[Emerging-Sigs] Daily Ruleset Update Summary 2018/01/26

Travis Green tgreen at emergingthreats.net
Fri Jan 26 12:30:15 HST 2018


[***]            Summary:            [***]

4 new Open, 13 new Pro (4 + 9). Kuriyama Loader, GandCrab Ransomware,
Various Mobile, Various Phishing.

Thanks: @AttackDetection


[+++]          Added rules:          [+++]

Open:

2025252 - ET TROJAN W32/SchwSonne CnC Beacon M2 (trojan.rules)
2025253 - ET TROJAN [PTsecurity] Kuriyama Loader Checkin (trojan.rules)
2025254 - ET TROJAN Win32/GandCrab Ransomware CnC Activity (trojan.rules)
2025255 - ET CURRENT_EVENTS Mailbox Phishing Landing 2018-01-29
(current_events.rules)

Pro:

2829449 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2018-01-26
(current_events.rules)
2829450 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-01-26
(current_events.rules)
2829451 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-01-26 1) (trojan.rules)
2829452 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-01-26 2) (trojan.rules)
2829453 - ETPRO TROJAN Observed Malicious SSL Cert (Dridex CnC)
(trojan.rules)
2829454 - ETPRO CURRENT_EVENTS Successful Bank Username/Account Number
Phish 2018-01-26 (current_events.rules)
2829455 - ETPRO MOBILE_MALWARE Android/Agent.IW SMS Exfil
(mobile_malware.rules)
2829456 - ETPRO CURRENT_EVENTS Successful G-Suite Phish 2018-01-26 M1
(current_events.rules)
2829457 - ETPRO CURRENT_EVENTS Successful G-Suite Phish 2018-01-26 M2
(current_events.rules)


[///]     Modified active rules:     [///]

2024555 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) Feb 26
2016 (current_events.rules)
2828145 - ETPRO CURRENT_EVENTS Successful Bank Username/Account Number
Phish Oct 04 2017 (set) (current_events.rules)


[---]         Disabled rules:        [---]

2006403 - ET TROJAN General Trojan Checkin by MAC chkmac.php (trojan.rules)
2006404 - ET TROJAN DownLoader.30525 Checkin (trojan.rules)
2008153 - ET TROJAN Citi-bank.ru Related Trojan Checkin (trojan.rules)
2008283 - ET TROJAN Banload HTTP Checkin Detected (quem=) (trojan.rules)
2008353 - ET TROJAN CoreFlooder.Q C&C Checkin (trojan.rules)
2008442 - ET TROJAN Rootkit.Win32.Clbd.cz Checkin (trojan.rules)
2008443 - ET TROJAN Coreflood/AFcore Trojan Infection (2) (trojan.rules)
2008623 - ET TROJAN Cinmus.Checkin 1 (trojan.rules)
2008624 - ET TROJAN Cinmus.Checkin 2 (trojan.rules)
2009287 - ET TROJAN CoreFlooder C&C Checkin (2) (trojan.rules)
2009351 - ET TROJAN Urlzone/Bebloh Communication with Controller
(trojan.rules)
2010055 - ET TROJAN Likely TDSS Download (pcdef.exe) (trojan.rules)
2010217 - ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin
(trojan.rules)
2010565 - ET TROJAN Bebloh C&C HTTP POST (trojan.rules)
2010973 - ET TROJAN Vobfus/Changeup/Chinky Download Command (trojan.rules)
2012054 - ET SMTP Potential Exim HeaderX with run exploit attempt
(smtp.rules)
2012135 - ET SMTP IBM Lotus Domino iCalendar Email Address Stack Buffer
Overflow Attempt (smtp.rules)
2012782 - ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing
File HTTP Request (mobile_malware.rules)
2012783 - ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini
Missing File HTTP Request (mobile_malware.rules)
2012784 - ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File
HTTP Request (mobile_malware.rules)
2012844 - ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request
(mobile_malware.rules)
2012845 - ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request
(mobile_malware.rules)
2012846 - ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2
(mobile_malware.rules)
2012847 - ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3
(mobile_malware.rules)
2012850 - ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending
User Information to Server (mobile_malware.rules)
2012851 - ET MOBILE_MALWARE SymbOS/Yxes.I PropertyFile.jsp CnC Server
Communication (mobile_malware.rules)
2012852 - ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server
Communication (mobile_malware.rules)
2012853 - ET MOBILE_MALWARE SymbOS/Yxes.I NumberFile.jsp CnC Server
Communication (mobile_malware.rules)
2012854 - ET MOBILE_MALWARE SymbOS/Merogo User Agent (mobile_malware.rules)
2012855 - ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic
Location Logs To Remote Server (mobile_malware.rules)
2012856 - ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs
to Remote Server (mobile_malware.rules)
2012857 - ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs
to Remote Server (mobile_malware.rules)
2012858 - ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server
(mobile_malware.rules)
2012859 - ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server
(mobile_malware.rules)
2012861 - ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0
(mobile_malware.rules)
2012862 - ET MOBILE_MALWARE SslCrypt Server Communication
(mobile_malware.rules)
2012864 - ET MOBILE_MALWARE SslCrypt Server Communication
(mobile_malware.rules)
2012904 - ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to
Server (mobile_malware.rules)
2013019 - ET MOBILE_MALWARE Iphone iKee.B Checkin (mobile_malware.rules)
2013020 - ET MOBILE_MALWARE DroidKungFu Checkin (mobile_malware.rules)
2013022 - ET MOBILE_MALWARE DroidKungFu Checkin 2 (mobile_malware.rules)
2013038 - ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control
Server Waplove.cn (mobile_malware.rules)
2013041 - ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control
Server Searchwebmobile.com (mobile_malware.rules)
2013063 - ET MOBILE_MALWARE DroidKungFu Checkin 3 (mobile_malware.rules)
2013140 - ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message
(mobile_malware.rules)
2013141 - ET MOBILE_MALWARE SymbOS/Yxes Plugucsrv.sisx File Download
(mobile_malware.rules)
2013142 - ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message
(mobile_malware.rules)
2013143 - ET MOBILE_MALWARE SymbOS/Yxes KernelPara.jsp CnC Checkin Message
(mobile_malware.rules)
2013261 - ET MOBILE_MALWARE SymbOS/CommDN Downloading Second Stage Malware
Binary (mobile_malware.rules)
2013265 - ET MOBILE_MALWARE SymbOS/SymGam CnC Checkin (mobile_malware.rules)
2013266 - ET MOBILE_MALWARE SymbOS/SymGam Receiving SMS Message Template
from CnC Server (mobile_malware.rules)
2014406 - ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access
(mobile_malware.rules)
2014646 - ET MISC RuggedCom factory account backdoor (misc.rules)
2800833 - ETPRO SMTP IBM Lotus Domino nrouter.exe iCalendar MAILTO Stack
Buffer Overflow (smtp.rules)
2800865 - ETPRO SQL IBM Informix Dynamic Server SQLEXEC oninit.exe EXPLAIN
Stack Buffer Overflow (sql.rules)
2800866 - ETPRO SQL IBM Informix Dynamic Server oninit.exe EXPLAIN Stack
Buffer Overflow  (sql.rules)
2800883 - ETPRO POP3 -ERR overflow attempt (pop3.rules)
2800884 - ETPRO POP3 Pegasus Mail error overflow attempt (pop3.rules)
2800933 - ETPRO SMTP Novell GroupWise Internet Agent RRULE Parsing Buffer
Overflow smtp (smtp.rules)
2801262 - ETPRO SQL Objectivity/DB Code Execution Unauthenticated OOAMS
Shutdown (sql.rules)
2801263 - ETPRO SQL Objectivity/DB Code Execution Unauthenticated Lock
Server Shutdown (sql.rules)
2801305 - ETPRO POP3 Inetserv 3.23 POP3 DoS (RETR) (pop3.rules)
2801306 - ETPRO POP3 Inetserv 3.23 POP3 DoS (DELE) (pop3.rules)
2801632 - ETPRO SMTP Multiple Products STARTTLS Plaintext Command Injection
(smtp.rules)
2802836 - ETPRO SMTP Postfix SASL AUTH Handle Reuse Memory
Corruption(Published Exploit) 3 (smtp.rules)
2805284 - ETPRO MALWARE Win32/Pelfpoi.M Checkin (malware.rules)
2805668 - ETPRO MALWARE Generic PUP.x!vi!1B41AF78BF55 Checkin
(malware.rules)
2805855 - ETPRO MALWARE Porn-Dialer.Win32.Agent.a / DIAL_RAS.IQ Checkin
(malware.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>