[Emerging-Sigs] Daily Ruleset Update Summary 2018/02/21

Travis Green tgreen at emergingthreats.net
Wed Feb 21 12:35:31 HST 2018


[***]            Summary:            [***]

3 new Open, 18 new Pro (3 + 15). BestaBid, Evrial Stealer, Jenkins RCE,
Various Mobile, Various Phishing.

Thanks: @deependresearch


[+++]          Added rules:          [+++]

Open:

 2025374 - ET CURRENT_EVENTS [Deepend Research] BestaBid FakeFlash Redirect
(current_events.rules)
 2025375 - ET TROJAN Evrial Stealer CnC Activity M2 (trojan.rules)
 2025376 - ET WEB_SPECIFIC_APPS Possible Jenkins CLI RCE (CVE-2017-1000353)
(web_specific_apps.rules)

Pro:

 2829750 - ETPRO TROJAN APT37 ZUMKONG CnC Beacon (trojan.rules)
 2829751 - ETPRO TROJAN APT37 ZUMKONG Fake User-Agent (trojan.rules)
 2829752 - ETPRO CURRENT_EVENTS Successful Apple Phish 2018-02-21
(current_events.rules)
 2829753 - ETPRO CURRENT_EVENTS Successful ING Phish 2018-02-21
(current_events.rules)
 2829754 - ETPRO CURRENT_EVENTS Successful Banco Bradesco Phish 2018-02-21
(current_events.rules)
 2829755 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2018-02-21
(current_events.rules)
 2829756 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.jz Reporting
Infection via SMTP (mobile_malware.rules)
 2829757 - ETPRO MOBILE_MALWARE Android/Agent.ATW Checkin
(mobile_malware.rules)
 2829758 - ETPRO TROJAN Shifr/Shurl0cker Ransomware Onion Domain in SNI
(u4hp32ms2u6s4x7q) (trojan.rules)
 2829759 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
287 (mobile_malware.rules)
 2829760 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
288 (mobile_malware.rules)
 2829761 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-02-21 1) (trojan.rules)
 2829762 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-02-21 2) (trojan.rules)
 2829763 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-02-21 3) (trojan.rules)
 2829764 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-02-21 4) (trojan.rules)


[///]     Modified active rules:     [///]

 2809907 - ETPRO TROJAN Win32/Jinupd.B Cnc Beacon (trojan.rules)
 2821692 - ETPRO TROJAN ZeusPOS Payload M2 (trojan.rules)
 2828212 - ETPRO TROJAN AgentTesla Communicating with CnC Server
(trojan.rules)
 2828641 - ETPRO TROJAN Reypston Ransomware Onion Domain in SNI
(dphux5xrwuaf4yey) (trojan.rules)
 2829626 - ETPRO TROJAN NameCoin .bit DNS Sinkhole Response (trojan.rules)
 2829732 - ETPRO TROJAN Shifr/Shurl0cker Ransomware CnC DNS Lookup
(trojan.rules)
 2829737 - ETPRO TROJAN MSIL/CrabbMiner CnC Activity (trojan.rules)


[---]         Disabled rules:        [---]

 2003180 - ET TROJAN Possible Warezov/Stration Data Post to Controller
(trojan.rules)
 2003436 - ET TROJAN Warezov/Stration Communicating with Controller 2
(trojan.rules)
 2006448 - ET TROJAN Win32.Agent.ajx Trojan Reporting to Server
(trojan.rules)
 2007573 - ET TROJAN Vundo.dam http Update (trojan.rules)
 2007608 - ET TROJAN Win32.Agent.bea C&C connection (trojan.rules)
 2007610 - ET TROJAN Win32.Small.qh/xSock Checkin URL Detected
(trojan.rules)
 2007620 - ET TROJAN Zlob Updating via HTTP (v2) (trojan.rules)
 2007769 - ET TROJAN Zhelatin Update Detected (trojan.rules)
 2007989 - ET TROJAN Vundo HTTP Pre-Install Checkin (trojan.rules)
 2007990 - ET TROJAN Vundo HTTP Post-Install Checkin (trojan.rules)
 2008004 - ET TROJAN Win32.Agent.cyt (Or variant) HTTP POST Checkin (2)
(trojan.rules)
 2008082 - ET TROJAN Vundo HTTP Post-Install Checkin (2) (trojan.rules)
 2008250 - ET TROJAN Winspywareprotect.com Fake AV/Anti-Spyware Install
Checkin (trojan.rules)
 2008319 - ET TROJAN Win32.Small.wpx or Related Downloader Posting Data
(trojan.rules)
 2008386 - ET TROJAN Zlob HTTP Checkin (trojan.rules)
 2008396 - ET TROJAN Zlob Initial Check-in Version 2 (confirm.php?sid=)
(trojan.rules)
 2008482 - ET TROJAN thespybot.com installation download detected
(trojan.rules)
 2008573 - ET TROJAN Viruscatch.co.kr/Win32.Small.hvd Mysql Command and
Control Connection (user viruscatch) (trojan.rules)
 2008949 - ET TROJAN Win32.Small.yml or Related HTTP Checkin (trojan.rules)
 2008950 - ET TROJAN Trojan.Win32.Small.yml client registration
(trojan.rules)
 2008951 - ET TROJAN Trojan.Win32.Small.yml client command (trojan.rules)
 2008952 - ET TROJAN Win32.Small.yml or Related HTTP Command (trojan.rules)
 2008976 - ET TROJAN Vundo Variant reporting to Controller via HTTP (1)
(trojan.rules)
 2008977 - ET TROJAN Vundo Variant reporting to Controller via HTTP (2)
(trojan.rules)
 2009174 - ET TROJAN Possible Vundo EXE Download Attempt (trojan.rules)
 2009457 - ET TROJAN Virut Counter/Check-in (trojan.rules)
 2009518 - ET TROJAN s4t4n1c Trojan Check-in (trojan.rules)
 2009829 - ET TROJAN Virut/Virutas/Virtob/QQHelper Dropper Family - HTTP
GET (trojan.rules)
 2009896 - ET TROJAN Win32/Winwebsec User-Agent Detected (trojan.rules)
 2010240 - ET TROJAN WindowsEnterpriseSuite FakeAV check-in HEAD
(trojan.rules)
 2010246 - ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST
initial check-in (trojan.rules)
 2011294 - ET TROJAN Trojan.Win32.FraudPack.aweo (trojan.rules)
 2011357 - ET TROJAN FakeAV SetupSecure Download Attempt SetupSecure
(trojan.rules)
 2011370 - ET TROJAN Stupid Stealer C&C Communication (1) (trojan.rules)
 2011371 - ET TROJAN Stupid Stealer C&C Communication (2) (trojan.rules)
 2011395 - ET TROJAN wisp backdoor detected reporting (trojan.rules)
 2011397 - ET TROJAN FakeYak or Related Infection Checkin 2 (trojan.rules)
 2011398 - ET TROJAN Yoyo-DDoS Bot Execute DDoS Command From CnC Server
(trojan.rules)
 2011399 - ET TROJAN Yoyo-DDoS Bot Download and Launch Executable Message
From CnC Server (trojan.rules)
 2011402 - ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Inbound (trojan.rules)
 2011403 - ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Outbound (trojan.rules)
 2011414 - ET TROJAN Win32/Small.gen!AQ Communication with Controller
(trojan.rules)
 2011419 - ET TROJAN FAKEAV landing page - sector.hdd.png no-repeat
(trojan.rules)
 2011470 - ET TROJAN Daurso FTP Credential Theft Reported (trojan.rules)
 2011471 - ET TROJAN Daurso Checkin (trojan.rules)
 2011473 - ET TROJAN Antivirus2010 Checkin port 8082 (trojan.rules)
 2011490 - ET TROJAN Downloader.Win32.Zlob.bgs Checkin(1) (trojan.rules)
 2011491 - ET TROJAN Downloader.Win32.Zlob.bgs Checkin(2) (trojan.rules)
 2011591 - ET TROJAN Potential-Hiloti/FakeAV site access (trojan.rules)
 2011592 - ET TROJAN Yoyo-DDoS Bot Download and Launch Executable Message
From CnC Server (trojan.rules)
 2011767 - ET TROJAN Avzhan DDOS Bot Inbound Hardcoded Malformed GET
Request Denial Of Service Attack Detected (trojan.rules)
 2011769 - ET TROJAN Shiz/Rohimafo Binary Download Request (trojan.rules)
 2011820 - ET TROJAN Fake AV CnC Checkin cycle_report (trojan.rules)
 2011849 - ET TROJAN Win32/Comotor.A!dll Reporting 2 (trojan.rules)
 2011851 - ET TROJAN Carberp CnC Reply no tasks (trojan.rules)
 2011862 - ET TROJAN Feodo Banking Trojan Account Details Post
(trojan.rules)
 2800809 - ETPRO TROJAN Backdoor.Win32.VBKrypt.dxe Bong (trojan.rules)
 2800810 - ETPRO TROJAN Trojan.Win32.Chif.A Checkin (trojan.rules)
 2800811 - ETPRO TROJAN Trojan.Win32.Infostealer.Nimkey (load)
(trojan.rules)
 2800812 - ETPRO TROJAN Trojan.Win32.Infostealer.Nimkey (upload)
(trojan.rules)
 2800815 - ETPRO TROJAN Trojan.Win32.Slagent Checkin (trojan.rules)
 2800817 - ETPRO TROJAN Win32.Banker.QO Checkin (trojan.rules)
 2800824 - ETPRO TROJAN Backdoor.Win32.Mexbank.A Response (trojan.rules)
 2800830 - ETPRO TROJAN Backdoor.Win32.Omexo.C Checkin (trojan.rules)


[---]         Removed rules:         [---]

 2022246 - ET TROJAN Backdoor User-Agent (InstallCapital) (trojan.rules)
 2829749 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-02-20 9) (trojan.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
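These daily summaries all share one layout, and anyone tracking SID churn in a Suricata deployment ends up scripting against it. The parser below is an added example written for this page, not code from the original post or from Emerging Threats. It assumes the layout visible above: "[+++] ... [+++]" style section headers, " <sid> - <msg> (<file>.rules)" entries that may wrap onto the following line, "ET " / "ETPRO " message prefixes marking the Open and Pro tiers, a "-- " signature separator ending the body, and the archive's mbox-style ">From" escaping of lines that begin with "From". SAMPLE is a constructed excerpt of this message; locally_enabled_but_disabled_upstream and the SID set passed to it are hypothetical, standing in for a subscriber's own suricata-update enable.conf.

```python
"""Parse an Emerging Threats daily ruleset summary into per-section SID changes.
Layout assumed from the message above (not an ET spec): "[+++]  Added rules:  [+++]"
headers, " <sid> - <msg> (<file>.rules)" entries that may wrap, "ET "/"ETPRO " tier
prefixes, and a "-- " signature separator ending the body."""
from __future__ import annotations
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^\[[-+/*]{3}\]\s+(.+?):\s+\[[-+/*]{3}\]\s*$")
ENTRY_RE = re.compile(r"^\s*(\d{7})\s+-\s+(.*\S)\s*$")
FILE_RE = re.compile(r"\s*\(([\w.-]+\.rules)\)\s*$")


@dataclass(frozen=True)
class RuleChange:
    sid: int
    tier: str         # "Open" for "ET ..." rules, "Pro" for "ETPRO ..." rules
    msg: str          # rule message without the trailing "(file.rules)"
    rules_file: str   # e.g. "trojan.rules"


def parse_summary(text: str) -> dict[str, list[RuleChange]]:
    sections: dict[str, list[RuleChange]] = {}
    current = None    # name of the section being read
    pending = None    # (sid, text) of an entry that may still wrap onto the next line

    def flush() -> None:
        nonlocal pending
        if pending and current:
            sid, body = pending
            m = FILE_RE.search(body)
            msg = body[: m.start()].rstrip() if m else body
            tier = "Pro" if msg.startswith("ETPRO ") else "Open"
            sections[current].append(RuleChange(sid, tier, msg, m.group(1) if m else ""))
        pending = None

    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(">From "):   # mbox escaping of a leading "From " in the archive
            line = line[1:]
        if line == "--":                # signature separator: end of the message body
            break
        if sec := SECTION_RE.match(line):
            flush()
            current = sec.group(1)
            sections.setdefault(current, [])
        elif (ent := ENTRY_RE.match(line)) and current:
            flush()
            pending = (int(ent.group(1)), ent.group(2))
        elif not line.strip() or line.strip() in ("Open:", "Pro:"):
            flush()
        elif pending:                   # continuation of a wrapped entry
            pending = (pending[0], pending[1] + " " + line.strip())
    flush()
    return sections


def sids_for_tier(sections: dict[str, list[RuleChange]], tier: str) -> dict[str, set[int]]:
    """SIDs per section that reach a subscriber of the given tier: Open subscribers
    receive only "ET " rules, Pro subscribers receive both."""
    want = {"Open"} if tier == "Open" else {"Open", "Pro"}
    return {name: {c.sid for c in changes if c.tier in want}
            for name, changes in sections.items() if changes}


def locally_enabled_but_disabled_upstream(sections, local_enable_sids) -> set[int]:
    """Hypothetical check: SIDs a local enable.conf force-enables that ET has just
    disabled or removed. enable.conf would revive a rule ET chose to turn off, and a
    removed SID cannot be enabled at all, so both deserve a look before the next update."""
    upstream_off = {c.sid for name in ("Disabled rules", "Removed rules")
                    for c in sections.get(name, [])}
    return upstream_off & set(local_enable_sids)


# Constructed excerpt of the 2018/02/21 message above (lines copied verbatim).
SAMPLE = """\
[+++]          Added rules:          [+++]

Open:
 2025374 - ET CURRENT_EVENTS [Deepend Research] BestaBid FakeFlash Redirect
(current_events.rules)
 2025376 - ET WEB_SPECIFIC_APPS Possible Jenkins CLI RCE (CVE-2017-1000353)
(web_specific_apps.rules)

Pro:
 2829758 - ETPRO TROJAN Shifr/Shurl0cker Ransomware Onion Domain in SNI
(u4hp32ms2u6s4x7q) (trojan.rules)

[---]         Disabled rules:        [---]

 2011399 - ET TROJAN Yoyo-DDoS Bot Download and Launch Executable Message
>From CnC Server (trojan.rules)

[---]         Removed rules:         [---]

 2022246 - ET TROJAN Backdoor User-Agent (InstallCapital) (trojan.rules)

-- 
PGP: 0xBED7B297
"""
```

Feed parse_summary the raw text of a summary mail and index the result by section name; sids_for_tier(..., "Open") is the view an ET Open subscriber cares about, since the Pro-only SIDs in the Added and Modified sections never appear in their ruleset.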