[Emerging-Sigs] Daily Ruleset Update Summary 2019/08/13

Brandon Murphy bmurphy at emergingthreats.net
Tue Aug 13 14:57:32 HDT 2019


[***]            Summary:            [***]

21 new Open, 34 new Pro (21 + 13). MedusaHTTP, Kodiac CnC, Various Phishing.

Thanks @james_inthe_box and @malware_traffic

[+++]          Added rules:          [+++]

Open:

  2027861 - ET TROJAN MedusaHTTP Variant CnC Checkin (trojan.rules)
  2027863 - ET INFO Observed DNS Query to .biz TLD (info.rules)
  2027864 - ET INFO Observed DNS Query to .okinawa TLD (info.rules)
  2027865 - ET INFO Observed DNS Query to .cloud TLD (info.rules)
  2027866 - ET INFO Observed DNS Query to .desi TLD (info.rules)
  2027867 - ET INFO Observed DNS Query to .life TLD (info.rules)
  2027868 - ET INFO Observed DNS Query to .work TLD (info.rules)
  2027869 - ET INFO Observed DNS Query to .ryukyu TLD (info.rules)
  2027870 - ET INFO Observed DNS Query to .world TLD (info.rules)
  2027871 - ET INFO Observed DNS Query to .fit TLD (info.rules)
  2027872 - ET INFO HTTP Request to Suspicious *.biz Domain (info.rules)
  2027873 - ET INFO HTTP Request to Suspicious *.okinawa Domain (info.rules)
  2027874 - ET INFO HTTP Request to Suspicious *.cloud Domain (info.rules)
  2027875 - ET INFO HTTP Request to Suspicious *.desi Domain (info.rules)
  2027876 - ET INFO HTTP Request to Suspicious *.life Domain (info.rules)
  2027877 - ET INFO HTTP Request to Suspicious *.work Domain (info.rules)
  2027878 - ET INFO HTTP Request to Suspicious *.ryukyu Domain (info.rules)
  2027879 - ET INFO HTTP Request to Suspicious *.world Domain (info.rules)
  2027880 - ET INFO HTTP Request to Suspicious *.fit Domain (info.rules)
  2027881 - ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Inbound (CVE-2019-6277) (exploit.rules)
  2027882 - ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Outbound (CVE-2019-6277) (exploit.rules)

Pro:

  2838004 - ETPRO TROJAN Observed Malicious SSL Cert (Kodiac CnC) (trojan.rules)
  2838005 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-08-13 1) (trojan.rules)
  2838006 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-08-13 2) (trojan.rules)
  2838007 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2019-08-13 (current_events.rules)
  2838008 - ETPRO CURRENT_EVENTS Successful OurTime Phish 2019-08-13 (current_events.rules)
  2838009 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2019-08-13 (current_events.rules)
  2838010 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2019-08-13 (current_events.rules)
  2838011 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-08-13 (current_events.rules)
  2838012 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-08-13 (current_events.rules)
  2838013 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2019-08-13 (current_events.rules)
  2838014 - ETPRO CURRENT_EVENTS Successful OneNevada Credit Union Phish 2019-08-13 (current_events.rules)
  2838015 - ETPRO CURRENT_EVENTS Successful Desjardins Phish 2019-08-13 (current_events.rules)
  2838016 - ETPRO CURRENT_EVENTS Successful HSBC Phish 2019-08-13 (current_events.rules)

[///]     Modified active rules:     [///]

  2002400 - ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) (user_agents.rules)
  2003626 - ET MALWARE Double User-Agent (User-Agent User-Agent) (malware.rules)
  2014634 - ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Session_Id length greater than Client_Hello Length) (trojan.rules)
  2018403 - ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe (trojan.rules)
  2834303 - ETPRO TROJAN MedusaHTTP Variant CnC Checkin (trojan.rules)
  2834367 - ETPRO TROJAN GoBrut CnC Checkin (trojan.rules)
  2834368 - ETPRO TROJAN GoBrut Requesting Brute Force List (flowbit set) (trojan.rules)
  2834369 - ETPRO TROJAN GoBrut Brute Force List Inbound (trojan.rules)
  2836433 - ETPRO TROJAN GoBrut Service Bruter CnC Activity (trojan.rules)
  2836434 - ETPRO TROJAN GoBrut Service Bruter CnC Checkin (trojan.rules)