[***]            Summary:            [***]

5 new OPEN, 30 new PRO (5 + 25). MALWARE Android/Spy.SmsSpy.IT, Joomla RCE, LuckyMouse, and Various Phishing

Thanks: @travisbgreen.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031316 - ET TROJAN Suspected APT LuckyMouse BlueTraveller CnC (trojan.rules)
  2031317 - ET INFO McAfee AV Download (set) (info.rules)
  2031318 - ET CURRENT_EVENTS 401TRG Liferay RCE (CVE-2020-7961) (current_events.rules)
  2031319 - ET EXPLOIT Joomla RCE (JDatabaseDriverMysqli) M2 (exploit.rules)
  2031320 - ET TROJAN APT LuckyMouse Polpo Malware CnC (trojan.rules)

Pro:

  2845912 - ETPRO CURRENT_EVENTS Successful T-Mobile Phish 2020-12-08 (current_events.rules)
  2845979 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.fh Contact List Exfiltration via SMTP (mobile_malware.rules)
  2845980 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.IT Contact List Exfiltration via SMTP (mobile_malware.rules)
  2845981 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ka Reporting Infection via SMTP (mobile_malware.rules)
  2845982 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (Windows.txt) (info.rules)
  2845983 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (ProductKey.txt) (info.rules)
  2845984 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (Process.txt) (info.rules)
  2845985 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (WebCam.png) (info.rules)
  2845986 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (Downloads.txt) (info.rules)
  2845987 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (Startup.txt) (info.rules)
  2845988 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-11 1) (trojan.rules)
  2845989 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-11 2) (trojan.rules)
  2845990 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-11 3) (trojan.rules)
  2845991 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-12-11 (current_events.rules)
  2845992 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-12-11 (current_events.rules)
  2845993 - ETPRO CURRENT_EVENTS Successful OneDrive Phish 2020-12-11 (current_events.rules)
  2845994 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-12-11 (current_events.rules)
  2845995 - ETPRO TROJAN Win32/Datper Variant CnC Host Checkin (trojan.rules)
  2845996 - ETPRO CURRENT_EVENTS Successful Interbank Phish 2020-12-11 (current_events.rules)
  2845997 - ETPRO CURRENT_EVENTS Successful OneDrive Shared Link Phish 2020-12-11 (current_events.rules)
  2845998 - ETPRO CURRENT_EVENTS Successful Volksbanken Phish 2020-12-11 (current_events.rules)
  2845999 - ETPRO CURRENT_EVENTS Successful Huntington Bank Phish 2020-12-11 (current_events.rules)
  2846000 - ETPRO CURRENT_EVENTS Successful Square Phish 2020-12-11 (current_events.rules)
  2846001 - ETPRO CURRENT_EVENTS Successful American Express Phish 2020-12-11 (current_events.rules)
  2846002 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-12-11 (current_events.rules)

[///]     Modified active rules:     [///]

  2006381 - ET MALWARE Ask.com Toolbar/Spyware User-Agent (AskPBar) (malware.rules)
  2011108 - ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
  2011109 - ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter DELETE FROM SQL Injection Attempt (web_specific_apps.rules)
  2011110 - ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UNION SELECT SQL Injection Attempt (web_specific_apps.rules)
  2011111 - ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
  2011112 - ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
  2015985 - ET TROJAN Win32/Kuluoz.B Request (trojan.rules)
  2016528 - ET TROJAN W32/Asprox CnC Beacon (trojan.rules)
  2017702 - ET TROJAN Possible Trojan.APT.9002 POST (trojan.rules)
  2017714 - ET TROJAN PlugX Checkin (trojan.rules)
  2019176 - ET CURRENT_EVENTS Possible Astrum EK URI Struct (current_events.rules)
  2020656 - ET TROJAN Banker Boleto Fraud JS_BROBAN.SM Checkin 3 (trojan.rules)
  2021631 - ET TROJAN Sharik/Smoke CnC Beacon 2 (trojan.rules)
  2021829 - ET TROJAN Ursnif Variant CnC Beacon 4 (trojan.rules)
  2021991 - ET WEB_CLIENT Fake Java Installer Landing Page Oct 21 (web_client.rules)
  2022261 - ET EXPLOIT Joomla RCE (JDatabaseDriverMysqli) (exploit.rules)
  2023551 - ET TROJAN Locky CnC checkin Nov 21 (trojan.rules)
  2023679 - ET TROJAN JS/WSF Downloader Dec 08 2016 M6 (trojan.rules)
  2023711 - ET TROJAN JS/WSF Downloader Dec 08 2016 M7 (trojan.rules)
  2024617 - ET CURRENT_EVENTS Successful Poloniex Cryptocurrency Exchange Phish Aug 28 2017 (current_events.rules)
  2024618 - ET CURRENT_EVENTS Successful Exmo Cryptocurrency Exchange Phish Aug 28 2017 (current_events.rules)
  2024621 - ET CURRENT_EVENTS Successful Paxful Cryptocurrency Wallet Phish Aug 30 2017 (current_events.rules)
  2024640 - ET CURRENT_EVENTS Successful LocalBitcoins Cryptocurrency Exchange Phish Aug 30 2017 (current_events.rules)
  2029193 - ET TROJAN Win32/Valak <v9 - Stage 2 - Request (trojan.rules)
  2029499 - ET TROJAN PHPs Labyrinth Backdoor Stage1 CnC Activity (trojan.rules)
  2029662 - ET CURRENT_EVENTS Successful Generic .EDU Phish Aug 17 2017 (current_events.rules)
  2029669 - ET CURRENT_EVENTS Successful Generic Personalized Phish 2019-02-13 (current_events.rules)
  2029846 - ET TROJAN Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) (trojan.rules)
  2030339 - ET DOS CallStranger - Attempted UPnP Reflected Amplified TCP with Multiple Callbacks (CVE-2020-12695) (dos.rules)
  2030594 - ET INFO Generic 302 Redirect to Google (info.rules)
  2030652 - ET TROJAN Suspected APT32/Oceanlotus Maldoc CnC (trojan.rules)
  2030695 - ET CURRENT_EVENTS Successful Paxful Cryptocurrency Wallet Phish 2020-08-17 (current_events.rules)
  2030994 - ET TROJAN MontysThree HTTPTransport Module Activity (trojan.rules)
  2031083 - ET POLICY File Downloaded from Discord (policy.rules)
  2031298 - ET TROJAN Win32/IcedID Requesting Encoded Binary M5 (trojan.rules)
  2802171 - ETPRO WORM Worm.Win32.Nokpuda.A Checkin (worm.rules)
  2803402 - ETPRO TROJAN Backdoor.Win32.Reppserv.A Checkin 2 (trojan.rules)
  2803714 - ETPRO TROJAN Trojan.Win32.Scapzilla.A Checkin (trojan.rules)
  2809065 - ETPRO TROJAN Backdoor.Kivars Checkin (trojan.rules)
  2809433 - ETPRO EXPLOIT tnftp_savefile CVE-2014-8517 Exploit Attempt Response (exploit.rules)
  2811402 - ETPRO TROJAN Emotet CnC Beacon (trojan.rules)
  2812432 - ETPRO TROJAN Garveep CnC Beacon Fake Headers (trojan.rules)
  2815849 - ETPRO TROJAN MegalodonHTTP Traffic to Panel (trojan.rules)
  2815926 - ETPRO CURRENT_EVENTS Successful IRS Phish Jan 22 2016 (current_events.rules)
  2820099 - ETPRO MALWARE Fake Software Update Redirect (malware.rules)
  2820350 - ETPRO WEB_CLIENT Suspicious Redirect - Possible Phishing May 25 2016 (web_client.rules)
  2822364 - ETPRO CURRENT_EVENTS Unknown MalDoc Requesting Remote Template M2 (current_events.rules)
  2825163 - ETPRO CURRENT_EVENTS Successful Generic Phish (Redirect to Download PDF) Feb 28 2017 (current_events.rules)
  2826432 - ETPRO TROJAN TR/Agent.ybjxp Backdoor Request May 17 2017 (trojan.rules)
  2827198 - ETPRO CURRENT_EVENTS Successful Generic Phish - Redirect to Google Jul 18 2017 (current_events.rules)
  2827384 - ETPRO CURRENT_EVENTS Possible Successful Generic Multi Step Phish Aug 03 2017 (current_events.rules)
  2827598 - ETPRO CURRENT_EVENTS Successful Bittrex Exchange Phish Aug 21 2017 (current_events.rules)
  2828083 - ETPRO CURRENT_EVENTS Possible Successful Chase Phish Sept 28 2017 (current_events.rules)
  2828217 - ETPRO CURRENT_EVENTS Successful Personalized Phish Oct 10 2017 (current_events.rules)
  2828404 - ETPRO CURRENT_EVENTS Successful Chase Phish M4 Oct 24 2017 (current_events.rules)
  2828545 - ETPRO CURRENT_EVENTS Successful Netflix Phish Nov 06 2017 (current_events.rules)
  2828759 - ETPRO CURRENT_EVENTS Successful Gmail Phish 2017-12-03 (current_events.rules)
  2828846 - ETPRO CURRENT_EVENTS Possible Successful Mailbox Shutdown Phish 2017-12-11 (current_events.rules)
  2829082 - ETPRO CURRENT_EVENTS Successful Docusign Phish 2017-12-27 (current_events.rules)
  2829096 - ETPRO CURRENT_EVENTS Possible Successful Generic Multi Step Phish 2017-12-27 (current_events.rules)
  2829223 - ETPRO TROJAN Win32/CoinMiner.AQL Checkin Observed (trojan.rules)
  2829298 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2018-01-16 (current_events.rules)
  2829325 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-01-17 M1 (current_events.rules)
  2829353 - ETPRO CURRENT_EVENTS Successful ATT Phish 2018-01-19 (current_events.rules)
  2829366 - ETPRO CURRENT_EVENTS Successful GoDaddy Phish 2018-01-22 (current_events.rules)
  2830048 - ETPRO CURRENT_EVENTS Successful Apple ID Phish 2018-03-19 (current_events.rules)
  2830185 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2018-03-29 (current_events.rules)
  2830215 - ETPRO CURRENT_EVENTS Successful MWeb Phish 2018-04-02 (current_events.rules)
  2830269 - ETPRO CURRENT_EVENTS Successful Office 365 Phish 2018-04-05 M1 (current_events.rules)
  2830282 - ETPRO CURRENT_EVENTS Successful Generic Phish - 302 to Google Redirect 2018-04-05 (current_events.rules)
  2830288 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2018-04-06 (current_events.rules)
  2830295 - ETPRO CURRENT_EVENTS Successful AT&T Phish 2018-04-06 (current_events.rules)
  2830404 - ETPRO CURRENT_EVENTS Successful Generic Phish 2018-04-16 (current_events.rules)
  2830467 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-04-18 (current_events.rules)
  2830540 - ETPRO CURRENT_EVENTS Successful Generic Phish (Chase/Paypal) 2018-04-24 (current_events.rules)
  2831094 - ETPRO TROJAN Win32/Finderbot Checkin (trojan.rules)
  2831190 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2018-06-07 (current_events.rules)
  2831223 - ETPRO CURRENT_EVENTS Successful Generic Phish - Observed in OneDrive Phishing 2018-06-11 (current_events.rules)
  2831773 - ETPRO CURRENT_EVENTS Successful Generic Phish - Redirect to PDF 2018-07-16 (current_events.rules)
  2831778 - ETPRO CURRENT_EVENTS Successful Generic Phish - Redirect to Voicemail 2018-07-16 (current_events.rules)
  2831781 - ETPRO CURRENT_EVENTS Successful Generic Phish - Redirect to FTP 2018-07-16 (current_events.rules)
  2831868 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2018-07-18 (current_events.rules)
  2831869 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2018-07-18 (current_events.rules)
  2831892 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2018-07-19 (current_events.rules)
  2832043 - ETPRO CURRENT_EVENTS Successful Personalized Phish 2017-08-01 (current_events.rules)
  2832690 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish 2018-09-19 (current_events.rules)
  2832724 - ETPRO CURRENT_EVENTS Successful Excel Online Phish 2018-09-21 (current_events.rules)
  2834832 - ETPRO CURRENT_EVENTS Successful Personalized Generic Phish 2019-02-11 (current_events.rules)
  2838038 - ETPRO CURRENT_EVENTS Generic 302 Redirect to Phishing Landing (current_events.rules)
  2840144 - ETPRO CURRENT_EVENTS MalDoc Retrieving Evil exe/msi/doc M2 (current_events.rules)
  2840169 - ETPRO TROJAN Win32/Various Ransomware CnC Activity (trojan.rules)
  2840765 - ETPRO MALWARE Win32/FlyStudio Variant CnC (malware.rules)
  2840831 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-02-03 (current_events.rules)
  2840832 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-02-03 (current_events.rules)
  2840969 - ETPRO TROJAN Win32/Occamy.C Activity M4 (trojan.rules)
  2841024 - ETPRO TROJAN Possible Inception/CloudAtlas GET Request via Document M1 (trojan.rules)
  2841198 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-02-25 (current_events.rules)
  2841224 - ETPRO CURRENT_EVENTS Successful Adobe Document Cloud Phish 2020-02-26 (current_events.rules)
  2841394 - ETPRO CURRENT_EVENTS Successful Mweb Mailbox Phish 2020-03-05 (current_events.rules)
  2841687 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-03-24 (current_events.rules)
  2841822 - ETPRO TROJAN MSIL/Poulight Stealer - Fool System Redirect (trojan.rules)
  2841832 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-04-01 (current_events.rules)
  2841842 - ETPRO CURRENT_EVENTS Successful Verizon Phish 2020-04-02 (current_events.rules)
  2842065 - ETPRO CURRENT_EVENTS Successful Coinbase Phish 2020-04-16 (current_events.rules)
  2842073 - ETPRO TROJAN BazaBackdoor Variant CnC (Checkin) (trojan.rules)
  2842107 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-04-20 (current_events.rules)
  2842297 - ETPRO CURRENT_EVENTS Successful Cogenco Phish 2020-04-30 (current_events.rules)
  2842298 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-04-30 (current_events.rules)
  2842764 - ETPRO CURRENT_EVENTS Successful Mimecast Phish 2020-05-28 (current_events.rules)
  2842765 - ETPRO CURRENT_EVENTS Successful Mimecast Phish 2020-05-28 (current_events.rules)
  2842766 - ETPRO CURRENT_EVENTS Successful Mimecast Phish 2020-05-28 (current_events.rules)
  2842809 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-06-01 (current_events.rules)
  2842881 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2020-06-04 (current_events.rules)
  2842963 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-06-10 (current_events.rules)
  2842977 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish 2020-06-10 (current_events.rules)
  2843009 - ETPRO CURRENT_EVENTS Successful Shaw Webmail Phish 2020-06-12 (current_events.rules)
  2843035 - ETPRO TROJAN BazaBackdoor Variant CnC Activity M3 (trojan.rules)
  2843224 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-06-26 (current_events.rules)
  2843273 - ETPRO CURRENT_EVENTS Succcesful Generic Phish 2020-06-30 (current_events.rules)
  2843458 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-07-10 (current_events.rules)
  2843510 - ETPRO CURRENT_EVENTS Successful University of Alberta Phish 2018-04-06 (current_events.rules)
  2843542 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-07-15 (current_events.rules)
  2843566 - ETPRO CURRENT_EVENTS Successful Tmobile Phish 2020-07-17 (current_events.rules)
  2843646 - ETPRO CURRENT_EVENTS Successful Orange Phish 2020-07-23 (current_events.rules)
  2844002 - ETPRO CURRENT_EVENTS Successful Proofpoint Phish 2020-08-13 (current_events.rules)
  2844861 - ETPRO TROJAN XDSPY .dll Download Request (trojan.rules)
  2844991 - ETPRO TROJAN Bazaloader Variant CnC Activity (trojan.rules)
  2844992 - ETPRO TROJAN Bazaloader Variant CnC Activity (trojan.rules)
  2844993 - ETPRO TROJAN Bazaloader Variant CnC Activity (trojan.rules)
  2845128 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) 2020-10-23 (current_events.rules)
  2845129 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) 2020-10-23 (current_events.rules)
  2845130 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) 2020-10-23 (current_events.rules)
  2845131 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) 2020-10-23 (current_events.rules)
  2845132 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) 2020-10-23 (current_events.rules)
  2845255 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Fakenocam.d Checkin (mobile_malware.rules)
  2845877 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Knobot.g Checkin (mobile_malware.rules)

[---]  Disabled and modified rules:  [---]

  2024133 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M1 (current_events.rules)
  2024134 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M2 (current_events.rules)
  2024135 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M3 (current_events.rules)
  2024136 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M4 (current_events.rules)
  2024137 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M5 (current_events.rules)
  2024138 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M6 (current_events.rules)
  2024139 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M7 (current_events.rules)
  2024140 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M8 (current_events.rules)
  2024141 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M9 (current_events.rules)
  2024142 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M10 (current_events.rules)
  2829971 - ETPRO CURRENT_EVENTS Successful Google Docs Phish 2018-03-12 (current_events.rules)

[---]         Removed rules:         [---]

  2845912 - ETPRO CHAT Successful T-Mobile Phish 2020-12-08 (chat.rules)