[Emerging-Sigs] Daily Ruleset Update Summary 2020/04/03

Jack Mott jmott at emergingthreats.net
Fri Apr 3 13:46:52 HDT 2020


[***]            Summary:            [***]

10 new Open, 35 new Pro (10 + 25). FTCode Stealer, Multiple DrayTek
Products Pre-authentication Remote RCE, ELF/Mirai, Win32/Kapers.a
CnC, MSIL/PSW.Agent.RPT CnC, Ursnif SSL, Various Phishing.

TIIF. Thanks: @malware_traffic, @PAsinovsky

Suricata 2/3 Support from Emerging Threats will become End-Of-Life on April
15th, 2020.

Suricata 2/3 EOL information:
https://lists.emergingthreats.net/pipermail/emerging-updates/2019-October/004655.html


[+++]          Added rules:          [+++]

Open:

  2029802 - ET TROJAN FTCode Stealer Init Activity (trojan.rules)
  2029803 - ET TROJAN FTCode Stealer CnC Activity (trojan.rules)
  2029804 - ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote
RCE Outbound (CVE-2020-8515) M1 (exploit.rules)
  2029805 - ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote
RCE Inbound (CVE-2020-8515) M1 (exploit.rules)
  2029806 - ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote
RCE Outbound (CVE-2020-8515) M2 (exploit.rules)
  2029807 - ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote
RCE Inbound (CVE-2020-8515) M2 (exploit.rules)
  2029808 - ET SCAN ELF/Mirai Variant User-Agent (Inbound) (scan.rules)
  2029809 - ET TROJAN ELF/Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029811 - ET MOBILE_MALWARE Android/TrojanDropper.Agent.EQO Variant CnC
Activity (mobile_malware.rules)
  2029812 - ET TROJAN Malicious VBE Script (COVID-19 Phish 04-03-2020)
(trojan.rules)

Pro:

  2841853 - ETPRO TROJAN Win32/Kapers.a CnC Init Checkin (trojan.rules)
  2841854 - ETPRO TROJAN Win32/Kapers.a FileZilla Password Exfil
(trojan.rules)
  2841855 - ETPRO TROJAN Win32/Kapers.a CnC Checkin Process List Exfil
(trojan.rules)
  2841856 - ETPRO CURRENT_EVENTS Successful Keesler Federal Credit Union
Phish 2020-04-03 (current_events.rules)
  2841857 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-04-03 (current_events.rules)
  2841858 - ETPRO CURRENT_EVENTS Successful Amazon Phish 2020-04-03
(current_events.rules)
  2841859 - ETPRO CURRENT_EVENTS Successful SunTrust Phish 2020-04-03
(current_events.rules)
  2841860 - ETPRO TROJAN PS/Downloader.EATI UA Observed (trojan.rules)
  2841861 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-04-03
(current_events.rules)
  2841862 - ETPRO CURRENT_EVENTS Successful Ebay Phish 2020-04-03
(current_events.rules)
  2841863 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-04-03
(current_events.rules)
  2841864 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-04-03
(current_events.rules)
  2841865 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-03 1) (trojan.rules)
  2841866 - ETPRO CURRENT_EVENTS Successful Dropbox Phish 2020-04-03
(current_events.rules)
  2841867 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-04-03 (current_events.rules)
  2841868 - ETPRO CURRENT_EVENTS Successful Shaw Account Update Phish
2020-04-03 (current_events.rules)
  2841869 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2020-04-03
(current_events.rules)
  2841870 - ETPRO TROJAN Win32/Azden.B!cl CnC Host Checkin (trojan.rules)
  2841871 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-04-03
(current_events.rules)
  2841872 - ETPRO CURRENT_EVENTS Successful VBV Mastercard Securecode Phish
2020-04-03 (current_events.rules)
  2841873 - ETPRO TROJAN MSIL/PSW.Agent.RPT CnC Activity (trojan.rules)
  2841874 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)
  2841875 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)
  2841876 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)
  2841877 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)

 [///]     Modified active rules:     [///]

  2021245 - ET TROJAN Possible Dridex Download URI Struct with no referer
(trojan.rules)
  2024004 - ET TROJAN APT29 Implant8 - MAL_REFERER (trojan.rules)
  2029790 - ET SCAN ELF/Mirai Variant User-Agent (Inbound) (scan.rules)
  2029791 - ET TROJAN ELF/Mirai Variant User-Agent (Outbound) (trojan.rules)
  2809309 - ETPRO WEB_CLIENT IE Double Encoding Reflected XSS Vulnerability
CVE-2014-6365 (web_client.rules)
  2809315 - ETPRO WEB_CLIENT Exchange URL Redirection Vulnerability GET
request (CVE-2014-6336) (web_client.rules)
  2810578 - ETPRO MALWARE PUP.OptimizerPro Google Connectivity Check
(malware.rules)
  2814213 - ETPRO TROJAN LatentBot/GrayBird CnC Checkin (trojan.rules)
  2815080 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.DD Checkin
(mobile_malware.rules)
  2815081 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.DD Checkin 2
(mobile_malware.rules)
  2815102 - ETPRO TROJAN W32/Nymaim Checkin 2 (trojan.rules)
  2815138 - ETPRO CURRENT_EVENTS Possible Nuclear EK Payload Nov 30 2015
(fb set) (current_events.rules)
  2815177 - ETPRO CURRENT_EVENTS PowerShell Empire Session via Excel Macro
(current_events.rules)
  2815181 - ETPRO CURRENT_EVENTS Nuclear EK Landing URI struct Dec 03 2015
M2 (current_events.rules)
  2815182 - ETPRO CURRENT_EVENTS Nuclear EK Landing URI struct Dec 03 2015
M3 (current_events.rules)
  2815183 - ETPRO CURRENT_EVENTS Nuclear EK Flash Exploit IE Dec 03 2015 M1
(current_events.rules)
  2815199 - ETPRO CURRENT_EVENTS Possible Evil Redirector Leading to EK Dec
03 2015 M3 (current_events.rules)
  2815200 - ETPRO CURRENT_EVENTS Possible Evil Redirector Leading to EK Dec
03 2015 M3 (current_events.rules)
  2815281 - ETPRO MALWARE W32/BrowseFox Checkin (malware.rules)
  2815326 - ETPRO TROJAN Andromeda Downloading Payload Fake UA
(trojan.rules)
  2820514 - ETPRO TROJAN Suspicious Terse Request to hastebin.com -
Possible Download (trojan.rules)
  2824087 - ETPRO TROJAN MSIL/DeriaLock Ransomware CnC Activity
(trojan.rules)
  2824449 - ETPRO CURRENT_EVENTS GreenFlash SunDown EK Flash Exploit
2017-01-17 (current_events.rules)
  2824567 - ETPRO CURRENT_EVENTS Successful Paypal Phish M1 Jan 20 2017
(current_events.rules)
  2824637 - ETPRO TROJAN Troj/Agent-APJC CnC Beacon (trojan.rules)
  2824669 - ETPRO TROJAN APT.ChChes CnC Beacon 1 (trojan.rules)
  2824670 - ETPRO TROJAN APT.ChChes CnC Beacon 2 (trojan.rules)
  2824761 - ETPRO TROJAN MSIL/Agent.RZW CoinMiner CnC Activity
(trojan.rules)
  2825027 - ETPRO CURRENT_EVENTS Possible SunDown EK Landing URI Struct T2
Feb 17 2017 (current_events.rules)
  2828324 - ETPRO TROJAN Gh0st Variant CnC Beacon (trojan.rules)
  2838770 - ETPRO TROJAN MalDoc Requesting FTCode / Stealer Payload
(trojan.rules)

 [---]         Disabled rules:        [---]

  2815121 - ETPRO TROJAN Win32/HydraCrypt CnC Beacon 4 (trojan.rules)
  2815239 - ETPRO TROJAN Molerats/GazaHacker Checkin (trojan.rules)
  2823672 - ETPRO TROJAN LatentBot HTTP POST CnC (trojan.rules)
  2823930 - ETPRO MALWARE MSIL/TrojanDownloader.AdLoad.AZ Activity
(malware.rules)
  2824186 - ETPRO TROJAN fs0ciety Bot CnC Activity (trojan.rules)
  2824617 - ETPRO TROJAN Greenbug Ismdoor Checkin (trojan.rules)