[***]            Summary:            [***]

20 new OPEN, 39 new PRO (20 + 19). AridViper CnC, Foudre, Formbook (GET/POST) moved to OPEN, Generic Webshell Access, Win32/Wacatac.D0!ml, W32/Deltacomp CnC, MSIL/Crimson, MSIL/VexioPL, Coinminers, VARIOUS PHISH.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2031399 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
  2031400 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
  2031401 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
  2031402 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
  2031403 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
  2031404 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
  2031405 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
  2031406 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
  2031407 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
  2031408 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
  2031409 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
  2031410 - ET TROJAN Foudre Checkin M2 (trojan.rules)
  2031411 - ET TROJAN Foudre Checkin M1 (trojan.rules)
  2031412 - ET TROJAN FormBook CnC Checkin (GET) (trojan.rules)
  2031413 - ET TROJAN FormBook CnC Checkin (POST) M2 (trojan.rules)
  2031414 - ET CURRENT_EVENTS Generic Tombol Microsoft Account Phishing Landing 2020-12-16 (current_events.rules)
  2031415 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server (web_server.rules)
  2031416 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server (web_client.rules)
  2031417 - ET TROJAN Foudre Checkin M3 (trojan.rules)
  2031418 - ET TROJAN Foudre Checkin M4 (trojan.rules)

Pro:

  2846054 - ETPRO CURRENT_EVENTS Terse DLL Download from .casa Likely MalDoc Payload Inbound (current_events.rules)
  2846055 - ETPRO TROJAN Win32/Wacatac.D0!ml CnC Exfil (trojan.rules)
  2846056 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-16 1) (trojan.rules)
  2846057 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-12-16 (current_events.rules)
  2846058 - ETPRO CURRENT_EVENTS Successful Winbank Phish 2020-12-16 (current_events.rules)
  2846059 - ETPRO CURRENT_EVENTS Successful ABN AMRO Phish 2020-12-16 (current_events.rules)
  2846060 - ETPRO CURRENT_EVENTS Successful ABN AMRO Phish 2020-12-16 (current_events.rules)
  2846061 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2020-12-16 (current_events.rules)
  2846062 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-12-16 (current_events.rules)
  2846063 - ETPRO CURRENT_EVENTS Successful SF Express CN Phish 2020-12-16 (current_events.rules)
  2846064 - ETPRO CURRENT_EVENTS Successful ANZ Bank Phish 2020-12-16 (current_events.rules)
  2846065 - ETPRO CURRENT_EVENTS Successful AOL Phish 2020-12-16 (current_events.rules)
  2846066 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-12-16 (current_events.rules)
  2846067 - ETPRO CURRENT_EVENTS Successful SunTrust Phish 2020-12-16 (current_events.rules)
  2846068 - ETPRO CURRENT_EVENTS Successful Paxful Phish 2020-12-16 (current_events.rules)
  2846069 - ETPRO TROJAN W32/Deltacomp CnC Activity (trojan.rules)
  2846070 - ETPRO TROJAN MSIL/Crimson CnC Server Command (info) M2 (trojan.rules)
  2846071 - ETPRO TROJAN MSIL/Crimson Receiving Command (ping) M2 (trojan.rules)
  2846072 - ETPRO TROJAN MSIL/VexioPL InfoStealer Checkin via Discord (trojan.rules)

[///]     Modified active rules:     [///]

  2031359 - ET TROJAN [Fireeye] Observed SUNBURST DGA Request (trojan.rules)
  2814263 - ETPRO TROJAN MSIL/Crimson CnC Server Command (info) M1 (trojan.rules)
  2816280 - ETPRO TROJAN MSIL/Crimson Receiving Command (ping) M1 (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2021702 - ET GAMES MINECRAFT Server response outbound (games.rules)

[---]         Removed rules:         [---]

  2827375 - ETPRO TROJAN Foudre Checkin 2 (trojan.rules)
  2827376 - ETPRO TROJAN Foudre Checkin 1 (trojan.rules)
  2829000 - ETPRO TROJAN FormBook CnC Checkin (GET) (trojan.rules)
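Added example, not part of the ET digest or of any ET tooling: a Python script that parses a digest in the format above, joins entries that mail wrapping split across two lines, checks the added Open/Pro counts, maps the removed Pro SIDs to the Open rules that replaced them (the Foudre and FormBook moves in this update), and flags local Suricata threshold.config lines that still reference a removed SID. DIGEST is an abbreviated copy of this page's entries (so its counts are smaller than the page's 20/19), THRESHOLD_CONFIG is constructed for illustration, and the Pro-to-Open matching is a name-based heuristic, not an ET-provided mapping.

```python
"""Reconcile an Emerging Threats update digest against local Suricata tuning.
Added example, not ET code. DIGEST: abbreviated copy of this page's digest.
THRESHOLD_CONFIG: constructed threshold.config lines for illustration."""
import re

DIGEST = """\
[+++]          Added rules:          [+++]

Open:

  2031410 - ET TROJAN Foudre Checkin M2 (trojan.rules)
  2031411 - ET TROJAN Foudre Checkin M1 (trojan.rules)
  2031412 - ET TROJAN FormBook CnC Checkin (GET) (trojan.rules)
  2031415 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised
Server (web_server.rules)

Pro:

  2846055 - ETPRO TROJAN Win32/Wacatac.D0!ml CnC Exfil (trojan.rules)
  2846070 - ETPRO TROJAN MSIL/Crimson CnC Server Command (info) M2
(trojan.rules)

[---]         Removed rules:         [---]

  2827375 - ETPRO TROJAN Foudre Checkin 2 (trojan.rules)
  2827376 - ETPRO TROJAN Foudre Checkin 1 (trojan.rules)
  2829000 - ETPRO TROJAN FormBook CnC Checkin (GET) (trojan.rules)
"""

# Constructed threshold.config: two entries point at SIDs removed above.
THRESHOLD_CONFIG = [
    "suppress gen_id 1, sig_id 2829000, track by_src, ip 10.20.0.0/16",
    "threshold gen_id 1, sig_id 2031359, type limit, track by_src, count 1, seconds 3600",
    "suppress gen_id 1, sig_id 2827376, track by_dst, ip 192.0.2.10",
]

HEADER_RE = re.compile(r"^\[[+/*\-]{3}\]\s+(.+?):\s+\[[+/*\-]{3}\]\s*$")
SID_RE = re.compile(r"^\s*(\d{7}) - (.*)$")
RULE_RE = re.compile(r"^(ET(?:PRO)?) (\S+) (.+) \((\S+\.rules)\)$")
SIG_ID_RE = re.compile(r"\bsig_id\s+(\d+)")


def parse_digest(text):
    """Return {section: [(sid, prefix, category, msg, file)]}, joining
    entries that mail wrapping split across two lines."""
    sections, current, entry = {}, None, None

    def flush():
        nonlocal entry
        if entry is None:
            return
        sid, body = entry
        m = RULE_RE.match(body)
        if not m:
            raise ValueError(f"unparseable entry for SID {sid}: {body!r}")
        sections.setdefault(current, []).append((int(sid), *m.groups()))
        entry = None

    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            flush()
            current = h.group(1)
        elif not line.strip() or line.strip() in ("Open:", "Pro:"):
            flush()
        elif (s := SID_RE.match(line)):
            flush()
            entry = (s.group(1), s.group(2).strip())
        elif entry is not None:  # continuation of a wrapped entry
            entry = (entry[0], entry[1] + " " + line.strip())
    flush()
    return sections


def added_counts(sections):
    """(open, pro) counts of newly added rules, split by ET/ETPRO prefix."""
    added = sections.get("Added rules", [])
    n_pro = sum(1 for r in added if r[1] == "ETPRO")
    return len(added) - n_pro, n_pro


def successors(sections):
    """Heuristic: removed Pro SID -> added Open SID with the same category and
    message, treating variant markers 'M2' and '2' as equal ('Checkin 2'
    became 'Checkin M2' in this update)."""
    def key(r):
        return (r[2], re.sub(r"\bM(\d+)\b", r"\1", r[3]).lower())
    open_added = {key(r): r[0] for r in sections.get("Added rules", []) if r[1] == "ET"}
    return {r[0]: open_added[key(r)]
            for r in sections.get("Removed rules", []) if key(r) in open_added}


def stale_tuning(threshold_lines, sections):
    """threshold.config lines whose sig_id names a removed SID; such entries
    silently match nothing and must be re-pointed at the successor rule."""
    removed = {r[0] for r in sections.get("Removed rules", [])}
    hits = []
    for line in threshold_lines:
        m = SIG_ID_RE.search(line)
        if m and int(m.group(1)) in removed:
            hits.append((int(m.group(1)), line.strip()))
    return hits


if __name__ == "__main__":
    secs = parse_digest(DIGEST)
    print("added open/pro:", added_counts(secs))
    for old, new in successors(secs).items():
        print(f"removed Pro {old} -> Open {new}")
    for sid, line in stale_tuning(THRESHOLD_CONFIG, secs):
        print(f"stale (sid {sid}): {line}")
```

Run against the full digest, added_counts should return (20, 19), matching the summary line; the successor map is what you re-point suppress/threshold entries at before suricata-update drops the old Pro SIDs.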
