[Emerging-Sigs] Daily Ruleset Update Summary 2019/04/30
James Emery-Callcott
jcallcott at emergingthreats.net
Tue Apr 30 13:21:36 HDT 2019
[***] Summary: [***]
8 new Open, 51 new Pro (8 + 43). Megumin Stealer, DonotGroup, Zebrocy, Various SSL/TLS, Various Phish.
[+++] Added rules: [+++]
Open:
2027293 - ET TROJAN Megumin v2 Stealer User-Agent (trojan.rules)
2027294 - ET CURRENT_EVENTS Successful Generic Phish 2019-04-30 (set) (current_events.rules)
2027295 - ET TROJAN DonotGroup CnC Domain in DNS Lookup (trojan.rules)
2027296 - ET TROJAN DonotGroup Stage 2 CnC Domain in DNS Lookup (trojan.rules)
2027297 - ET TROJAN Observed Malicious SSL Cert (DonotGroup Stage 2 CnC) (trojan.rules)
2027298 - ET TROJAN Observed Malicious SSL Cert (DonotGroup CnC) (trojan.rules)
2027299 - ET INFO DYNAMIC_DNS Query to *.autoddns .com Domain (info.rules)
2027300 - ET INFO DYNAMIC_DNS HTTP Request to a *.autoddns.com Domain (info.rules)
Pro:
2836130 - ETPRO MOBILE_MALWARE AndroidOS/Trojan.KYFR-0 Checkin (mobile_malware.rules)
2836131 - ETPRO MOBILE_MALWARE Trojan.Dropper.AndroidOS.Agent.hg Checkin (mobile_malware.rules)
2836132 - ETPRO TROJAN IcedID CnC Domain in SNI (trojan.rules)
2836133 - ETPRO TROJAN IcedID CnC Domain in SNI (trojan.rules)
2836134 - ETPRO TROJAN IcedID CnC Domain in SNI (trojan.rules)
2836135 - ETPRO TROJAN IcedID CnC Domain in SNI (trojan.rules)
2836136 - ETPRO TROJAN Tech Support Scam Landing Page iframe JS Inbound (trojan.rules)
2836137 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-04-30 1) (trojan.rules)
2836138 - ETPRO INFO Suspicious POST with 0 Len and Minimal Headers (info.rules)
2836139 - ETPRO TROJAN Suspicious Download Inbound (dll.dll) (trojan.rules)
2836140 - ETPRO TROJAN Zebrocy Variant CnC Checkin (trojan.rules)
2836141 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2836142 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2836143 - ETPRO TROJAN Observed Malicious SSL Cert (Gozi Injects Server) (trojan.rules)
2836144 - ETPRO TROJAN Observed Malicious SSL Cert (Gozi Injects Server) (trojan.rules)
2836145 - ETPRO TROJAN Observed Malicious SSL Cert (Gozi Injects Server) (trojan.rules)
2836146 - ETPRO TROJAN Suspicious Computer Name in User-Agent (trojan.rules)
2836147 - ETPRO TROJAN Megumin Stealer CnC Command (Suicide) (trojan.rules)
2836148 - ETPRO TROJAN Megumin Stealer CnC Command (Msgbox) (trojan.rules)
2836149 - ETPRO TROJAN Megumin Stealer CnC Command (SelfDel) (trojan.rules)
2836150 - ETPRO TROJAN Megumin Stealer CnC Command (Blacklist) (trojan.rules)
2836151 - ETPRO TROJAN Megumin Stealer CnC Command (IsUSB) (trojan.rules)
2836152 - ETPRO TROJAN Megumin Stealer CnC Command (Cpu) (trojan.rules)
2836153 - ETPRO TROJAN Megumin Stealer CnC Command (IsClipper) (trojan.rules)
2836154 - ETPRO TROJAN Megumin Stealer CnC Command (Wallets) (trojan.rules)
2836155 - ETPRO TROJAN Megumin Stealer CnC Command (Reconnect Time) (trojan.rules)
2836156 - ETPRO TROJAN Megumin Stealer CnC Command (Config) (trojan.rules)
2836157 - ETPRO TROJAN Megumin v2 Stealer Completed (trojan.rules)
2836158 - ETPRO TROJAN SSL/TLS Certificate Observed (More_Eggs) (trojan.rules)
2836159 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-04-30 (current_events.rules)
2836160 - ETPRO CURRENT_EVENTS Successful Sparkasse Phish 2019-04-30 (current_events.rules)
2836161 - ETPRO CURRENT_EVENTS Successful Sparkasse Phish 2019-04-30 (current_events.rules)
2836162 - ETPRO CURRENT_EVENTS Successful Sparkasse Phish 2019-04-30 (current_events.rules)
2836163 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2019-04-30 (current_events.rules)
2836164 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2019-04-30 (current_events.rules)
2836165 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2019-04-30 (current_events.rules)
2836166 - ETPRO CURRENT_EVENTS Successful Generic Step2 Phish 2019-04-30 (current_events.rules)
2836167 - ETPRO CURRENT_EVENTS Successful Generic Chalbhai Phish 2019-04-30 (current_events.rules)
2836168 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2019-04-30 (current_events.rules)
2836169 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2019-04-30 (current_events.rules)
2836170 - ETPRO CURRENT_EVENTS Successful OneDrive Phish 2019-04-30 (current_events.rules)
2836171 - ETPRO WEB_CLIENT Possible Google Chrome 'NewFixedDoubleArray' Integer Overflow RCE - Trigger Out of Bounds Stage (web_client.rules)
2836172 - ETPRO TROJAN Win32/Backdoor PING Command (trojan.rules)
[///] Modified active rules: [///]
2027177 - ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement (policy.rules)
2027280 - ET TROJAN APT DNSpionage/Karkoff CnC Domain in DNS Lookup (trojan.rules)
2832193 - ETPRO TROJAN Vidar/Arkei/Megumin Stealer HTTP POST Pattern (trojan.rules)
2833685 - ETPRO TROJAN W32.Sarwent Checkin -- count (trojan.rules)
2833686 - ETPRO TROJAN W32.Sarwent Checkin -- add_bot (trojan.rules)
2836094 - ETPRO TROJAN Megumin v2 Stealer Task Request (trojan.rules)
2836095 - ETPRO TROJAN Megumin v2 Stealer Checkin (trojan.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team