[***] Summary: [***]
5 new OPEN, 30 new PRO (5 + 25). MALWARE Android/Spy.SmsSpy.IT, Joomla RCE, LuckyMouse, and Various Phishing
Thanks: @travisbgreen.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031316 - ET TROJAN Suspected APT LuckyMouse BlueTraveller CnC
(trojan.rules)
2031317 - ET INFO McAfee AV Download (set) (info.rules)
2031318 - ET CURRENT_EVENTS 401TRG Liferay RCE (CVE-2020-7961)
(current_events.rules)
2031319 - ET EXPLOIT Joomla RCE (JDatabaseDriverMysqli) M2 (exploit.rules)
2031320 - ET TROJAN APT LuckyMouse Polpo Malware CnC (trojan.rules)
Pro:
2845912 - ETPRO CURRENT_EVENTS Successful T-Mobile Phish 2020-12-08
(current_events.rules)
2845979 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.fh Contact
List Exfiltration via SMTP (mobile_malware.rules)
2845980 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.IT Contact List
Exfiltration via SMTP (mobile_malware.rules)
2845981 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ka Reporting
Infection via SMTP (mobile_malware.rules)
2845982 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request
(Windows.txt) (info.rules)
2845983 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request
(ProductKey.txt) (info.rules)
2845984 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request
(Process.txt) (info.rules)
2845985 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request
(WebCam.png) (info.rules)
2845986 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request
(Downloads.txt) (info.rules)
2845987 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request
(Startup.txt) (info.rules)
2845988 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-12-11 1) (trojan.rules)
2845989 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-12-11 2) (trojan.rules)
2845990 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-12-11 3) (trojan.rules)
2845991 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-12-11 (current_events.rules)
2845992 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-12-11 (current_events.rules)
2845993 - ETPRO CURRENT_EVENTS Successful OneDrive Phish 2020-12-11
(current_events.rules)
2845994 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-12-11 (current_events.rules)
2845995 - ETPRO TROJAN Win32/Datper Variant CnC Host Checkin
(trojan.rules)
2845996 - ETPRO CURRENT_EVENTS Successful Interbank Phish 2020-12-11
(current_events.rules)
2845997 - ETPRO CURRENT_EVENTS Successful OneDrive Shared Link Phish
2020-12-11 (current_events.rules)
2845998 - ETPRO CURRENT_EVENTS Successful Volksbanken Phish 2020-12-11
(current_events.rules)
2845999 - ETPRO CURRENT_EVENTS Successful Huntington Bank Phish 2020-12-11
(current_events.rules)
2846000 - ETPRO CURRENT_EVENTS Successful Square Phish 2020-12-11
(current_events.rules)
2846001 - ETPRO CURRENT_EVENTS Successful American Express Phish
2020-12-11 (current_events.rules)
2846002 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-12-11
(current_events.rules)
[///] Modified active rules: [///]
2006381 - ET MALWARE Ask.com Toolbar/Spyware User-Agent (AskPBar)
(malware.rules)
2011108 - ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter
SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
2011109 - ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter
DELETE FROM SQL Injection Attempt (web_specific_apps.rules)
2011110 - ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UNION
SELECT SQL Injection Attempt (web_specific_apps.rules)
2011111 - ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter
INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
2011112 - ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter
UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
2015985 - ET TROJAN Win32/Kuluoz.B Request (trojan.rules)
2016528 - ET TROJAN W32/Asprox CnC Beacon (trojan.rules)
2017702 - ET TROJAN Possible Trojan.APT.9002 POST (trojan.rules)
2017714 - ET TROJAN PlugX Checkin (trojan.rules)
2019176 - ET CURRENT_EVENTS Possible Astrum EK URI Struct
(current_events.rules)
2020656 - ET TROJAN Banker Boleto Fraud JS_BROBAN.SM Checkin 3
(trojan.rules)
2021631 - ET TROJAN Sharik/Smoke CnC Beacon 2 (trojan.rules)
2021829 - ET TROJAN Ursnif Variant CnC Beacon 4 (trojan.rules)
2021991 - ET WEB_CLIENT Fake Java Installer Landing Page Oct 21
(web_client.rules)
2022261 - ET EXPLOIT Joomla RCE (JDatabaseDriverMysqli) (exploit.rules)
2023551 - ET TROJAN Locky CnC checkin Nov 21 (trojan.rules)
2023679 - ET TROJAN JS/WSF Downloader Dec 08 2016 M6 (trojan.rules)
2023711 - ET TROJAN JS/WSF Downloader Dec 08 2016 M7 (trojan.rules)
2024617 - ET CURRENT_EVENTS Successful Poloniex Cryptocurrency Exchange
Phish Aug 28 2017 (current_events.rules)
2024618 - ET CURRENT_EVENTS Successful Exmo Cryptocurrency Exchange Phish
Aug 28 2017 (current_events.rules)
2024621 - ET CURRENT_EVENTS Successful Paxful Cryptocurrency Wallet Phish
Aug 30 2017 (current_events.rules)
2024640 - ET CURRENT_EVENTS Successful LocalBitcoins Cryptocurrency
Exchange Phish Aug 30 2017 (current_events.rules)
2029193 - ET TROJAN Win32/Valak <v9 - Stage 2 - Request (trojan.rules)
2029499 - ET TROJAN PHPs Labyrinth Backdoor Stage1 CnC Activity
(trojan.rules)
2029662 - ET CURRENT_EVENTS Successful Generic .EDU Phish Aug 17 2017
(current_events.rules)
2029669 - ET CURRENT_EVENTS Successful Generic Personalized Phish
2019-02-13 (current_events.rules)
2029846 - ET TROJAN Suspicious Zipped Filename in Outbound POST Request
(Passwords.txt) (trojan.rules)
2030339 - ET DOS CallStranger - Attempted UPnP Reflected Amplified TCP
with Multiple Callbacks (CVE-2020-12695) (dos.rules)
2030594 - ET INFO Generic 302 Redirect to Google (info.rules)
2030652 - ET TROJAN Suspected APT32/Oceanlotus Maldoc CnC (trojan.rules)
2030695 - ET CURRENT_EVENTS Successful Paxful Cryptocurrency Wallet Phish
2020-08-17 (current_events.rules)
2030994 - ET TROJAN MontysThree HTTPTransport Module Activity
(trojan.rules)
2031083 - ET POLICY File Downloaded from Discord (policy.rules)
2031298 - ET TROJAN Win32/IcedID Requesting Encoded Binary M5
(trojan.rules)
2802171 - ETPRO WORM Worm.Win32.Nokpuda.A Checkin (worm.rules)
2803402 - ETPRO TROJAN Backdoor.Win32.Reppserv.A Checkin 2 (trojan.rules)
2803714 - ETPRO TROJAN Trojan.Win32.Scapzilla.A Checkin (trojan.rules)
2809065 - ETPRO TROJAN Backdoor.Kivars Checkin (trojan.rules)
2809433 - ETPRO EXPLOIT tnftp_savefile CVE-2014-8517 Exploit Attempt
Response (exploit.rules)
2811402 - ETPRO TROJAN Emotet CnC Beacon (trojan.rules)
2812432 - ETPRO TROJAN Garveep CnC Beacon Fake Headers (trojan.rules)
2815849 - ETPRO TROJAN MegalodonHTTP Traffic to Panel (trojan.rules)
2815926 - ETPRO CURRENT_EVENTS Successful IRS Phish Jan 22 2016
(current_events.rules)
2820099 - ETPRO MALWARE Fake Software Update Redirect (malware.rules)
2820350 - ETPRO WEB_CLIENT Suspicious Redirect - Possible Phishing May 25
2016 (web_client.rules)
2822364 - ETPRO CURRENT_EVENTS Unknown MalDoc Requesting Remote Template
M2 (current_events.rules)
2825163 - ETPRO CURRENT_EVENTS Successful Generic Phish (Redirect to
Download PDF) Feb 28 2017 (current_events.rules)
2826432 - ETPRO TROJAN TR/Agent.ybjxp Backdoor Request May 17 2017
(trojan.rules)
2827198 - ETPRO CURRENT_EVENTS Successful Generic Phish - Redirect to
Google Jul 18 2017 (current_events.rules)
2827384 - ETPRO CURRENT_EVENTS Possible Successful Generic Multi Step
Phish Aug 03 2017 (current_events.rules)
2827598 - ETPRO CURRENT_EVENTS Successful Bittrex Exchange Phish Aug 21
2017 (current_events.rules)
2828083 - ETPRO CURRENT_EVENTS Possible Successful Chase Phish Sept 28
2017 (current_events.rules)
2828217 - ETPRO CURRENT_EVENTS Successful Personalized Phish Oct 10 2017
(current_events.rules)
2828404 - ETPRO CURRENT_EVENTS Successful Chase Phish M4 Oct 24 2017
(current_events.rules)
2828545 - ETPRO CURRENT_EVENTS Successful Netflix Phish Nov 06 2017
(current_events.rules)
2828759 - ETPRO CURRENT_EVENTS Successful Gmail Phish 2017-12-03
(current_events.rules)
2828846 - ETPRO CURRENT_EVENTS Possible Successful Mailbox Shutdown Phish
2017-12-11 (current_events.rules)
2829082 - ETPRO CURRENT_EVENTS Successful Docusign Phish 2017-12-27
(current_events.rules)
2829096 - ETPRO CURRENT_EVENTS Possible Successful Generic Multi Step
Phish 2017-12-27 (current_events.rules)
2829223 - ETPRO TROJAN Win32/CoinMiner.AQL Checkin Observed (trojan.rules)
2829298 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2018-01-16
(current_events.rules)
2829325 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-01-17 M1
(current_events.rules)
2829353 - ETPRO CURRENT_EVENTS Successful ATT Phish 2018-01-19
(current_events.rules)
2829366 - ETPRO CURRENT_EVENTS Successful GoDaddy Phish 2018-01-22
(current_events.rules)
2830048 - ETPRO CURRENT_EVENTS Successful Apple ID Phish 2018-03-19
(current_events.rules)
2830185 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2018-03-29 (current_events.rules)
2830215 - ETPRO CURRENT_EVENTS Successful MWeb Phish 2018-04-02
(current_events.rules)
2830269 - ETPRO CURRENT_EVENTS Successful Office 365 Phish 2018-04-05 M1
(current_events.rules)
2830282 - ETPRO CURRENT_EVENTS Successful Generic Phish - 302 to Google
Redirect 2018-04-05 (current_events.rules)
2830288 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2018-04-06
(current_events.rules)
2830295 - ETPRO CURRENT_EVENTS Successful AT&T Phish 2018-04-06
(current_events.rules)
2830404 - ETPRO CURRENT_EVENTS Successful Generic Phish 2018-04-16
(current_events.rules)
2830467 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-04-18
(current_events.rules)
2830540 - ETPRO CURRENT_EVENTS Successful Generic Phish (Chase/Paypal)
2018-04-24 (current_events.rules)
2831094 - ETPRO TROJAN Win32/Finderbot Checkin (trojan.rules)
2831190 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2018-06-07 (current_events.rules)
2831223 - ETPRO CURRENT_EVENTS Successful Generic Phish - Observed in
OneDrive Phishing 2018-06-11 (current_events.rules)
2831773 - ETPRO CURRENT_EVENTS Successful Generic Phish - Redirect to PDF
2018-07-16 (current_events.rules)
2831778 - ETPRO CURRENT_EVENTS Successful Generic Phish - Redirect to
Voicemail 2018-07-16 (current_events.rules)
2831781 - ETPRO CURRENT_EVENTS Successful Generic Phish - Redirect to FTP
2018-07-16 (current_events.rules)
2831868 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2018-07-18
(current_events.rules)
2831869 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2018-07-18
(current_events.rules)
2831892 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2018-07-19
(current_events.rules)
2832043 - ETPRO CURRENT_EVENTS Successful Personalized Phish 2017-08-01
(current_events.rules)
2832690 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish
2018-09-19 (current_events.rules)
2832724 - ETPRO CURRENT_EVENTS Successful Excel Online Phish 2018-09-21
(current_events.rules)
2834832 - ETPRO CURRENT_EVENTS Successful Personalized Generic Phish
2019-02-11 (current_events.rules)
2838038 - ETPRO CURRENT_EVENTS Generic 302 Redirect to Phishing Landing
(current_events.rules)
2840144 - ETPRO CURRENT_EVENTS MalDoc Retrieving Evil exe/msi/doc M2
(current_events.rules)
2840169 - ETPRO TROJAN Win32/Various Ransomware CnC Activity
(trojan.rules)
2840765 - ETPRO MALWARE Win32/FlyStudio Variant CnC (malware.rules)
2840831 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-02-03
(current_events.rules)
2840832 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-02-03
(current_events.rules)
2840969 - ETPRO TROJAN Win32/Occamy.C Activity M4 (trojan.rules)
2841024 - ETPRO TROJAN Possible Inception/CloudAtlas GET Request via
Document M1 (trojan.rules)
2841198 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-02-25
(current_events.rules)
2841224 - ETPRO CURRENT_EVENTS Successful Adobe Document Cloud Phish
2020-02-26 (current_events.rules)
2841394 - ETPRO CURRENT_EVENTS Successful Mweb Mailbox Phish 2020-03-05
(current_events.rules)
2841687 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-03-24
(current_events.rules)
2841822 - ETPRO TROJAN MSIL/Poulight Stealer - Fool System Redirect
(trojan.rules)
2841832 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-04-01
(current_events.rules)
2841842 - ETPRO CURRENT_EVENTS Successful Verizon Phish 2020-04-02
(current_events.rules)
2842065 - ETPRO CURRENT_EVENTS Successful Coinbase Phish 2020-04-16
(current_events.rules)
2842073 - ETPRO TROJAN BazaBackdoor Variant CnC (Checkin) (trojan.rules)
2842107 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-04-20
(current_events.rules)
2842297 - ETPRO CURRENT_EVENTS Successful Cogenco Phish 2020-04-30
(current_events.rules)
2842298 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-04-30
(current_events.rules)
2842764 - ETPRO CURRENT_EVENTS Successful Mimecast Phish 2020-05-28
(current_events.rules)
2842765 - ETPRO CURRENT_EVENTS Successful Mimecast Phish 2020-05-28
(current_events.rules)
2842766 - ETPRO CURRENT_EVENTS Successful Mimecast Phish 2020-05-28
(current_events.rules)
2842809 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-06-01
(current_events.rules)
2842881 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2020-06-04
(current_events.rules)
2842963 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-06-10
(current_events.rules)
2842977 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish
2020-06-10 (current_events.rules)
2843009 - ETPRO CURRENT_EVENTS Successful Shaw Webmail Phish 2020-06-12
(current_events.rules)
2843035 - ETPRO TROJAN BazaBackdoor Variant CnC Activity M3 (trojan.rules)
2843224 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-06-26
(current_events.rules)
2843273 - ETPRO CURRENT_EVENTS Succcesful Generic Phish 2020-06-30
(current_events.rules)
2843458 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-07-10
(current_events.rules)
2843510 - ETPRO CURRENT_EVENTS Successful University of Alberta Phish
2018-04-06 (current_events.rules)
2843542 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-07-15
(current_events.rules)
2843566 - ETPRO CURRENT_EVENTS Successful Tmobile Phish 2020-07-17
(current_events.rules)
2843646 - ETPRO CURRENT_EVENTS Successful Orange Phish 2020-07-23
(current_events.rules)
2844002 - ETPRO CURRENT_EVENTS Successful Proofpoint Phish 2020-08-13
(current_events.rules)
2844861 - ETPRO TROJAN XDSPY .dll Download Request (trojan.rules)
2844991 - ETPRO TROJAN Bazaloader Variant CnC Activity (trojan.rules)
2844992 - ETPRO TROJAN Bazaloader Variant CnC Activity (trojan.rules)
2844993 - ETPRO TROJAN Bazaloader Variant CnC Activity (trojan.rules)
2845128 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) 2020-10-23
(current_events.rules)
2845129 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) 2020-10-23
(current_events.rules)
2845130 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) 2020-10-23
(current_events.rules)
2845131 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) 2020-10-23
(current_events.rules)
2845132 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) 2020-10-23
(current_events.rules)
2845255 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Fakenocam.d Checkin
(mobile_malware.rules)
2845877 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Knobot.g Checkin
(mobile_malware.rules)
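The six new ETPRO INFO signatures 2845982-2845987 and the modified ET TROJAN 2029846 all key on the same pattern: a zip archive leaving the network in a POST body whose entries carry the stock names a credential stealer writes (Passwords.txt, Process.txt, WebCam.png and so on). The Python below is an added example, not the content of those rules or any Emerging Threats code, showing how to pull entry names out of a raw POST body and match them against that list. The name list is copied from the rule titles; the multipart framing, the parser and the sample uploads are this example's own assumptions. It walks the zip local file headers directly rather than opening the archive, so a truncated upload or one wrapped in multipart/form-data still yields names, which is also the view a wire-level signature has.

```python
import io
import struct
import zipfile

# Entry names taken from the rule titles above; the match list and the
# parsing are this example's own, not the ETPRO rules' match logic.
SUSPICIOUS_NAMES = {
    "passwords.txt", "windows.txt", "productkey.txt", "process.txt",
    "webcam.png", "downloads.txt", "startup.txt",
}

LOCAL_SIG = b"PK\x03\x04"
# Local file header: sig, version, flags, method, mtime, mdate, crc32,
# compressed size, uncompressed size, name length, extra length (30 bytes).
LOCAL_FMT = "<4sHHHHHIIIHH"
LOCAL_LEN = struct.calcsize(LOCAL_FMT)


def zip_entry_names(body):
    """Yield the file name from every zip local file header in a byte blob."""
    pos = body.find(LOCAL_SIG)
    while pos != -1 and pos + LOCAL_LEN <= len(body):
        fields = struct.unpack_from(LOCAL_FMT, body, pos)
        flags, csize, name_len, extra_len = fields[2], fields[7], fields[9], fields[10]
        name_start = pos + LOCAL_LEN
        raw = body[name_start:name_start + name_len]
        if len(raw) != name_len:
            break  # header cut off mid-name: nothing more to read
        # General-purpose flag bit 11 marks a UTF-8 name; otherwise it is CP437.
        yield raw.decode("utf-8" if flags & 0x800 else "cp437", errors="replace")
        # Skip the compressed data when its size is recorded (csize is 0 when a
        # data descriptor follows; then we just search onward for the next header).
        pos = body.find(LOCAL_SIG, name_start + name_len + extra_len + csize)


def suspicious_zip_names(body):
    """Return entry names whose basename is on the suspicious list (case-insensitive)."""
    hits = []
    for name in zip_entry_names(body):
        base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in SUSPICIOUS_NAMES:
            hits.append(name)
    return hits


def build_post_body(entries):
    """Constructed sample: a multipart/form-data POST carrying an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    boundary = b"----examplebound"
    return (
        b"--" + boundary + b"\r\n"
        + b'Content-Disposition: form-data; name="file"; filename="upload.zip"\r\n'
        + b"Content-Type: application/zip\r\n\r\n"
        + buf.getvalue()
        + b"\r\n--" + boundary + b"--\r\n"
    )


# Constructed traffic: a stealer-style bundle and an ordinary document upload.
STEALER_POST = build_post_body({
    "Passwords.txt": b"site|user|pass\n",
    "Process.txt": b"explorer.exe\nchrome.exe\n",
    "WebCam.png": b"\x89PNG\r\n\x1a\n",
    "sub/Startup.txt": b"OneDrive.exe\n",
})
BENIGN_POST = build_post_body({
    "Q4-report.docx": b"word document bytes",
    "notes.txt": b"meeting notes\n",
})

if __name__ == "__main__":
    for label, body in (("stealer", STEALER_POST), ("benign", BENIGN_POST)):
        print(label, list(zip_entry_names(body)), "->", suspicious_zip_names(body))
```

The basename comparison is deliberate: stealer bundles often nest these files under a directory named after the victim host, so matching on the full path would miss them. Matching on the name alone is also why the rule family is INFO rather than TROJAN for most of the names; a user uploading their own Downloads.txt trips it too, so treat a hit as a pivot point and look at the rest of the archive and the destination.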
[---] Disabled and modified rules: [---]
2024133 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in
RIG EK Redirects M1 (current_events.rules)
2024134 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in
RIG EK Redirects M2 (current_events.rules)
2024135 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in
RIG EK Redirects M3 (current_events.rules)
2024136 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in
RIG EK Redirects M4 (current_events.rules)
2024137 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in
RIG EK Redirects M5 (current_events.rules)
2024138 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in
RIG EK Redirects M6 (current_events.rules)
2024139 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in
RIG EK Redirects M7 (current_events.rules)
2024140 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in
RIG EK Redirects M8 (current_events.rules)
2024141 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in
RIG EK Redirects M9 (current_events.rules)
2024142 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in
RIG EK Redirects M10 (current_events.rules)
2829971 - ETPRO CURRENT_EVENTS Successful Google Docs Phish 2018-03-12
(current_events.rules)
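The ten RIG EK signatures 2024133-2024142 being disabled here look for a redirect whose host is written as a single decimal number (for example http://3405803781/) instead of a dotted quad, a form browsers accept and exploit-kit gates have used to dodge naive URL matching. The Python below is an added example, not the content of those rules, that decodes such a host back to its dotted form and flags 3xx responses carrying one. The responses are constructed for the example; handling of 0x hex and leading-zero octal hosts goes beyond the decimal form named in the rule titles and is this example's own extension.

```python
import ipaddress
from urllib.parse import urlsplit


def decode_numeric_host(host):
    """Return the dotted-quad form of a host written as one 32-bit number.

    Plain decimal is the form named in the rule titles; 0x-prefixed hex and
    leading-zero octal are added here because browsers accept them as well.
    Returns None for ordinary hostnames and for dotted IPs.
    """
    h = host.lower()
    try:
        if h.startswith("0x") and len(h) > 2:
            value = int(h[2:], 16)
        elif h.isdigit() and len(h) > 1 and h.startswith("0"):
            value = int(h, 8)
        elif h.isdigit():
            value = int(h, 10)
        else:
            return None
    except ValueError:
        return None
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def numeric_ip_redirects(responses):
    """Flag 3xx responses whose Location host is a numeric IP.

    responses: iterable of (status, headers) with headers as a dict.
    Returns a list of (location, decoded_ip) tuples in input order.
    """
    findings = []
    for status, headers in responses:
        location = headers.get("Location")
        if not (300 <= status < 400 and location):
            continue
        host = urlsplit(location).hostname or ""  # hostname is lowercased, port stripped
        decoded = decode_numeric_host(host)
        if decoded is not None:
            findings.append((location, decoded))
    return findings


# Constructed responses: two encoded redirects to the same address,
# two ordinary redirects, and one response that is not a redirect at all.
RESPONSES = [
    (302, {"Location": "http://3405803781/rig/?id=1"}),
    (302, {"Location": "http://0xCB007105/"}),
    (301, {"Location": "https://www.example.com/login"}),
    (302, {"Location": "http://198.51.100.7/"}),
    (200, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for location, ip in numeric_ip_redirects(RESPONSES):
        print(f"{location} -> {ip}")
```

Dotted-quad Locations are intentionally not flagged: a redirect to a bare IP is common enough in ordinary traffic that it would bury the encoded cases. Even the encoded form is not proof of malice, which is consistent with these rules moving to the disabled set; use the decoded address as the pivot and check what else talked to it.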
[---] Removed rules: [---]
2845912 - ETPRO CHAT Successful T-Mobile Phish 2020-12-08 (chat.rules)