[Emerging-Sigs] Daily Ruleset Update Summary 2018/02/07

Travis Green tgreen at emergingthreats.net
Wed Feb 7 13:32:27 HST 2018


[***]            Summary:            [***]

9 new Open, 19 new Pro (9 + 10). MSIL/mbobbRAT, Sneark, ELF/Lady.G, Various
Mobile, Various Phishing.

Thanks: @illegalfawn


[+++]          Added rules:          [+++]

Open:

 2025321 - ET CURRENT_EVENTS Ebay Phishing Landing 2018-02-07 (current_events.rules)
 2025322 - ET CURRENT_EVENTS Google Drive Phishing Landing 2018-02-07 (current_events.rules)
 2025323 - ET CURRENT_EVENTS Dropbox Business Phishing Landing 2018-02-07 (current_events.rules)
 2025324 - ET CURRENT_EVENTS Apple Phishing Landing 2018-02-07 (current_events.rules)
 2025325 - ET CURRENT_EVENTS Dropbox Business Phishing Landing 2018-02-07 (current_events.rules)
 2025326 - ET CURRENT_EVENTS Outlook Web App Phishing Landing 2018-02-07 (current_events.rules)
 2025327 - ET CURRENT_EVENTS Dropbox/OneDrive Phishing Landing 2018-02-07 (current_events.rules)
 2025328 - ET CURRENT_EVENTS Chase Phishing Landing 2018-02-07 (current_events.rules)
 2025329 - ET CURRENT_EVENTS Mailbox Verification Phishing Landing 2018-02-07 (current_events.rules)

Pro:

 2829582 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-07 1) (trojan.rules)
 2829583 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-07 2) (trojan.rules)
 2829584 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-07 3) (trojan.rules)
 2829585 - ETPRO TROJAN MSIL/mbobbRAT Activity (trojan.rules)
 2829586 - ETPRO TROJAN Trensil.B Checkin (trojan.rules)
 2829587 - ETPRO TROJAN Sneark Checkin (trojan.rules)
 2829588 - ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.TF Checkin (mobile_malware.rules)
 2829589 - ETPRO TROJAN ELF/Lady.G Connectivity Check (trojan.rules)
 2829590 - ETPRO CURRENT_EVENTS Generic DZNoob Phishing Landing 2018-02-07 (current_events.rules)
 2829591 - ETPRO TROJAN DanderSpritz Implant Communicating with PeddleCheap Module (trojan.rules)


[+++]  Enabled and modified rules:   [+++]

 2025319 - ET POLICY [Fidelis] Abnormal x509v3 SubjectKeyIdentifier extension (policy.rules)
 2025320 - ET POLICY [Fidelis] Abnormal Very Long x509v3 SubjectKeyIdentifier Extension (policy.rules)


[///]     Modified active rules:     [///]

 2013293 - ET TROJAN Win32.Glupteba/ClIEcker CnC Checkin (trojan.rules)
 2025278 - ET CURRENT_EVENTS Mailbox Verification Phishing Landing 2018-01-31 (current_events.rules)
 2025310 - ET CURRENT_EVENTS Mailbox Upgrade Phishing Landing 2018-02-05 (current_events.rules)
 2809682 - ETPRO TROJAN Andromeda/Gamarue Checkin (trojan.rules)
 2827475 - ETPRO TROJAN Win32/Ilomo.I CnC Communications (trojan.rules)
 2828913 - ETPRO TROJAN WIN32/KOVTER.B Checkin 2 M3 (trojan.rules)
 2829548 - ETPRO TROJAN W32/Kimsuky Sending Encrypted System Information to CnC (trojan.rules)
 2829552 - ETPRO TROJAN W32/Kimsuky Requesting Stage 2 Payload (trojan.rules)


[---]  Disabled and modified rules:  [---]

 2805875 - ETPRO TROJAN Win32/Reveton.N Checkin (trojan.rules)
 2829200 - ETPRO CURRENT_EVENTS Possible Successful Cyberplus (FR) Phish M1 2018-01-08 (current_events.rules)


[---]         Disabled rules:        [---]

 2002776 - ET TROJAN SickleBot Reporting User Activity (trojan.rules)
 2003296 - ET TROJAN Possible Web-based DDoS-command being issued (trojan.rules)
 2003431 - ET TROJAN Unnamed Generic.Malware http get (trojan.rules)
 2003932 - ET TROJAN Hupigon User Agent Detected (IE_7.0) (trojan.rules)
 2006399 - ET TROJAN Socks666 Checkin Success Packet (trojan.rules)
 2007142 - ET TROJAN Virtumonde Variant Reporting to Controller via HTTP (trojan.rules)
 2007285 - ET TROJAN Virtumonde Variant Reporting to Controller via HTTP (2) (trojan.rules)
 2007566 - ET TROJAN Downloader.MisleadApp Fake Security Product Install (trojan.rules)
 2007613 - ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1 (trojan.rules)
 2007614 - ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3 (trojan.rules)
 2007618 - ET TROJAN Storm Worm ICMP DDOS Traffic (trojan.rules)
 2007688 - ET TROJAN Prg Trojan HTTP POST v1 (trojan.rules)
 2007698 - ET TROJAN Vanquish Trojan HTTP Checkin (trojan.rules)
 2007724 - ET TROJAN Prg Trojan HTTP POST version 2 (trojan.rules)
 2007752 - ET TROJAN Saturn Proxy Checkin Response (trojan.rules)
 2007753 - ET TROJAN Saturn Proxy C&C Activity (trojan.rules)
 2007780 - ET TROJAN Ssppyy.com Surveillance Agent Reporting via Email (trojan.rules)
 2007807 - ET TROJAN Rcash.co.kr Bootup Checkin via HTTP (trojan.rules)
 2007811 - ET TROJAN Metajuan trojan checkin (trojan.rules)
 2007834 - ET TROJAN Renos/ssd.com HTTP Checkin (trojan.rules)
 2007898 - ET TROJAN Sohanad Checkin via HTTP (trojan.rules)
 2007949 - ET TROJAN Medbod UDP Phone Home Packet (trojan.rules)
 2007965 - ET TROJAN Goldun Reporting Install (trojan.rules)
 2007974 - ET TROJAN Perfect Keylogger FTP Log Upload (trojan.rules)
 2008025 - ET TROJAN Turkojan C&C Logs Parse Response Response (LOGS1) (trojan.rules)
 2008028 - ET TROJAN Turkojan C&C Browse Drive Command Response (metin) (trojan.rules)
 2008030 - ET TROJAN Turkojan C&C nxt Command Response (nxt) (trojan.rules)
 2008130 - ET TROJAN Win32.Lydra.hj HTTP Checkin (trojan.rules)
 2008155 - ET TROJAN Trats.a Post-Infection Checkin (trojan.rules)
 2008236 - ET TROJAN Fake.Googlebar or Softcash.org Related Post-Infection Checkin (trojan.rules)
 2008261 - ET TROJAN Common Spambot HTTP Checkin (trojan.rules)
 2008277 - ET TROJAN Pakes Winifixer.com Related Checkin URL (trojan.rules)
 2008280 - ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (trojan.rules)
 2008285 - ET TROJAN RLPacked Binary - Likely Hostile (trojan.rules)
 2008324 - ET TROJAN Zalupko/Koceg/Mandaph manda.php Checkin (trojan.rules)
 2008341 - ET TROJAN Themida Packed Binary - Likely Hostile (trojan.rules)
 2008347 - ET TROJAN Swizzor Checkin (trojan.rules)
 2008358 - ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports (trojan.rules)
 2008369 - ET TROJAN Keylogger Crack by bahman (trojan.rules)
 2008384 - ET TROJAN Piptea.a Related Trojan Checkin (3) (trojan.rules)
 2008393 - ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (2) (trojan.rules)
 2008395 - ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (3) (trojan.rules)
 2008405 - ET TROJAN Obitel trojan calling home (trojan.rules)
 2008449 - ET TROJAN Keylogger.ane Checkin (trojan.rules)
 2008471 - ET TROJAN HotLan.C Spambot C&C download command (trojan.rules)
 2008473 - ET TROJAN HotLan.C Spambot Trojan Activity (trojan.rules)
 2008481 - ET TROJAN Trojan-PSW.Win32.Nilage.crg Checkin (trojan.rules)
 2008493 - ET TROJAN Pushdo Checkin (trojan.rules)
 2008506 - ET TROJAN Trojan-PWS.Win32.VB.tr Checkin Detected (trojan.rules)
 2008515 - ET TROJAN Hupigon.AZG Checkin (trojan.rules)
 2008521 - ET TROJAN Keylogger Infection Report via POST (trojan.rules)
 2008522 - ET TROJAN Stpage Checkin (nomodem) (trojan.rules)
 2008580 - ET TROJAN Trojan Sinowal/Torpig Phoning Home (trojan.rules)
 2008642 - ET TROJAN Keylogger PRO GOLD Post (trojan.rules)
 2008662 - ET TROJAN Generic PSW Agent server reply (trojan.rules)
 2008689 - ET TROJAN Gimmiv.A.dll Infection (trojan.rules)
 2008733 - ET TROJAN Trojan.Win32.Regrun.ro FTP connection detected (trojan.rules)
 2008758 - ET TROJAN Mcboo.com/Bundlext.com related Trojan Checkin URL (trojan.rules)
 2008760 - ET TROJAN Insidebar.co.kr Related Infection Checkin (trojan.rules)
 2008841 - ET TROJAN Trojan-PWS.Win32.Small.gs Passwords leak over FTP (trojan.rules)
 2008911 - ET TROJAN Spyguarder.com Fake AV Install Report (trojan.rules)
 2008920 - ET TROJAN Backdoor.Win32/PcClient.ZL Checkin (trojan.rules)
 2008972 - ET TROJAN Pointfree.co.kr Trojan/Spyware Infection Checkin (trojan.rules)
 2008973 - ET TROJAN onmuz.com Infection Activity (trojan.rules)
 2009003 - ET TROJAN Win32/Korklic.A (trojan.rules)
 2009077 - ET TROJAN TROJ_INJECT.NI Update Request (trojan.rules)
 2009094 - ET TROJAN Password Stealer (PSW.Win32.Magania Family) GET (trojan.rules)
 2009096 - ET TROJAN Tigger.a/Syzor Control Checkin (trojan.rules)
 2009126 - ET TROJAN Win32/Monkif Downloader Checkin (trojan.rules)
 2009239 - ET TROJAN PcClient Backdoor Checkin (trojan.rules)
 2009242 - ET TROJAN LDPinch Reporting infection via Email (trojan.rules)
 2009300 - ET TROJAN Small.zon checkin (trojan.rules)
 2009347 - ET TROJAN Tigger.a/Syzor Checkin (trojan.rules)
 2009405 - ET TROJAN Personal Defender 2009 - prinimalka.py (trojan.rules)
 2009406 - ET TROJAN Personal Defender 2009 - trash.py (trojan.rules)
 2009443 - ET TROJAN NoBo Downloader Dropper GET (trojan.rules)
 2009517 - ET TROJAN Qhosts Trojan Check-in (trojan.rules)
 2009532 - ET TROJAN BackDoor-EGB Check-in (trojan.rules)
 2009533 - ET TROJAN Keylogger Pro Update Check (trojan.rules)
 2009694 - ET TROJAN Navipromo related update (trojan.rules)
 2009752 - ET TROJAN Monkif/DlKroha Trojan Activity HTTP Outbound (trojan.rules)
 2009811 - ET TROJAN KillAV/Dropper/Mdrop/Hupigon - HTTP GET (trojan.rules)
 2009830 - ET TROJAN Win32/Wombot.A checkin Possible Bruteforcer for Web Forms and Accounts - HTTP POST (trojan.rules)
 2010065 - ET TROJAN SafeFighter Fake Scanner Installation in Progress (trojan.rules)
 2010158 - ET TROJAN Nanspy Bot Checkin (trojan.rules)
 2010163 - ET TROJAN Glacial Dracon C&C Communication (trojan.rules)
 2010201 - ET TROJAN Silon Encrypted Data POST to C&C (trojan.rules)
 2010224 - ET TROJAN Opachki Link Hijacker Traffic Redirection (trojan.rules)
 2010230 - ET TROJAN W32.Koblu (trojan.rules)
 2010267 - ET TROJAN Sinowal/Torpig Checkin (trojan.rules)
 2010268 - ET TROJAN W32.SillyFDC Checkin (trojan.rules)
 2010282 - ET TROJAN Generic Trojan Checkin (double Content-Type headers) (trojan.rules)
 2010283 - ET TROJAN Opachki Link Hijacker HTTP Header Injection (trojan.rules)
 2010441 - ET TROJAN Possible Storm Variant HTTP Post (S) (trojan.rules)
 2010442 - ET TROJAN Possible Storm Variant HTTP Post (U) (trojan.rules)
 2010723 - ET TROJAN Oficla Russian Malware Bundle C&C instruction response with runurl (trojan.rules)
 2010724 - ET TROJAN Oficla Russian Malware Bundle C&C instruction response (trojan.rules)
 2010744 - ET TROJAN Oficla Russian Malware Bundle C&C instruction response (2) (trojan.rules)
 2010822 - ET TROJAN smain?scout=acxc Generic Download landing (trojan.rules)
 2010823 - ET TROJAN Torpig Related Fake User-Agent (Apache (compatible...)) (trojan.rules)
 2010872 - ET TROJAN Pragma hack Detected Outbound - Likely Infected Source (trojan.rules)
 2011104 - ET TROJAN Exploit kit attack activity likely hostile (trojan.rules)
 2011186 - ET TROJAN Nine Ball Infection ya.ru Post (trojan.rules)
 2011236 - ET TROJAN Trojan-Downloader Win32.Genome.avan (trojan.rules)


[---]         Removed rules:         [---]

 2811272 - ETPRO CURRENT_EVENTS Angler EK Landing June 05 2015 M4 (current_events.rules)
 2816512 - ETPRO CURRENT_EVENTS Angler EK Landing Mar 02 2016 M1 T3 (current_events.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>