[***] Summary: [***]
19 new OPEN, 47 new PRO (19 + 28). Dark Halo/SUNBURST, Trojan.AndroidOS.Triada.fxjp Checkin, Win32/PStealer CnC Exfil, W32/Agent.NEZKLG Variant, W32/SysChecker CnC, AsyncRAT, Ursnif, Coinminers, VARIOUS PHISH.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031380 - ET TROJAN Dark Halo/SUNBURST SSL Cert Inbound (solartrackingsystem .net) (trojan.rules)
2031381 - ET TROJAN Dark Halo/SUNBURST SSL Cert Inbound (webcodez .com) (trojan.rules)
2031382 - ET TROJAN Dark Halo/SUNBURST SSL Cert Inbound (lcomputers .com) (trojan.rules)
2031383 - ET TROJAN Dark Halo/SUNBURST SSL Cert Inbound (seobundlekit .com) (trojan.rules)
2031384 - ET TROJAN Dark Halo/SUNBURST SSL Cert Inbound (kubecloud .com) (trojan.rules)
2031385 - ET TROJAN Dark Halo/SUNBURST SSL Cert Inbound (globalnetworkissues .com) (trojan.rules)
2031387 - ET TROJAN Dark Halo/SUNBURST Related DNS Lookup to solartrackingsystem .net (trojan.rules)
2031388 - ET TROJAN Dark Halo/SUNBURST Related DNS Lookup to webcodez .com (trojan.rules)
2031389 - ET TROJAN Dark Halo/SUNBURST Related DNS Lookup to lcomputers .com (trojan.rules)
2031390 - ET TROJAN Dark Halo/SUNBURST Related DNS Lookup to seobundlekit .com (trojan.rules)
2031391 - ET TROJAN Dark Halo/SUNBURST Related DNS Lookup to kubecloud .com (trojan.rules)
2031392 - ET TROJAN Dark Halo/SUNBURST Related DNS Lookup to globalnetworkissues .com (trojan.rules)
2031393 - ET TROJAN Dark Halo/SUNBURST CnC Domain (solartrackingsystem .net in TLS SNI) (trojan.rules)
2031394 - ET TROJAN Dark Halo/SUNBURST CnC Domain (webcodez .com in TLS SNI) (trojan.rules)
2031395 - ET TROJAN Dark Halo/SUNBURST CnC Domain (lcomputers .com in TLS SNI) (trojan.rules)
2031396 - ET TROJAN Dark Halo/SUNBURST CnC Domain (seobundlekit .com in TLS SNI) (trojan.rules)
2031397 - ET TROJAN Dark Halo/SUNBURST CnC Domain (kubecloud .com in TLS SNI) (trojan.rules)
2031398 - ET TROJAN Dark Halo/SUNBURST CnC Domain (globalnetworkissues .com in TLS SNI) (trojan.rules)
2031386 - ET MALWARE Windows Explorer Tab Add-on Post Install Checkin (malware.rules)
Pro:
2846026 - ETPRO MOBILE_MALWARE Android NanoDati Checkin (mobile_malware.rules)
2846027 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.fxjp Checkin (mobile_malware.rules)
2846028 - ETPRO MOBILE_MALWARE AndroidOS/Hiddad.XJPF Checkin (mobile_malware.rules)
2846029 - ETPRO MOBILE_MALWARE Android Acraco Reporting Device Info (mobile_malware.rules)
2846030 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.aw Reporting Battery Level (mobile_malware.rules)
2846031 - ETPRO INFO Observed EXE Inbound with Content-Type Mismatch (application/zip) (info.rules)
2846032 - ETPRO TROJAN Ardamax Variant Sending App Command via FTP (trojan.rules)
2846033 - ETPRO TROJAN Ardamax Variant Screenshot Exfil via FTP (trojan.rules)
2846034 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2846035 - ETPRO TROJAN Win32/PStealer CnC Exfil (trojan.rules)
2846036 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-15 1) (trojan.rules)
2846037 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-15 2) (trojan.rules)
2846038 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-15 3) (trojan.rules)
2846039 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-15 4) (trojan.rules)
2846040 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-15 5) (trojan.rules)
2846041 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-15 6) (trojan.rules)
2846042 - ETPRO CURRENT_EVENTS Successful Santander Phish 2020-12-15 (current_events.rules)
2846043 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish 2020-12-15 (current_events.rules)
2846044 - ETPRO CURRENT_EVENTS Successful Apple iTunes Phish 2020-12-15 (current_events.rules)
2846045 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-12-15 (current_events.rules)
2846046 - ETPRO CURRENT_EVENTS Successful Netzero Phish 2020-12-15 (current_events.rules)
2846047 - ETPRO TROJAN W32/Agent.NEZKLG Variant CnC Host Checkin (trojan.rules)
2846048 - ETPRO TROJAN W32/SysChecker CnC Host Checkin (trojan.rules)
2846049 - ETPRO INFO Incorrect Spacing of UA Variable M3 (info.rules)
2846050 - ETPRO INFO Incorrect Spacing of UA Variable M4 (info.rules)
2846051 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2846052 - ETPRO CURRENT_EVENTS Successful Keybank Phish 2020-12-15 (current_events.rules)
2846053 - ETPRO CURRENT_EVENTS Successful Primabanka Phish 2020-12-15 (current_events.rules)
[+++] Enabled and modified rules: [+++]
2020170 - ET TROJAN Possible Office Doc with Embedded VBA containing Reverse Meterpreter Shell (trojan.rules)
[///] Modified active rules: [///]
2031324 - ET TROJAN [Fireeye] SUNBURST Related DNS Lookup to avsvmcloud .com (trojan.rules)
2031338 - ET TROJAN [Fireeye] Backdoor.SUNBURST HTTP Request to avsvmcloud .com (trojan.rules)
2031341 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (avsvmcloud .com) (trojan.rules)
2031342 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (digitalcollege .org) (trojan.rules)
2031343 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (freescanonline .com) (trojan.rules)
2031344 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (deftsecurity .com) (trojan.rules)
2031345 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (thedoccloud .com) (trojan.rules)
2031346 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (virtualdataserver .com) (trojan.rules)
2031352 - ET TROJAN [Fireeye] Backdoor.BEACON SSL Cert Inbound (incomeupdate .com) (trojan.rules)
2031353 - ET TROJAN [Fireeye] Backdoor.BEACON SSL Cert Inbound (zupertech .com) (trojan.rules)
2031354 - ET TROJAN [Fireeye] Backdoor.BEACON SSL Cert Inbound (databasegalore .com) (trojan.rules)
2031355 - ET TROJAN [Fireeye] Backdoor.BEACON SSL Cert Inbound (panhardware .com) (trojan.rules)
2031360 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (websitetheme .com) (trojan.rules)
2031361 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (highdatabase .com) (trojan.rules)
2837550 - ETPRO TROJAN Observed Trickbot Style SSL Cert (Internet Widgets Pty Ltd) (trojan.rules)