[Emerging-Sigs] Daily Ruleset Update Summary 2018/02/01

Travis Green tgreen at emergingthreats.net
Thu Feb 1 12:26:55 HST 2018


[***]            Summary:            [***]

7 new Open, 24 new Pro (7 + 17). Backdoor.Elise, Operation EvilTraffic
Redirect, Win32/Ghost419, Various Mobile, Various Phishing.

Thanks: MS-ISAC (@CISecurity)


[+++]          Added rules:          [+++]

Open:

 2025282 - ET CURRENT_EVENTS Cloned Website Phishing Landing - Mirrored Website Comment Observed (current_events.rules)
 2025283 - ET TROJAN Trojan-Dropper.Delf Checkin (trojan.rules)
 2025284 - ET CURRENT_EVENTS Microsoft Live Login Phishing Landing 2018-02-01 (current_events.rules)
 2025285 - ET CURRENT_EVENTS TSB Bank / Lloyds Bank Phishing Landing 2018-02-01 (current_events.rules)
 2025286 - ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-01 (current_events.rules)
 2025287 - ET TROJAN Operation EvilTraffic Initial Redirect M1 (trojan.rules)
 2025288 - ET TROJAN Operation EvilTraffic Initial Redirect M2 (trojan.rules)
 2025289 - ET TROJAN Backdoor.Elise Style IP Check (trojan.rules)

Pro:

 2829515 - ETPRO INFO LaZagne EXE Download (info.rules)
 2829516 - ETPRO TROJAN Observed Malicious SSL Cert (APT32 Cobalt Strike Beacon) (trojan.rules)
 2829517 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 271 (mobile_malware.rules)
 2829518 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 272 (mobile_malware.rules)
 2829519 - ETPRO TROJAN AU3/Axtrit.BR Domain Detected (rhcobrancasfd .com .br in DNS Lookup) (trojan.rules)
 2829520 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 273 (mobile_malware.rules)
 2829521 - ETPRO TROJAN AU3/Axtrit.BR Domain Detected (rhcobrancasfd .com .br in TLS SNI) (trojan.rules)
 2829522 - ETPRO TROJAN DDoS Win32/Nitol.A Checkin (trojan.rules)
 2829523 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 274 (mobile_malware.rules)
 2829526 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-01 1) (trojan.rules)
 2829527 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-01 2) (trojan.rules)
 2829528 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-01 3) (trojan.rules)
 2829529 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-01 4) (trojan.rules)
 2829530 - ETPRO TROJAN MSIL/Kuqa CnC Checkin (trojan.rules)
 2829531 - ETPRO TROJAN Win32/Ghost419 CnC Data Exfil (trojan.rules)
 2829532 - ETPRO TROJAN SSL/TLS Certificate Observed (Dreamsmasher) (trojan.rules)


[///]     Modified active rules:     [///]

 2025135 - ET TROJAN [PTsecurity] Botnet Nitol.B Checkin (trojan.rules)
 2025244 - ET CURRENT_EVENTS AT&T Phishing Landing 2018-01-23 (current_events.rules)
 2811446 - ETPRO TROJAN uWarrior RAT CnC Beacon (trojan.rules)
 2819671 - ETPRO TROJAN W32/Overflow Stealer Lazagne DL (trojan.rules)
 2828853 - ETPRO CURRENT_EVENTS Successful TSB Bank / Lloyds Bank Phish 2017-12-12 M3 (current_events.rules)
 2829216 - ETPRO TROJAN APT32 DNS Tunneling Domain 2 (trojan.rules)


[---]         Disabled rules:        [---]

 2003641 - ET TROJAN Downloader.Small User Agent Detected (NetScafe) (trojan.rules)
 2003648 - ET TROJAN Clicker.BC User Agent Detected (linkrunner) (trojan.rules)
 2006377 - ET TROJAN Downloader.Win32.Agent.bwr CnC Beacon (trojan.rules)
 2006401 - ET TROJAN Downloader.26001 Url Pattern Detected (lunch_id) (trojan.rules)
 2007284 - ET TROJAN Downloader.Win32.Agent.cav Url Pattern Detected (ping) (trojan.rules)
 2007587 - ET TROJAN General Downloader or Virut C&C Ack (trojan.rules)
 2007595 - ET TROJAN Downloader.Dluca HTTP Checkin (trojan.rules)
 2007644 - ET TROJAN Win32.Agent.cah Checkin Request (trojan.rules)
 2007646 - ET TROJAN Farfli User Agent Detected (trojan.rules)
 2007700 - ET TROJAN ExplorerHijack Trojan HTTP Checkin (trojan.rules)
 2007838 - ET TROJAN Delf HTTP Checkin (1) (trojan.rules)
 2007858 - ET TROJAN Delf Keylog FTP Upload (trojan.rules)
 2007918 - ET TROJAN Dropper-497 (Yumato) System Stats Report (trojan.rules)
 2007919 - ET TROJAN Dropper-497 Yumato Reply from server (trojan.rules)
 2007939 - ET TROJAN Delf Checkin via HTTP (up) (trojan.rules)
 2007952 - ET TROJAN Downloader.49651 Checkin (trojan.rules)
 2007953 - ET TROJAN Downloader.49651 Install Report (trojan.rules)
 2007954 - ET TROJAN Downloader.49651 Online Report (trojan.rules)
 2007955 - ET TROJAN Cygo Checkin (trojan.rules)
 2007986 - ET TROJAN Emogen Reporting via HTTP (trojan.rules)
 2007987 - ET TROJAN Dropper.Win32.VB.on Keylog/System Info Report via HTTP (trojan.rules)
 2008031 - ET TROJAN Dorf/Win32.Inject.adt C&C Communication Outbound (trojan.rules)
 2008032 - ET TROJAN Dorf/Win32.Inject.adt C&C Communication Inbound (trojan.rules)
 2008047 - ET TROJAN Egspy Infection Report via HTTP (trojan.rules)
 2008071 - ET TROJAN Delf Checkin via HTTP (6) (trojan.rules)
 2008087 - ET TROJAN Downloader.VB.CEJ HTTP Checkin (trojan.rules)
 2008090 - ET TROJAN Delf Checkin via HTTP (7) (trojan.rules)
 2008136 - ET TROJAN Egspy Install Report via HTTP (trojan.rules)
 2008144 - ET TROJAN Proxy.Corpes.j Infection Report (trojan.rules)
 2008195 - ET TROJAN Dropper mdodo.com Related Trojan (trojan.rules)
 2008196 - ET TROJAN Dropper 6dzone.com Related Trojan (trojan.rules)
 2008237 - ET TROJAN Pass Stealer FTP Upload (trojan.rules)
 2008397 - ET TROJAN Fullspace.cc or Related Checkin (1) (trojan.rules)
 2008430 - ET TROJAN Win32.Dialer.buv Sending Information Home (trojan.rules)
 2008431 - ET TROJAN PWS.Gamania Checkin (trojan.rules)
 2008451 - ET TROJAN Donbot Report to CnC (trojan.rules)
 2008490 - ET TROJAN Dialer.Win32.E-Group.n Checkin (trojan.rules)
 2008523 - ET TROJAN Proxy.Win32.Fackemo.g/Katusha/FakeAlert Checkin (trojan.rules)
 2008674 - ET TROJAN Likely eCard Malware Laden Email Inbound (trojan.rules)
 2008807 - ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Start (trojan.rules)
 2008808 - ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Traffic (trojan.rules)
 2008906 - ET TROJAN Trojan.Delf-5496 Egg Request (trojan.rules)
 2008907 - ET TROJAN Trojan.Delf-5496 File Manager Access Report (trojan.rules)
 2008940 - ET TROJAN DNSChanger.AT or related Infection Checkin Post (trojan.rules)
 2008984 - ET TROJAN Trojan-GameThief.Win32.OnLineGames infection report (trojan.rules)
 2009204 - ET TROJAN Crypt.CFI.Gen Checkin (trojan.rules)
 2009209 - ET TROJAN Rogue A/V Win32/FakeXPA GET Request (trojan.rules)
 2009470 - ET TROJAN Generic Info Stealer - HTTP POST (trojan.rules)
 2009514 - ET TROJAN FAKE/ROGUE AV HTTP Post (trojan.rules)
 2009539 - ET TROJAN Downloader Infostealer - GET Checkin (trojan.rules)
 2009824 - ET TROJAN Downloader.Win32.Delf followon POST Data PUSH Packet (trojan.rules)
 2010007 - ET TROJAN Potential Gemini Malware Download (trojan.rules)
 2010138 - ET TROJAN Possible Win32/Agent.QBY CnC Post (trojan.rules)
 2010164 - ET TROJAN Daonol C&C Communication (trojan.rules)
 2010221 - ET TROJAN Possible Fake-Rean Installer Activity (Malwareurl.com Top 30) (trojan.rules)
 2010248 - ET TROJAN Eleonore Exploit Pack activity (trojan.rules)
 2010347 - ET TROJAN Fake/Rogue AV Landing Page Encountered (trojan.rules)
 2010450 - ET TROJAN Potential Gemini/Fake AV Download URL Detected (trojan.rules)
 2011086 - ET TROJAN Trojan-Dropper.Win32.Flystud (trojan.rules)
 2011128 - ET TROJAN Eleonore Exploit Pack activity variant May 2010 (trojan.rules)
 2011234 - ET TROJAN Cosmu Process Dump Report (trojan.rules)
 2011693 - ET TROJAN Fragus Exploit Kit Landing (trojan.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>