[Emerging-Sigs] Daily Ruleset Update Summary 2019/08/07

James Emery-Callcott jcallcott at emergingthreats.net
Wed Aug 7 14:29:08 HDT 2019


[***]            Summary:            [***]

  7 new Open, 33 new Pro (7 + 26). Card Skimmer/Form Stealer, Android MoqHao, Various SSL/TLS, Various Phish.

  Thanks @James_inthe_box.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2011227 - ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) (user_agents.rules)
  2027812 - ET TROJAN Nyanw0rm CnC Keep-Alive (Outbound) M1 (trojan.rules)
  2027813 - ET TROJAN Nyanw0rm CnC Keep-Alive (Outbound) M2 (trojan.rules)
  2027814 - ET CURRENT_EVENTS Possible FFSniff Inject Observed (current_events.rules)
  2027815 - ET CURRENT_EVENTS Possible Injected JS Form Stealer Checking Page Contents M1 (current_events.rules)
  2027816 - ET CURRENT_EVENTS Possible Injected JS Form Stealer Checking Page Contents M2 (current_events.rules)
  2027817 - ET CURRENT_EVENTS Inbound JS with Possible 1px-1px Exfiltration Image (current_events.rules)

Pro:

  2837900 - ETPRO MOBILE_MALWARE Android Spy MoqHao CnC Beacon (mobile_malware.rules)
  2837901 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Plankton Reporting Location (mobile_malware.rules)
  2837902 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
  2837904 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-08-07 1) (trojan.rules)
  2837905 - ETPRO CURRENT_EVENTS Successful USAA Phish 2019-08-07 (current_events.rules)
  2837906 - ETPRO CURRENT_EVENTS Successful Maersk Phish 2019-08-07 (current_events.rules)
  2837907 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-08-07 (current_events.rules)
  2837908 - ETPRO CURRENT_EVENTS Successful Office 365 Phish 2019-08-07 (current_events.rules)
  2837909 - ETPRO CURRENT_EVENTS Successful Banco Bradesco Phish 2019-08-07 (current_events.rules)
  2837910 - ETPRO CURRENT_EVENTS Successful BNP Paribas Phish 2019-08-07 (current_events.rules)
  2837911 - ETPRO CURRENT_EVENTS Successful Abanca Phish 2019-08-07 (current_events.rules)
  2837912 - ETPRO CURRENT_EVENTS Successful Allegro Phish 2019-08-07 (current_events.rules)
  2837913 - ETPRO CURRENT_EVENTS Successful Spark Phish 2019-08-07 (current_events.rules)
  2837914 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish 2019-08-07 (current_events.rules)
  2837915 - ETPRO CURRENT_EVENTS Successful Indeed Phish 2019-08-07 (current_events.rules)
  2837916 - ETPRO TROJAN MSIL.TScope Checkin 10 (trojan.rules)
  2837917 - ETPRO TROJAN Possible APT Related CnC in DNS Query (trojan.rules)
  2837918 - ETPRO TROJAN Possible APT Related CnC in DNS Query (trojan.rules)
  2837919 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (Card Skimmer CnC) (current_events.rules)
  2837920 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (Card Skimmer CnC) (current_events.rules)
  2837921 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (Card Skimmer CnC) (current_events.rules)
  2837922 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (Card Skimmer CnC) (current_events.rules)
  2837923 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (Card Skimmer CnC) (current_events.rules)
  2837924 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (Card Skimmer CnC) (current_events.rules)
  2837925 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (Card Skimmer CnC) (current_events.rules)
  2837926 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (Card Skimmer CnC) (current_events.rules)

 [///]     Modified active rules:     [///]

  2000026 - ET USER_AGENTS Gator Agent Traffic (user_agents.rules)
  2003492 - ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) (info.rules)
  2024969 - ET TROJAN OceanLotus System Profiling JavaScript HTTP Request (trojan.rules)

 [---]  Disabled and modified rules:  [---]

  2836860 - ETPRO TROJAN Win32/Unk.SEE_N02 CnC Keep-Alive (Outbound) (trojan.rules)

 [---]         Disabled rules:        [---]

  2834933 - ETPRO USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) (user_agents.rules)

 [---]         Removed rules:         [---]

  2011227 - ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers (policy.rules)


---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team

