[Emerging-Sigs] Daily Ruleset Update Summary 2019/12/23

Jason Williams jwilliams at emergingthreats.net
Mon Dec 23 14:02:34 HST 2019


[***]            Summary:            [***]

  9 new Open, 42 new Pro (9 + 33). OilRig, Valak, DarkRATv2, Docxer and
Various Phish.

  Thanks @prsecurity_ and @hyasinc

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

 [+++]          Added rules:          [+++]

Open:

  2029189 - ET TROJAN OilRig APT PowDesk Powershell Check (trojan.rules)
  2029190 - ET TROJAN Possible XServer Backdoor Certificate Observed (trojan.rules)
  2029191 - ET ACTIVEX Suspicious TLS SNI Request for Root (activex.rules)
  2029192 - ET TROJAN Win32/Valak Checkin (trojan.rules)
  2029193 - ET TROJAN Win32/Valak - Stage 2 - Request (trojan.rules)
  2029194 - ET TROJAN Win32/Valak Checkin - Server Response (trojan.rules)
  2029195 - ET TROJAN Win32/Valak - Stage 2 - Response - Task (trojan.rules)
  2029196 - ET TROJAN Win32/Valak - Stage 2 - Response - Plugin (trojan.rules)
  2029197 - ET TROJAN Win32/Valak - Plugin Data Exfil (trojan.rules)

 Pro:

  2840047 - ETPRO INFO Possible OAuth Redirect Observed (info.rules)
  2840048 - ETPRO INFO Possible OAuth Redirect Observed (info.rules)
  2840049 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-12-23 (current_events.rules)
  2840050 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-12-23 (current_events.rules)
  2840051 - ETPRO CURRENT_EVENTS Successful Navy Federal Credit Union Phish 2019-12-23 (current_events.rules)
  2840052 - ETPRO CURRENT_EVENTS Successful Navy Federal Credit Union Phish 2019-12-23 (current_events.rules)
  2840053 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish 2019-12-23 (current_events.rules)
  2840054 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-12-23 (current_events.rules)
  2840055 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-12-23 (current_events.rules)
  2840056 - ETPRO CURRENT_EVENTS Successful Sina Webmail CN Phish 2019-12-23 (current_events.rules)
  2840057 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-12-23 (current_events.rules)
  2840058 - ETPRO CURRENT_EVENTS Successful HSBC Phish 2019-12-23 (current_events.rules)
  2840059 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-12-23 (current_events.rules)
  2840060 - ETPRO TROJAN Zloader Inject SSL/TLS Certificate Observed (trojan.rules)
  2840061 - ETPRO CURRENT_EVENTS Successful SunTrust Phish 2019-12-23 (current_events.rules)
  2840062 - ETPRO CURRENT_EVENTS Successful BMO Phish 2019-12-23 (current_events.rules)
  2840064 - ETPRO CURRENT_EVENTS Successful Verizon Phish 2019-12-23 (current_events.rules)
  2840065 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2019-12-23 (current_events.rules)
  2840066 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2019-12-23 (current_events.rules)
  2840067 - ETPRO CURRENT_EVENTS Successful RBC Royal Bank Phish 2019-12-23 (current_events.rules)
  2840068 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-12-23 (current_events.rules)
  2840069 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-12-23 (current_events.rules)
  2840070 - ETPRO CURRENT_EVENTS Successful Raiffeisen Bank Phish 2019-12-23 (current_events.rules)
  2840071 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-12-23 (current_events.rules)
  2840072 - ETPRO TROJAN Docxer CnC Initial Checkin (trojan.rules)
  2840073 - ETPRO TROJAN Docxer CnC Heartbeat (trojan.rules)
  2840074 - ETPRO TROJAN DarkRATv2 CnC Checkin (trojan.rules)
  2840075 - ETPRO TROJAN DarkRATv2 CnC Heartbeat (trojan.rules)
  2840076 - ETPRO TROJAN DarkRATv2 CnC Heartbeat Response (trojan.rules)
  2840077 - ETPRO TROJAN Win32/Downloader.Agent.EWB Variant Checkin (trojan.rules)
  2840078 - ETPRO TROJAN Win32/Remcos RAT Checkin 288 (trojan.rules)
  2840079 - ETPRO TROJAN Win32/Remcos RAT Checkin 289 (trojan.rules)
  2840080 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)

 [---]         Removed rules:         [---]

  2839070 - ETPRO TROJAN Win32/Valak CnC Activity M1 (trojan.rules)
  2839071 - ETPRO TROJAN Win32/Valak CnC Activity M2 (trojan.rules)