[***] Summary: [***]
10 new OPEN, 33 new PRO (10 + 23). MICROPSIA, Various APT32/OceanLotus, Android/Hiddad.KN, Win32/Packed.BlackMoon.A Variant, MSIL/PSW.Agent.NHM, Coinminers, VARIOUS PHISH.
Earlier today, we published an Out-of-Band rule update containing optimized rules for both Snort and Suricata directly related to the FireEye SUNBURST report IOCs. The sid range for these is 2031321 - 2031370. More information on that release can be found here:
http://lists.emergingthreats.net/pipermail/emerging-sigs/2020-December/030156.html
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031329 - ET TROJAN [Fireeye] SUNBURST Related DNS Lookup to highdatabase .com (trojan.rules)
2031371 - ET TROJAN MICROPSIA CnC Checkin (trojan.rules)
2031372 - ET TROJAN APT32/OceanLotus Associated Domain in DNS Lookup (tocaoonline .com) (trojan.rules)
2031373 - ET TROJAN APT32/OceanLotus Associated Domain in DNS Lookup (qh2020 .org) (trojan.rules)
2031374 - ET TROJAN APT32/OceanLotus Associated Domain in DNS Lookup (tinmoivietnam .com) (trojan.rules)
2031375 - ET TROJAN APT32/OceanLotus Associated Domain in DNS Lookup (tocaoonline .org) (trojan.rules)
2031376 - ET TROJAN APT32/OceanLotus Associated Domain in DNS Lookup (facebookdeck .com) (trojan.rules)
2031377 - ET TROJAN APT32/OceanLotus Associated Domain in DNS Lookup (nhansudaihoi13 .org) (trojan.rules)
2031378 - ET TROJAN APT32/OceanLotus Associated Domain in DNS Lookup (thundernews .org) (trojan.rules)
2031379 - ET INFO Doc Requesting Remote Template (.dotm) (info.rules)
Pro:
2846003 - ETPRO MOBILE_MALWARE Android/Hiddad.KN Checkin (mobile_malware.rules)
2846004 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.FakeCop.j Checkin (mobile_malware.rules)
2846005 - ETPRO MOBILE_MALWARE TianaSquare Reporting Location (mobile_malware.rules)
2846006 - ETPRO TROJAN MSIL/PSW.Agent.NHM Variant CnC Activity (trojan.rules)
2846007 - ETPRO TROJAN MICROPSIA Screenshot Upload (trojan.rules)
2846008 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-12 1) (trojan.rules)
2846009 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-12 2) (trojan.rules)
2846010 - ETPRO CURRENT_EVENTS Successful Amazon Jobs Phish 2020-12-14 (current_events.rules)
2846011 - ETPRO TROJAN Win32/Packed.BlackMoon.A Variant CnC Activity (trojan.rules)
2846012 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish 2020-12-14 (current_events.rules)
2846013 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2020-12-14 (current_events.rules)
2846014 - ETPRO CURRENT_EVENTS Successful Netease 163 Phish 2020-12-14 (current_events.rules)
2846015 - ETPRO CURRENT_EVENTS Successful Keybank Phish 2020-12-14 (current_events.rules)
2846016 - ETPRO CURRENT_EVENTS Successful Whatsapp Phish 2020-12-14 (current_events.rules)
2846017 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-12-14 (current_events.rules)
2846018 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-12-14 (current_events.rules)
2846019 - ETPRO TROJAN Win32/Remcos RAT Checkin 629 (trojan.rules)
2846020 - ETPRO TROJAN Observed Get2 Domain in TLS SNI (trojan.rules)
2846021 - ETPRO TROJAN Get2 CnC Domain in DNS Lookup (trojan.rules)
2846022 - ETPRO INFO Remote Template Retrieving Doc with VBA Project (info.rules)
2846023 - ETPRO CURRENT_EVENTS Successful Santander (UK) Phish 2020-12-14 (current_events.rules)
2846024 - ETPRO CURRENT_EVENTS Successful Metrobank Credential Phish 2020-12-14 (current_events.rules)
2846025 - ETPRO CURRENT_EVENTS Successful Pentagon Federal Credit Union Phish 2020-12-14 (current_events.rules)
[///] Modified active rules: [///]
2030599 - ET TROJAN IP Grabber CnC Activity (trojan.rules)
2031279 - ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice Server] (current_events.rules)
2839949 - ETPRO TROJAN Bandook v0.5FM TCP CnC Beacon (trojan.rules)
2845646 - ETPRO CURRENT_EVENTS Successful Orange FR Phish 2020-11-24 (current_events.rules)
2845653 - ETPRO INFO Clickmeter Tracking Pixel (info.rules)
2845672 - ETPRO TROJAN MSIL/Bucaspys.A CnC Host Checkin (trojan.rules)
2845766 - ETPRO CURRENT_EVENTS Successful Xfinity Credential Phish 2020-12-02 (current_events.rules)
2845786 - ETPRO CURRENT_EVENTS Successful My3 Phish 2020-12-03 (current_events.rules)
2845836 - ETPRO MOBILE_MALWARE Android Spy LuckyLeader Checkin (mobile_malware.rules)
2845837 - ETPRO MOBILE_MALWARE Android.SmsSend.1359.origin Checkin (mobile_malware.rules)
2845838 - ETPRO MOBILE_MALWARE Android.Agent.GEN24784 Checkin (mobile_malware.rules)
2845839 - ETPRO MOBILE_MALWARE Android.fyben.a Checkin (mobile_malware.rules)
2845879 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.nz Checkin (mobile_malware.rules)
2845882 - ETPRO MOBILE_MALWARE Downloader.AndroidOS.Agent.ar Checkin (mobile_malware.rules)
2845955 - ETPRO MOBILE_MALWARE Android LoadBlast Checkin (mobile_malware.rules)
2845956 - ETPRO MOBILE_MALWARE Android/Monitor.Reptilicus.F CnC Beacon (mobile_malware.rules)
2845957 - ETPRO MOBILE_MALWARE Android/Monitor.Reptilicus.F CnC Beacon 2 (mobile_malware.rules)
2845958 - ETPRO MOBILE_MALWARE Trojan.Android.Spy.fhcalt CnC Beacon (mobile_malware.rules)
2845959 - ETPRO MOBILE_MALWARE Android/Monitor.PanSpy.C Reporting Location (mobile_malware.rules)
2845960 - ETPRO MOBILE_MALWARE Android/Monitor.PanSpy.C Reporting Wifi Logs (mobile_malware.rules)
2845961 - ETPRO MOBILE_MALWARE Android/Monitor.PanSpy.C Reporting Device Info (mobile_malware.rules)
2845962 - ETPRO MOBILE_MALWARE Android Sangria Checkin (mobile_malware.rules)