[***] Summary: [***]

13 new OPEN, 18 new PRO (13 + 5) FIN7 JSSLoader, Kimsuky, SodaMaster, Keitaro TDS, TrojanDownloader.Agent.GEM.

Thanks @morphisec, @s1ckb017, @unmaskparasites

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2035608 - ET MALWARE FIN7 JSSLoader Activity (GET) (malware.rules)
2035609 - ET MALWARE FIN7 JSSLoader Activity (POST) (malware.rules)
2035610 - ET MALWARE FIN7 JSSLoader Related Domain in DNS Lookup (malware.rules)
2035611 - ET MALWARE Kimsuky APT Related Host Data Exfil M5 (malware.rules)
2035612 - ET WEB_SERVER Webserver Resolving Known Webshell CnC Domain (anonymousfox) (web_server.rules)
2035613 - ET INFO Observed DNS Query to BaitAndPhish Domain (info.rules)
2035614 - ET MALWARE Win32/SodaMaster domain observed in DNS query (www. rare-coisns. com) (malware.rules)
2035615 - ET MALWARE Win32/SodaMaster domain observed in TLS SNI (www. rare-coisns. com) (malware.rules)
2035616 - ET MALWARE Win32/SodaMaster CnC HTTPS Checkin M1 (malware.rules)
2035617 - ET MALWARE Win32/SodaMaster CnC HTTPS Checkin M2 (malware.rules)
2035618 - ET PHISHING Generic Phishing Domain in DNS Lookup (info-getting-eu. com) (phishing.rules)
2035619 - ET PHISHING Generic Phishing domain observed in TLS SNI (info-getting-eu. com) (phishing.rules)
2035620 - ET WEB_CLIENT Evil Keitaro Set-Cookie Inbound (85937) (web_client.rules)

Pro:

2851336 - ETPRO MALWARE Win32/TrojanDownloader.Agent.GEM Maldoc Payload Request (malware.rules)
2851337 - ETPRO MALWARE User32.dll Download via Powershell (malware.rules)

[///] Modified active rules: [///]

2013300 - ET POLICY DivX Client SSL Connection via Self-Signed SSL Cert (policy.rules)
2014617 - ET POLICY Cisco IOS Self Signed Certificate Served to External Host (policy.rules)
2018878 - ET POLICY tor4u tor2web .onion Proxy domain in SNI (policy.rules)
2020974 - ET MALWARE CozyDuke APT Possible SSL Cert 8 (malware.rules)
2024832 - ET POLICY Observed IP Lookup Domain (formyip .com in TLS SNI) (policy.rules)
2031614 - ET WEB_CLIENT Evil Keitaro Set-Cookie Inbound (9487d) (web_client.rules)
2035568 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) (mobile_malware.rules)
2035569 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 2 (mobile_malware.rules)
2035570 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 3 (mobile_malware.rules)
2035571 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 4 (mobile_malware.rules)
2035572 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 5 (mobile_malware.rules)
2035573 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 6 (mobile_malware.rules)
2035574 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 7 (mobile_malware.rules)
2035575 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 8 (mobile_malware.rules)
2035576 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 9 (mobile_malware.rules)
2035577 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 10 (mobile_malware.rules)
2035578 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 11 (mobile_malware.rules)
2035579 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 12 (mobile_malware.rules)
2035580 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 20 (mobile_malware.rules)
2035581 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 13 (mobile_malware.rules)
2035582 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 14 (mobile_malware.rules)
2035583 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 15 (mobile_malware.rules)
2035584 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 16 (mobile_malware.rules)
2035585 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 17 (mobile_malware.rules)
2035586 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 18 (mobile_malware.rules)
2035587 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 19 (mobile_malware.rules)
2035588 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 21 (mobile_malware.rules)
2035589 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 22 (mobile_malware.rules)
2035590 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 23 (mobile_malware.rules)
2035591 - ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 24 (mobile_malware.rules)

[///] Modified inactive rules: [///]

2018877 - ET MALWARE Tor based locker knowledgewiki.info in SNI July 31 2014 (malware.rules)
