[Emerging-Sigs] Daily Ruleset Update Summary 2019/08/05

James Emery-Callcott jcallcott at emergingthreats.net
Mon Aug 5 13:59:18 HDT 2019


[***]            Summary:            [***]

  11 new Open, 43 new Pro (11 + 32).  Covenant Framework, Agent Tesla
Exfil, Various SSL/TLS, Various Phish.

  Thanks Kevin Ross and @401TRG.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2027792 - ET TROJAN Covenant Framework Default HTTP Beacon (trojan.rules)
  2027793 - ET TROJAN Covenant Framework HTTP Beacon (trojan.rules)
  2027794 - ET TROJAN Covenant Framework HTTP Hello World Server Response
(trojan.rules)
  2027795 - ET TROJAN Possible Covenant Framework Grunt Stager HTTP
Download (Grunt.GruntStager) (trojan.rules)
  2027796 - ET TROJAN Possible Covenant Framework Grunt Stager HTTP
Download (DynamicInvoke) (trojan.rules)
  2027797 - ET TROJAN Possible Covenant Framework Grunt PowerShell Stager
HTTP Download (trojan.rules)
  2027798 - ET TROJAN Possible Covenant Framework Grunt MSBuild Stager HTTP
Download (trojan.rules)
  2027799 - ET TROJAN Observed Malicious SSL Cert (AZORult CnC)
(trojan.rules)
  2027800 - ET TROJAN Observed Malicious SSL Cert (Various CnC)
(trojan.rules)
  2027801 - ET TROJAN Observed Malicious SSL Cert (Various CnC)
(trojan.rules)
  2027802 - ET TROJAN Win32/Eris Ransomware CnC Checkin (trojan.rules)

Pro:

  2804853 - ETPRO USER_AGENTS User-Agent (MyIE2) (user_agents.rules)
  2837843 - ETPRO MALWARE Win32/MaxRev Adware Installer Activity
(malware.rules)
  2837844 - ETPRO TROJAN Win32/Agent Tesla/Origin Logger SMTP Keystroke
Exfil (trojan.rules)
  2837845 - ETPRO TROJAN Observed Malicious SSL Cert (The Trick CnC)
(trojan.rules)
  2837846 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (EvilJS
Retrieving Payload) (current_events.rules)
  2837847 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc
Retrieving Payload) (current_events.rules)
  2837848 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2019-08-04 (current_events.rules)
  2837849 - ETPRO CURRENT_EVENTS Successful BBVA Phish 2019-08-04
(current_events.rules)
  2837850 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2019-08-04 (current_events.rules)
  2837851 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2019-08-04 (current_events.rules)
  2837852 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2019-08-04 (current_events.rules)
  2837853 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2019-08-04
(current_events.rules)
  2837854 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2019-08-04
(current_events.rules)
  2837855 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2019-08-05 1) (trojan.rules)
  2837856 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2019-08-05 2) (trojan.rules)
  2837857 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2019-08-05 3) (trojan.rules)
  2837858 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2019-08-05 4) (trojan.rules)
  2837859 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2019-08-05 5) (trojan.rules)
  2837860 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2019-08-05 6) (trojan.rules)
  2837861 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2019-08-05 7) (trojan.rules)
  2837862 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2019-08-05 (current_events.rules)
  2837863 - ETPRO CURRENT_EVENTS Successful TalkTalk Phish 2019-08-05
(current_events.rules)
  2837864 - ETPRO CURRENT_EVENTS Successful Generic Online Virus Scanner
Phish 2019-08-05 (current_events.rules)
  2837865 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif Loader CnC)
(trojan.rules)
  2837866 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif Loader CnC)
(trojan.rules)
  2837867 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif Loader CnC)
(trojan.rules)
  2837868 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif Worker CnC)
(trojan.rules)
  2837869 - ETPRO TROJAN Observed Malicious SSL Cert (sLoad CnC)
(trojan.rules)
  2837870 - ETPRO TROJAN Observed Malicious SSL Cert (sLoad CnC)
(trojan.rules)
  2837871 - ETPRO TROJAN Variant.Strictor.141352 Payload Details in Server
Response (trojan.rules)
  2837872 - ETPRO TROJAN Variant.Strictor.141352 Client Request for Payload
(set) (trojan.rules)
  2837873 - ETPRO TROJAN Variant.Strictor.141352 Payload Download
(trojan.rules)

 [///]     Modified active rules:     [///]

  2001891 - ET USER_AGENTS Suspicious User Agent (agent) (user_agents.rules)
  2012612 - ET INFO Hiloti Style GET to PHP with invalid terse MSIE headers
(info.rules)
  2013315 - ET TROJAN Suspicious User-Agent (Agent and 5 or 6 digits)
(trojan.rules)

 [---]         Removed rules:         [---]

  2804853 - ETPRO TROJAN User-Agent (MyIE2) (trojan.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
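A small parser for the summary format above, added here as an example and not part of the original post or the Emerging Threats tooling. It reads the section banners, the Open:/Pro: sub-lists and the SID-prefixed entries (including entries wrapped onto a second line), then performs the three checks a subscriber typically wants after a pull: that the header counts match the listed entries, that a SID appearing under both Added and Removed was re-categorised rather than dropped (2804853 moves from trojan.rules to user_agents.rules in this update), and which newly listed SIDs are still absent from the local merged rules file. The sample summary and the local rules text are constructed excerpts; the rule bodies are placeholders carrying only msg and sid.

```python
"""Parse an Emerging Threats daily ruleset summary and sanity-check it.
Added example; the layout rules are inferred from the post above and the
sample text is a constructed, trimmed excerpt of the 2019/08/05 update."""
import re
from collections import defaultdict
from typing import NamedTuple

SAMPLE = """\
[***]            Summary:            [***]

  2 new Open, 4 new Pro (2 + 2).  Covenant Framework, Agent Tesla
Exfil, Various SSL/TLS, Various Phish.

[+++]          Added rules:          [+++]

Open:

  2027792 - ET TROJAN Covenant Framework Default HTTP Beacon (trojan.rules)
  2027795 - ET TROJAN Possible Covenant Framework Grunt Stager HTTP
Download (Grunt.GruntStager) (trojan.rules)

Pro:

  2804853 - ETPRO USER_AGENTS User-Agent (MyIE2) (user_agents.rules)
  2837844 - ETPRO TROJAN Win32/Agent Tesla/Origin Logger SMTP Keystroke
Exfil (trojan.rules)

 [///]     Modified active rules:     [///]

  2001891 - ET USER_AGENTS Suspicious User Agent (agent) (user_agents.rules)

 [---]         Removed rules:         [---]

  2804853 - ETPRO TROJAN User-Agent (MyIE2) (trojan.rules)
"""

# Constructed stand-in for the merged local rules file (e.g. suricata-update
# output); only msg and sid are real, the rest is placeholder.
LOCAL_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Covenant Framework Default HTTP Beacon"; sid:2027792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (agent)"; sid:2001891; rev:9;)
"""

BANNER = re.compile(r"^\s*\[([+/*-]{3})\]\s+(.+?)\s+\[\1\]\s*$")
SECTION_BY_BANNER = {"***": "Summary", "+++": "Added", "///": "Modified", "---": "Removed"}
COUNTS = re.compile(r"^\s*(\d+) new Open, (\d+) new Pro \((\d+) \+ (\d+)\)")
SUBLIST = re.compile(r"^(Open|Pro):\s*$")
ENTRY = re.compile(r"^\s*(\d{7}) - (.+)$")
RULEFILE = re.compile(r"^(.*)\s\(([\w.-]+\.rules)\)$")   # trailing "(file.rules)"
SID_IN_RULE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


class Rule(NamedTuple):
    sid: int
    msg: str
    rulefile: str


def parse_summary(text):
    """Return {'counts': (open, pro, open_part, pro_only_part) or None,
    'rules': {'Added/Open': [...], 'Added/Pro': [...], 'Modified': [...], 'Removed': [...]}}."""
    counts, rules, pending = None, defaultdict(list), []   # pending = [key, sid, text]
    section = sub = None

    def flush():  # finish the entry being accumulated (it may have wrapped)
        if pending:
            key, sid, body = pending
            m = RULEFILE.match(body)
            msg, rulefile = (m.group(1), m.group(2)) if m else (body, "")
            rules[key].append(Rule(sid, msg.strip(), rulefile))
            pending.clear()

    for line in text.splitlines():
        if m := BANNER.match(line):
            flush(); section, sub = SECTION_BY_BANNER[m.group(1)], None
        elif section == "Summary":
            if m := COUNTS.match(line):
                counts = tuple(int(g) for g in m.groups())
        elif m := SUBLIST.match(line):
            flush(); sub = m.group(1)
        elif m := ENTRY.match(line):
            flush(); pending[:] = [f"{section}/{sub}" if sub else section, int(m.group(1)), m.group(2).strip()]
        elif line.strip() and pending:
            pending[2] += " " + line.strip()   # continuation of a wrapped entry
        else:
            flush()
    flush()
    return {"counts": counts, "rules": dict(rules)}


def check_counts(parsed):
    """True when 'N new Open, M new Pro (a + b)' agrees with the listed entries."""
    if parsed["counts"] is None:
        return False
    open_n, pro_n, open_part, pro_part = parsed["counts"]
    listed_open = len(parsed["rules"].get("Added/Open", []))
    listed_pro = len(parsed["rules"].get("Added/Pro", []))
    return open_n == listed_open == open_part and pro_part == listed_pro and pro_n == open_part + pro_part


def recategorized(parsed):
    """SIDs under both Added and Removed: moved to another category/file, not gone."""
    added = {r.sid: r for k, v in parsed["rules"].items() if k.startswith("Added") for r in v}
    return {r.sid: (r, added[r.sid]) for r in parsed["rules"].get("Removed", []) if r.sid in added}


def missing_from_local(parsed, local_rules_text, want_pro=False):
    """Added SIDs not present in the local merged rules text (sorted)."""
    keys = ["Added/Open"] + (["Added/Pro"] if want_pro else [])
    have = {int(s) for s in SID_IN_RULE.findall(local_rules_text)}
    return sorted(r.sid for k in keys for r in parsed["rules"].get(k, []) if r.sid not in have)
```

Feed it the full text of a summary mail and the concatenated output of your rule manager; an Open subscriber should expect `missing_from_local(..., want_pro=False)` to be empty after the next pull, while the Pro-only SIDs will naturally show as missing unless `want_pro` reflects the subscription you actually have.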