[***] Summary: [***]
6 new OPEN, 41 new PRO (6 + 35). Possible Zoho ManageEngine ServiceDesk CVE-2019-8394, LuckyMouse, Win32/FileCrypter Variant, various Android and Phishing sigs
Updates to many of the FireEye Red Team Tool Countermeasure signatures have been included with this release. We do not anticipate additional updates at this time.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031309 - ET MOBILE_MALWARE Android.Trojan.Rana.A (wherisdomaintv .com in DNS Lookup) (mobile_malware.rules)
2031310 - ET MOBILE_MALWARE Android.Trojan.Rana.A (whoisdomainpc .com in DNS Lookup) (mobile_malware.rules)
2031311 - ET MOBILE_MALWARE Android.Trojan.Rana.A (fullplayersoftware .com in DNS Lookup) (mobile_malware.rules)
2031312 - ET MOBILE_MALWARE Android.Trojan.Rana.A (softwareplayertop .com in DNS Lookup) (mobile_malware.rules)
2031313 - ET TROJAN APT LuckyMouse Polpo Malware CnC (trojan.rules)
2031314 - ET TROJAN APT LuckyMouse Polpo Malware CnC (trojan.rules)
Pro:
2845916 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.aw Checkin (mobile_malware.rules)
2845917 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.aw Checkin 2 (mobile_malware.rules)
2845918 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Hiddad.pac Checkin (mobile_malware.rules)
2845919 - ETPRO MOBILE_MALWARE Android RepairLoser Checkin (mobile_malware.rules)
2845920 - ETPRO MOBILE_MALWARE Android OperationLog Checkin (mobile_malware.rules)
2845921 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.cf Checkin (mobile_malware.rules)
2845922 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.cf Checkin 2 (mobile_malware.rules)
2845923 - ETPRO MOBILE_MALWARE Trojan.Ewind.Android.846 Reporting Device Info (mobile_malware.rules)
2845924 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.Sakezon.a Checkin (mobile_malware.rules)
2845925 - ETPRO INFO Observed Abused File Hosting Domain SSL Cert (zz .ht) (info.rules)
2845926 - ETPRO INFO Observed Abused File Hosting Domain in TLS SNI (z .zz .ht) (info.rules)
2845927 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2845928 - ETPRO CURRENT_EVENTS Successful Meridian Credit Union Phish 2020-12-09 (current_events.rules)
2845929 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-09 1) (trojan.rules)
2845930 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-09 2) (trojan.rules)
2845931 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-09 3) (trojan.rules)
2845932 - ETPRO CURRENT_EVENTS Successful Pocketcard JP Phish 2020-12-09 (current_events.rules)
2845933 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-12-09 (current_events.rules)
2845934 - ETPRO CURRENT_EVENTS Successful M&T Phish 2020-12-09 (current_events.rules)
2845935 - ETPRO CURRENT_EVENTS Successful M&T Phish 2020-12-09 (current_events.rules)
2845936 - ETPRO CURRENT_EVENTS Successful M&T Phish 2020-12-09 (current_events.rules)
2845937 - ETPRO CURRENT_EVENTS Successful Volksbanken Phish 2020-12-09 (current_events.rules)
2845938 - ETPRO CURRENT_EVENTS Successful Made in China Phish 2020-12-09 (current_events.rules)
2845939 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-12-09 (current_events.rules)
2845940 - ETPRO CURRENT_EVENTS Successful Paxful Phish 2020-12-09 (current_events.rules)
2845941 - ETPRO CURRENT_EVENTS Successful Rakuten Phish 2020-12-09 (current_events.rules)
2845942 - ETPRO TROJAN Win32/FileCrypter Variant CnC Activity (trojan.rules)
2845943 - ETPRO TROJAN MSIL/Spammer.H Variant Activity (trojan.rules)
2845944 - ETPRO WEB_SPECIFIC_APPS Possible Zoho ManageEngine ServiceDesk Plus Arbitrary File Upload Inbound (CVE-2019-8394) (web_specific_apps.rules)
2845945 - ETPRO TROJAN Win32/Qbot CnC Activity M2 (trojan.rules)
2845946 - ETPRO TROJAN Win32/Qbot CnC Activity M3 (trojan.rules)
2845947 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2845948 - ETPRO TROJAN Win32/Remcos RAT Checkin 628 (trojan.rules)
2845949 - ETPRO CURRENT_EVENTS Successful Google (NL) Phish 2020-12-09 (current_events.rules)
2845950 - ETPRO CURRENT_EVENTS Successful Santander Phish 2020-12-09 (current_events.rules)
[///] Modified active rules: [///]
2031264 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original GET] (current_events.rules)
2031265 - ET CURRENT_EVENTS [Fireeye] Backdoor.DNS.BEACON.[CSBundle DNS] (current_events.rules)
2031267 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server] (current_events.rules)
2031268 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server 3] (current_events.rules)
2031270 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.GORAT.[POST] (current_events.rules)
2031273 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday Server] (current_events.rules)
2031274 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday Server] (current_events.rules)
2031275 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server] (current_events.rules)
2031276 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES GET] (current_events.rules)
2031277 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Stager] (current_events.rules)
2031278 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.GORAT.[SID1] (current_events.rules)
2031279 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice Server] (current_events.rules)
2031280 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[Yelp GET] (current_events.rules)
2031282 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle CDN GET] (current_events.rules)
2031283 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday GET] (current_events.rules)
2031284 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original POST] (current_events.rules)
2031285 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice POST] (current_events.rules)
2031286 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Stager 2] (current_events.rules)
2031287 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST] (current_events.rules)
2031289 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[Yelp Request] (current_events.rules)
2031290 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice GET] (current_events.rules)
2031291 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server 2] (current_events.rules)
2031292 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice POST] (current_events.rules)
2031293 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice Server] (current_events.rules)
2031294 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server] (current_events.rules)