[Emerging-updates] Daily Ruleset Update Summary 2020/04/20

Brandon Murphy bmurphy at emergingthreats.net
Mon Apr 20 14:44:39 HDT 2020


[***]            Summary:            [***]

 50 new Open, 73 new Pro (50 + 23). Rancour/WatcherDog, PoetRAT,
ELF/Gafgyt, Android/Tabiah, Various PHP Mailer, Webshells, and Phishing.

 Many rules in the Suricata 5 ruleset have been updated with Suricata 5
rule syntax/keywords. A complete list of rules that were changed can be
found via the changelog here:
https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.etpro.2020-04-20T23:17:52.txt


 Please be aware that after the deprecation of our Suricata 2/3 support
(April 15th 2020), the path for downloading the last pushed production
Suricata 2/3 rulesets has changed.  Deprecated rulesets are available at
https://rules.emergingthreatspro.com/OINK/old for ETPro and
https://rules.emergingthreatspro.com/open/old/ for ETOpen.  All requests
for the Suricata 2/3 rulesets at their previous locations will now lead to
the Suricata 4.0 production rules for ETPro and the rule download
instructions for ETOpen.

 Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2029932 - ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1 (mobile_malware.rules)
  2029933 - ET TROJAN SepSys/SepSystem Ransomware Style External IP Address Check (trojan.rules)
  2029934 - ET WEB_CLIENT WSO 2.6 Webshell Accessed on External Compromised Server (web_client.rules)
  2029935 - ET WEB_SERVER WSO 2.6 Webshell Accessed on Internal Compromised Server (web_server.rules)
  2029936 - ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server (web_client.rules)
  2029937 - ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server (web_server.rules)
  2029938 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server (web_client.rules)
  2029939 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server (web_server.rules)
  2029940 - ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server (web_client.rules)
  2029941 - ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server (web_server.rules)
  2029942 - ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server (web_client.rules)
  2029943 - ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server (web_server.rules)
  2029944 - ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server (web_client.rules)
  2029945 - ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server (web_server.rules)
  2029946 - ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server (web_client.rules)
  2029947 - ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server (web_server.rules)
  2029948 - ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server (web_client.rules)
  2029949 - ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server (web_server.rules)
  2029950 - ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server (web_client.rules)
  2029951 - ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server (web_server.rules)
  2029952 - ET TROJAN Targeted Activity - CnC Domain in SNI (trojan.rules)
  2029953 - ET TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
  2029954 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.parody) (info.rules)
  2029955 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.oz) (info.rules)
  2029956 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.cyb) (info.rules)
  2029957 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.geek) (info.rules)
  2029958 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.libre) (info.rules)
  2029959 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.dyn) (info.rules)
  2029960 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.bbs) (info.rules)
  2029961 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.neo) (info.rules)
  2029962 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.o) (info.rules)
  2029963 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.null) (info.rules)
  2029964 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.pirate) (info.rules)
  2029965 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.chan) (info.rules)
  2029966 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.oss) (info.rules)
  2029967 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.epic) (info.rules)
  2029968 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.indy) (info.rules)
  2029969 - ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.gopher) (info.rules)
  2029970 - ET INFO Observed DNS Query for EmerDNS TLD (.lib) (info.rules)
  2029971 - ET INFO Observed DNS Query for EmerDNS TLD (.coin) (info.rules)
  2029972 - ET INFO Observed DNS Query for EmerDNS TLD (.emc) (info.rules)
  2029973 - ET INFO Observed DNS Query for EmerDNS TLD (.bazar) (info.rules)
  2029974 - ET INFO Observed DNS Query for FurNIC TLD (.fur) (info.rules)
  2029975 - ET TROJAN Observed PoetRAT Domain (dellgenius .hoptop .org in TLS SNI) (trojan.rules)
  2029976 - ET EXPLOIT Netlink GPON Remote Code Execution Attempt (Inbound) (exploit.rules)
  2029977 - ET TROJAN Cobalt Strike Malleable C2 (Custom) (trojan.rules)
  2029978 - ET TROJAN Cobalt Strike Malleable C2 (Custom) (trojan.rules)
  2029979 - ET MOBILE_MALWARE Android PHONEMONITOR RAT CnC (getsettings) (mobile_malware.rules)
  2029980 - ET USER_AGENTS Observed Suspicious UA (PhoneMonitor) (user_agents.rules)
  2029981 - ET MOBILE_MALWARE Suspected PROJECTSPY CnC (video) (mobile_malware.rules)

Pro:

  2842092 - ETPRO MOBILE_MALWARE AndroidOS/Trojan.UUPN-8 Checkin (mobile_malware.rules)
  2842093 - ETPRO MOBILE_MALWARE Trojan-Proxy.AndroidOS.Youzicheng.a Checkin (mobile_malware.rules)
  2842094 - ETPRO MOBILE_MALWARE Android/Tabiah Checkin (mobile_malware.rules)
  2842095 - ETPRO MOBILE_MALWARE Android/Tabiah Checkin 2 (mobile_malware.rules)
  2842096 - ETPRO INFO Possibly Malicious Bash Script Inbound (info.rules)
  2842097 - ETPRO TROJAN Rancour/WatcherDog Payload CnC Activity (trojan.rules)
  2842098 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc Payload 2020-04-20) (trojan.rules)
  2842099 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-18 1) (trojan.rules)
  2842100 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-18 2) (trojan.rules)
  2842101 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-18 3) (trojan.rules)
  2842102 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-18 4) (trojan.rules)
  2842103 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-04-20 (current_events.rules)
  2842104 - ETPRO CURRENT_EVENTS Successful Santander Phish 2020-04-20 (current_events.rules)
  2842105 - ETPRO CURRENT_EVENTS Successful Hulu Phish 2020-04-20 (current_events.rules)
  2842106 - ETPRO CURRENT_EVENTS Successful Hulu Phish 2020-04-20 (current_events.rules)
  2842107 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-04-20 (current_events.rules)
  2842108 - ETPRO TROJAN Win32/ChoiceLoader CnC Checkin (trojan.rules)
  2842109 - ETPRO TROJAN ELF/Mirai - Inbound Crontab/Kill Command from CnC (trojan.rules)
  2842110 - ETPRO TROJAN ELF/Gafgyt CnC Response (trojan.rules)
  2842111 - ETPRO TROJAN Win32/Remcos RAT Checkin 400 (trojan.rules)
  2842112 - ETPRO TROJAN Win32/Remcos RAT Checkin 401 (trojan.rules)
  2842113 - ETPRO TROJAN Win32/Remcos RAT Checkin 402 (trojan.rules)
  2842114 - ETPRO TROJAN Win32/Remcos RAT Checkin 403 (trojan.rules)


 [///]     Modified active rules:     [///]

  2027392 - ET TROJAN Maze/ID Ransomware Activity (trojan.rules)
  2029707 - ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain M1 (info.rules)


 [---]  Disabled and modified rules:  [---]

  2013059 - ET POLICY BitCoin (policy.rules)
  2014022 - ET SCAN Gootkit Scanner User-Agent Inbound (scan.rules)
  2014023 - ET TROJAN Gootkit Scanner User-Agent Outbound (trojan.rules)


 [---]         Removed rules:         [---]

  2012451 - ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1 (mobile_malware.rules)