[Emerging-Sigs] Daily Ruleset Update Summary 2019/10/21

James Emery-Callcott jcallcott at emergingthreats.net
Mon Oct 21 13:36:43 HDT 2019


[***]            Summary:            [***]

  14 new Open, 45 new Pro (14 + 31).  APT41, Remcos, WinLoader, Various
Phish.

  We have a blog up now outlining the new Suricata 5.0 ruleset information
as well as information regarding our upcoming plans to EOL rule support for
Suricata 2.0/3.0 Rulesets.

  Suricata 5.0 Support blog:
https://www.proofpoint.com/us/corporate-blog/post/emerging-threats-announcing-support-suricata-50
  Suricata 2/3 EOL information:
https://lists.emergingthreats.net/pipermail/emerging-updates/2019-October/004655.html

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2028879 - ET USER_AGENTS Observed Suspicious UA (Windows)
(user_agents.rules)
  2028880 - ET TROJAN Anchor_DNS Trickbot DNS CnC Command - Sending Data
(trojan.rules)
  2028881 - ET TROJAN Anchor_DNS Trickbot DNS CnC Command - Prepare to
Receive Data (trojan.rules)
  2028882 - ET TROJAN Anchor_DNS Trickbot DNS CnC Command - Receive Data
(trojan.rules)
  2028883 - ET TROJAN APT 41 LOWKEY Backdoor - Ping Command Inbound
(trojan.rules)
  2028884 - ET TROJAN APT 41 LOWKEY Backdoor - Ping Success Code sent to
CnC (trojan.rules)
  2028885 - ET TROJAN APT 41 LOWKEY Backdoor - Ping Error Code sent to CnC
(trojan.rules)
  2028886 - ET TROJAN APT 41 LOWKEY Backdoor [TCP Relay Module] - PID
Injection Command (trojan.rules)
  2028887 - ET TROJAN APT 41 LOWKEY Backdoor [TCP Relay Module] -
Establishing Connection with New Host (trojan.rules)
  2028888 - ET TROJAN APT 41 LOWKEY Backdoor [TCP Relay Module] - TCP Relay
Successfully Activated on New Host (trojan.rules)
  2028889 - ET TROJAN APT 41 LOWKEY Backdoor [TCP Relay Module] -
Exchanging RC4 & XOR Encrypted Data with Internal Host (trojan.rules)
  2028890 - ET TROJAN APT 41 LOWKEY Backdoor [TCP Relay Module] - Close
Socket Command Observed (trojan.rules)
  2028891 - ET TROJAN APT 41 LOWKEY Backdoor [TCP Relay Module] - Close
Named Pipe Command Observed (trojan.rules)
  2028892 - ET TROJAN Unk Spam Bot Template 1 Active - Outbound Malicious
Email Spam (trojan.rules)

Pro:

  2839018 - ETPRO TROJAN Win32/WinLoader Requesting Payload (trojan.rules)
  2839021 - ETPRO CURRENT_EVENTS Observed MalDoc DL 2019-10-21 Domain in
TLS SNI (current_events.rules)
  2839022 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2019-10-18 1) (trojan.rules)
  2839023 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2019-10-18 2) (trojan.rules)
  2839024 - ETPRO CURRENT_EVENTS Successful OneDrive Phish 2019-10-21
(current_events.rules)
  2839025 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2019-10-21 (current_events.rules)
  2839026 - ETPRO CURRENT_EVENTS Successful Sekerbank Phish 2019-10-21
(current_events.rules)
  2839027 - ETPRO CURRENT_EVENTS Successful Sekerbank Phish 2019-10-21
(current_events.rules)
  2839028 - ETPRO CURRENT_EVENTS Successful Adobe Phish 2019-10-21
(current_events.rules)
  2839029 - ETPRO CURRENT_EVENTS Successful Adobe Document Cloud Phish
2019-10-21 (current_events.rules)
  2839030 - ETPRO CURRENT_EVENTS Successful Desjardins Phish 2019-10-21
(current_events.rules)
  2839031 - ETPRO CURRENT_EVENTS Successful American Express Phish
2019-10-21 (current_events.rules)
  2839032 - ETPRO CURRENT_EVENTS Successful American Express Phish
2019-10-21 (current_events.rules)
  2839033 - ETPRO CURRENT_EVENTS Successful Amazon Phish 2019-10-21
(current_events.rules)
  2839034 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2019-10-21 (current_events.rules)
  2839035 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2019-10-21 (current_events.rules)
  2839036 - ETPRO CURRENT_EVENTS Successful Generic Email Web App Phish
2019-10-21 (current_events.rules)
  2839037 - ETPRO CURRENT_EVENTS Successful ING Phish 2019-10-21
(current_events.rules)
  2839038 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2019-10-21
(current_events.rules)
  2839039 - ETPRO CURRENT_EVENTS Successful Generic Webmail Mini Phish
2019-10-21 (current_events.rules)
  2839040 - ETPRO CURRENT_EVENTS Successful Generic Mailbox Phish
2019-10-21 (current_events.rules)
  2839041 - ETPRO TROJAN Gh0stNoxy CnC Activity (trojan.rules)
  2839042 - ETPRO TROJAN Win32/Remcos RAT Checkin 209 (trojan.rules)
  2839043 - ETPRO TROJAN Win32/Remcos RAT Checkin 210 (trojan.rules)
  2839044 - ETPRO TROJAN Win32/Remcos RAT Checkin 211 (trojan.rules)
  2839045 - ETPRO TROJAN Win32/Remcos RAT Checkin 212 (trojan.rules)
  2839046 - ETPRO TROJAN Win32/Remcos RAT Checkin 213 (trojan.rules)
  2839047 - ETPRO TROJAN Win32/Remcos RAT Checkin 214 (trojan.rules)
  2839048 - ETPRO TROJAN Win32/Remcos RAT Checkin 215 (trojan.rules)
  2839049 - ETPRO TROJAN Win32/Remcos RAT Checkin 216 (trojan.rules)
  2839050 - ETPRO TROJAN Win32/Remcos RAT Checkin 217 (trojan.rules)

[///]     Modified active rules:     [///]

  2002945 - ET POLICY Java Url Lib User Agent Web Crawl (policy.rules)
  2027886 - ET TROJAN Win32/DarkRAT CnC Activity (trojan.rules)
  2838997 - ETPRO CURRENT_EVENTS Successful DHL Phish 2019-10-18
(current_events.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team