[Emerging-Sigs] Daily Ruleset Update Summary 2018/01/05

Travis Green tgreen at emergingthreats.net
Fri Jan 5 13:00:33 HST 2018


[***]            Summary:            [***]

1 new Open, 18 new Pro (1 + 17). MSIL.NepaCollector, Weblogic XMLDecoder
RCE (CVE-2017-10271), Various Phishing.


[+++]          Added rules:          [+++]

Open:

 2025187 - ET TROJAN MedusaHTTP CnC Checkin (trojan.rules)

Pro:

 2829177 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2018-01-05
(current_events.rules)
 2829178 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-01-05
(current_events.rules)
 2829179 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-01-05
(current_events.rules)
 2829180 - ETPRO TROJAN iSpy Keylogger Reporting Infection via SMTP M3
(trojan.rules)
 2829181 - ETPRO CURRENT_EVENTS Successful Generic Financial Phish (BR)
2018-01-05 (current_events.rules)
 2829182 - ETPRO WEB_CLIENT Weblogic XMLDecoder RCE (CVE-2017-10271)
(web_client.rules)
 2829183 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-01-05 1) (trojan.rules)
 2829184 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-01-05 2) (trojan.rules)
 2829185 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-01-05 3) (trojan.rules)
 2829186 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-01-05 4) (trojan.rules)
 2829187 - ETPRO TROJAN MSIL.NepaCollector CnC M1 (buildInfo) (trojan.rules)
 2829188 - ETPRO TROJAN MSIL.NepaCollector CnC M2 (isMaster) (trojan.rules)
 2829189 - ETPRO TROJAN MSIL.NepaCollector CnC M3 (getLastError)
(trojan.rules)
 2829190 - ETPRO TROJAN MSIL.NepaCollector CnC M4 (saslStart) (trojan.rules)
 2829191 - ETPRO TROJAN MSIL.NepaCollector CnC M5 (saslContinue)
(trojan.rules)
 2829192 - ETPRO TROJAN MSIL.NepaCollector CnC M6 (insert) (trojan.rules)
 2829193 - ETPRO TROJAN MSIL.NepaCollector CnC M7 (count) (trojan.rules)


[///]     Modified active rules:     [///]

 2828647 - ETPRO POLICY Observed XMRig Coinminer json Config Inbound
(policy.rules)
 2829005 - ETPRO CURRENT_EVENTS Successful Generic Phish 2017-12-20
(current_events.rules)


[---]         Disabled rules:        [---]

 2011412 - ET ACTIVEX Apple QuickTime _Marshaled_pUnk Backdoor Param
Arbitrary Code Execution Attempt (activex.rules)
 2012095 - ET ACTIVEX J-Integra Remote Code Execution (activex.rules)
 2012102 - ET ACTIVEX Image Viewer CP Gold Image2PDF Buffer Overflow
(activex.rules)
 2012145 - ET ACTIVEX Netcraft Toolbar Remote Code Execution (activex.rules)
 2012146 - ET ACTIVEX ImageShack Toolbar Remote Code Execution
(activex.rules)
 2012192 - ET ACTIVEX NewV SmartClient NewvCommon.ocx DelFile Method
Arbitrary File Deletion Attempt (activex.rules)
 2012194 - ET ACTIVEX Real Networks RealPlayer SP RecordClip Method Remote
Code Execution Attempt (activex.rules)
 2012218 - ET ACTIVEX Possible UserManager SelectServer method Buffer
Overflow Attempt (activex.rules)
 2012231 - ET ACTIVEX Oracle Document Capture Insecure Read Method File
Access Attempt (activex.rules)
 2012232 - ET ACTIVEX Oracle Document Capture File Deletion Attempt
(activex.rules)
 2012233 - ET ACTIVEX Oracle Document Capture File Overwrite Attempt
(activex.rules)
 2012543 - ET ACTIVEX RealPlayer CDDA URI Overflow Uninitialized Pointer
Attempt (activex.rules)
 2012636 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1
InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
 2012637 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1
InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
 2012638 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1
InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
 2012639 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1
InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
 2012640 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1
InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
 2012641 - ET ACTIVEX Sun Java Runtime New Plugin Docbase Buffer Overflow
Attempt (activex.rules)
 2012929 - ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Arbitrary
Program Execution Attempt (activex.rules)
 2013130 - ET ACTIVEX Black Ice Cover Page SDK DownloadImageFileURL Method
Exploit (activex.rules)
 2013131 - ET ACTIVEX Black Ice Fax Voice SDK GetItemQueue Method Remote
Code Execution Exploit (activex.rules)
 2013132 - ET ACTIVEX Black Ice Fax Voice SDK GetFirstItem Method Remote
Code Execution Exploit (activex.rules)
 2013565 - ET ACTIVEX Tom Sawyer Software Possible Memory Corruption
Attempt (activex.rules)
 2013750 - ET ACTIVEX DivX Plus Web Player DivXPlaybackModule File URL
Buffer Overflow Attempt (activex.rules)
 2014151 - ET CURRENT_EVENTS Known Malicious Link Leading to Exploit Kits
(t.php?id=is1) (current_events.rules)
 2014155 - ET CURRENT_EVENTS JavaScript Obfuscation JSXX Script
(current_events.rules)
 2014197 - ET CURRENT_EVENTS Yang Pack Exploit Kit Landing Page Known
JavaScript Function Detected (current_events.rules)
 2014203 - ET CURRENT_EVENTS CUTE-IE.html CutePack Exploit Kit Landing Page
Request (current_events.rules)
 2014204 - ET CURRENT_EVENTS CutePack Exploit Kit JavaScript Variable
Detected (current_events.rules)
 2014205 - ET CURRENT_EVENTS CUTE-IE.html CutePack Exploit Kit Iframe for
Landing Page Detected (current_events.rules)
 2014206 - ET CURRENT_EVENTS CutePack Exploit Kit Landing Page Detected
(current_events.rules)
 2014308 - ET CURRENT_EVENTS Obfuscated Content Using Dadongs JSXX 0.41 VIP
Obfuscation Script (current_events.rules)
 2014318 - ET CURRENT_EVENTS Clickpayz redirection to *.clickpayz.com
(current_events.rules)
 2014319 - ET CURRENT_EVENTS Dadong Java Exploit Requested
(current_events.rules)
 2014429 - ET CURRENT_EVENTS Java Rhino Exploit Attempt - evilcode.class
(current_events.rules)
 2014458 - ET CURRENT_EVENTS Italian Spam Campaign (current_events.rules)
 2014561 - ET CURRENT_EVENTS landing page with malicious Java applet
(current_events.rules)
 2014565 - ET CURRENT_EVENTS JavaScript Determining OS MAC and Serving Java
Archive File (current_events.rules)
 2014568 - ET CURRENT_EVENTS Unkown exploit kit jar download
(current_events.rules)
 2014569 - ET CURRENT_EVENTS Unkown exploit kit version check
(current_events.rules)
 2014577 - ET CURRENT_EVENTS ET CURRENT_EVENTS Italian Spam Campaign ZIP
with EXE Containing Many Underscores (current_events.rules)
 2014607 - ET CURRENT_EVENTS Nikjju Mass Injection Compromised Site Served
To Local Client (current_events.rules)
 2014608 - ET CURRENT_EVENTS Nikjju Mass Injection Internal WebServer
Compromised (current_events.rules)
 2014615 - ET CURRENT_EVENTS Jembot PHP Webshell (hell.php)
(current_events.rules)
 2014619 - ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call
Remote Command Execution (activex.rules)
 2014620 - ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call
Remote Command Execution 2 (activex.rules)
 2014710 - ET ACTIVEX Possible Samsung NET-i Viewer Active-X SEH Overwrite
(activex.rules)
 2014805 - ET CURRENT_EVENTS Unknown java_ara Bin Download
(current_events.rules)
 2014827 - ET CURRENT_EVENTS FedEX Spam Inbound (current_events.rules)
 2014829 - ET CURRENT_EVENTS Post Express Spam Inbound
(current_events.rules)
 2014831 - ET ACTIVEX Possible Wireless Manager Sony VAIO
SetTmpProfileOption Method Access Buffer Overflow (activex.rules)
 2014832 - ET ACTIVEX Possible Wireless Manager Sony VAIO ConnectToNetwork
Method Access Buffer Overflow (activex.rules)
 2014848 - ET CURRENT_EVENTS webshell used In timthumb attacks GIF98a
16129xX with PHP (current_events.rules)
 2014891 - ET CURRENT_EVENTS RedKit - Java Exploit Requested - 5 digit jar
(current_events.rules)
 2014892 - ET CURRENT_EVENTS RedKit - Jar File Naming Algorithm
(current_events.rules)
 2014895 - ET CURRENT_EVENTS RedKit - Landing Page Received - applet and
code (current_events.rules)
 2014927 - ET CURRENT_EVENTS Unknown Java Malicious Jar /eeltff.jar
(current_events.rules)
 2014928 - ET CURRENT_EVENTS Unknown - Java Request .jar from dl.dropbox.com
(current_events.rules)
 2014930 - ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness
21 June 2012 (current_events.rules)
 2014935 - ET CURRENT_EVENTS FoxxySoftware - Landing Page Received -
foxxysoftware (current_events.rules)
 2014936 - ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - applet
and 0px (current_events.rules)
 2014959 - ET CURRENT_EVENTS Base64 - Java Exploit Requested - /1Digit
(current_events.rules)
 2014960 - ET CURRENT_EVENTS Base64 - Landing Page Received -
base64encode(GetOs() (current_events.rules)
 2014966 - ET CURRENT_EVENTS Generic - PDF with NEW PDF EXPLOIT
(current_events.rules)
 2014969 - ET CURRENT_EVENTS Unknown - Java Exploit Requested -
13-14Alpha.jar (current_events.rules)
 2014970 - ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website
(current_events.rules)
 2014971 - ET CURRENT_EVENTS JS.Runfore Malware Campaign Request
(current_events.rules)
 2014972 - ET CURRENT_EVENTS HeapLib JS Library (current_events.rules)
 2014982 - ET CURRENT_EVENTS Googlebot UA POST to /uploadify.php
(current_events.rules)
 2014983 - ET CURRENT_EVENTS Scalaxy Jar file (current_events.rules)
 2014991 - ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format
String Exploit 2 (activex.rules)
 2014992 - ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format
String Exploit (activex.rules)
 2014998 - ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website
Landing Page Obfuscated String JavaScript DGA (current_events.rules)
 2015024 - ET CURRENT_EVENTS Incognito - Malicious PDF Requested -
/getfile.php (current_events.rules)
 2015030 - ET CURRENT_EVENTS Incognito - Java Exploit Requested -
/gotit.php by Java Client (current_events.rules)
 2015031 - ET CURRENT_EVENTS Incognito - Payload Request - /load.php by
Java Client (current_events.rules)
 2015042 - ET CURRENT_EVENTS g01pack - 32Char.php by Java Client
(current_events.rules)
 2015053 - ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 10HexChar Title
and applet (current_events.rules)
 2015054 - ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 100HexChar value
and applet (current_events.rules)
 2015055 - ET CURRENT_EVENTS Unknown_s=1 - Payload Requested -
32AlphaNum?s=1 Java Request (current_events.rules)
 2015516 - ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon
(current_events.rules)
 2015517 - ET CURRENT_EVENTS .HTM being served from WP 1-flash-gallery
Upload DIR (likely malicious) (current_events.rules)
 2015553 - ET CURRENT_EVENTS Fake-AV Conditional Redirect (Blackmuscats)
(current_events.rules)
 2015578 - ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness
August 6 2012 (current_events.rules)
 2015583 - ET CURRENT_EVENTS FoxxySoftware - Comments (current_events.rules)
 2015584 - ET CURRENT_EVENTS FoxxySoftware - Comments(2)
(current_events.rules)
 2015585 - ET CURRENT_EVENTS FoxxySoftware - Hit Counter Access
(current_events.rules)
 2015646 - ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class
/form (current_events.rules)
 2015647 - ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class
/search (current_events.rules)
 2015666 - ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java
(current_events.rules)
 2015667 - ET CURRENT_EVENTS NeoSploit - Version Enumerated - null
(current_events.rules)
 2015668 - ET CURRENT_EVENTS FlimKit/Other - Landing Page - 100HexChar
value and applet (current_events.rules)
 2015669 - ET CURRENT_EVENTS Malicious Redirect n.php h=*&s=*
(current_events.rules)
 2015672 - ET CURRENT_EVENTS Unknown Exploit Kit redirect
(current_events.rules)
 2015676 - ET CURRENT_EVENTS Unknown Java Exploit Kit Payload Download
Request - Sep 04 2012 (current_events.rules)
 2015682 - ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like
behavior static initial landing - Sep 05 2012 (current_events.rules)
 2015683 - ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like
behavior hostile java archive - Sep 05 2012 (current_events.rules)
 2015688 - ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg)
(current_events.rules)
 2800624 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object
Instantiation Memory Corruption (activex.rules)
 2800625 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object
Instantiation Memory Corruption Imjpcksid.dll (activex.rules)
 2800626 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object
Instantiation Memory Corruption Imjpskdic.dll (activex.rules)
 2800780 - ETPRO ACTIVEX Microsoft Design Tools msdds.dll Memory Corruption
(activex.rules)
 2801179 - ETPRO ACTIVEX Microsoft Internet Explorer HTML Object Memory
Corruption (activex.rules)
 2801256 - ETPRO ACTIVEX Microsoft Windows Data Access Components ADO
Record Code Execution (activex.rules)
 2801917 - ETPRO ACTIVEX Cisco Secure Desktop CSDWebInstaller Code
Execution 2 (activex.rules)
 2801918 - ETPRO ACTIVEX Cisco Secure Desktop CSDWebInstaller Code
Execution (activex.rules)
 2801964 - ETPRO ACTIVEX Microsoft Office Web Components Remote Code
Execution 1 (activex.rules)
 2801965 - ETPRO ACTIVEX Microsoft Office Web Components Remote Code
Execution 2 (activex.rules)
 2802023 - ETPRO ACTIVEX Vulnerable IE8 Developer Toolkit COM Object Use
(activex.rules)
 2802024 - ETPRO ACTIVEX Vulnerable WBEM.SingleView.1 Object clsid Access
(activex.rules)
 2802030 - ETPRO ACTIVEX Vulnerable Windows Messenger Service clsid Access
(activex.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>