[Emerging-Sigs] Daily Ruleset Update Summary 2018/01/25

Travis Green tgreen at emergingthreats.net
Thu Jan 25 11:58:34 HST 2018


[***]            Summary:            [***]

5 new Open, 24 new Pro (5 + 19). ELF/TooEasy, W32.Sverki,
MSIL/Plumb3rMiner, Various Mobile, Various Phishing.


[+++]          Added rules:          [+++]

Open:

 2025247 - ET CURRENT_EVENTS Paypal Phishing Landing 2018-01-25
(current_events.rules)
 2025248 - ET CURRENT_EVENTS Generic Multi-Email Popupwnd Phishing Landing
2018-01-25 (current_events.rules)
 2025249 - ET CURRENT_EVENTS Generic Multi-Email Phishing Landing
2018-01-25 (current_events.rules)
 2025250 - ET CURRENT_EVENTS Office 365 Phishing Landing 2018-01-25
(current_events.rules)
 2025251 - ET TROJAN ELF/TooEasy Miner CnC Checkin (trojan.rules)

Pro:

 2829430 - ETPRO CURRENT_EVENTS Successful Docusign Phish 2018-01-25
(current_events.rules)
 2829431 - ETPRO CURRENT_EVENTS Successful Linkedin Phish 2018-01-25
(current_events.rules)
 2829432 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-01-25 M1
(current_events.rules)
 2829433 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-01-25 M2
(current_events.rules)
 2829434 - ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.O CnC Beacon
(mobile_malware.rules)
 2829435 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2018-01-25
(current_events.rules)
 2829436 - ETPRO TROJAN W32.Sverki Domain Observed (teredo-update .com in
DNS Lookup) (trojan.rules)
 2829437 - ETPRO TROJAN W32.Sverki Domain Observed (teredo-update .com in
TLS SNI) (trojan.rules)
 2829438 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ic SMS/Contact
Exfil via SMTP 26 (mobile_malware.rules)
 2829439 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-01-25 1) (trojan.rules)
 2829440 - ETPRO TROJAN Andariel Andarat CnC Beacon (trojan.rules)
 2829441 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-01-25 2) (trojan.rules)
 2829442 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.ij SMS/Contact
Exfil via SMTP (mobile_malware.rules)
 2829443 - ETPRO TROJAN MSIL/Plumb3rMiner CnC Checkin (trojan.rules)
 2829444 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-01-25
(current_events.rules)
 2829445 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc Payload
2018-01-25) (current_events.rules)
 2829446 - ETPRO CURRENT_EVENTS Receive Secure Cloud Files Phishing Landing
2017-12-12 (current_events.rules)
 2829447 - ETPRO CURRENT_EVENTS Successful Banque Populaire (FR) Phish
2018-01-25 M1 (current_events.rules)
 2829448 - ETPRO CURRENT_EVENTS Successful Banque Populaire (FR) Phish
2018-01-25 M2 (current_events.rules)


[///]     Modified active rules:     [///]

 2827642 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish M1 Aug 24
2017 (current_events.rules)
 2828790 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.gen CnC
Beacon (mobile_malware.rules)
 2828810 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
250 (mobile_malware.rules)
 2828811 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
251 (mobile_malware.rules)
 2828812 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
252 (mobile_malware.rules)
 2828841 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
253 (mobile_malware.rules)
 2828856 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
254 (mobile_malware.rules)
 2828875 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin 2
(mobile_malware.rules)
 2828883 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
255 (mobile_malware.rules)
 2828893 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.i Checkin
(mobile_malware.rules)
 2828894 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.i CnC Beacon
(mobile_malware.rules)
 2828959 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
256 (mobile_malware.rules)
 2828967 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
257 (mobile_malware.rules)
 2828988 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
258 (mobile_malware.rules)
 2829302 - ETPRO CURRENT_EVENTS Successful Optus Webmail Phish 2018-01-16
(current_events.rules)
 2829338 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Skygofree.a Checkin
(mobile_malware.rules)
 2829339 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Skygofree.a Checkin 2
(mobile_malware.rules)
 2829340 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Skygofree.a Checkin 3
(mobile_malware.rules)


[---]  Disabled and modified rules:  [---]

 2023873 - ET POLICY DNS Query to Hamas Terrorist Propaganda TV Channel
(aqsatv .ps) (policy.rules)


[---]         Removed rules:         [---]

 2012401 - ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby Download
Secondary Request (current_events.rules)
 2013077 - ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media
Player lt 10 (current_events.rules)
 2013313 - ET TROJAN Obfuscated Javascript Often Used in the Blackhole
Exploit Kit 3 (trojan.rules)
 2013548 - ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit
(current_events.rules)
 2013549 - ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 2
(current_events.rules)
 2013550 - ET TROJAN Potential Blackhole Exploit Pack Binary Load Request 2
(trojan.rules)
 2013553 - ET CURRENT_EVENTS Blackhole landing page with malicious Java
applet (current_events.rules)
 2013554 - ET CURRENT_EVENTS Blackhole MapYandex.class malicious jar
(current_events.rules)
 2013652 - ET CURRENT_EVENTS Blackhole Exploit Kit Landing Reporting
Successful Java Compromise (current_events.rules)
 2013664 - ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?b
Download Secondary Request (current_events.rules)
 2013665 - ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?n
Download Secondary Request (current_events.rules)
 2013666 - ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?page
Download Secondary Request (current_events.rules)
 2013700 - ET CURRENT_EVENTS Blackhole landing page with malicious Java
applet (current_events.rules)
 2013746 - ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 3
(current_events.rules)
 2013786 - ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download
request 2 (current_events.rules)
 2013787 - ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download
request 2 (current_events.rules)
 2013788 - ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?doit
Download Secondary Request (current_events.rules)
 2013950 - ET CURRENT_EVENTS Blackhole obfuscated Javascript padded
charcodes 25 (current_events.rules)
 2013960 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering PDF Exploit
to Client (current_events.rules)
 2013972 - ET CURRENT_EVENTS Initial Blackhole Landing Loading... Wait
Please (current_events.rules)
 2013990 - ET CURRENT_EVENTS Blackhole Exploit Kit hostile PDF qwe123
(current_events.rules)
 2013991 - ET CURRENT_EVENTS Blackhole hostile PDF v1 (current_events.rules)
 2013992 - ET CURRENT_EVENTS Blackhole hostile PDF v2 (current_events.rules)
 2014035 - ET CURRENT_EVENTS DRIVEBY Blackhole PDF Exploit Request
/fdp2.php (current_events.rules)
 2014048 - ET CURRENT_EVENTS Blackhole Exploit Kit Java Rhino Script Engine
Remote Code Execution Attempt (current_events.rules)
 2014053 - ET CURRENT_EVENTS Blackhole Likely Flash exploit download
request score.swf (current_events.rules)
 2014094 - ET CURRENT_EVENTS Blackhole-like Java Exploit request to .jar?t=
(current_events.rules)
 2014125 - ET CURRENT_EVENTS DRIVEBY Blackhole - Help and Control Panel
Exploit Request (current_events.rules)
 2014126 - ET CURRENT_EVENTS DRIVEBY Blackhole Likely Flash Exploit Request
/field.swf (current_events.rules)
 2014157 - ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download
request 4 (current_events.rules)
 2014158 - ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download
request 4 (current_events.rules)
 2014195 - ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download
request 5 (current_events.rules)
 2014235 - ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download -
info.exe (current_events.rules)
 2014236 - ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download -
contacts.exe (current_events.rules)
 2014237 - ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download -
calc.exe (current_events.rules)
 2014238 - ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download -
about.exe (current_events.rules)
 2014274 - ET CURRENT_EVENTS Blackhole Tax Landing Page with JavaScript
Attack (current_events.rules)
 2014279 - ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download
request 6 (current_events.rules)
 2014280 - ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download
request 6 (current_events.rules)
 2014281 - ET CURRENT_EVENTS Blackhole Java Applet with Obfuscated URL 2
(current_events.rules)
 2014282 - ET CURRENT_EVENTS Blackhole Download Secondary Request ?pagpag
(current_events.rules)
 2014284 - ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 4
(current_events.rules)
 2014298 - ET CURRENT_EVENTS Blackhole obfuscated Javascript 171 charcodes
>= 48 (current_events.rules)
 2014301 - ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download -
readme.exe (current_events.rules)
 2014346 - ET CURRENT_EVENTS INBOUND Blackhole Java Exploit request similar
to /content/jav.jar (current_events.rules)
 2014368 - ET CURRENT_EVENTS Blackhole qwe123 PDF (current_events.rules)
 2014378 - ET CURRENT_EVENTS Blackhole/Cutwail Redirection Page 1
(current_events.rules)
 2014412 - ET CURRENT_EVENTS DRIVEBY Blackhole client=done Cookie Set
(current_events.rules)
 2014413 - ET CURRENT_EVENTS DRIVEBY Blackhole client=done Cookie Present
(current_events.rules)
 2014414 - ET CURRENT_EVENTS DRIVEBY Blackhole Landing Page applet param
window.document (current_events.rules)
 2014415 - ET CURRENT_EVENTS Blackhole Exploit Kit JavaScript dotted quad
hostile applet (current_events.rules)
 2014440 - ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download -
scandsk.exe (current_events.rules)
 2014441 - ET CURRENT_EVENTS DRIVEBY Blackhole - Landing Page Requested -
/Home/index.php (current_events.rules)
 2014442 - ET CURRENT_EVENTS DRIVEBY Blackhole - Landing Page Requested -
*.php?*=16HexCharacters in http_uri (current_events.rules)
 2014444 - ET CURRENT_EVENTS DRIVEBY Blackhole - Page redirecting to
driveby (current_events.rules)
 2014470 - ET CURRENT_EVENTS Likely Blackhole PDF served from iframe
(current_events.rules)
 2014537 - ET CURRENT_EVENTS Initial Blackhole Landing .prototype.q catch
with split (current_events.rules)
 2014538 - ET CURRENT_EVENTS Initial Blackhole Landing Loading... Please
Wait (current_events.rules)
 2014540 - ET CURRENT_EVENTS Blackhole Landing for Loading prototype catch
(current_events.rules)
 2014644 - ET CURRENT_EVENTS Blackhole - Landing Page Recieved - applet
PluginDetect and 10hexchar title (current_events.rules)
 2014659 - ET CURRENT_EVENTS Blackhole Landing Page Obfuscated Please wait
Message (current_events.rules)
 2014661 - ET CURRENT_EVENTS Blackhole Landing for prototype catch substr
(current_events.rules)
 2014664 - ET CURRENT_EVENTS Blackhole - Jar File Naming Algorithm
(current_events.rules)
 2014666 - ET CURRENT_EVENTS DRIVEBY Blackhole - Injected Page Leading To
Driveby (current_events.rules)
 2014725 - ET CURRENT_EVENTS Possible Request for Blackhole Exploit Kit
Landing Page - src.php?case= (current_events.rules)
 2014773 - ET CURRENT_EVENTS Blackhole Landing Page JavaScript Split String
Obfuscation of CharCode (current_events.rules)
 2014774 - ET CURRENT_EVENTS Blackhole Malicious PDF qweqwe=
(current_events.rules)
 2014775 - ET CURRENT_EVENTS Blackhole PDF Payload Request
(current_events.rules)
 2014776 - ET CURRENT_EVENTS Blackhole PDF Payload Request With Double
Colon (current_events.rules)
 2014801 - ET CURRENT_EVENTS Blackhole Try App.title Catch - May 22nd 2012
(current_events.rules)
 2014820 - ET CURRENT_EVENTS Blackhole Landing Page Obfuscated Javascript
Blob (current_events.rules)
 2014821 - ET CURRENT_EVENTS Blackhole RawValue Specific Exploit PDF
(current_events.rules)
 2014823 - ET CURRENT_EVENTS Blackhole Malicious PDF asdvsa
(current_events.rules)
 2014825 - ET CURRENT_EVENTS Blackhole Landing Page Script Profile ASD
(current_events.rules)
 2014843 - ET TROJAN Blackhole Exploit Kit Request tkr (trojan.rules)
 2014858 - ET CURRENT_EVENTS Blackhole Fraudulent Paypal Mailing Server
Response June 04 2012 (current_events.rules)
 2014873 - ET CURRENT_EVENTS Obfuscated Javascript redirecting to Blackhole
June 7 2012 (current_events.rules)
 2014885 - ET CURRENT_EVENTS SutraTDS (enema) used in Blackhole campaigns
(current_events.rules)
 2014888 - ET CURRENT_EVENTS Blackhole Try Prototype Catch June 11 2012
(current_events.rules)
 2014907 - ET CURRENT_EVENTS Initial Blackhole Landing - UPS Number
Loading.. Jun 15 2012 (current_events.rules)
 2014908 - ET CURRENT_EVENTS Initial Blackhole Landing - Verizon Balance
Due Jun 15 2012 (current_events.rules)
 2014909 - ET CURRENT_EVENTS Blackhole obfuscated Java EXE Download by
Vulnerable Version - Likely Driveby (current_events.rules)
 2014921 - ET CURRENT_EVENTS Blackhole Landing Try Prototype Catch Jun 18
2012 (current_events.rules)
 2014931 - ET CURRENT_EVENTS Blackhole Landing Please wait a moment Jun 20
2012 (current_events.rules)
 2014940 - ET CURRENT_EVENTS Blackhole RawValue Exploit PDF
(current_events.rules)
 2014981 - ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Try Renamed
Prototype Catch - June 28th 2012 (current_events.rules)
 2015005 - ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL 3
(current_events.rules)
 2015012 - ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 1
(current_events.rules)
 2015013 - ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 2
(current_events.rules)
 2015014 - ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 3
(current_events.rules)
 2015025 - ET CURRENT_EVENTS Blackhole Landing Page Eval Variable
Obfuscation 1 (current_events.rules)
 2015026 - ET CURRENT_EVENTS Blackhole Landing Page Eval Variable
Obfuscation 2 (current_events.rules)
 2015048 - ET CURRENT_EVENTS 09 July 2012 Blackhole Landing Page - Please
Wait Loading (current_events.rules)
 2015056 - ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Structure
(current_events.rules)
 2015475 - ET CURRENT_EVENTS BlackHole TKR Landing Page /last/index.php
(current_events.rules)
 2015486 - ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (1)
(current_events.rules)
 2015487 - ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (2)
(current_events.rules)
 2015488 - ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (3)
(current_events.rules)
 2015586 - ET CURRENT_EVENTS Blackhole Redirection Page Try Math.Round
Catch - 7th August 2012 (current_events.rules)
 2015619 - ET CURRENT_EVENTS Blackhole/Cool jnlp URI Struct
(current_events.rules)
 2015622 - ET CURRENT_EVENTS Blackhole Landing Page Hwehes String - August
13th 2012 (current_events.rules)
 2015659 - ET CURRENT_EVENTS Blackhole Admin bhadmin.php access Outbound
(current_events.rules)
 2015660 - ET CURRENT_EVENTS - Blackhole Admin Login Outbound
(current_events.rules)
 2015661 - ET CURRENT_EVENTS Blackhole Admin bhadmin.php access Inbound
(current_events.rules)
 2015662 - ET CURRENT_EVENTS - Blackhole Admin Login Inbound
(current_events.rules)
 2015670 - ET CURRENT_EVENTS Unknown Exploit Kit suspected Blackhole
(current_events.rules)
 2015680 - ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Nov
09 2012 (current_events.rules)
 2015700 - ET CURRENT_EVENTS Blackhole2 - URI Structure
(current_events.rules)
 2015710 - ET CURRENT_EVENTS DRIVEBY Blackhole2 - Landing Page Received
(current_events.rules)
 2015740 - ET CURRENT_EVENTS MALVERTISING - Redirect To Blackhole - Push
JavaScript (current_events.rules)
 2015759 - ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (4)
(current_events.rules)
 2015787 - ET CURRENT_EVENTS Blackhole/Cool eot URI Struct
(current_events.rules)
 2015796 - ET CURRENT_EVENTS Blackhole/Cool Jar URI Struct
(current_events.rules)
 2015797 - ET CURRENT_EVENTS Blackhole 2 Landing Page (3)
(current_events.rules)
 2015798 - ET CURRENT_EVENTS Blackhole/Cool EXE URI Struct
(current_events.rules)
 2015802 - ET CURRENT_EVENTS Blackhole 2 Landing Page (5)
(current_events.rules)
 2015803 - ET CURRENT_EVENTS Possible Blackhole/Cool Landing URI Struct
(current_events.rules)
 2015804 - ET CURRENT_EVENTS BlackHole 2 PDF Exploit (current_events.rules)
 2015817 - ET CURRENT_EVENTS Blackhole2 Non-Vulnerable Client Fed Fake
Flash Executable (current_events.rules)
 2015836 - ET CURRENT_EVENTS Blackhole 2.0 Binary Get Request
(current_events.rules)
 2015863 - ET CURRENT_EVENTS Blackhole request for file containing Java
payload URIs (2) (current_events.rules)
 2015871 - ET CURRENT_EVENTS Blackhole request for file containing Java
payload URIs (3) (current_events.rules)
 2015877 - ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Landing Page URI
(current_events.rules)
 2015932 - ET CURRENT_EVENTS Blackhole 2 Landing Page (7)
(current_events.rules)
 2015933 - ET CURRENT_EVENTS Blackhole/Cool txt URI Struct
(current_events.rules)
 2015978 - ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Dec
03 2012 (current_events.rules)
 2016024 - ET CURRENT_EVENTS Blackhole - TDS Redirection To Exploit Kit -
Loading (current_events.rules)
 2016166 - ET CURRENT_EVENTS Blackhole Exploit Kit PluginDetect
FromCharCode Jan 04 2013 (current_events.rules)
 2016229 - ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Jar Download
(current_events.rules)
 2016242 - ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Jan
21 2012 (current_events.rules)
 2016341 - ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Feb
04 2012 (current_events.rules)
 2016524 - ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try
Catch Body Specific -  4/3/2013 (current_events.rules)
 2016525 - ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try
Catch Body Style 2 Specific -  4/3/2013 (current_events.rules)
 2016526 - ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try
Catch False Specific -  4/3/2013 (current_events.rules)
 2016563 - ET CURRENT_EVENTS Blackhole 16-hex/q.php Landing Page/Java
exploit URI (current_events.rules)
 2016564 - ET CURRENT_EVENTS Blackhole 16-hex/q.php Jar Download
(current_events.rules)
 2016722 - ET CURRENT_EVENTS Blackhole 32-hex/ff.php Landing Page/Java
exploit URI (current_events.rules)
 2016723 - ET CURRENT_EVENTS Blackhole 32-hex/ff.php Jar Download
(current_events.rules)
 2016724 - ET CURRENT_EVENTS Blackhole 16-hex/ff.php Landing Page/Java
exploit URI (current_events.rules)
 2016725 - ET CURRENT_EVENTS Blackhole 16-hex/ff.php Jar Download
(current_events.rules)
 2016729 - ET CURRENT_EVENTS Reversed Applet Observed in Sakura/Blackhole
Landing (current_events.rules)
 2016755 - ET CURRENT_EVENTS Blackhole 2 Landing Page (9)
(current_events.rules)
 2016813 - ET CURRENT_EVENTS - Possible BlackHole request with decryption
Base  (current_events.rules)
 2016848 - ET CURRENT_EVENTS BlackHole Java Exploit Artifact
(current_events.rules)
 2016931 - ET CURRENT_EVENTS BlackHole EK JNLP request
(current_events.rules)
 2016971 - ET CURRENT_EVENTS Blackhole 32-hex/a.php Landing Page/Java
exploit URI (current_events.rules)
 2016972 - ET CURRENT_EVENTS Blackhole 32-hex/a.php Jar Download
(current_events.rules)
 2016973 - ET CURRENT_EVENTS Blackhole 16-hex/a.php Landing Page/Java
exploit URI (current_events.rules)
 2016974 - ET CURRENT_EVENTS Blackhole 16-hex/a.php Jar Download
(current_events.rules)
 2016984 - ET CURRENT_EVENTS BlackHole EK Initial Gate from Linked-In
Mailing Campaign (current_events.rules)
 2017076 - ET CURRENT_EVENTS BlackHole EK Variant Payload Download
(current_events.rules)
 2017140 - ET CURRENT_EVENTS Possible Blackhole EK Jar Download URI Struct
(current_events.rules)
 2017141 - ET CURRENT_EVENTS Blackhole EK Plugin-Detect July 12 2013
(current_events.rules)
 2017198 - ET CURRENT_EVENTS Reversed Embedded JNLP Observed in
Sakura/Blackhole Landing (current_events.rules)
 2017265 - ET CURRENT_EVENTS BlackHole EK Non-standard base64 Key
(current_events.rules)
 2017340 - ET CURRENT_EVENTS Blackhole Exploit Kit Shrift.php Microsoft
OpenType Font Exploit Request (current_events.rules)
 2017341 - ET CURRENT_EVENTS Blackhole Exploit Kit Microsoft OpenType Font
Exploit (current_events.rules)
 2017346 - ET CURRENT_EVENTS Blackhole/Cool obfuscated plugindetect in
charcodes w/o sep Jul 10 2013 (current_events.rules)
 2017416 - ET CURRENT_EVENTS BlackHole EK Variant PDF Download
(current_events.rules)
 2017454 - ET CURRENT_EVENTS BlackHole EK Payload Download Sep 11 2013
(current_events.rules)
 2017456 - ET CURRENT_EVENTS BlackHole EK Variant PDF Download Sep 11 2013
(current_events.rules)
 2017461 - ET CURRENT_EVENTS Blackhole obfuscated base64 decoder Sep 12
2013 (current_events.rules)
 2017481 - ET CURRENT_EVENTS BlackHole initial landing/gate
(current_events.rules)
 2017556 - ET CURRENT_EVENTS BlackHole EK Variant PDF Download
(current_events.rules)
 2020604 - ET CURRENT_EVENTS Likely Blackhole eval haha
(current_events.rules)
 2022113 - ET CURRENT_EVENTS BlackHole EK Landing Nov 17 2015
(current_events.rules)
 2803166 - ETPRO TROJAN BlackHole.aotp Checkin (trojan.rules)
 2803244 - ETPRO TROJAN Backdoor.BlackHole.hfy Checkin (trojan.rules)
 2806569 - ETPRO TROJAN Backdoor/Blackhole.bkg Checkin (trojan.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>