[***] Summary: [***]
10 new OPEN, 32 new PRO (10 + 22). SUPERNOVA, AsyncRAT, Remcos, Various Phish.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031436 - ET TROJAN Possible MSIL/Solorigate.G!dha/SUPERNOVA Webshell Access Request (trojan.rules)
2031437 - ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server (web_server.rules)
2031438 - ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server (web_client.rules)
2031439 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (img565vv6 .holdmydoor .com) (mobile_malware.rules)
2031440 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (crashparadox .net) (mobile_malware.rules)
2031441 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (f15fwd322 .regularhours .net) (mobile_malware.rules)
2031442 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (bananakick .net) (mobile_malware.rules)
2031443 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (stilloak .net) (mobile_malware.rules)
2031444 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (flowersarrows .com) (mobile_malware.rules)
2031445 - ET MOBILE_MALWARE LIKEACHARM Stealer Exfil (POST) (mobile_malware.rules)
Pro:
2846184 - ETPRO POLICY Observed Go Tunnel HTTP CONNECT Proxy Outbound (policy.rules)
2846185 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2846186 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2846187 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2846188 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-18 1) (trojan.rules)
2846189 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-18 2) (trojan.rules)
2846190 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-12-18 3) (trojan.rules)
2846191 - ETPRO CURRENT_EVENTS Successful Intesa Sanpaolo Phish 2020-12-21 (current_events.rules)
2846192 - ETPRO CURRENT_EVENTS Successful Gov UK Tax Phish 2020-12-21 (current_events.rules)
2846193 - ETPRO CURRENT_EVENTS Successful Gov UK Tax Phish 2020-12-21 (current_events.rules)
2846194 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-12-21 (current_events.rules)
2846195 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-12-21 (current_events.rules)
2846196 - ETPRO CURRENT_EVENTS Successful Cash App Phish 2020-12-21 (current_events.rules)
2846197 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-12-21 (current_events.rules)
2846198 - ETPRO TROJAN W32/Unk.Powershell Downloader via Document Reporting Host Information (trojan.rules)
2846199 - ETPRO CURRENT_EVENTS Successful Gov UK Tax Phish 2020-12-21 (current_events.rules)
2846200 - ETPRO TROJAN Win32/Agent.ABYS Variant CnC Activity (trojan.rules)
2846202 - ETPRO TROJAN Win32/Remcos RAT Checkin 630 (trojan.rules)
2846203 - ETPRO TROJAN Win32/Remcos RAT Checkin 631 (trojan.rules)
2846204 - ETPRO TROJAN Win32/Remcos RAT Checkin 632 (trojan.rules)
2846205 - ETPRO TROJAN Win32/Remcos RAT Checkin 633 (trojan.rules)
[///] Modified active rules: [///]
2031298 - ET TROJAN Win32/IcedID Requesting Encoded Binary M5 (trojan.rules)
2842317 - ETPRO TROJAN Win32/Emotet CnC Activity (POST) M9 (trojan.rules)
[---] Removed rules: [---]
2846128 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.YB (TLS SNI) 1 (mobile_malware.rules)
2846129 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.YB (TLS SNI) 2 (mobile_malware.rules)
2846130 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.YB (TLS SNI) 3 (mobile_malware.rules)
2846131 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.YB (TLS SNI) 4 (mobile_malware.rules)