[Emerging-Sigs] Daily Ruleset Update Summary 2018/02/26

Travis Green tgreen at emergingthreats.net
Mon Feb 26 11:44:38 HST 2018


[***]            Summary:            [***]

14 new Open, 35 new Pro (14 + 21). SteamStealer, QRat.Java.RAT, OilRig,
Various Phishing.

Try the new feedback tool: https://feedback.emergingthreats.net/feedback

Thanks: @TedDorosheff


[+++]          Added rules:          [+++]

Open:

 2025386 - ET TROJAN SteamStealer DNS Lookup (steamdesktopauthenticator)
(trojan.rules)
 2025387 - ET TROJAN SteamStealer Domain in SNI (trojan.rules)
 2025388 - ET TROJAN SteamStealer Malicious SSL Certificate Detected
(trojan.rules)
 2025389 - ET TROJAN SteamStealer DNS Lookup (lightalex) (trojan.rules)
 2025390 - ET TROJAN SteamStealer DNS Lookup (steamdesktop) (trojan.rules)
 2025391 - ET TROJAN [PTsecurity] QRat.Java.RAT (state_alive) (trojan.rules)
 2025392 - ET TROJAN QRat.Java.RAT Checkin Response (trojan.rules)
 2025393 - ET TROJAN QRat.Java.RAT Post-Checkin Request (trojan.rules)
 2025394 - ET CURRENT_EVENTS Craigslist Phishing Landing 2018-02-26
(current_events.rules)
 2025395 - ET CURRENT_EVENTS Credit Mutuel de Bretagne (FR) Phishing
Landing 2018-02-26 (current_events.rules)
 2025396 - ET CURRENT_EVENTS Facebook Mobile Phishing Landing 2018-02-26
(current_events.rules)
 2025397 - ET CURRENT_EVENTS Mailbox Update Phishing Landing 2018-02-26
(current_events.rules)
 2025398 - ET CURRENT_EVENTS Amazon Phishing Landing (DE) 2018-02-26
(current_events.rules)
 2025399 - ET INFO Suspicious Browser Plugin Detect - Observed in Phish
Landings (info.rules)

Pro:

 2829790 - ETPRO TROJAN Sality.AE Checkin (trojan.rules)
 2829791 - ETPRO TROJAN Sality.AE Checkin 2 (trojan.rules)
 2829792 - ETPRO EXPLOIT Adobe Reader docID RCE (CVE-2018-4901)
(exploit.rules)
 2829793 - ETPRO TROJAN OilRig OopsIE CnC DNS Lookup (trojan.rules)
 2829794 - ETPRO TROJAN OilRig Infrastructure DNS Lookup M1 (trojan.rules)
 2829795 - ETPRO TROJAN OilRig Infrastructure DNS Lookup M2 (trojan.rules)
 2829796 - ETPRO TROJAN OilRig OopsIE CnC Checkin (trojan.rules)
 2829797 - ETPRO TROJAN OilRig OopsIE Sending Data to CnC (trojan.rules)
 2829798 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2018-02-25
(current_events.rules)
 2829799 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc Payload
2018-02-26) (current_events.rules)
 2829800 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
291 (mobile_malware.rules)
 2829801 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2018-02-26
(current_events.rules)
 2829802 - ETPRO CURRENT_EVENTS Successful Generic Phish 2018-02-26 (set)
(current_events.rules)
 2829803 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2018-02-26
(current_events.rules)
 2829804 - ETPRO CURRENT_EVENTS Successful MyBell.ca Phish 2018-02-26
(current_events.rules)
 2829805 - ETPRO CURRENT_EVENTS Successful Craigslist Phish 2018-02-26
(current_events.rules)
 2829806 - ETPRO TROJAN Icefog Domain Observed (uzwatersource .dynamic-dns
.net in DNS Lookup) (trojan.rules)
 2829807 - ETPRO TROJAN Icefog Domain Observed (uzwatersource .dynamic-dns
.net in TLS SNI) (trojan.rules)
 2829808 - ETPRO POLICY CoinMiner Mining Pool DNS Lookup (policy.rules)
 2829809 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-02-26 1) (trojan.rules)
 2829810 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-02-26 2) (trojan.rules)


[///]     Modified active rules:     [///]

 2012801 - ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup
(trojan.rules)
 2803218 - ETPRO TROJAN W32/UFR_Stealer User-Agent (Trololo) (trojan.rules)
 2804324 - ETPRO TROJAN W32/UFR_Stealer sending stolen data via FTP
(trojan.rules)
 2805133 - ETPRO TROJAN Win32/Zegost.Z CnC Traffic (trojan.rules)
 2811695 - ETPRO TROJAN Win32/Onliner Spam Bot CnC Beacon (trojan.rules)
 2811697 - ETPRO TROJAN Win32/Onliner Spam Bot CnC Beacon Response
(trojan.rules)
 2811698 - ETPRO TROJAN Win32/Onliner Spam Bot CnC (trojan.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
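The summary above follows a fixed layout: bracketed section banners, Open/Pro subsections under "Added rules", one seven-digit SID per entry with long titles wrapped onto a continuation line, the rules file in a trailing parenthetical, and a headline count in which the Pro total includes the Open rules ("35 new Pro (14 + 21)"). The following is an added example, not code from the Emerging Threats post or project, that parses that layout and cross-checks the headline counts, the SID ranges and the per-file split. SAMPLE is a constructed, abbreviated excerpt built from entries in this post; the function names and the SID_RANGES table (the ranges ET allocates to ET Open and ETPRO signatures) are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample: an abbreviated excerpt in the layout of the summary above,
# using entries copied from it, so the example runs offline.
SAMPLE = """\
[***]            Summary:            [***]

3 new Open, 5 new Pro (3 + 2). SteamStealer, Various Phishing.

[+++]          Added rules:          [+++]

Open:

 2025386 - ET TROJAN SteamStealer DNS Lookup (steamdesktopauthenticator)
(trojan.rules)
 2025387 - ET TROJAN SteamStealer Domain in SNI (trojan.rules)
 2025394 - ET CURRENT_EVENTS Craigslist Phishing Landing 2018-02-26
(current_events.rules)

Pro:

 2829793 - ETPRO TROJAN OilRig OopsIE CnC DNS Lookup (trojan.rules)
 2829798 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2018-02-25
(current_events.rules)

[///]     Modified active rules:     [///]

 2012801 - ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup
(trojan.rules)
"""

SECTION_RE = re.compile(r"^\[(\*\*\*|\+\+\+|///)\]\s+(.+?):?\s+\[\1\]$")
SUBSECTION_RE = re.compile(r"^(Open|Pro):$")
RULE_RE = re.compile(r"^(\d{7}) - (.+)$")
FILE_RE = re.compile(r"\(([\w.-]+\.rules)\)$")
COUNT_RE = re.compile(r"(\d+) new Open, (\d+) new Pro \((\d+) \+ (\d+)\)")

# Assumed SID allocation: ET Open signatures in 2000000-2099999, ETPRO in 2800000-2899999.
SID_RANGES = {"Open": (2000000, 2099999), "Pro": (2800000, 2899999)}


def parse_summary(text):
    """Return a list of {section, sub, sid, msg, rule_file} dicts.

    Wrapped titles continue on a line with no SID; such lines are glued back
    onto the preceding entry so the trailing "(file.rules)" can be recovered.
    """
    entries, section, sub, last = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, sub, last = m.group(2), None, None
            continue
        m = SUBSECTION_RE.match(line)
        if m:
            sub, last = m.group(1), None
            continue
        m = RULE_RE.match(line)
        if m and section in ("Added rules", "Modified active rules"):
            last = {"section": section, "sub": sub, "sid": int(m.group(1)),
                    "msg": m.group(2), "rule_file": None}
            entries.append(last)
        elif last is not None:
            last["msg"] += " " + line  # continuation of a wrapped title
    for e in entries:
        m = FILE_RE.search(e["msg"])
        if m:
            e["rule_file"] = m.group(1)
            e["msg"] = e["msg"][: m.start()].rstrip()
    return entries


def check_summary(text):
    """Cross-check headline counts, SID ranges and rule files against the listing."""
    entries = parse_summary(text)
    added = [e for e in entries if e["section"] == "Added rules"]
    n_open = sum(e["sub"] == "Open" for e in added)
    n_pro_only = sum(e["sub"] == "Pro" for e in added)
    problems = []
    m = COUNT_RE.search(text)
    if not m:
        problems.append("no headline count found")
    else:
        c_open, c_pro, c_pro_open, c_pro_only = map(int, m.groups())
        # Pro subscribers also get the Open rules, hence "Pro (open + pro-only)".
        if (c_open, c_pro_open, c_pro_only, c_pro) != (n_open, n_open, n_pro_only, n_open + n_pro_only):
            problems.append(f"headline {c_open} open / {c_pro} pro, listed {n_open} / {n_open + n_pro_only}")
    for e in added:
        rng = SID_RANGES.get(e["sub"])
        if rng is None:
            problems.append(f"sid {e['sid']} listed outside an Open:/Pro: subsection")
        elif not rng[0] <= e["sid"] <= rng[1]:
            problems.append(f"sid {e['sid']} outside the {e['sub']} SID range")
    for e in entries:
        if e["rule_file"] is None:
            problems.append(f"sid {e['sid']} has no rules file")
    return {"open": n_open, "pro_only": n_pro_only, "modified": len(entries) - len(added),
            "by_file": dict(Counter(e["rule_file"] for e in entries)), "problems": problems}


if __name__ == "__main__":
    print(check_summary(SAMPLE))
```

Run against the full post, the checker confirms the 14 / 21 split in the Summary line; the sorted SIDs of the added entries are also the list you would hand to a rule manager (for suricata-update, one SID per line in enable.conf) if you want the day's additions enabled explicitly.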