[***] Summary: [***]
20 new OPEN, 39 new PRO (20 + 19). AridViper CnC (TLS SNI), Foudre and FormBook (GET) moved from PRO to OPEN, FormBook (POST) M2, Generic Webshell Access, Win32/Wacatac.D0!ml CnC Exfil, W32/Deltacomp CnC, MSIL/Crimson, MSIL/VexioPL, CoinMiner Stratum Authline, VARIOUS PHISH. SUNBURST DGA rule (2031359) modified.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031399 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
2031400 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
2031401 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
2031402 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
2031403 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
2031404 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
2031405 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
2031406 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
2031407 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
2031408 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
2031409 - ET TROJAN Observed AridViper CnC Domain in TLS SNI (trojan.rules)
2031410 - ET TROJAN Foudre Checkin M2 (trojan.rules)
2031411 - ET TROJAN Foudre Checkin M1 (trojan.rules)
2031412 - ET TROJAN FormBook CnC Checkin (GET) (trojan.rules)
2031413 - ET TROJAN FormBook CnC Checkin (POST) M2 (trojan.rules)
2031414 - ET CURRENT_EVENTS Generic Tombol Microsoft Account Phishing Landing 2020-12-16 (current_events.rules)
2031415 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server (web_server.rules)
2031416 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server (web_client.rules)
2031417 - ET TROJAN Foudre Checkin M3 (trojan.rules)
2031418 - ET TROJAN Foudre Checkin M4 (trojan.rules)
Pro:
2846054 - ETPRO CURRENT_EVENTS Terse DLL Download from .casa Likely MalDoc Payload Inbound (current_events.rules)
2846055 - ETPRO TROJAN Win32/Wacatac.D0!ml CnC Exfil (trojan.rules)
2846056 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-16 1) (trojan.rules)
2846057 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-12-16 (current_events.rules)
2846058 - ETPRO CURRENT_EVENTS Successful Winbank Phish 2020-12-16 (current_events.rules)
2846059 - ETPRO CURRENT_EVENTS Successful ABN AMRO Phish 2020-12-16 (current_events.rules)
2846060 - ETPRO CURRENT_EVENTS Successful ABN AMRO Phish 2020-12-16 (current_events.rules)
2846061 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2020-12-16 (current_events.rules)
2846062 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-12-16 (current_events.rules)
2846063 - ETPRO CURRENT_EVENTS Successful SF Express CN Phish 2020-12-16 (current_events.rules)
2846064 - ETPRO CURRENT_EVENTS Successful ANZ Bank Phish 2020-12-16 (current_events.rules)
2846065 - ETPRO CURRENT_EVENTS Successful AOL Phish 2020-12-16 (current_events.rules)
2846066 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-12-16 (current_events.rules)
2846067 - ETPRO CURRENT_EVENTS Successful SunTrust Phish 2020-12-16 (current_events.rules)
2846068 - ETPRO CURRENT_EVENTS Successful Paxful Phish 2020-12-16 (current_events.rules)
2846069 - ETPRO TROJAN W32/Deltacomp CnC Activity (trojan.rules)
2846070 - ETPRO TROJAN MSIL/Crimson CnC Server Command (info) M2 (trojan.rules)
2846071 - ETPRO TROJAN MSIL/Crimson Receiving Command (ping) M2 (trojan.rules)
2846072 - ETPRO TROJAN MSIL/VexioPL InfoStealer Checkin via Discord (trojan.rules)
[///] Modified active rules: [///]
2031359 - ET TROJAN [Fireeye] Observed SUNBURST DGA Request (trojan.rules)
2814263 - ETPRO TROJAN MSIL/Crimson CnC Server Command (info) M1 (trojan.rules)
2816280 - ETPRO TROJAN MSIL/Crimson Receiving Command (ping) M1 (trojan.rules)
[---] Disabled and modified rules: [---]
2021702 - ET GAMES MINECRAFT Server response outbound (games.rules)
[---] Removed rules: [---]
2827375 - ETPRO TROJAN Foudre Checkin 2 (trojan.rules)
2827376 - ETPRO TROJAN Foudre Checkin 1 (trojan.rules)
2829000 - ETPRO TROJAN FormBook CnC Checkin (GET) (trojan.rules)
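A practical use of a notice in this format is to parse it and check it against local rule tuning before the next suricata-update run. The following is an added example, not part of the Emerging Threats notice and not ET or Proofpoint tooling: it reads the notice text, joins entries that wrap onto a second line, groups them by section, and flags removed SIDs still referenced in a local enable.conf/disable.conf, modified rules that were disabled locally, rules disabled upstream, and PRO-to-OPEN moves found by matching rule names. The NOTICE excerpt is constructed from the notice above; the local SID sets passed to review() are hypothetical.

```python
"""Parse an Emerging Threats daily ruleset notice and diff it against local tuning.

Added example, not part of the ET notice. NOTICE is a constructed excerpt of the
notice above (entries wrap onto a second line as they do in the mail); the
enable/disable SID sets used below are hypothetical.
"""
import re
from collections import defaultdict

# Constructed excerpt of the notice above.
NOTICE = """\
[+++] Added rules: [+++]
Open:
2031399 - ET TROJAN Observed AridViper CnC Domain in TLS SNI
(trojan.rules)
2031412 - ET TROJAN FormBook CnC Checkin (GET) (trojan.rules)
Pro:
2846055 - ETPRO TROJAN Win32/Wacatac.D0!ml CnC Exfil (trojan.rules)
[///] Modified active rules: [///]
2031359 - ET TROJAN [Fireeye] Observed SUNBURST DGA Request (trojan.rules)
[---] Disabled and modified rules: [---]
2021702 - ET GAMES MINECRAFT Server response outbound (games.rules)
[---] Removed rules: [---]
2829000 - ETPRO TROJAN FormBook CnC Checkin (GET) (trojan.rules)
"""

SECTION_RE = re.compile(r"^\[[+/-]{3}\]\s*(.+?):\s*\[[+/-]{3}\]$")  # "[+++] Added rules: [+++]"
ENTRY_RE = re.compile(r"^(\d+)\s+-\s+(.*)$")                         # "SID - rule name (file.rules)"
RULEFILE_RE = re.compile(r"\((\S+\.rules)\)\s*$")


def parse_notice(text):
    """Return {section: [(sid, name, rulefile), ...]}, joining wrapped entry lines."""
    sections = defaultdict(list)
    current, pending = None, None  # pending = (sid, body) of the entry being read

    def flush():
        nonlocal pending
        if pending is not None and current is not None:
            sid, body = pending
            m = RULEFILE_RE.search(body)
            name = body[: m.start()].strip() if m else body.strip()
            sections[current].append((sid, name, m.group(1) if m else None))
        pending = None

    for raw in text.splitlines():
        line = raw.strip()
        if (sec := SECTION_RE.match(line)):
            flush()
            current = sec.group(1)
        elif line in ("Open:", "Pro:"):
            flush()  # tier sub-headers carry no SID; the ET/ETPRO name prefix gives the tier
        elif (ent := ENTRY_RE.match(line)):
            flush()
            pending = (int(ent.group(1)), ent.group(2))
        elif pending is not None and line:
            pending = (pending[0], pending[1] + " " + line)  # continuation of a wrapped entry
    flush()
    return dict(sections)


def review(sections, local_enabled, local_disabled):
    """Cross-check the parsed notice against hypothetical suricata-update
    enable.conf / disable.conf SID sets. Returns {concern: [sid, ...]}."""
    tuned = local_enabled | local_disabled
    findings = {
        # stale local entries: the SID no longer exists upstream
        "removed_but_tuned": [s for s, _, _ in sections.get("Removed rules", []) if s in tuned],
        # a rule you disabled (e.g. for false positives) was changed; re-evaluate it
        "modified_and_disabled": [s for s, _, _ in sections.get("Modified active rules", [])
                                  if s in local_disabled],
        # ET turned these off; a local enable.conf entry would turn them back on
        "newly_disabled_upstream": [s for s, _, _ in sections.get("Disabled and modified rules", [])],
        "new_open": [], "new_pro": [],
    }
    for sid, name, _ in sections.get("Added rules", []):
        findings["new_pro" if name.startswith("ETPRO ") else "new_open"].append(sid)
    return findings


def migrated_to_open(sections):
    """Pair removed ETPRO rules with added ET rules of identical name (PRO -> OPEN moves).
    Renamed rules (e.g. 'Checkin 1' -> 'Checkin M1') are not paired; review those by hand."""
    def key(name):
        return re.sub(r"^ET(PRO)?\s+", "", name)
    added = {key(n): sid for sid, n, _ in sections.get("Added rules", []) if n.startswith("ET ")}
    return [(sid, added[key(n)]) for sid, n, _ in sections.get("Removed rules", [])
            if n.startswith("ETPRO ") and key(n) in added]


if __name__ == "__main__":
    parsed = parse_notice(NOTICE)
    print(review(parsed, local_enabled={2829000}, local_disabled={2031359}))
    print(migrated_to_open(parsed))
```

The notice lists only SIDs and names, so it cannot tell you what changed inside 2031359; diff the rules file emitted by your last two suricata-update runs to see the actual content change. Name matching pairs 2829000 with 2031412, but the Foudre rules were renamed on the way to OPEN ("Checkin 1" became "Checkin M1"), so the removed list still needs a manual pass.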