[***]            Summary:            [***]

6 new OPEN, 24 new PRO (6 + 18). CVE-2020-14882, Blackmoon, Remcos, Various Phishing, Ruleset cleanup.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031245 - ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M6
(CVE-2020-14882) (web_specific_apps.rules)
  2031246 - ET TROJAN Observed DNS Query to WHO Themed Malware Delivery
Domain (trojan.rules)
  2031247 - ET TROJAN Observed DNS Query to WHO Themed Malware Delivery
Domain (trojan.rules)
  2031248 - ET TROJAN Observed DNS Query to WHO Themed Malware Delivery
Domain (trojan.rules)
  2031249 - ET TROJAN Observed DNS Query to WHO Themed Malware Delivery
Domain (trojan.rules)
  2031250 - ET TROJAN Observed DNS Query to WHO Themed Malware Delivery
Domain (trojan.rules)

Pro:

  2845751 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-12-02 1) (trojan.rules)
  2845752 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-12-02 2) (trojan.rules)
  2845753 - ETPRO TROJAN Win32/Chorme Variant CnC Activity (trojan.rules)
  2845754 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-12-02 (current_events.rules)
  2845755 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
BR Phish 2020-12-02 (current_events.rules)
  2845756 - ETPRO CURRENT_EVENTS Successful ICS International Card Services
Phish 2020-12-02 (current_events.rules)
  2845757 - ETPRO CURRENT_EVENTS Successful Excel Online Phish 2020-12-02
(current_events.rules)
  2845758 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-12-02
(current_events.rules)
  2845759 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2020-12-02
(current_events.rules)
  2845760 - ETPRO TROJAN Win32/Flooder.Agent.NAS Activity (trojan.rules)
  2845761 - ETPRO INFO Suspicious Request to VBS on Cloudflare (info.rules)
  2845762 - ETPRO TROJAN Win32/Packed.BlackMoon.A Variant Checkin
(trojan.rules)
  2845763 - ETPRO TROJAN Win32/Remcos RAT Checkin 624 (trojan.rules)
  2845764 - ETPRO CURRENT_EVENTS Successful Citi Credential Phish
2020-12-02 (current_events.rules)
  2845765 - ETPRO CURRENT_EVENTS Successful Facebook (VN) Credential Phish
2020-12-02 (current_events.rules)
  2845766 - ETPRO CURRENT_EVENTS Successful Xfinity Credential Phish
2020-12-02 (current_events.rules)
  2845767 - ETPRO CURRENT_EVENTS Successful Facebook Credential Phish
2020-12-02 (current_events.rules)
  2845768 - ETPRO CURRENT_EVENTS Successful Netflix Credential Phish
2020-12-02 (current_events.rules)

[///]     Modified active rules:     [///]

  2026047 - ET CURRENT_EVENTS Generic Multi-Email Phishing Landing
2018-08-30 (current_events.rules)
  2839715 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2019-12-03 (current_events.rules)

[---]  Disabled and modified rules:  [---]

  2812688 - ETPRO CURRENT_EVENTS Successful Navy Credit Union Account Phish
Aug 25 2015 (current_events.rules)

[---]         Disabled rules:        [---]

  2024423 - ET TROJAN x0Proto File Contents Exfil Request (trojan.rules)
  2024433 - ET TROJAN Observed Malicious SSL Cert (HiddenTear Variant CnC)
(trojan.rules)
  2825041 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate
Detected (trojan.rules)
  2825074 - ETPRO TROJAN Kovter Soceng SSL Certificate Detected
(trojan.rules)
  2825095 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ff Checkin via
FTP 2 (mobile_malware.rules)
  2825134 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ac Contact
Exfil via SMTP 2 (mobile_malware.rules)
  2825203 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.SmsThief.ac SMS/Contact
Exfil via SMTP (mobile_malware.rules)
  2825204 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.SmsThief.ac SMS/Contact
Exfil via SMTP 2 (mobile_malware.rules)
  2825224 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.eo
SMS/Contacts Exfil via SMTP 2 (mobile_malware.rules)
  2825568 - ETPRO TROJAN Powershell Downloader Domain in SNI (trojan.rules)
  2825589 - ETPRO TROJAN Samsam Ransomware Domain in SSL Client Hello
(trojan.rules)
  2825590 - ETPRO TROJAN Samsam Ransomware Domain in SSL Client Hello
(trojan.rules)
  2825683 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.gd SMS Exfil
via SMTP (mobile_malware.rules)
  2826052 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate
Detected (trojan.rules)
  2826073 - ETPRO TROJAN ZLoader Malicious SSL Cert Observed (trojan.rules)
  2826074 - ETPRO TROJAN ZLoader Malicious SSL Cert Observed (trojan.rules)
  2826083 - ETPRO TROJAN Docm File Autolaunching from PDF via JS - Possible
Locky/Dridex M1 (trojan.rules)
  2826084 - ETPRO TROJAN Docm File Autolaunching from PDF via JS - Possible
Locky/Dridex M2 (trojan.rules)
  2826085 - ETPRO TROJAN Docm File Autolaunching from PDF via JS - Possible
Locky/Dridex M3 (trojan.rules)
  2826145 - ETPRO TROJAN Malicious SSL Certificate Detected (CobaltStrike
Dropper) (trojan.rules)
  2826207 - ETPRO TROJAN SMSDocu SSL Cert (trojan.rules)
  2826539 - ETPRO TROJAN Core Bot Injects SSL Certificate Detected
(trojan.rules)
  2826540 - ETPRO TROJAN Core Bot Injects SSL Certificate Detected
(trojan.rules)
  2826643 - ETPRO TROJAN Win32/IRCBot.AVI Command (Keylog) (trojan.rules)
  2826644 - ETPRO TROJAN Win32/IRCBot.AVI Command Complete (Flood)
(trojan.rules)
  2826645 - ETPRO TROJAN Win32/IRCBot.AVI Command Complete (Keylog)
(trojan.rules)
  2826646 - ETPRO TROJAN Win32/IRCBot.AVI Command Complete (HTTP DoS)
(trojan.rules)
  2826647 - ETPRO TROJAN Win32/IRCBot.AVI Command Complete (DDoS)
(trojan.rules)
  2826648 - ETPRO TROJAN Win32/IRCBot.AVI Joinning IRC Channel
(trojan.rules)
  2826821 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
Injects) (trojan.rules)
  2826955 - ETPRO TROJAN TTIger Tech Keylogger Reporting Infection via SMTP
(trojan.rules)
  2827230 - ETPRO TROJAN Win32.Reconyc.iddk Receiving Payload (trojan.rules)
  2827490 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.kk
SMS/Contact Exfil via SMTP (mobile_malware.rules)