[Emerging-Sigs] Daily Ruleset Update Summary 2019/08/15

Brandon Murphy bmurphy at emergingthreats.net
Thu Aug 15 15:34:35 HDT 2019


[***]            Summary:            [***]

7 new Open, 18 new Pro (7 + 11). Py.Machete, Python/PBot.M,
Win32.Ransom.Birele, Win32/Dostre

Thanks @James_inthe_box and @travisbgreen

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

 2027886 - ET TROJAN Win32/DarkRAT CnC Activity (trojan.rules)
 2027887 - ET TROJAN [TGI] Py.Machete HTTP CnC Exfil (trojan.rules)
 2027888 - ET TROJAN [TGI] Py.Machete FTP Exfil 1 (trojan.rules)
 2027889 - ET TROJAN [TGI] Py.Machete FTP Exfil 2 (trojan.rules)
 2027890 - ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port (snmp.rules)
 2027891 - ET EXPLOIT FortiOS SSL VPN - Remote Code Execution (CVE-2018-13383) (exploit.rules)
 2027892 - ET TROJAN Win32/Dostre CnC Activity (trojan.rules)

Pro:

 2838038 - ETPRO CURRENT_EVENTS Generic 302 Redirect to Phishing Landing (current_events.rules)
 2838039 - ETPRO MALWARE Python/PBot.M CnC Domain in DNS Query (malware.rules)
 2838040 - ETPRO MALWARE Python/PBot.M Redirector Domain in DNS Query (malware.rules)
 2838041 - ETPRO TROJAN Win32/Tofsee Template 2 Active - Outbound Malicious Email Spam (trojan.rules)
 2838042 - ETPRO POLICY High Volume Outbound SMTP Observed (policy.rules)
 2838043 - ETPRO MALWARE Python/PBot.M CnC Response (malware.rules)
 2838044 - ETPRO MALWARE Python/PBot.M JS Injects Inbound (malware.rules)
 2838045 - ETPRO MALWARE Python/PBot.M Redirect Config Inbound (malware.rules)
 2838047 - ETPRO TROJAN Win32/PSW.Agent.OGR CnC Checkin (trojan.rules)
 2838048 - ETPRO TROJAN Win32.Ransom.Birele UDP Checkin (trojan.rules)
 2838049 - ETPRO MALWARE Python/PBot.M CnC Checkin (malware.rules)


[///]     Modified active rules:     [///]

 2027249 - ET POLICY Request for Possible Adobe Phishing Hosted on Github.io (policy.rules)
 2812742 - ETPRO TROJAN APT WinHTTPHelper/Tabuvys CnC Beacon (trojan.rules)
 2837550 - ETPRO TROJAN Observed Trickbot Style SSL Cert (Internet Widgets Pty Ltd) (trojan.rules)
 2837750 - ETPRO TROJAN Win32/Azden.A CnC Checkin (trojan.rules)


[---]  Disabled and modified rules:  [---]

 2016851 - ET CURRENT_EVENTS Winwebsec/Zbot/Luder Checkin Response (current_events.rules)
 2017671 - ET CURRENT_EVENTS Possible CVE-2013-3906 CnC Checkin (current_events.rules)
 2018344 - ET CURRENT_EVENTS Hikvision DVR Synology Recon Scan Checkin (current_events.rules)
 2018973 - ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 20 2014 D1 (current_events.rules)
 2018974 - ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 20 2014 D2 (current_events.rules)
 2019104 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 3 2014 (current_events.rules)
 2019173 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 15 2014 (current_events.rules)
 2019178 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 16 2014 (current_events.rules)
 2019186 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 16 2014 (current_events.rules)
 2019200 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 19 2014 (current_events.rules)
 2019213 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 22 2014 (current_events.rules)
 2019275 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014 (current_events.rules)
 2019276 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014 (current_events.rules)
 2019319 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 30 2014 (current_events.rules)
 2019320 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 30 2014 (current_events.rules)
 2019342 - ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 3 2014 (current_events.rules)
 2019413 - ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 15 2014 (current_events.rules)
 2019419 - ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 15 2014 (current_events.rules)
 2019493 - ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014 (current_events.rules)
 2019494 - ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014 (current_events.rules)
 2019495 - ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014 (current_events.rules)
 2019520 - ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 27 2014 (current_events.rules)
 2019521 - ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 27 2014 (current_events.rules)
 2019522 - ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 27 2014 (current_events.rules)
 2019523 - ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 27 2014 (current_events.rules)
 2019651 - ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 05 2014 (current_events.rules)
 2019699 - ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 11 2014 (current_events.rules)
 2019700 - ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 11 2014 (current_events.rules)
 2019701 - ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 11 2014 (current_events.rules)
 2019702 - ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 11 2014 (current_events.rules)
 2019703 - ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 11 2014 (current_events.rules)
 2019705 - ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 12 2014 (current_events.rules)
 2019719 - ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 17 2014 (current_events.rules)
 2019875 - ET CURRENT_EVENTS Possible Dyre SSL Cert Dec 4 2014 (current_events.rules)
 2020288 - ET CURRENT_EVENTS Possible Dyre SSL Cert Jan 22 2015 (current_events.rules)
 2020328 - ET CURRENT_EVENTS Possible Dridex Campaign Download Jan 28 2015 (current_events.rules)
 2020351 - ET CURRENT_EVENTS Possible Dridex e-mail inbound (current_events.rules)
 2020758 - ET CURRENT_EVENTS VBA Office Document Dridex Binary Download User-Agent (current_events.rules)
 2020806 - ET CURRENT_EVENTS VBA Office Document Dridex Binary Download User-Agent 2 (current_events.rules)
 2020866 - ET CURRENT_EVENTS Possible Dridex downloader SSL Certificate srv1.mainsftdomain.com (current_events.rules)
 2020943 - ET CURRENT_EVENTS Possible Dridex downloader SSL Certificate (current_events.rules)
 2020986 - ET CURRENT_EVENTS Possible Dridex Downloader SSL Certificate (current_events.rules)
 2021093 - ET CURRENT_EVENTS Possible Dridex Remote Macro Download (current_events.rules)
 2021586 - ET CURRENT_EVENTS Possible Dyre SSL Cert (non-ASCII) Jul 21 2015 (current_events.rules)
 2021615 - ET CURRENT_EVENTS Dridex Downloader SSL Certificate (current_events.rules)
 2021735 - ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 31 2015 (current_events.rules)
 2021736 - ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 31 2015 (current_events.rules)
 2021948 - ET CURRENT_EVENTS Possible Upatre/Dyre/Kegotip SSL Cert Oct 12 2015 (current_events.rules)
 2022339 - ET CURRENT_EVENTS Dridex Download 6th Jan 2016 Flowbit (current_events.rules)
 2022340 - ET CURRENT_EVENTS W32/Dridex Binary Download 6th Jan 2016 (current_events.rules)
 2023315 - ET CURRENT_EVENTS Possible Locky AlphaNum Downloader Oct 3 2016 (current_events.rules)
 2023316 - ET CURRENT_EVENTS Possible Locky AlphaNum Downloader Oct 3 2016 (current_events.rules)
 2027414 - ET CURRENT_EVENTS Observed Malicious SSL Cert (BrushaLoader CnC) 2019-05-30 (current_events.rules)
 2837970 - ETPRO TROJAN Win32/DarkRAT CnC Activity (trojan.rules)


[---]         Disabled rules:        [---]

 2024767 - ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M1 (current_events.rules)
 2024768 - ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M2 (current_events.rules)
 2026461 - ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M3 (current_events.rules)
 2026462 - ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M4 (current_events.rules)
 2026644 - ET CURRENT_EVENTS Observed Malicious SSL Cert (BrushaLoader Domain) (current_events.rules)
 2026659 - ET CURRENT_EVENTS Observed Malicious SSL Cert (BrushaLoader Domain) (current_events.rules)
 2027415 - ET CURRENT_EVENTS Brushaloader Domain in DNS Lookup 2019-05-30 (current_events.rules)
 2827505 - ETPRO CURRENT_EVENTS Locky Payload DL 2017-08-11 (current_events.rules)
 2828343 - ETPRO CURRENT_EVENTS Unknown MalDoc Checkin Oct 2017 (current_events.rules)
 2828426 - ETPRO CURRENT_EVENTS JS/Locky Downloader Checkin (current_events.rules)
 2833864 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (BrushaLoader CnC) (current_events.rules)
 2834920 - ETPRO CURRENT_EVENTS Brushaloader Domain in DNS Lookup (current_events.rules)
 2834921 - ETPRO CURRENT_EVENTS Brushaloader Domain in TLS SNI (current_events.rules)
 2835110 - ETPRO CURRENT_EVENTS MalDoc Requesting Dridex Payload 2018-03-01 (current_events.rules)