[Emerging-Sigs] EverBe 2.0
Matthew Clairmont (R* NYC)
Matthew.Clairmont at rockstargames.com
Wed Apr 3 11:46:08 HDT 2019
I found a couple of hashes and reports for it. I'm not sure if samples or PCAPs are available via the private API though. It doesn't appear to be hosted on VirusShare.
https://www.virustotal.com/en/file/14633206a2b1e42d5a960eef94e957100204289333fc60fddc7f704327fec65e/analysis/
https://www.virustotal.com/en/file/80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af/analysis/
Hopefully this helps!
From: Emerging-sigs <emerging-sigs-bounces at lists.emergingthreats.net> On Behalf Of emerging-sigs-request at lists.emergingthreats.net
Sent: Wednesday, April 3, 2019 04:06 PM
To: emerging-sigs at lists.emergingthreats.net
Subject: Emerging-sigs Digest, Vol 137, Issue 2
Send Emerging-sigs mailing list submissions to
emerging-sigs at lists.emergingthreats.net
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
or, via email, send a message with subject or body 'help' to
emerging-sigs-request at lists.emergingthreats.net
You can reach the person managing the list at
emerging-sigs-owner at lists.emergingthreats.net
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Emerging-sigs digest..."
Today's Topics:
1. Daily Ruleset Update Summary 2019/04/02 (James Emery-Callcott)
2. EverBe 2.0 (Alan Knox)
3. Re: EverBe 2.0 (Travis Green)
4. Re: EverBe 2.0 (Alan Knox)
----------------------------------------------------------------------
Message: 1
Date: Tue, 2 Apr 2019 23:28:36 +0100
From: James Emery-Callcott <jcallcott at emergingthreats.net>
To: ETPro-sigs List <etpro-sigs at emergingthreatspro.com>, Emerging Sigs <emerging-sigs at emergingthreats.net>, Emerging-updates redirect <emerging-updates at emergingthreats.net>
Subject: [Emerging-Sigs] Daily Ruleset Update Summary 2019/04/02
Message-ID: <CAMAH=ZjY_yRTd345Xs=voWiAUNxE+qb77TFEPYZOMxyO-3bspQ at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
[***] Summary: [***]
3 new Open, 32 new Pro (3 + 29). Fakeslic/Cohhoc RAT, Remcos RAT,
Various SSL, Various Phish.
Thanks, DakotaCon Threat Hunting Class.
[+++] Added rules: [+++]
Open:
2027143 - ET CURRENT_EVENTS MalDoc Request for Payload (TA505 Related) (current_events.rules)
2027144 - ET TROJAN Xwo CnC Activity (trojan.rules)
2027145 - ET CURRENT_EVENTS Spelevo EK Flash Exploit Attempt (current_events.rules)
Pro:
2835686 - ETPRO TROJAN Fakeslic/Cohhoc RAT CnC Request (trojan.rules)
2835687 - ETPRO POLICY External IP Lookup - jsonip.com (policy.rules)
2835688 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-04-02 1) (trojan.rules)
2835689 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-04-02 2) (trojan.rules)
2835690 - ETPRO POLICY External IP Lookup - whoami.php (policy.rules)
2835691 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2835692 - ETPRO TROJAN Win32/Malex.gen!E CnC Checkin (trojan.rules)
2835693 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2019-04-02) (current_events.rules)
2835694 - ETPRO TROJAN Observed Malicious SSL Cert (Gootkit CnC) (trojan.rules)
2835695 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2835696 - ETPRO CURRENT_EVENTS Successful ING Phish 2019-04-02 (current_events.rules)
2835697 - ETPRO CURRENT_EVENTS Successful ING Phish 2019-04-02 (current_events.rules)
2835698 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2019-04-02 (current_events.rules)
2835699 - ETPRO CURRENT_EVENTS Successful Adobe Document Cloud Phish 2019-04-02 (current_events.rules)
2835700 - ETPRO CURRENT_EVENTS Successful Apple Phish 2019-04-02 (current_events.rules)
2835701 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-04-02 (current_events.rules)
2835702 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2019-04-02 (current_events.rules)
2835703 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2019-04-02 (current_events.rules)
2835704 - ETPRO CURRENT_EVENTS Successful Targo Bank DE Phish 2019-04-02 (current_events.rules)
2835705 - ETPRO CURRENT_EVENTS Successful American Express Phish 2019-04-02 (current_events.rules)
2835706 - ETPRO CURRENT_EVENTS Successful OneDrive Phish 2019-04-02 (current_events.rules)
2835707 - ETPRO CURRENT_EVENTS Successful Personalized OneDrive Phish 2019-04-02 (current_events.rules)
2835708 - ETPRO CURRENT_EVENTS Successful Societe Generale Phish 2019-04-02 (current_events.rules)
2835709 - ETPRO CURRENT_EVENTS Successful Personalized Shipping Phish 2019-03-11 (current_events.rules)
2835710 - ETPRO CURRENT_EVENTS Successful Payoneer Phish 2019-04-02 (current_events.rules)
2835711 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-04-02 (current_events.rules)
2835712 - ETPRO CURRENT_EVENTS Successful Volksbank Phish 2019-04-02 (current_events.rules)
2835713 - ETPRO TROJAN MSIL/Filecoder.AK/GhostDakri Uploading Keylog File (trojan.rules)
2835714 - ETPRO TROJAN Remcos RAT Checkin 97 (trojan.rules)
[///] Modified active rules: [///]
2026738 - ET TROJAN [PTsecurity] Trickbot Data Exfiltration (trojan.rules)
2027024 - ET TROJAN Win32/Kribat-A Downloader Activity (trojan.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
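The daily summary above follows a fixed layout: a banner line per section ([+++] Added rules, [///] Modified active rules), an Open:/Pro: tier split, and one rule per entry giving the SID, the ET or ETPRO prefix, the category, the message and the .rules file it lives in, with long entries wrapped onto a second line by the mailer. The parser below is an added example written for this page, not Emerging Threats tooling; it unwraps the mail-wrapped lines, turns each entry into a record, and supports the kind of check asked for later in this thread (whether any signature's message names a given family) as a keyword search over the parsed messages. The embedded SUMMARY is a shortened excerpt of the 2019/04/02 summary copied from the digest; Rule, parse_summary, find_rules and count_by_tier are my own names.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Excerpt of the 2019/04/02 summary, kept as the mailer delivers it: some
# entries are wrapped onto a second line (a continuation line starts with
# neither a SID nor a section banner).
SUMMARY = """\
[***] Summary: [***]
3 new Open, 32 new Pro (3 + 29). Fakeslic/Cohhoc RAT, Remcos RAT,
Various SSL, Various Phish.
[+++] Added rules: [+++]
Open:
2027143 - ET CURRENT_EVENTS MalDoc Request for Payload (TA505 Related)
(current_events.rules)
2027144 - ET TROJAN Xwo CnC Activity (trojan.rules)
2027145 - ET CURRENT_EVENTS Spelevo EK Flash Exploit Attempt
(current_events.rules)
Pro:
2835686 - ETPRO TROJAN Fakeslic/Cohhoc RAT CnC Request (trojan.rules)
2835688 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2019-04-02 1) (trojan.rules)
2835714 - ETPRO TROJAN Remcos RAT Checkin 97 (trojan.rules)
[///] Modified active rules: [///]
2026738 - ET TROJAN [PTsecurity] Trickbot Data Exfiltration (trojan.rules)
"""

# "[+++] Added rules: [+++]" -> section name "Added rules"
SECTION_RE = re.compile(r"^\[.{3}\] (?P<name>.+?):? \[.{3}\]$")
# An entry always starts with a numeric SID followed by " - ".
RULE_START_RE = re.compile(r"^\d{6,8} - ")
# Full entry once unwrapped: SID, ET/ETPRO prefix, category, message, rules file.
# The message is matched lazily so parentheses inside it (e.g. "(TA505 Related)")
# do not get mistaken for the trailing "(x.rules)" token.
RULE_RE = re.compile(
    r"^(?P<sid>\d+) - (?P<prefix>ETPRO|ET) (?P<category>[A-Z_]+) "
    r"(?P<msg>.*?) \((?P<file>[a-z_]+\.rules)\)$"
)
TIERS = ("Open:", "Pro:")


@dataclass
class Rule:
    sid: int
    prefix: str     # "ET" (open ruleset) or "ETPRO"
    category: str   # TROJAN, CURRENT_EVENTS, POLICY, ...
    message: str    # rule msg without prefix/category/file
    ruleset: str    # file the rule is shipped in
    section: str    # "Added rules", "Modified active rules", ...
    tier: str       # "Open", "Pro", or "" where the section has no tier split


def _unwrap(lines: List[str]) -> List[str]:
    """Re-join continuation lines that mail wrapping split off a rule entry."""
    out: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        starts_unit = (RULE_START_RE.match(line) or SECTION_RE.match(line)
                       or line in TIERS)
        if not starts_unit and out and RULE_START_RE.match(out[-1]):
            out[-1] = out[-1] + " " + line   # continuation of previous entry
        else:
            out.append(line)
    return out


def parse_summary(text: str) -> List[Rule]:
    """Parse a daily ruleset summary into Rule records, section/tier aware."""
    rules: List[Rule] = []
    section, tier = "", ""
    for line in _unwrap(text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            section, tier = m["name"], ""
            continue
        if line in TIERS:
            tier = line[:-1]
            continue
        if RULE_START_RE.match(line):
            m = RULE_RE.match(line)
            if not m:
                # Fail loudly on a layout change instead of silently dropping rules.
                raise ValueError(f"unrecognised rule line: {line!r}")
            rules.append(Rule(int(m["sid"]), m["prefix"], m["category"],
                              m["msg"], m["file"], section, tier))
        # any other line (the free-text summary) is ignored
    return rules


def find_rules(rules: List[Rule], keyword: str) -> List[Rule]:
    """Case-insensitive search of rule messages, e.g. for a malware family name."""
    kw = keyword.lower()
    return [r for r in rules if kw in r.message.lower()]


def count_by_tier(rules: List[Rule], section: str = "Added rules") -> Dict[str, int]:
    """Per-tier count for one section; should match the '[***] Summary' line."""
    counts: Dict[str, int] = {}
    for r in rules:
        if r.section == section:
            counts[r.tier] = counts.get(r.tier, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_summary(SUMMARY)
    print(count_by_tier(parsed))
    for r in find_rules(parsed, "remcos"):
        print(r.sid, r.prefix, r.category, r.message, r.ruleset)
```

An empty result from find_rules means only that no rule message in the summaries you fed it names the family; coverage under another detection name (a generic CnC, a certificate or a phishing landing rule) would not show up, so treat a miss as "no rule by that name" rather than "no coverage".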
------------------------------
Message: 2
Date: Wed, 3 Apr 2019 12:53:03 -0400
From: "Alan Knox" <alan2308a at gmail.com>
To: <Emerging-sigs at emergingthreats.net>
Subject: [Emerging-Sigs] EverBe 2.0
Message-ID: <000001d4ea3d$b51f77b0$1f5e6710$@gmail.com>
Content-Type: text/plain; charset="utf-8"
One of our sites just got hit by EverBe 2.0. Are there any signatures for
this malware? I'm getting a lot of questions about this and I didn't see
any.
------------------------------
Message: 3
Date: Wed, 3 Apr 2019 11:02:08 -0600
From: Travis Green <tgreen at emergingthreats.net>
To: Alan Knox <alan2308a at gmail.com>
Cc: "emerging-sigs at emergingthreats.net" <Emerging-sigs at emergingthreats.net>
Subject: Re: [Emerging-Sigs] EverBe 2.0
Message-ID: <CAKgkF6khKNuW=Mkzd7KiW76cZkqGYy+73DuJVA9LQY+P1qQw9Q at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
A quick Google search has revealed no file hashes. Do you have any
further info with regard to how this was delivered or if it performed
any network activity after infection?
-Travis
On Wed, Apr 3, 2019 at 10:53 AM Alan Knox <alan2308a at gmail.com> wrote:
>
> One of our sites just got hit by EverBe 2.0. Are there any signatures for this malware? I’m getting a lot of questions about this and I didn’t see any.
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
>
--
PGP:
travisgreen.net/tgreen at emergingthreats.net.asc
travisgreen.net/travis at travisgreen.net.asc
------------------------------
Message: 4
Date: Wed, 3 Apr 2019 16:06:18 -0400
From: "Alan Knox" <alan2308a at gmail.com>
To: "'Travis Green'" <tgreen at emergingthreats.net>
Cc: <Emerging-sigs at emergingthreats.net>
Subject: Re: [Emerging-Sigs] EverBe 2.0
Message-ID: <002701d4ea58$b3967270$1ac35750$@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Right now no, I don't have anything other than several machines were infected and management is asking whether or not there were any signatures in place. A search of the signatures didn't turn up anything but I figured I'd at least ask.
Thanks,
Alan
-----Original Message-----
From: Travis Green <tgreen at emergingthreats.net>
Sent: Wednesday, April 3, 2019 1:02 PM
To: Alan Knox <alan2308a at gmail.com>
Cc: Emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] EverBe 2.0
A quick Google search has revealed no file hashes. Do you have any
further info with regard to how this was delivered or if it performed
any network activity after infection?
-Travis
On Wed, Apr 3, 2019 at 10:53 AM Alan Knox <alan2308a at gmail.com> wrote:
>
> One of our sites just got hit by EverBe 2.0. Are there any signatures for this malware? I’m getting a lot of questions about this and I didn’t see any.
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
>
--
PGP:
travisgreen.net/tgreen at emergingthreats.net.asc
travisgreen.net/travis at travisgreen.net.asc
------------------------------
Subject: Digest Footer
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
------------------------------
End of Emerging-sigs Digest, Vol 137, Issue 2
*********************************************