[***]            Summary:            [***]

2 new OPEN, 20 new PRO (2 + 18). IceRAT, Raccoon Stealer, XMRStak, Various Phishing, Ruleset cleanup.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031243 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised
Server (web_server.rules)
  2031244 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised
Server (web_client.rules)

Pro:

  2845733 - ETPRO TROJAN Win32/IceRAT CnC Activity (trojan.rules)
  2845734 - ETPRO TROJAN Observed Malicious SSL Cert (IceRAT) (trojan.rules)
  2845735 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-12-01 1) (trojan.rules)
  2845736 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-12-01 2) (trojan.rules)
  2845737 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-12-01 3) (trojan.rules)
  2845738 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-12-01 4) (trojan.rules)
  2845739 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-12-01 5) (trojan.rules)
  2845740 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-12-01 6) (trojan.rules)
  2845741 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish
2020-12-01 (current_events.rules)
  2845742 - ETPRO CURRENT_EVENTS Successful Optus Phish 2020-12-01
(current_events.rules)
  2845743 - ETPRO CURRENT_EVENTS Successful Outlook Voicemail Phish
2020-12-01 (current_events.rules)
  2845744 - ETPRO TROJAN Win32/XMRStak-A Miner Activity (trojan.rules)
  2845745 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish
2020-12-01 (current_events.rules)
  2845746 - ETPRO CURRENT_EVENTS Successful DBS Ibanking Phish 2020-12-01
(current_events.rules)
  2845747 - ETPRO TROJAN Observed Win32.Raccoon Stealer CnC Domain in TLS
SNI (trojan.rules)
  2845748 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2845749 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2845750 - ETPRO TROJAN Win32/Remcos RAT Checkin 623 (trojan.rules)

[///]     Modified active rules:     [///]

  2838496 - ETPRO TROJAN Win32/Qbot CnC Activity (trojan.rules)
  2844362 - ETPRO TROJAN Win32/Dynamer Variant Checkin (trojan.rules)

[---]         Disabled rules:        [---]

  2021527 - ET TROJAN Zberp/ZeusVM receiving config via image file
(steganography) 3 (trojan.rules)
  2023812 - ET TROJAN Possible DustySky PoisonIvy CnC Beacon (trojan.rules)
  2023813 - ET TROJAN DustySky QuasarRAT CnC Beacon (trojan.rules)
  2803537 - ETPRO TROJAN Backdoor.DsBot.dov/Win32.Morto.A Checkin
(trojan.rules)
  2822220 - ETPRO TROJAN PoisonIvy Keepalive to CnC 546 (trojan.rules)
  2822221 - ETPRO TROJAN PoisonIvy Keepalive to CnC 547 (trojan.rules)
  2822258 - ETPRO TROJAN NanoCore RAT CnC 18 (trojan.rules)
  2822300 - ETPRO TROJAN PoisonIvy Keepalive to CnC 548 (trojan.rules)
  2822301 - ETPRO TROJAN PoisonIvy Keepalive to CnC 549 (trojan.rules)
  2822302 - ETPRO TROJAN PoisonIvy Keepalive to CnC 550 (trojan.rules)
  2822356 - ETPRO TROJAN PoisonIvy Keepalive to CnC 551 (trojan.rules)
  2822357 - ETPRO TROJAN PoisonIvy Keepalive to CnC 552 (trojan.rules)
  2822358 - ETPRO TROJAN PoisonIvy Keepalive to CnC 553 (trojan.rules)
  2822359 - ETPRO TROJAN PoisonIvy Keepalive to CnC 554 (trojan.rules)
  2822438 - ETPRO TROJAN PoisonIvy Keepalive to CnC 555 (trojan.rules)
  2822439 - ETPRO TROJAN PoisonIvy Keepalive to CnC 556 (trojan.rules)
  2822440 - ETPRO TROJAN PoisonIvy Keepalive to CnC 557 (trojan.rules)
  2822441 - ETPRO TROJAN PoisonIvy Keepalive to CnC 558 (trojan.rules)
  2822518 - ETPRO TROJAN PoisonIvy Keepalive to CnC 559 (trojan.rules)
  2822553 - ETPRO TROJAN PoisonIvy Keepalive to CnC 560 (trojan.rules)
  2822554 - ETPRO TROJAN PoisonIvy Keepalive to CnC 561 (trojan.rules)
  2822581 - ETPRO TROJAN PoisonIvy Keepalive to CnC 562 (trojan.rules)
  2822582 - ETPRO TROJAN PoisonIvy Keepalive to CnC 563 (trojan.rules)
  2822583 - ETPRO TROJAN PoisonIvy Keepalive to CnC 564 (trojan.rules)
  2822628 - ETPRO TROJAN PoisonIvy Keepalive to CnC 565 (trojan.rules)
  2822629 - ETPRO TROJAN PoisonIvy Keepalive to CnC 566 (trojan.rules)
  2822630 - ETPRO TROJAN PoisonIvy Keepalive to CnC 567 (trojan.rules)
  2822631 - ETPRO TROJAN PoisonIvy Keepalive to CnC 568 (trojan.rules)
  2822686 - ETPRO TROJAN Win32/Etumbot.G CnC SSL Certificate Detected
(trojan.rules)
  2822691 - ETPRO TROJAN Unknown Potentially Malicious Traffic 1
(trojan.rules)
  2822692 - ETPRO TROJAN Potentially Malicious Traffic 2 (trojan.rules)
  2822693 - ETPRO TROJAN Potentially Malicious Traffic 3 (trojan.rules)
  2822829 - ETPRO TROJAN PoisonIvy Keepalive to CnC 569 (trojan.rules)
  2822830 - ETPRO TROJAN PoisonIvy Keepalive to CnC 570 (trojan.rules)
  2822831 - ETPRO TROJAN PoisonIvy Keepalive to CnC 571 (trojan.rules)
  2822832 - ETPRO TROJAN PoisonIvy Keepalive to CnC 572 (trojan.rules)
  2822833 - ETPRO TROJAN PoisonIvy Keepalive to CnC 573 (trojan.rules)
  2822834 - ETPRO TROJAN PoisonIvy Keepalive to CnC 574 (trojan.rules)
  2822835 - ETPRO TROJAN PoisonIvy Keepalive to CnC 575 (trojan.rules)
  2822836 - ETPRO TROJAN PoisonIvy Keepalive to CnC 576 (trojan.rules)
  2822837 - ETPRO TROJAN PoisonIvy Keepalive to CnC 577 (trojan.rules)
  2822861 - ETPRO TROJAN JS/CardSkimming SSL Certificate Detected
(trojan.rules)
  2822909 - ETPRO TROJAN PoisonIvy Keepalive to CnC 578 (trojan.rules)
  2822910 - ETPRO TROJAN PoisonIvy Keepalive to CnC 579 (trojan.rules)
  2822911 - ETPRO TROJAN PoisonIvy Keepalive to CnC 580 (trojan.rules)
  2823018 - ETPRO TROJAN NanoCore RAT CnC 21 (trojan.rules)
  2823043 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.ke Checkin
(mobile_malware.rules)
  2823116 - ETPRO TROJAN PoisonIvy Keepalive to CnC 581 (trojan.rules)
  2823129 - ETPRO TROJAN PoisonIvy Keepalive to CnC 582 (trojan.rules)
  2823130 - ETPRO TROJAN PoisonIvy Keepalive to CnC 583 (trojan.rules)
  2823132 - ETPRO TROJAN Known Malicious PNG HTTP Download (Hancitor)
(trojan.rules)
  2823200 - ETPRO TROJAN PoisonIvy Keepalive to CnC 584 (trojan.rules)
  2823201 - ETPRO TROJAN PoisonIvy Keepalive to CnC 585 (trojan.rules)
  2823257 - ETPRO TROJAN PoisonIvy Keepalive to CnC 586 (trojan.rules)
  2823258 - ETPRO TROJAN PoisonIvy Keepalive to CnC 587 (trojan.rules)
  2823259 - ETPRO TROJAN PoisonIvy Keepalive to CnC 588 (trojan.rules)
  2823260 - ETPRO TROJAN PoisonIvy Keepalive to CnC 589 (trojan.rules)
  2823261 - ETPRO TROJAN PoisonIvy Keepalive to CnC 590 (trojan.rules)
  2823262 - ETPRO TROJAN PoisonIvy Keepalive to CnC 591 (trojan.rules)
  2823299 - ETPRO TROJAN PoisonIvy Keepalive to CnC 592 (trojan.rules)
  2823456 - ETPRO TROJAN PoisonIvy Keepalive to CnC 593 (trojan.rules)
  2823472 - ETPRO TROJAN PoisonIvy Keepalive to CnC 594 (trojan.rules)
  2823473 - ETPRO TROJAN PoisonIvy Keepalive to CnC 595 (trojan.rules)
  2823918 - ETPRO TROJAN NanoCore RAT CnC 22 (trojan.rules)
  2823936 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.bh Checkin
(mobile_malware.rules)
  2823990 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.cg Checkin
(mobile_malware.rules)
  2824194 - ETPRO MOBILE_MALWARE Android/Spy.NickiSpy.C Checkin
(mobile_malware.rules)
  2824254 - ETPRO TROJAN MSIL/Peppy Retrieving Payload (trojan.rules)
  2824273 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate
Detected (trojan.rules)
  2824396 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Dalik.a Checkin
(mobile_malware.rules)
  2824484 - ETPRO TROJAN GhostAdmin Bot Keylogger FTP Upload (trojan.rules)
  2824721 - ETPRO TROJAN Ursnif JS Downloader Payload Response
(trojan.rules)
  2824869 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.aa Contacts
Exfil via SMTP (mobile_malware.rules)
  2824870 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ac Contacts
Exfil (mobile_malware.rules)
  2824879 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.dj Contacts
Exfil via SMTP 4 (mobile_malware.rules)
  2824945 - ETPRO MOBILE_MALWARE Android/Styricka.A Checkin 2
(mobile_malware.rules)
  2824984 - ETPRO TROJAN Zeus Panda Banker Injects SSL Certificate Detected
(trojan.rules)