[Emerging-Sigs] Daily Ruleset Update Summary 2017/12/04

Travis Green tgreen at emergingthreats.net
Mon Dec 4 13:49:54 HST 2017


[***]            Summary:            [***]

21 new Open, 60 new Pro (21 + 39). New TLDs, MSIL/Kryptik.LRA,
Win32/MewsSpy.AE, Various Mobile, Various Phishing.

Thanks: @CraneHassold


[+++]          Added rules:          [+++]

Open:

 2025097 - ET INFO HTTP POST Request to Suspicious *.gdn Domain (info.rules)
 2025098 - ET INFO DNS Query for Suspicious .gdn Domain (info.rules)
 2025099 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2017-12-03 (current_events.rules)
 2025100 - ET INFO HTTP POST Request to Suspicious *.gq domain (info.rules)
 2025101 - ET INFO HTTP POST Request to Suspicious *.ga Domain (info.rules)
 2025102 - ET INFO HTTP POST Request to Suspicious *.ml Domain (info.rules)
 2025103 - ET INFO HTTP POST Request to Suspicious *.cf Domain (info.rules)
 2025104 - ET INFO DNS Query for Suspicious .gq Domain (info.rules)
 2025105 - ET INFO DNS Query for Suspicious .ga Domain (info.rules)
 2025106 - ET INFO DNS Query for Suspicious .ml Domain (info.rules)
 2025107 - ET INFO DNS Query for Suspicious .cf Domain (info.rules)
 2025108 - ET INFO Suspicious Domain (*.gq) in TLS SNI (info.rules)
 2025109 - ET INFO Suspicious Domain (*.ga) in TLS SNI (info.rules)
 2025110 - ET INFO Suspicious Domain (*.ml) in TLS SNI (info.rules)
 2025111 - ET INFO Suspicious Domain (*.cf) in TLS SNI (info.rules)
 2025112 - ET INFO Suspicious Domain (*.gdn) in TLS SNI (info.rules)
 2025113 - ET CURRENT_EVENTS Possible Credentials Sent to Suspicious TLD via HTTP GET (current_events.rules)
 2025114 - ET CURRENT_EVENTS Successful EDU Phish 2017-12-04 (current_events.rules)
 2025115 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2017-12-04 (current_events.rules)
 2025116 - ET POLICY localtunnel Connection Setup Attempt (policy.rules)
 2025117 - ET POLICY localtunnel Sucessful Connection Setup (policy.rules)

Pro:

 2828750 - ETPRO CURRENT_EVENTS Successful Visa Home Phish 2017-12-02 (current_events.rules)
 2828751 - ETPRO CURRENT_EVENTS Successful Mastercard Securecode Phish 2017-12-02 (current_events.rules)
 2828752 - ETPRO CURRENT_EVENTS Successful ANZ Internet Banking Phish 2017-12-02 (current_events.rules)
 2828753 - ETPRO CURRENT_EVENTS Successful TD Bank Phish 2017-12-02 (current_events.rules)
 2828754 - ETPRO CURRENT_EVENTS Successful Alibaba Phish 2017-12-02 (current_events.rules)
 2828755 - ETPRO CURRENT_EVENTS Successful Excel Online Phish 2017-12-02 (current_events.rules)
 2828756 - ETPRO CURRENT_EVENTS Successful Orange (FR) Phish 2017-12-02 (current_events.rules)
 2828757 - ETPRO CURRENT_EVENTS Successful Santander Phish 2017-12-03 (current_events.rules)
 2828758 - ETPRO CURRENT_EVENTS Successful ADP Mobile Phish 2017-12-03 (current_events.rules)
 2828759 - ETPRO CURRENT_EVENTS Successful Gmail Phish 2017-12-03 (current_events.rules)
 2828760 - ETPRO CURRENT_EVENTS Successful Canada Revenue Agency Phish 2017-12-03 (current_events.rules)
 2828761 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 249 (mobile_malware.rules)
 2828762 - ETPRO MOBILE_MALWARE Android/Agent.ARZ CnC Beacon (mobile_malware.rules)
 2828763 - ETPRO TROJAN GlobeImposter Payment Domain (ugf57wl6uexcj7fu in DNS Lookup) (trojan.rules)
 2828764 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.ix Checkin (mobile_malware.rules)
 2828765 - ETPRO TROJAN MSIL/Kryptik.LRA Checkin via Google-Analytics (trojan.rules)
 2828766 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2017-12-04 M1 (current_events.rules)
 2828767 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2017-12-04 M2 (current_events.rules)
 2828768 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2017-12-04 M3 (current_events.rules)
 2828769 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2017-12-04 M4 (current_events.rules)
 2828770 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2017-12-04 M5 (current_events.rules)
 2828771 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2017-12-04 M6 (current_events.rules)
 2828772 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2017-12-04 M7 (current_events.rules)
 2828773 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2017-12-04 M8 (current_events.rules)
 2828774 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2017-12-04 M9 (current_events.rules)
 2828775 - ETPRO TROJAN NSIS/Unk.Dropper Dropping EXE (trojan.rules)
 2828776 - ETPRO CURRENT_EVENTS Successful Caisse d'Epargne Phish 2017-12-04 M1 (current_events.rules)
 2828777 - ETPRO CURRENT_EVENTS Successful Caisse d'Epargne Phish 2017-12-04 M2 (current_events.rules)
 2828778 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz Contact Exfil via SMTP 32 (mobile_malware.rules)
 2828779 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz SMS Exfil via SMTP 33 (mobile_malware.rules)
 2828780 - ETPRO CURRENT_EVENTS Successful Halkbank (TK) Phish 2017-12-04 (current_events.rules)
 2828781 - ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda) (trojan.rules)
 2828782 - ETPRO TROJAN Zeus Panda Domain (89D9B687AC98 .date in DNS Lookup) (trojan.rules)
 2828783 - ETPRO TROJAN Zeus Panda Domain (89d9b687ac10 .faith in DNS Lookup) (trojan.rules)
 2828784 - ETPRO TROJAN Win32/MewsSpy.AE CnC Checkin (trojan.rules)
 2828785 - ETPRO CURRENT_EVENTS Successful OneDrive Phish 2017-12-04 (current_events.rules)
 2828786 - ETPRO CURRENT_EVENTS Successful Adobe Phish 2017-12-04 (current_events.rules)
 2828787 - ETPRO TROJAN Bladabindi/njRAT CnC Check-in (7738424408T2ZmaWNl) (trojan.rules)
 2828788 - ETPRO TROJAN Win32/Banload.Downloader Requesting Payload (trojan.rules)


[///]     Modified active rules:     [///]

 2018045 - ET CURRENT_EVENTS Visa Phishing Landing Jan 30 2014 (current_events.rules)
 2019876 - ET SCAN SSH BruteForce Tool with fake PUTTY version (scan.rules)
 2023458 - ET INFO Possible EXE Download From Suspicious TLD (.gdn) - set (info.rules)
 2815659 - ETPRO CURRENT_EVENTS Suspicious Wordpress Redirect - Possible Phishing Landing (set) Jan 7 (current_events.rules)
 2824134 - ETPRO CURRENT_EVENTS Successful Generic Phish (Meta HTTP-Equiv Refresh) Dec 29 2016 (current_events.rules)
 2826114 - ETPRO CURRENT_EVENTS Successful Netflix Payment Information Phish Apr 26 2017 (current_events.rules)


[---]  Disabled and modified rules:  [---]

 2812881 - ETPRO CURRENT_EVENTS Successful Paypal Phish Sept 3 M3 (current_events.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>