[Emerging-Sigs] Daily Ruleset Update Summary 2019/10/18

Jack Mott jmott at emergingthreats.net
Fri Oct 18 14:57:43 HDT 2019


[***]            Summary:            [***]

14 new Open, 45 new Pro (14 + 31).  Spelevo EK, APT-C-27, JS/BrushaLoader,
ChadWorker, Win32/Remcos RAT, Various Phishing. TIIF.

We have a blog up now outlining the new Suricata 5.0 ruleset information as
well as information regarding our upcoming plans to EOL rule support for the
Suricata 2.0/3.0 rulesets.

Suricata 5.0 Support blog:
https://www.proofpoint.com/us/corporate-blog/post/emerging-threats-announcing-support-suricata-50
Suricata 2/3 EOL information:
https://lists.emergingthreats.net/pipermail/emerging-updates/2019-October/004655.html

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2028865 - ET CURRENT_EVENTS Spelevo VBS Payload Downloaded
(current_events.rules)
  2028866 - ET CURRENT_EVENTS Spelevo Download Payload Landing
(current_events.rules)
  2028867 - ET POLICY Vulnerable Java Version 11.0.x Detected (policy.rules)
  2028868 - ET POLICY Vulnerable Java Version 12.0.x Detected (policy.rules)
  2028869 - ET POLICY Vulnerable Java Version 12.0.x Detected (policy.rules)
  2028870 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query
(trojan.rules)
  2028871 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query
(trojan.rules)
  2028872 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query
(trojan.rules)
  2028873 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query
(trojan.rules)
  2028874 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query
(trojan.rules)
  2028875 - ET TROJAN APT-C-27 CnC Domain Observed in DNS Query
(trojan.rules)
  2028876 - ET TROJAN Steganographic Encoded WAV File Inbound via HTTP M1
(trojan.rules)
  2028877 - ET TROJAN Steganographic Encoded WAV File Inbound via HTTP M2
(trojan.rules)
  2028878 - ET MALWARE SoftwareTracking Site - Install Report
(malware.rules)

Pro:

  2838987 - ETPRO TROJAN JS/BrushaLoader Activity (trojan.rules)
  2838988 - ETPRO TROJAN Observed Malicious SSL Cert (CobInt CnC)
(trojan.rules)
  2838989 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)
  2838990 - ETPRO TROJAN Observed Malicious SSL Cert (BrushaLoader CnC)
(trojan.rules)
  2838991 - ETPRO TROJAN Observed Malicious SSL Cert (BrushaLoader CnC)
(trojan.rules)
  2838992 - ETPRO TROJAN Observed Malicious SSL Cert (Get2 CnC)
(trojan.rules)
  2838993 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL
2019-10-18) (current_events.rules)
  2838994 - ETPRO CURRENT_EVENTS Spelevo VBS Cookie (current_events.rules)
  2838995 - ETPRO TROJAN ChadWorker DNS CnC Observed (trojan.rules)
  2838996 - ETPRO CURRENT_EVENTS Successful Charles Schwab Phish 2019-10-18
(current_events.rules)
  2838997 - ETPRO CURRENT_EVENTS Successful DHL Phish 2019-10-18
(current_events.rules)
  2838998 - ETPRO CURRENT_EVENTS Successful Generic Personalized Phish
2019-10-18 (current_events.rules)
  2838999 - ETPRO CURRENT_EVENTS Successful Posteitaliane Phish 2019-10-18
(current_events.rules)
  2839000 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2019-10-18 (current_events.rules)
  2839001 - ETPRO CURRENT_EVENTS Successful Simplii Phish 2019-10-18
(current_events.rules)
  2839002 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2019-10-18 (current_events.rules)
  2839003 - ETPRO CURRENT_EVENTS Successful Paypal FR Phish 2019-10-18
(current_events.rules)
  2839004 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2019-10-18
(current_events.rules)
  2839005 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2019-10-18
(current_events.rules)
  2839006 - ETPRO CURRENT_EVENTS Successful Generic Phish 2019-10-18
(current_events.rules)
  2839007 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2019-10-18 (current_events.rules)
  2839008 - ETPRO CURRENT_EVENTS Successful Google Account Phish 2019-10-18
(current_events.rules)
  2839009 - ETPRO CURRENT_EVENTS Successful Facebook Pages Copyright
Content Phish 2019-10-18 (current_events.rules)
  2839010 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2019-10-18
(current_events.rules)
  2839011 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2019-10-18 (current_events.rules)
  2839012 - ETPRO TROJAN Possible APT-C-27 Payload CnC Checkin
(trojan.rules)
  2839013 - ETPRO TROJAN Upatre CnC Domain in DNS Lookup (trojan.rules)
  2839014 - ETPRO TROJAN Win32/TrojanDownloader.Agent.KW CnC Activity
(trojan.rules)
  2839015 - ETPRO TROJAN Win32/Remcos RAT Checkin 207 (trojan.rules)
  2839016 - ETPRO TROJAN Win32/Remcos RAT Checkin 208 (trojan.rules)
  2839017 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2019-10-17 1) (trojan.rules)

 [///]     Modified active rules:     [///]

  2014297 - ET POLICY Vulnerable Java Version 1.7.x Detected (policy.rules)
  2019401 - ET POLICY Vulnerable Java Version 1.8.x Detected (policy.rules)
  2025518 - ET POLICY Vulnerable Java Version 10.0.x Detected (policy.rules)
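Operators applying a daily update like this one usually want to confirm that it actually landed in the deployed ruleset: the new SIDs are present, none of them were silently commented out by a local disable list, and the modified rules carry a bumped rev. The following is an added example, not part of this post and not Emerging Threats tooling: it indexes a Suricata rules file by SID and checks the SIDs listed above against it. The rules-file excerpt is constructed for the example with placeholder rule bodies (not the real ET rule contents), and the `PREVIOUS_REVS` table stands in for revs an operator recorded before running the update.

```python
import re
from typing import Dict, Iterable, List, NamedTuple

# SIDs copied from the update summary above (Open additions and modified rules).
OPEN_ADDED = [2028865, 2028866, 2028867, 2028868, 2028869, 2028870,
              2028871, 2028872, 2028873, 2028874, 2028875, 2028876,
              2028877, 2028878]
MODIFIED = [2014297, 2019401, 2025518]

# A commented-out line is treated as a disabled rule only if it starts with a rule action.
ACTION_RE = re.compile(r"^(alert|drop|pass|reject(src|dst|both)?)\s")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')


class Rule(NamedTuple):
    sid: int
    rev: int
    msg: str
    enabled: bool


def parse_rules(text: str) -> Dict[int, Rule]:
    """Index a Suricata rules file by SID.

    A leading '#' followed by a rule action marks a disabled rule; any other
    comment line is skipped. Lines without a sid option are ignored.
    """
    rules: Dict[int, Rule] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = True
        if line.startswith("#"):
            line = line.lstrip("#").strip()
            if not ACTION_RE.match(line):
                continue  # plain comment, not a disabled rule
            enabled = False
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue
        rev_m = REV_RE.search(line)
        msg_m = MSG_RE.search(line)
        sid = int(sid_m.group(1))
        rules[sid] = Rule(
            sid=sid,
            rev=int(rev_m.group(1)) if rev_m else 0,
            msg=msg_m.group(1) if msg_m else "",
            enabled=enabled,
        )
    return rules


def check_sids(rules: Dict[int, Rule], sids: Iterable[int]) -> Dict[str, List[int]]:
    """Classify each expected SID as enabled, disabled or missing locally."""
    result: Dict[str, List[int]] = {"enabled": [], "disabled": [], "missing": []}
    for sid in sids:
        rule = rules.get(sid)
        if rule is None:
            result["missing"].append(sid)
        elif rule.enabled:
            result["enabled"].append(sid)
        else:
            result["disabled"].append(sid)
    return result


def stale_modified(rules: Dict[int, Rule], sids: Iterable[int],
                   previous_revs: Dict[int, int]) -> List[int]:
    """SIDs listed as modified whose local rev did not move past the pre-update rev."""
    return [sid for sid in sids
            if sid in rules and rules[sid].rev <= previous_revs.get(sid, 0)]


# Constructed sample rules file for this example; the rule bodies are
# placeholders and are NOT the real ET rule contents.
SAMPLE_RULES = """\
# emerging-all.rules (constructed excerpt)
alert dns $HOME_NET any -> any any (msg:"ET TROJAN APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"placeholder.invalid"; classtype:trojan-activity; sid:2028870; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 11.0.x Detected"; flow:established,to_server; content:"placeholder"; classtype:policy-violation; sid:2028867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.8.x Detected"; flow:established,to_server; content:"placeholder"; classtype:policy-violation; sid:2019401; rev:10;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 10.0.x Detected"; flow:established,to_server; content:"placeholder"; classtype:policy-violation; sid:2025518; rev:3;)
"""

# Constructed: revs an operator recorded for the modified SIDs before the update.
PREVIOUS_REVS = {2019401: 9, 2025518: 3}


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for label, sids in (("open additions", OPEN_ADDED), ("modified", MODIFIED)):
        print(label, check_sids(rules, sids))
    print("modified rules whose rev was not bumped:",
          stale_modified(rules, MODIFIED, PREVIOUS_REVS))
```

In practice you would read the deployed `emerging-all.rules` (or whatever file your rule manager writes) instead of `SAMPLE_RULES`; a SID that comes back as disabled is typically a local disable pattern matching the new rule's msg, and a modified SID that comes back as stale means the update was not actually applied to that file.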