[Emerging-Sigs] Daily Ruleset Update Summary 2019/10/15

Jack Mott jmott at emergingthreats.net
Tue Oct 15 14:27:15 HDT 2019


[***]            Summary:            [***]

2 new Open, 22 new Pro (2 + 20).  Maze Ransomware, TLDR Stealer, Get2,
Ursnif, Remcos, Various Phish.

Tks: GM CIRT

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2028827 - ET TROJAN Observed Malicious SSL Cert (OSX/AppleJeus Variant CnC) (trojan.rules)
  2028833 - ET TROJAN Redirect on ActiveXObject support (trojan.rules)

Pro:

  2838927 - ETPRO POLICY SecureDNS .eu DNS Over HTTPS Certificate Inbound (policy.rules)
  2838928 - ETPRO TROJAN Win32/Maze Ransomware CnC Activity (trojan.rules)
  2838929 - ETPRO TROJAN Win32/TLDR Stealer CnC Checkin (trojan.rules)
  2838930 - ETPRO TROJAN Win32/TLDR Stealer CnC Activity (trojan.rules)
  2838931 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (Get2 CnC) (current_events.rules)
  2838932 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (Get2 CnC) (current_events.rules)
  2838933 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (Get2 CnC) (current_events.rules)
  2838934 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
  2838935 - ETPRO TROJAN Observed Malicious SSL Cert (CobInt CnC) (trojan.rules)
  2838938 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-10-15 (current_events.rules)
  2838939 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2019-10-15 (current_events.rules)
  2838940 - ETPRO CURRENT_EVENTS Successful Outlook Web Access Phish 2019-10-15 (current_events.rules)
  2838941 - ETPRO CURRENT_EVENTS Successful RBC Royal Bank Phish 2019-10-15 (current_events.rules)
  2838942 - ETPRO CURRENT_EVENTS Successful Microsoft Excel Phish 2019-10-15 (current_events.rules)
  2838943 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2019-10-15 (current_events.rules)
  2838944 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2019-10-15 (current_events.rules)
  2838945 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-10-15 (current_events.rules)
  2838946 - ETPRO TROJAN Win32/Remcos RAT Checkin 204 (trojan.rules)
  2838947 - ETPRO TROJAN Win32/Remcos RAT Checkin 205 (trojan.rules)
  2838948 - ETPRO TROJAN Win32/Remcos RAT Checkin 206 (trojan.rules)

[///]     Modified active rules:     [///]

  2001808 - ET P2P LimeWire P2P Traffic (p2p.rules)
  2003486 - ET MALWARE Drivecleaner.com Spyware User-Agent (DriveCleaner Updater) (malware.rules)
  2009029 - ET WEB_SERVER SQL Injection Attempt (Agent NV32ts) (web_server.rules)
  2009751 - ET TROJAN Fraudload/FakeAlert/FakeVimes Downloader - POST (trojan.rules)
  2009833 - ET SCAN WITOOL SQL Injection Scan (scan.rules)
  2011497 - ET SCAN Hydra User-Agent (scan.rules)
  2012611 - ET USER_AGENTS Suspicious User-Agent Sample (user_agents.rules)
  2012620 - ET TROJAN Win32.FakeAV.chhq Checkin (trojan.rules)
  2012629 - ET MALWARE Optimum Installer User-Agent IE6 on Windows XP (malware.rules)
  2012751 - ET USER_AGENTS suspicious user agent string (changhuatong) (user_agents.rules)
  2012757 - ET USER_AGENTS suspicious user agent string (CholTBAgent) (user_agents.rules)
  2012860 - ET USER_AGENTS Suspicious User-Agent SimpleClient 1.0 (user_agents.rules)
  2012893 - ET TROJAN Known Skunkx DDOS Bot User-Agent Cyberdog (trojan.rules)
  2013018 - ET POLICY HTMLGET User Agent Detected - Often Linux utility based (policy.rules)
  2013072 - ET MOBILE_MALWARE Android.HongTouTou Checkin (mobile_malware.rules)
  2013173 - ET USER_AGENTS Atomic_Email_Hunter User-Agent Inbound (user_agents.rules)
  2013174 - ET USER_AGENTS Atomic_Email_Hunter User-Agent Outbound (user_agents.rules)
  2013185 - ET TROJAN Trojan-Banker.Win32.Agent Checkin (trojan.rules)
  2013221 - ET TROJAN Win32/Sefnit Initial Checkin (trojan.rules)
  2013392 - ET TROJAN W32/Hupigon.B User Agent TSDownload (trojan.rules)
  2013401 - ET TROJAN Win32/Winshow User Agent (trojan.rules)
  2013445 - ET TROJAN W32/NetShare User-Agent (trojan.rules)
  2013446 - ET TROJAN Win32/TrojanDownloader.Chekafe.D User-Agent my_check_data On Off HTTP Port (trojan.rules)
  2013542 - ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32) (user_agents.rules)
  2013717 - ET TROJAN Trojan Downloader User-Agent BGroom (trojan.rules)
  2013719 - ET POLICY GridinSoft.com Software Version Check (policy.rules)
  2013914 - ET POLICY APT User-Agent to BackTrack Repository (policy.rules)
  2013967 - ET USER_AGENTS Suspicious User-Agent (adlib) (user_agents.rules)
  2013968 - ET MOBILE_MALWARE Android/KungFu Package Delete Command (mobile_malware.rules)
  2014193 - ET TROJAN W32/VPEYE Trojan Downloader User-Agent (VP-EYE Downloader) (trojan.rules)
  2014213 - ET TROJAN MSUpdater Connectivity Check to Google (trojan.rules)
  2014283 - ET TROJAN Trustezeb Checkin to CnC (trojan.rules)
  2014288 - ET TROJAN Java Archive sent when remote host claims to send an image (trojan.rules)
  2014341 - ET POLICY Installshield One Click Install User-Agent Toys File (policy.rules)
  2014342 - ET POLICY Snadboy.com Products User-Agent (policy.rules)
  2014345 - ET POLICY Suspicious User Agent UpdateSoft (policy.rules)
  2014581 - ET TROJAN Hoax.Win32.BadJoke/DownLoader1.57593 Checkin (trojan.rules)
  2014604 - ET TROJAN Trojan.Win32.Yakes.pwo Checkin (trojan.rules)
  2014752 - ET TROJAN Win32.HLLW.Autoruner USA_Load UA (trojan.rules)
  2014754 - ET TROJAN W32/Mepaow.Backdoor Initial Checkin to Intermediary Pre-CnC (trojan.rules)
  2014817 - ET TROJAN W32/Renos.Downloader User Agent zeroup (trojan.rules)
  2014963 - ET TROJAN W32/Armageddon CnC Checkin (trojan.rules)
  2016453 - ET TROJAN WEBC2-CLOVER Download UA (trojan.rules)
  2016695 - ET INFO SUSPICIOUS UA starting with Mozilla/0 (info.rules)
  2017702 - ET TROJAN Possible Trojan.APT.9002 POST (trojan.rules)
  2017746 - ET TROJAN Trojan-Downloader Win32.Genome.AV (trojan.rules)
  2017903 - ET TROJAN Win32/Urausy.C Checkin 4 (trojan.rules)
  2018224 - ET TROJAN Likely Geodo/Emotet Downloading PE (trojan.rules)
  2018404 - ET TROJAN GreenDou Downloader User-Agent (hello crazyk) (trojan.rules)
  2018419 - ET TROJAN W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA (trojan.rules)
  2018524 - ET TROJAN Soraya C2 User-Agent (SBTCM) (trojan.rules)
  2018782 - ET SCAN Internet Scanning Project HTTP scan (scan.rules)
  2019197 - ET TROJAN NewPosThings Checkin (trojan.rules)
  2019198 - ET TROJAN NewPosThings Data Exfiltration (trojan.rules)
  2019199 - ET TROJAN NewPosThings POST with Fake UA and Accept Header (trojan.rules)
  2019498 - ET TROJAN W32/24x7Help.ScareWare CnC Beacon (trojan.rules)
  2019827 - ET TROJAN W32/Wadolin.Downloader CnC Beacon (trojan.rules)
  2019961 - ET TROJAN Win32/Spy.Banker.AAXV Retrieving key from Pinterest (trojan.rules)
  2020298 - ET TROJAN Win32/Scieron-A UA (HTClient) (trojan.rules)
  2028666 - ET TROJAN CASHY200 Style DNS Query - Initial Hello Beacon (trojan.rules)
  2028667 - ET TROJAN CASHY200 Style DNS Query - Sending Hostname (trojan.rules)
  2028668 - ET TROJAN CASHY200 Style DNS Query - Sending Number of Queries (trojan.rules)
  2028669 - ET TROJAN CASHY200 Style DNS Query - Finished Sending Results (trojan.rules)
  2028670 - ET TROJAN CASHY200 Style DNS Query - Getting CnC Data (trojan.rules)
  2028671 - ET TROJAN CASHY200 Style DNS Query - Sending Command Results (trojan.rules)
  2028674 - ET TROJAN CASHY200 Style DNS Query - Request Command Beacon (trojan.rules)
  2801264 - ETPRO TROJAN Unknown Malware UA RSDN (trojan.rules)
  2801989 - ETPRO USER_AGENTS Suspicious User-Agent (bajun) (user_agents.rules)
  2801991 - ETPRO USER_AGENTS Suspicious User-Agent random (user_agents.rules)
  2802584 - ETPRO TROJAN Trojan.Win32.Buzus.hond Checkin (trojan.rules)
  2802947 - ETPRO USER_AGENTS Rescudos ROSE Essentials Gaming User Agent (user_agents.rules)
  2803128 - ETPRO TROJAN Suspicious User-Agent (CodeDoctor) (trojan.rules)
  2803231 - ETPRO TROJAN Suspicious User-Agent WMUpdate (trojan.rules)
  2803261 - ETPRO TROJAN Suspicious User-Agent (Desktop Ticker) (trojan.rules)
  2803334 - ETPRO POLICY Suspicious User-Agent (Google Offerbot) (policy.rules)
  2803508 - ETPRO TROJAN Suspicious User-Agent opera/8.11 (trojan.rules)
  2803908 - ETPRO MOBILE_MALWARE LeNa Android CnC Command (StartDown) (mobile_malware.rules)
  2803925 - ETPRO GAMES Vice City Multiplayer PC Game User-Agent (VCMP/0.3zr2) (games.rules)
  2804103 - ETPRO TROJAN User-Agent (yxh-yyy-internet-appliction) - Likely Trojan (trojan.rules)
  2804106 - ETPRO TROJAN Backdoor.Win32.Gnutler User-Agent (ver0x3a0.) (trojan.rules)
  2804220 - ETPRO TROJAN Trojan-PSW.Win32.Papras.bll Install (trojan.rules)
  2804290 - ETPRO TROJAN W32/Refroso.DZP!tr Checkin (trojan.rules)
  2804574 - ETPRO TROJAN Win32/Heckyebo.A User-Agent (FRANKIE WILL FUCK YOU) (trojan.rules)
  2804706 - ETPRO TROJAN Win32/Votwup.D Checkin (trojan.rules)
  2805778 - ETPRO TROJAN Win32/AgentBypass.gen!A Checkin (trojan.rules)
  2806027 - ETPRO TROJAN Win32/Aybo.A Checkin (trojan.rules)
  2807275 - ETPRO USER_AGENTS Suspicious User Agent UniversalUserAgent(winHTTP) (user_agents.rules)
  2807296 - ETPRO TROJAN Viknok (trojan.rules)
  2807347 - ETPRO TROJAN W32/Injector_Autoit.BE!tr Checkin (trojan.rules)
  2807348 - ETPRO TROJAN Trojan.Vobfus variant XP checkin (trojan.rules)
  2807350 - ETPRO USER_AGENTS Suspicious User Agent D3DL0 G00D N1C3 (user_agents.rules)
  2807725 - ETPRO TROJAN Trojan.Win32.Inject.hpit Checkin (trojan.rules)
  2807859 - ETPRO TROJAN Variant.Symmi Checkin 3 (trojan.rules)
  2807915 - ETPRO TROJAN Trojan-Downloader.Win32.Banload.cqhl Checkin (trojan.rules)
  2807967 - ETPRO TROJAN Backdoor.Win32.Destrukor.20 Checkin (trojan.rules)
  2808736 - ETPRO TROJAN Backdoor.Comdinter Checkin (trojan.rules)
  2808915 - ETPRO TROJAN Trojan.FakeAlert.CAF Checkin (trojan.rules)
  2808925 - ETPRO TROJAN Win32/Microjoin.gen!C Checkin (trojan.rules)
  2808926 - ETPRO TROJAN Trojan.Win32.LaSta Checkin (trojan.rules)
  2809077 - ETPRO TROJAN JST Perl IrcBot v3.0 HTTP GET Request (trojan.rules)
  2809282 - ETPRO TROJAN Wauchos.AO/Andromeda Checkin 2 (trojan.rules)
  2809325 - ETPRO TROJAN Win32/Bagle.L Checkin (trojan.rules)
  2809405 - ETPRO TROJAN Win32.Spy.Banker.UAE Checkin (trojan.rules)
  2809445 - ETPRO TROJAN Win32/Cuepilini.A Checkin (trojan.rules)
  2809586 - ETPRO TROJAN Win32/Neshta.A Checkin 4 (trojan.rules)