[***] Summary: [***]
2 new OPEN, 20 new PRO (2 + 18). IceRAT, Raccoon Stealer, XMRStak, Various Phishing, Ruleset cleanup.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031243 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server (web_server.rules)
2031244 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server (web_client.rules)
Pro:
2845733 - ETPRO TROJAN Win32/IceRAT CnC Activity (trojan.rules)
2845734 - ETPRO TROJAN Observed Malicious SSL Cert (IceRAT) (trojan.rules)
2845735 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-01 1) (trojan.rules)
2845736 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-01 2) (trojan.rules)
2845737 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-01 3) (trojan.rules)
2845738 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-01 4) (trojan.rules)
2845739 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-01 5) (trojan.rules)
2845740 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-01 6) (trojan.rules)
2845741 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish 2020-12-01 (current_events.rules)
2845742 - ETPRO CURRENT_EVENTS Successful Optus Phish 2020-12-01 (current_events.rules)
2845743 - ETPRO CURRENT_EVENTS Successful Outlook Voicemail Phish 2020-12-01 (current_events.rules)
2845744 - ETPRO TROJAN Win32/XMRStak-A Miner Activity (trojan.rules)
2845745 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish 2020-12-01 (current_events.rules)
2845746 - ETPRO CURRENT_EVENTS Successful DBS Ibanking Phish 2020-12-01 (current_events.rules)
2845747 - ETPRO TROJAN Observed Win32.Raccoon Stealer CnC Domain in TLS SNI (trojan.rules)
2845748 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845749 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845750 - ETPRO TROJAN Win32/Remcos RAT Checkin 623 (trojan.rules)
[///] Modified active rules: [///]
2838496 - ETPRO TROJAN Win32/Qbot CnC Activity (trojan.rules)
2844362 - ETPRO TROJAN Win32/Dynamer Variant Checkin (trojan.rules)
[---] Disabled rules: [---]
2021527 - ET TROJAN Zberp/ZeusVM receiving config via image file (steganography) 3 (trojan.rules)
2023812 - ET TROJAN Possible DustySky PoisonIvy CnC Beacon (trojan.rules)
2023813 - ET TROJAN DustySky QuasarRAT CnC Beacon (trojan.rules)
2803537 - ETPRO TROJAN Backdoor.DsBot.dov/Win32.Morto.A Checkin (trojan.rules)
2822220 - ETPRO TROJAN PoisonIvy Keepalive to CnC 546 (trojan.rules)
2822221 - ETPRO TROJAN PoisonIvy Keepalive to CnC 547 (trojan.rules)
2822258 - ETPRO TROJAN NanoCore RAT CnC 18 (trojan.rules)
2822300 - ETPRO TROJAN PoisonIvy Keepalive to CnC 548 (trojan.rules)
2822301 - ETPRO TROJAN PoisonIvy Keepalive to CnC 549 (trojan.rules)
2822302 - ETPRO TROJAN PoisonIvy Keepalive to CnC 550 (trojan.rules)
2822356 - ETPRO TROJAN PoisonIvy Keepalive to CnC 551 (trojan.rules)
2822357 - ETPRO TROJAN PoisonIvy Keepalive to CnC 552 (trojan.rules)
2822358 - ETPRO TROJAN PoisonIvy Keepalive to CnC 553 (trojan.rules)
2822359 - ETPRO TROJAN PoisonIvy Keepalive to CnC 554 (trojan.rules)
2822438 - ETPRO TROJAN PoisonIvy Keepalive to CnC 555 (trojan.rules)
2822439 - ETPRO TROJAN PoisonIvy Keepalive to CnC 556 (trojan.rules)
2822440 - ETPRO TROJAN PoisonIvy Keepalive to CnC 557 (trojan.rules)
2822441 - ETPRO TROJAN PoisonIvy Keepalive to CnC 558 (trojan.rules)
2822518 - ETPRO TROJAN PoisonIvy Keepalive to CnC 559 (trojan.rules)
2822553 - ETPRO TROJAN PoisonIvy Keepalive to CnC 560 (trojan.rules)
2822554 - ETPRO TROJAN PoisonIvy Keepalive to CnC 561 (trojan.rules)
2822581 - ETPRO TROJAN PoisonIvy Keepalive to CnC 562 (trojan.rules)
2822582 - ETPRO TROJAN PoisonIvy Keepalive to CnC 563 (trojan.rules)
2822583 - ETPRO TROJAN PoisonIvy Keepalive to CnC 564 (trojan.rules)
2822628 - ETPRO TROJAN PoisonIvy Keepalive to CnC 565 (trojan.rules)
2822629 - ETPRO TROJAN PoisonIvy Keepalive to CnC 566 (trojan.rules)
2822630 - ETPRO TROJAN PoisonIvy Keepalive to CnC 567 (trojan.rules)
2822631 - ETPRO TROJAN PoisonIvy Keepalive to CnC 568 (trojan.rules)
2822686 - ETPRO TROJAN Win32/Etumbot.G CnC SSL Certificate Detected (trojan.rules)
2822691 - ETPRO TROJAN Unknown Potentially Malicious Traffic 1 (trojan.rules)
2822692 - ETPRO TROJAN Potentially Malicious Traffic 2 (trojan.rules)
2822693 - ETPRO TROJAN Potentially Malicious Traffic 3 (trojan.rules)
2822829 - ETPRO TROJAN PoisonIvy Keepalive to CnC 569 (trojan.rules)
2822830 - ETPRO TROJAN PoisonIvy Keepalive to CnC 570 (trojan.rules)
2822831 - ETPRO TROJAN PoisonIvy Keepalive to CnC 571 (trojan.rules)
2822832 - ETPRO TROJAN PoisonIvy Keepalive to CnC 572 (trojan.rules)
2822833 - ETPRO TROJAN PoisonIvy Keepalive to CnC 573 (trojan.rules)
2822834 - ETPRO TROJAN PoisonIvy Keepalive to CnC 574 (trojan.rules)
2822835 - ETPRO TROJAN PoisonIvy Keepalive to CnC 575 (trojan.rules)
2822836 - ETPRO TROJAN PoisonIvy Keepalive to CnC 576 (trojan.rules)
2822837 - ETPRO TROJAN PoisonIvy Keepalive to CnC 577 (trojan.rules)
2822861 - ETPRO TROJAN JS/CardSkimming SSL Certificate Detected (trojan.rules)
2822909 - ETPRO TROJAN PoisonIvy Keepalive to CnC 578 (trojan.rules)
2822910 - ETPRO TROJAN PoisonIvy Keepalive to CnC 579 (trojan.rules)
2822911 - ETPRO TROJAN PoisonIvy Keepalive to CnC 580 (trojan.rules)
2823018 - ETPRO TROJAN NanoCore RAT CnC 21 (trojan.rules)
2823043 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.ke Checkin (mobile_malware.rules)
2823116 - ETPRO TROJAN PoisonIvy Keepalive to CnC 581 (trojan.rules)
2823129 - ETPRO TROJAN PoisonIvy Keepalive to CnC 582 (trojan.rules)
2823130 - ETPRO TROJAN PoisonIvy Keepalive to CnC 583 (trojan.rules)
2823132 - ETPRO TROJAN Known Malicious PNG HTTP Download (Hancitor) (trojan.rules)
2823200 - ETPRO TROJAN PoisonIvy Keepalive to CnC 584 (trojan.rules)
2823201 - ETPRO TROJAN PoisonIvy Keepalive to CnC 585 (trojan.rules)
2823257 - ETPRO TROJAN PoisonIvy Keepalive to CnC 586 (trojan.rules)
2823258 - ETPRO TROJAN PoisonIvy Keepalive to CnC 587 (trojan.rules)
2823259 - ETPRO TROJAN PoisonIvy Keepalive to CnC 588 (trojan.rules)
2823260 - ETPRO TROJAN PoisonIvy Keepalive to CnC 589 (trojan.rules)
2823261 - ETPRO TROJAN PoisonIvy Keepalive to CnC 590 (trojan.rules)
2823262 - ETPRO TROJAN PoisonIvy Keepalive to CnC 591 (trojan.rules)
2823299 - ETPRO TROJAN PoisonIvy Keepalive to CnC 592 (trojan.rules)
2823456 - ETPRO TROJAN PoisonIvy Keepalive to CnC 593 (trojan.rules)
2823472 - ETPRO TROJAN PoisonIvy Keepalive to CnC 594 (trojan.rules)
2823473 - ETPRO TROJAN PoisonIvy Keepalive to CnC 595 (trojan.rules)
2823918 - ETPRO TROJAN NanoCore RAT CnC 22 (trojan.rules)
2823936 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.bh Checkin (mobile_malware.rules)
2823990 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.cg Checkin (mobile_malware.rules)
2824194 - ETPRO MOBILE_MALWARE Android/Spy.NickiSpy.C Checkin (mobile_malware.rules)
2824254 - ETPRO TROJAN MSIL/Peppy Retrieving Payload (trojan.rules)
2824273 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate Detected (trojan.rules)
2824396 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Dalik.a Checkin (mobile_malware.rules)
2824484 - ETPRO TROJAN GhostAdmin Bot Keylogger FTP Upload (trojan.rules)
2824721 - ETPRO TROJAN Ursnif JS Downloader Payload Response (trojan.rules)
2824869 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.aa Contacts Exfil via SMTP (mobile_malware.rules)
2824870 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ac Contacts Exfil (mobile_malware.rules)
2824879 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.dj Contacts Exfil via SMTP 4 (mobile_malware.rules)
2824945 - ETPRO MOBILE_MALWARE Android/Styricka.A Checkin 2 (mobile_malware.rules)
2824984 - ETPRO TROJAN Zeus Panda Banker Injects SSL Certificate Detected (trojan.rules)
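Added example, not part of the Emerging Threats mail and not ET's or Suricata's own tooling: a small Python parser for this changelog format. It re-joins entries that a mail client wrapped across two lines, groups them by the Added / Modified / Disabled sections (with the Open/Pro subset for added rules), and cross-checks the disabled SIDs against a local Suricata/Snort-style rules file to flag any that are still active, for instance because a local enable override keeps them on after the daily update. The changelog excerpt and the two rule lines inside the block are constructed for the example.

```python
"""Parse an Emerging Threats daily ruleset changelog and cross-check it
against a local rules file.

Assumptions (not from the ET page): the changelog is the plain-text mail
body, where long entries wrap onto a continuation line, and the local
rules file uses standard Suricata/Snort syntax with 'sid:N;'.
"""
import re
from collections import defaultdict

# "[+++] Added rules: [+++]"  ->  action name "Added rules"
SECTION_RE = re.compile(r'^\[[+/*\-]{3}\]\s*(?P<name>[^:]+):\s*\[[+/*\-]{3}\]\s*$')
# "2845733 - ETPRO TROJAN Win32/IceRAT CnC Activity (trojan.rules)"
ENTRY_START_RE = re.compile(r'^(?P<sid>\d{7}) - ')
ENTRY_RE = re.compile(
    r'^(?P<sid>\d{7}) - (?P<tier>ET|ETPRO) (?P<cat>[A-Z_]+) (?P<msg>.+?)\s*'
    r'\((?P<file>[\w.\-]+\.rules)\)$'
)
SUBSET_RE = re.compile(r'^(Open|Pro):$')
SID_IN_RULE_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def parse_changelog(text):
    """Return {action: [entry, ...]} with wrapped lines re-joined.

    Each entry is a dict: sid (int), tier (ET/ETPRO), category, msg,
    file, and subset (Open/Pro for added rules, None otherwise).
    """
    result = defaultdict(list)
    action, subset, pending = None, None, []

    def flush():
        # Join the buffered physical lines into one logical entry and parse it.
        if pending and action:
            m = ENTRY_RE.match(' '.join(pending))
            if m:
                result[action].append({
                    'sid': int(m['sid']), 'tier': m['tier'],
                    'category': m['cat'], 'msg': m['msg'],
                    'file': m['file'], 'subset': subset,
                })
        pending.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            flush()
            action, subset = sec['name'].strip(), None
            continue
        if SUBSET_RE.match(line):
            flush()
            subset = line[:-1]
            continue
        if ENTRY_START_RE.match(line):
            flush()
            pending.append(line)
        elif pending:
            pending.append(line)  # continuation of a wrapped entry
    flush()
    return dict(result)


def sids_enabled_in(rules_text):
    """SIDs on uncommented rule lines of a Suricata/Snort rules file."""
    enabled = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = SID_IN_RULE_RE.search(line)
        if m:
            enabled.add(int(m.group(1)))
    return enabled


def still_enabled_after_disable(changelog, rules_text):
    """SIDs the changelog disabled that are still active in the local file."""
    disabled = {e['sid'] for e in changelog.get('Disabled rules', [])}
    return sorted(disabled & sids_enabled_in(rules_text))


# Constructed excerpt in the format of the ET mail above (wrapped entry included).
SAMPLE_CHANGELOG = """\
[+++] Added rules: [+++]
Open:
2031243 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised
Server (web_server.rules)
Pro:
2845733 - ETPRO TROJAN Win32/IceRAT CnC Activity (trojan.rules)
[///] Modified active rules: [///]
2838496 - ETPRO TROJAN Win32/Qbot CnC Activity (trojan.rules)
[---] Disabled rules: [---]
2822220 - ETPRO TROJAN PoisonIvy Keepalive to CnC 546 (trojan.rules)
2822221 - ETPRO TROJAN PoisonIvy Keepalive to CnC 547 (trojan.rules)
"""

# Constructed stub rules (no real detection options): one disabled SID is still live.
SAMPLE_LOCAL_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN PoisonIvy Keepalive to CnC 546"; sid:2822220; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN PoisonIvy Keepalive to CnC 547"; sid:2822221; rev:1;)
"""

if __name__ == '__main__':
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    for act, entries in parsed.items():
        print(f"{act}: {len(entries)} rule(s)")
    print("disabled upstream but still enabled locally:",
          still_enabled_after_disable(parsed, SAMPLE_LOCAL_RULES))
```

Feed it the full mail body to get per-section counts that can be checked against the Summary line, and point the second argument at the rules file your sensor actually loads rather than the pristine download, since that is where a stale local override would show up.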