[***] Summary: [***]
8 new OPEN, 37 new PRO (8 + 29). Turla, SombRAT, DeathStalker, AsyncRAT, Various Phishing.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031251 - ET TROJAN Possible SombRAT Initial DNS Lookup (trojan.rules)
2031252 - ET TROJAN Turla/Crutch CnC Domain in DNS Lookup (hotspot .accesscam .org) (trojan.rules)
2031253 - ET TROJAN Turla/Crutch CnC Domain in DNS Lookup (highcolumn .webredirect .org) (trojan.rules)
2031254 - ET TROJAN Turla/Crutch CnC Domain in DNS Lookup (ethdns .mywire .org) (trojan.rules)
2031255 - ET TROJAN Turla/Crutch CnC Domain in DNS Lookup (theguardian .webredirect .org) (trojan.rules)
2031256 - ET TROJAN DeathStalker/PowerPepper CnC Domain in DNS Lookup (allmedicalpro .com) (trojan.rules)
2031257 - ET TROJAN DeathStalker/PowerPepper CnC Domain in DNS Lookup (mediqhealthcare .com) (trojan.rules)
2031258 - ET TROJAN DeathStalker/PowerPepper CnC Domain in DNS Lookup (gofinancesolutions .com) (trojan.rules)
Pro:
2845769 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2845770 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2845771 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2845772 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2845773 - ETPRO POLICY External IP Lookup via ip ipwhois .app (policy.rules)
2845774 - ETPRO INFO User-Agent Containing Common Delimiter Pattern (info.rules)
2845775 - ETPRO TROJAN Win32/Unk.CoinSteal CnC Exfil (trojan.rules)
2845776 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-03 1) (trojan.rules)
2845777 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-03 2) (trojan.rules)
2845778 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-03 3) (trojan.rules)
2845779 - ETPRO MALWARE Win32/Vigram.A Activity (malware.rules)
2845780 - ETPRO CURRENT_EVENTS Successful Banca en Linea Phish 2020-12-03 (current_events.rules)
2845781 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2020-12-03 (current_events.rules)
2845782 - ETPRO CURRENT_EVENTS Successful Apple Phish 2020-12-03 (current_events.rules)
2845783 - ETPRO CURRENT_EVENTS Successful Apple Phish 2020-12-03 (current_events.rules)
2845784 - ETPRO CURRENT_EVENTS Successful Office 365 Phish 2020-12-03 (current_events.rules)
2845785 - ETPRO CURRENT_EVENTS Successful Outlook Phish 2020-12-03 (current_events.rules)
2845786 - ETPRO CURRENT_EVENTS Successful My3 Phish 2020-12-03 (current_events.rules)
2845787 - ETPRO CURRENT_EVENTS Successful Roundcube Phish 2020-12-03 (current_events.rules)
2845788 - ETPRO CURRENT_EVENTS Successful Generic CF Phish 2020-12-03 (current_events.rules)
2845789 - ETPRO CURRENT_EVENTS Successful PNC Phish 2020-12-03 (current_events.rules)
2845790 - ETPRO CURRENT_EVENTS Successful Raiffeisen Bank Phish 2020-12-03 (current_events.rules)
2845791 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-12-03 (current_events.rules)
2845792 - ETPRO CURRENT_EVENTS Successful DHL Phish 2020-12-03 (current_events.rules)
2845793 - ETPRO TROJAN Suspected Bandook CnC M2 (trojan.rules)
2845794 - ETPRO TROJAN Observed Win32.Raccoon Stealer CnC Domain in TLS SNI (trojan.rules)
2845795 - ETPRO TROJAN Win32/Remcos RAT Checkin 625 (trojan.rules)
2845796 - ETPRO TROJAN Win32/Remcos RAT Checkin 626 (trojan.rules)
2845797 - ETPRO CURRENT_EVENTS Successful Berkshire Bank Credential Phish 2020-12-03 (current_events.rules)
[///] Modified active rules: [///]
2841802 - ETPRO TROJAN Suspected Bandook CnC M1 (trojan.rules)
2844070 - ETPRO CURRENT_EVENTS Successful Deutsche Bank Credential Phish 2020-08-18 (current_events.rules)
[---] Disabled rules: [---]
2024613 - ET TROJAN OSX.Pwnet.A Certificate Observed (trojan.rules)
2024682 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Adwind) (trojan.rules)
2024683 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM) (trojan.rules)
2024684 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM) (trojan.rules)
2024685 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM) (trojan.rules)
2024757 - ET TROJAN Observed Malicious SSL Cert (MalDoc DL) (trojan.rules)
2024896 - ET MOBILE_MALWARE Android JadeRAT CnC Beacon 2 (mobile_malware.rules)
2827495 - ETPRO TROJAN Possibly Malicious Base64 Compressed PowerShell Download 3 (trojan.rules)
2827544 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.IT SMS Exfil via MySQL (mobile_malware.rules)
2827548 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ey Contact Exfil via SMTP 4 (mobile_malware.rules)
2827549 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ey SMS Exfil via SMTP 4 (mobile_malware.rules)
2827562 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.ij / SmsThief SMS/Contact Exfil via SMTP (mobile_malware.rules)
2827563 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.ij / SmsThief SMS/Contact Exfil via SMTP 2 (mobile_malware.rules)
2827639 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (Linux.BtcMine.26) (trojan.rules)
2827764 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL) (trojan.rules)
2827891 - ETPRO TROJAN Malicious SSL Certificate Detected (NetSupport Manager RAT) (trojan.rules)
2828078 - ETPRO MOBILE_MALWARE Android-Trojan/Marcher.5ad46 SSL CnC Cert (mobile_malware.rules)
2828125 - ETPRO TROJAN Observed Ovidiy/Reborn Stealer in SNI via SSL (trojan.rules)
2828399 - ETPRO TROJAN NanoCore RAT Keepalive Response 5 (trojan.rules)
2828441 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.aa SMS/Contact Exfil via SMTP 2 (mobile_malware.rules)
2828513 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Domain Request in SNI (mobile_malware.rules)
2828514 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 2 (mobile_malware.rules)
2828515 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 3 (mobile_malware.rules)
2828516 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 4 (mobile_malware.rules)
2828517 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 5 (mobile_malware.rules)
2828518 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 6 (mobile_malware.rules)
2828519 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 7 (mobile_malware.rules)
2828520 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 8 (mobile_malware.rules)
2828630 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz SMS Exfil via SMTP 30 (mobile_malware.rules)
2828631 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz Contact Exfil via SMTP 31 (mobile_malware.rules)
2828663 - ETPRO TROJAN Gootkit Domain (sslsecure256 .com in SNI) (trojan.rules)
2828664 - ETPRO TROJAN Gootkit Domain (ssl256cert .com in SNI) (trojan.rules)
2828822 - ETPRO TROJAN VBS/BoletoMestre IRC Checkin (trojan.rules)