[Emerging-Sigs] Daily Ruleset Update Summary 2019/08/09

James Emery-Callcott jcallcott at emergingthreats.net
Fri Aug 9 12:52:58 HDT 2019


[***]            Summary:            [***]

  29 new Open, 54 new Pro (29 + 25).  ELF/Emptiness, Kodiac, Remcos,
Various SSL/TLS, Various Phish.

  Thanks @james_inthe_box.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2027831 - ET TROJAN HVNC USR Init Detected (trojan.rules)
  2027832 - ET TROJAN HVNC BOT Detected (trojan.rules)
  2027833 - ET USER_AGENTS Suspicious Generic Style UA Observed (My_App) (user_agents.rules)
  2027834 - ET TROJAN ELF/Emptiness v1 CnC Checkin (trojan.rules)
  2027835 - ET TROJAN ELF/Emptiness v1.1 CnC Checkin (trojan.rules)
  2027836 - ET TROJAN ELF/Emptiness v2 XOR (b2bb01039307baa2) CnC Checkin (trojan.rules)
  2027837 - ET TROJAN ELF/Emptiness v1 UDP Flood Command Inbound (trojan.rules)
  2027838 - ET TROJAN ELF/Emptiness v1 DNS Flood Command Inbound (trojan.rules)
  2027839 - ET TROJAN ELF/Emptiness v1 HTTP Flood Command Inbound (trojan.rules)
  2027840 - ET TROJAN ELF/Emptiness v1.1 UDP Flood Command Inbound (trojan.rules)
  2027841 - ET TROJAN ELF/Emptiness v1.1 DNS Flood Command Inbound (trojan.rules)
  2027842 - ET TROJAN ELF/Emptiness v1.1 HTTP Flood Command Inbound (trojan.rules)
  2027843 - ET TROJAN ELF/Emptiness v2 XOR UDP Flood Command Inbound (trojan.rules)
  2027844 - ET TROJAN ELF/Emptiness v2 XOR DNS Flood Command Inbound (trojan.rules)
  2027845 - ET TROJAN ELF/Emptiness v2 XOR HTTP Flood Command Inbound (trojan.rules)
  2027846 - ET TROJAN ELF/Emptiness v2 XOR Exec Command Inbound (trojan.rules)
  2027847 - ET TROJAN ELF/Emptiness v2 XOR Update Command Inbound (trojan.rules)
  2027848 - ET TROJAN ELF/Mirai.shiina v3 CnC Checkin (trojan.rules)
  2027849 - ET TROJAN ELF/Emptiness CnC Domain in DNS Query (trojan.rules)
  2027850 - ET TROJAN ELF/Emptiness CnC Domain in DNS Query (trojan.rules)
  2027851 - ET TROJAN ELF/Emptiness CnC Domain in DNS Query (trojan.rules)
  2027852 - ET TROJAN ELF/Emptiness CnC Domain in DNS Query (trojan.rules)
  2027853 - ET TROJAN ELF/Emptiness CnC Domain in DNS Query (trojan.rules)
  2027854 - ET TROJAN ELF/Emptiness CnC Domain in DNS Query (trojan.rules)
  2027855 - ET TROJAN ELF/Emptiness CnC Domain in DNS Query (trojan.rules)
  2027856 - ET TROJAN ELF/Emptiness CnC Domain in DNS Query (trojan.rules)
  2027857 - ET TROJAN ELF/Mirai.shiina CnC Domain in DNS Query (trojan.rules)
  2027858 - ET TROJAN APT Related - BLACKCOFFEE Command Delimiters in HTTP Response M1 (trojan.rules)
  2027859 - ET TROJAN APT Related - BLACKCOFFEE Command Delimiters in HTTP Response M2 (trojan.rules)

Pro:

  2837945 - ETPRO TROJAN SSL/TLS Certificate Observed (Koadic) (trojan.rules)
  2837946 - ETPRO TROJAN SSL/TLS Certificate Observed (More_eggs / SONE) (trojan.rules)
  2837947 - ETPRO TROJAN Kodiac CnC Activity (trojan.rules)
  2837948 - ETPRO TROJAN Win32/Remcos RAT Checkin 120 (trojan.rules)
  2837949 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-08-09 1) (trojan.rules)
  2837950 - ETPRO CURRENT_EVENTS Successful Godaddy Phish 2019-08-09 (current_events.rules)
  2837951 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2019-08-09 (current_events.rules)
  2837952 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2019-08-09 (current_events.rules)
  2837953 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2019-08-09 (current_events.rules)
  2837954 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2019-08-09 (current_events.rules)
  2837955 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2019-08-09 (current_events.rules)
  2837956 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2019-08-09 (current_events.rules)
  2837957 - ETPRO CURRENT_EVENTS Successful BT Phish 2019-08-09 (current_events.rules)
  2837958 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-08-09 (current_events.rules)
  2837959 - ETPRO MALWARE Possible Win32/Adware.Downloader Requesting Installs (malware.rules)
  2837960 - ETPRO INFO Suspicious Outbound Dotted Quad .tmp POST Request (info.rules)
  2837961 - ETPRO POLICY ScreenConnect Successful Connection Response Inbound (policy.rules)
  2837962 - ETPRO POLICY ScreenConnect - Establish Connection Attempt (policy.rules)
  2837963 - ETPRO TROJAN Win32/Downloader.Agent.ABTQH CnC Checkin (trojan.rules)
  2837964 - ETPRO TROJAN Win32/Downloader.Agent.ABTQH Receiving Config from CnC (trojan.rules)
  2837966 - ETPRO CURRENT_EVENTS Inbound Batch Script Creating Kernel-mode Driver Service (current_events.rules)
  2837967 - ETPRO MALWARE Win32/Adware.RunBooster CnC Checkin (malware.rules)
  2837968 - ETPRO TROJAN Observed Malicious SSL Cert (PowerShell/Kryptik.V CnC) (trojan.rules)


---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team