Daily Ruleset Update Summary
Daily Ruleset Update Summary 2020/12/15

[***]            Summary:            [***]

19 new OPEN, 47 new PRO (19 + 28). Dark Halo/SUNBURST, Trojan.AndroidOS.Triada.fxjp Checkin, Win32/PStealer CnC Exfil, W32/Agent.NEZKLG Variant, W32/SysChecker CnC, AsyncRAT, Ursnif, Coinminers, VARIOUS PHISH.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031380 - ET TROJAN Dark Halo/SUNBURST SSL Cert Inbound
(solartrackingsystem .net) (trojan.rules)
  2031381 - ET TROJAN Dark Halo/SUNBURST SSL Cert Inbound (webcodez .com)
(trojan.rules)
  2031382 - ET TROJAN Dark Halo/SUNBURST SSL Cert Inbound (lcomputers .com)
(trojan.rules)
  2031383 - ET TROJAN Dark Halo/SUNBURST SSL Cert Inbound (seobundlekit
.com) (trojan.rules)
  2031384 - ET TROJAN Dark Halo/SUNBURST SSL Cert Inbound (kubecloud .com)
(trojan.rules)
  2031385 - ET TROJAN Dark Halo/SUNBURST SSL Cert Inbound
(globalnetworkissues .com) (trojan.rules)
  2031387 - ET TROJAN Dark Halo/SUNBURST Related DNS Lookup to
solartrackingsystem .net (trojan.rules)
  2031388 - ET TROJAN Dark Halo/SUNBURST Related DNS Lookup to webcodez
.com (trojan.rules)
  2031389 - ET TROJAN Dark Halo/SUNBURST Related DNS Lookup to lcomputers
.com (trojan.rules)
  2031390 - ET TROJAN Dark Halo/SUNBURST Related DNS Lookup to seobundlekit
.com (trojan.rules)
  2031391 - ET TROJAN Dark Halo/SUNBURST Related DNS Lookup to kubecloud
.com (trojan.rules)
  2031392 - ET TROJAN Dark Halo/SUNBURST Related DNS Lookup to
globalnetworkissues .com (trojan.rules)
  2031393 - ET TROJAN Dark Halo/SUNBURST CnC Domain (solartrackingsystem
.net in TLS SNI) (trojan.rules)
  2031394 - ET TROJAN Dark Halo/SUNBURST CnC Domain (webcodez .com in TLS
SNI) (trojan.rules)
  2031395 - ET TROJAN Dark Halo/SUNBURST CnC Domain (lcomputers .com in TLS
SNI) (trojan.rules)
  2031396 - ET TROJAN Dark Halo/SUNBURST CnC Domain (seobundlekit .com in
TLS SNI) (trojan.rules)
  2031397 - ET TROJAN Dark Halo/SUNBURST CnC Domain (kubecloud .com in TLS
SNI) (trojan.rules)
  2031398 - ET TROJAN Dark Halo/SUNBURST CnC Domain (globalnetworkissues
.com in TLS SNI) (trojan.rules)
  2031386 - ET MALWARE Windows Explorer Tab Add-on Post Install Checkin
(malware.rules)

Pro:

  2846026 - ETPRO MOBILE_MALWARE Android NanoDati Checkin
(mobile_malware.rules)
  2846027 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.fxjp Checkin
(mobile_malware.rules)
  2846028 - ETPRO MOBILE_MALWARE AndroidOS/Hiddad.XJPF Checkin
(mobile_malware.rules)
  2846029 - ETPRO MOBILE_MALWARE Android Acraco Reporting Device Info
(mobile_malware.rules)
  2846030 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.aw Reporting
Battery Level (mobile_malware.rules)
  2846031 - ETPRO INFO Observed EXE Inbound with Content-Type Mismatch
(application/zip) (info.rules)
  2846032 - ETPRO TROJAN Ardamax Variant Sending App Command via FTP
(trojan.rules)
  2846033 - ETPRO TROJAN Ardamax Variant Screenshot Exfil via FTP
(trojan.rules)
  2846034 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
  2846035 - ETPRO TROJAN Win32/PStealer CnC Exfil (trojan.rules)
  2846036 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-12-15 1) (trojan.rules)
  2846037 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-12-15 2) (trojan.rules)
  2846038 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-12-15 3) (trojan.rules)
  2846039 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-12-15 4) (trojan.rules)
  2846040 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-12-15 5) (trojan.rules)
  2846041 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-12-15 6) (trojan.rules)
  2846042 - ETPRO CURRENT_EVENTS Successful Santander Phish 2020-12-15
(current_events.rules)
  2846043 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish
2020-12-15 (current_events.rules)
  2846044 - ETPRO CURRENT_EVENTS Successful Apple iTunes Phish 2020-12-15
(current_events.rules)
  2846045 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-12-15 (current_events.rules)
  2846046 - ETPRO CURRENT_EVENTS Successful Netzero Phish 2020-12-15
(current_events.rules)
  2846047 - ETPRO TROJAN W32/Agent.NEZKLG Variant CnC Host Checkin
(trojan.rules)
  2846048 - ETPRO TROJAN W32/SysChecker CnC Host Checkin (trojan.rules)
  2846049 - ETPRO INFO Incorrect Spacing of UA Variable M3 (info.rules)
  2846050 - ETPRO INFO Incorrect Spacing of UA Variable M4 (info.rules)
  2846051 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)
  2846052 - ETPRO CURRENT_EVENTS Successful Keybank Phish 2020-12-15
(current_events.rules)
  2846053 - ETPRO CURRENT_EVENTS Successful Primabanka Phish 2020-12-15
(current_events.rules)

[+++]   Enabled and modified rules:  [+++]

  2020170 - ET TROJAN Possible Office Doc with Embedded VBA containing
Reverse Meterpreter Shell (trojan.rules)

[///]     Modified active rules:     [///]

  2031324 - ET TROJAN [Fireeye] SUNBURST Related DNS Lookup to avsvmcloud
.com (trojan.rules)
  2031338 - ET TROJAN [Fireeye] Backdoor.SUNBURST HTTP Request to
avsvmcloud .com (trojan.rules)
  2031341 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound
(avsvmcloud .com) (trojan.rules)
  2031342 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound
(digitalcollege .org) (trojan.rules)
  2031343 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound
(freescanonline .com) (trojan.rules)
  2031344 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound
(deftsecurity .com) (trojan.rules)
  2031345 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound
(thedoccloud .com) (trojan.rules)
  2031346 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound
(virtualdataserver .com) (trojan.rules)
  2031352 - ET TROJAN [Fireeye] Backdoor.BEACON SSL Cert Inbound
(incomeupdate .com) (trojan.rules)
  2031353 - ET TROJAN [Fireeye] Backdoor.BEACON SSL Cert Inbound (zupertech
.com) (trojan.rules)
  2031354 - ET TROJAN [Fireeye] Backdoor.BEACON SSL Cert Inbound
(databasegalore .com) (trojan.rules)
  2031355 - ET TROJAN [Fireeye] Backdoor.BEACON SSL Cert Inbound
(panhardware .com) (trojan.rules)
  2031360 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound
(websitetheme .com) (trojan.rules)
  2031361 - ET TROJAN [Fireeye] Backdoor.SUNBURST SSL Cert Inbound
(highdatabase .com) (trojan.rules)
  2837550 - ETPRO TROJAN Observed Trickbot Style SSL Cert (Internet Widgets
Pty Ltd) (trojan.rules)

Date:
Summary title:
19 new OPEN, 47 new PRO (19 + 28). Dark Halo/SUNBURST, Trojan.AndroidOS.Triada.fxjp Checkin, Win32/PStealer CnC Exfil, W32/Agent.NEZKLG Variant, W32/SysChecker CnC, AsyncRAT, Ursnif, Coinminers, VARIOUS PHISH.