Initial Checkin Server Response (trojan.rules)
  2845553 - ETPRO CURRENT_EVENTS Suspected GoPhish Phishing Landing (current_events.rules)

[///]    Modified inactive rules:    [///]

  2011223 - ET CURRENT_EVENTS Malvertising drive by kit encountered - Loading... (current_events.rules)
  2011355 - ET CURRENT_EVENTS Driveby bredolab hidden div served by nginx (current_events.rules)
  2012333 - ET CURRENT_EVENTS Possible Neosploit Toolkit download (current_events.rules)
  2012530 - ET CURRENT_EVENTS WindowsLive Imposter Site Landing Page (current_events.rules)
  2012614 - ET CURRENT_EVENTS Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks (current_events.rules)
  2013010 - ET CURRENT_EVENTS Request to malicious info.php drive-by landing (current_events.rules)
  2013061 - ET CURRENT_EVENTS Sidename.js Injected Script Served by Local WebServer (current_events.rules)
  2013192 - ET CURRENT_EVENTS cssminibar.js Injected Script Served by Local WebServer (current_events.rules)
  2013244 - ET CURRENT_EVENTS Known Injected Credit Card Fraud Malvertisement Script (current_events.rules)
  2013353 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - flickr.com.* (current_events.rules)
  2013354 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - picasa.com.* (current_events.rules)
  2013355 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - blogger.com.* (current_events.rules)
  2013357 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - wordpress.com.* (current_events.rules)
  2013358 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - img.youtube.com.* (current_events.rules)
  2013359 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.* (current_events.rules)
  2013360 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - photobucket.com.* (current_events.rules)
  2013380 - ET CURRENT_EVENTS Malicious 1px iframe related to Mass Wordpress Injections (current_events.rules)
  2013486 - ET CURRENT_EVENTS Phoenix landing page JAVASMB (current_events.rules)
  2013978 - ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served to Client (current_events.rules)
  2013979 - ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served from Local Server (current_events.rules)
  2014054 - ET CURRENT_EVENTS User-Agent used in Injection Attempts (current_events.rules)
  2014561 - ET CURRENT_EVENTS landing page with malicious Java applet (current_events.rules)
  2014607 - ET CURRENT_EVENTS Nikjju Mass Injection Compromised Site Served To Local Client (current_events.rules)
  2014608 - ET CURRENT_EVENTS Nikjju Mass Injection Internal WebServer Compromised (current_events.rules)
  2014935 - ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - foxxysoftware (current_events.rules)
  2014936 - ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - applet and 0px (current_events.rules)
  2014960 - ET CURRENT_EVENTS Base64 - Landing Page Received - base64encode(GetOs() (current_events.rules)
  2014998 - ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA (current_events.rules)
  2015053 - ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 10HexChar Title and applet (current_events.rules)
  2015054 - ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 100HexChar value and applet (current_events.rules)
  2015666 - ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java (current_events.rules)
  2015667 - ET CURRENT_EVENTS NeoSploit - Version Enumerated - null (current_events.rules)
  2015668 - ET CURRENT_EVENTS FlimKit/Other - Landing Page - 100HexChar value and applet (current_events.rules)
  2015847 - ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page (current_events.rules)
  2016098 - ET CURRENT_EVENTS Drupal Mass Injection Campaign Inbound (current_events.rules)
  2016099 - ET CURRENT_EVENTS Drupal Mass Injection Campaign Outbound (current_events.rules)
  2016801 - ET CURRENT_EVENTS Nuclear landing with obfuscated plugindetect Apr 29 2013 (current_events.rules)
  2016830 - ET CURRENT_EVENTS Injection - var j=0 (current_events.rules)
  2017168 - ET CURRENT_EVENTS FlimKit Landing 07/22/13 (current_events.rules)
  2017169 - ET CURRENT_EVENTS FlimKit Landing 07/22/13 2 (current_events.rules)
  2017170 - ET CURRENT_EVENTS FlimKit Landing 07/22/13 3 (current_events.rules)
  2017171 - ET CURRENT_EVENTS FlimKit Landing 07/22/13 4 (current_events.rules)
  2017301 - ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application page landing (current_events.rules)
  2017513 - ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Ping.html (current_events.rules)
  2017696 - ET CURRENT_EVENTS FaceBook IM & Web Driven Facebook Trojan Download (current_events.rules)
  2017847 - ET CURRENT_EVENTS Browlock Landing Page URI Struct (current_events.rules)
  2018035 - ET CURRENT_EVENTS StyX Landing Jan 29 2014 (current_events.rules)
  2018104 - ET CURRENT_EVENTS EXE Accessing Kaspersky System Driver (Possible Mask) (current_events.rules)
  2018227 - ET CURRENT_EVENTS Rawin Flash Landing URI Struct March 05 2014 (current_events.rules)
  2019596 - ET CURRENT_EVENTS FlashPack Secondary Landing Oct 29 (current_events.rules)
  2019916 - ET CURRENT_EVENTS HanJuan Landing Dec 10 2014 (current_events.rules)
  2022221 - ET CURRENT_EVENTS Facebook password stealing inject Jan 04 (current_events.rules)

[---]         Disabled rules:        [---]

  2008727 - ET TROJAN Gimmiv Infection Ping Inbound (trojan.rules)
  2019159 - ET TROJAN TSPY_POCARDL.U Possible FTP Login (trojan.rules)
  2808742 - ETPRO TROJAN Win32.Darpa Checkin (trojan.rules)
  2808751 - ETPRO TROJAN Win32.Yakes.fvbs Checkin (trojan.rules)
  2808766 - ETPRO TROJAN Win32.Black.cvdvox Checkin (trojan.rules)
  2808768 - ETPRO TROJAN Win32.Yakes.fpbx Checkin (trojan.rules)
  2808792 - ETPRO TROJAN Win32/FlyAgent variant MYSQL C2 (trojan.rules)
  2808797 - ETPRO TROJAN Trojan-PSW.Reedum FTP password (trojan.rules)
