[***] Summary: [***]
44 new OPEN, 86 new PRO (44 + 42). FireEye Red Team Tool Countermeasures, AsyncRAT, StormKitty and Various Android Malware.
FireEye Red Team Tool Countermeasure signatures are included in this release. They have gone through our quality assurance process, but updates that optimize these rules will be pushed either before tomorrow's normal release (out of band) or with it.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031264 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original GET] (current_events.rules)
2031265 - ET CURRENT_EVENTS [Fireeye] Backdoor.DNS.BEACON.[CSBundle DNS] (current_events.rules)
2031266 - ET CURRENT_EVENTS [Fireeye] HackTool.TCP.Rubeus.[nonce] (current_events.rules)
2031267 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server] (current_events.rules)
2031268 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server 3] (current_events.rules)
2031269 - ET CURRENT_EVENTS [Fireeye] HackTool.UDP.Rubeus.[nonce] (current_events.rules)
2031270 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.GORAT.[POST] (current_events.rules)
2031271 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server (web_server.rules)
2031272 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server (web_client.rules)
2031273 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday Server] (current_events.rules)
2031274 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday Server] (current_events.rules)
2031275 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server] (current_events.rules)
2031276 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES GET] (current_events.rules)
2031277 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Stager] (current_events.rules)
2031278 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.GORAT.[SID1] (current_events.rules)
2031279 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice Server] (current_events.rules)
2031280 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[Yelp GET] (current_events.rules)
2031281 - ET CURRENT_EVENTS [Fireeye] Backdoor.DNS.BEACON.[CSBundle DNS] (current_events.rules)
2031282 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle CDN GET] (current_events.rules)
2031283 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday GET] (current_events.rules)
2031284 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original POST] (current_events.rules)
2031285 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice POST] (current_events.rules)
2031286 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Stager 2] (current_events.rules)
2031287 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST] (current_events.rules)
2031288 - ET CURRENT_EVENTS [Fireeye] HackTool.TCP.Rubeus.[nonce 2] (current_events.rules)
2031289 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[Yelp Request] (current_events.rules)
2031290 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice GET] (current_events.rules)
2031291 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server 2] (current_events.rules)
2031292 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice POST] (current_events.rules)
2031293 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice Server] (current_events.rules)
2031294 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server] (current_events.rules)
2031295 - ET CURRENT_EVENTS [Fireeye] HackTool.UDP.Rubeus.[nonce 2] (current_events.rules)
2031296 - ET CURRENT_EVENTS [Fireeye] POSSIBLE HackTool.TCP.Rubeus.[User32LogonProcesss] (current_events.rules)
2031297 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.GORAT.[Build ID] (current_events.rules)
2031299 - ET CURRENT_EVENTS [Fireeye] Backdoor.SSL.BEACON.[CSBundle Ajax] (current_events.rules)
2031300 - ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M1 (current_events.rules)
2031301 - ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M2 (current_events.rules)
2031302 - ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M3 (current_events.rules)
2031303 - ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M4 (current_events.rules)
2031304 - ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M5 (current_events.rules)
2031305 - ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M6 (current_events.rules)
2031306 - ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M7 (current_events.rules)
2031307 - ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M8 (current_events.rules)
2031308 - ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M9 (current_events.rules)
Pro:
2845874 - ETPRO MOBILE_MALWARE Trojan-Downloader.AndroidOS.Cloput.a Checkin (mobile_malware.rules)
2845875 - ETPRO MOBILE_MALWARE Android AdvertPop Checkin (mobile_malware.rules)
2845876 - ETPRO MOBILE_MALWARE Android/Hiddad.ARD Checkin (mobile_malware.rules)
2845877 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Knobot.g Checkin (mobile_malware.rules)
2845878 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Hiddapp.cf Checkin (mobile_malware.rules)
2845879 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.nz Checkin (mobile_malware.rules)
2845880 - ETPRO MOBILE_MALWARE Android.Smsthief.A96a Checkin (mobile_malware.rules)
2845881 - ETPRO MOBILE_MALWARE Downloader.AndroidOS.Agent.a Checkin (mobile_malware.rules)
2845882 - ETPRO MOBILE_MALWARE Downloader.AndroidOS.Agent.ar Checkin (mobile_malware.rules)
2845883 - ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.QI Contact Exfiltration via SMTP (mobile_malware.rules)
2845884 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.QB Reporting Infection via SMTP (mobile_malware.rules)
2845885 - ETPRO MOBILE_MALWARE Trojan/Android.SmsSpy.105521 Reporting Infection via SMTP (mobile_malware.rules)
2845886 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Boogr.gsh Reporting Infection via SMTP (mobile_malware.rules)
2845887 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2845888 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2845889 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2845890 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2845891 - ETPRO TROJAN MSIL/StormKitty CnC Exfil (trojan.rules)
2845892 - ETPRO TROJAN Win32/Unk.SteamStealer CnC Exfil (trojan.rules)
2845893 - ETPRO TROJAN MSIL/Apocalypse Stealer CnC Exfil (trojan.rules)
2845894 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-08 1) (trojan.rules)
2845895 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-08 2) (trojan.rules)
2845896 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-08 3) (trojan.rules)
2845897 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-08 4) (trojan.rules)
2845898 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-08 5) (trojan.rules)
2845899 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-08 6) (trojan.rules)
2845900 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-08 7) (trojan.rules)
2845901 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-08 8) (trojan.rules)
2845902 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-08 9) (trojan.rules)
2845903 - ETPRO CURRENT_EVENTS Successful Banca MPS IT Phish 2020-12-08 (current_events.rules)
2845904 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-12-08 (current_events.rules)
2845905 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-12-08 (current_events.rules)
2845906 - ETPRO CURRENT_EVENTS Successful Fedex Phish 2020-12-08 (current_events.rules)
2845907 - ETPRO TROJAN ELF/Kerbynet Activity (Outbound) (trojan.rules)
2845908 - ETPRO SCAN ELF/Kerbynet Activity (Inbound) (scan.rules)
2845909 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845910 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845911 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2845912 - ETPRO CHAT Successful T-Mobile Phish 2020-12-08 (chat.rules)
2845913 - ETPRO CURRENT_EVENTS Successful Halifax Phish 2020-12-08 (current_events.rules)
2845914 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-12-08 (current_events.rules)
2845915 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
[///] Modified active rules: [///]
2837813 - ETPRO CURRENT_EVENTS Successful United Airlines Phish 2019-08-01 (current_events.rules)