[Emerging-Sigs] Daily Ruleset Update Summary 2017/12/22

Travis Green tgreen at emergingthreats.net
Fri Dec 22 10:56:42 HST 2017


[***]            Summary:            [***]

3 new Open, 42 new Pro (3 + 39). Win32/Backdoor.Agent.qweydh, APT28 XAgent
Domains, DreamSmasher CnC, Various Phishing.

Thanks: Arvind Kumar


[+++]          Added rules:          [+++]

Open:

 2025170 - ET TROJAN Win32/Backdoor.Agent.qweydh CnC Checkin M1 (trojan.rules)
 2025171 - ET TROJAN Win32/Backdoor.Agent.qweydh CnC Checkin M2 (trojan.rules)
 2025172 - ET TROJAN Win32/Backdoor.Agent.qweydh CnC Activity (trojan.rules)

Pro:

 2829021 - ETPRO CURRENT_EVENTS Successful PlayStation Phish 2017-12-22 (current_events.rules)
 2829022 - ETPRO USER_AGENTS Observed Known CryptoMining UA (Miner) (user_agents.rules)
 2829023 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2017-12-22 (current_events.rules)
 2829024 - ETPRO TROJAN APT28 XAgent Domain (fsportal .net in DNS Lookup) (trojan.rules)
 2829025 - ETPRO TROJAN APT28 XAgent Domain (meteost .com in DNS Lookup) (trojan.rules)
 2829026 - ETPRO TROJAN APT28 XAgent Domain (movieultimate .com in DNS Lookup) (trojan.rules)
 2829027 - ETPRO TROJAN APT28 XAgent Domain (fastdataexchange .org in DNS Lookup) (trojan.rules)
 2829028 - ETPRO TROJAN APT28 XAgent Domain (newfilmts .com in DNS Lookup) (trojan.rules)
 2829029 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-22 1) (trojan.rules)
 2829030 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-22 2) (trojan.rules)
 2829031 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-22 3) (trojan.rules)
 2829032 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-22 4) (trojan.rules)
 2829033 - ETPRO TROJAN DreamSmasher CnC DeleteFile Request (trojan.rules)
 2829034 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-22 5) (trojan.rules)
 2829035 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-22 6) (trojan.rules)
 2829036 - ETPRO TROJAN DreamSmasher CnC Download File Request (trojan.rules)
 2829037 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-22 7) (trojan.rules)
 2829038 - ETPRO TROJAN Bitcoin Miner Known Malicious Basic Auth (NDF5eWJUWEZnYk4yeGJSTWlyaWE3R0puM2pnSENaOERwSnpXYVJMZ0FOTnVFZExuR2tFU2prdUdFOFZrakdvM29UV2syOTVpaFJYTnkxQUNmdXNCdjl4ejRwZEpMOEQ6eA==) (trojan.rules)
 2829039 - ETPRO TROJAN DreamSmasher CnC EditFileProperty Request (trojan.rules)
 2829040 - ETPRO TROJAN DreamSmasher CnC GetDate Request (trojan.rules)
 2829041 - ETPRO TROJAN DreamSmasher CnC GetIPAddress Request (trojan.rules)
 2829042 - ETPRO TROJAN DreamSmasher CnC GetManufacturer Request (trojan.rules)
 2829043 - ETPRO TROJAN DreamSmasher CnC GetModel Request (trojan.rules)
 2829044 - ETPRO TROJAN DreamSmasher CnC GetPowershellVersion Request (trojan.rules)
 2829045 - ETPRO TROJAN DreamSmasher CnC GetProcessorArch Request (trojan.rules)
 2829046 - ETPRO TROJAN DreamSmasher CnC GetSyslang Request (trojan.rules)
 2829047 - ETPRO TROJAN DreamSmasher CnC GetTotalMemory Request (trojan.rules)
 2829048 - ETPRO TROJAN DreamSmasher CnC GetWorkingDirectory Request (trojan.rules)
 2829049 - ETPRO TROJAN DreamSmasher CnC Screenshot Request (trojan.rules)
 2829050 - ETPRO TROJAN DreamSmasher CnC StartProcess Request (trojan.rules)
 2829051 - ETPRO TROJAN DreamSmasher CnC WriteFile Request (trojan.rules)
 2829052 - ETPRO TROJAN DreamSmasher CnC GetCurrentUser Request (trojan.rules)
 2829053 - ETPRO TROJAN DreamSmasher CnC GetOSVersion Request (trojan.rules)
 2829054 - ETPRO TROJAN DreamSmasher CnC GetUsername Request (trojan.rules)
 2829055 - ETPRO CURRENT_EVENTS Successful Dropbox Phish 2017-12-22 (current_events.rules)
 2829056 - ETPRO TROJAN Observed Request for xmrig.exe in - Coinminer Download (trojan.rules)
 2829057 - ETPRO CURRENT_EVENTS Successful Orange (FR) Phish 2017-12-22 (current_events.rules)
 2829058 - ETPRO CURRENT_EVENTS Successful Maersk Phish 2017-12-22 (current_events.rules)
 2829059 - ETPRO CURRENT_EVENTS Possible Successful Banco Pichincha Phish 2017-12-22 (current_events.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>