[Emerging-Sigs] Daily Ruleset Update Summary 2020/04/13

Brandon Murphy bmurphy at emergingthreats.net
Mon Apr 13 14:12:07 HDT 2020


[***]            Summary:            [***]

  17 Open, 33 Pro (17 + 16). DCRat, DDG Botnet, Win32/Agent.AAIB, Various
Webshell, Various Phish.

  Suricata 2/3 Support from Emerging Threats will become End-Of-Life on
April 15th, 2020.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

  Thanks @james_inthe_box

[+++]          Added rules:          [+++]

Open:

  2027363 - ET POLICY Observed DNS Query to DynDNS Domain (dns-report .com)
(policy.rules)
  2029881 - ET TROJAN DCRat Initial CnC Activity (trojan.rules)
  2029882 - ET WEB_CLIENT Generic WSO Webshell Password Prompt Accessed on
External Compromised Server (web_client.rules)
  2029883 - ET WEB_SERVER Generic WSO Webshell Password Prompt Accessed on
Internal Compromised Server (web_server.rules)
  2029884 - ET WEB_CLIENT Generic WSO Webshell Password Prompt Accessed on
External Compromised Server (web_client.rules)
  2029885 - ET WEB_SERVER Generic WSO Webshell Password Prompt Accessed on
Internal Compromised Server (web_server.rules)
  2029886 - ET WEB_CLIENT Anonymous Webshell Accessed on External
Compromised Server (web_client.rules)
  2029887 - ET WEB_SERVER Anonymous Webshell Accessed on Internal
Compromised Server (web_server.rules)
  2029888 - ET WEB_CLIENT Generic Mini Webshell Accessed on External
Compromised Server (web_client.rules)
  2029889 - ET WEB_SERVER Generic Mini Webshell Accessed on Internal
Compromised Server (web_server.rules)
  2029890 - ET WEB_CLIENT Generic Webshell Password Prompt Accessed on
External Compromised Server (web_client.rules)
  2029891 - ET WEB_SERVER Generic Webshell Password Prompt Accessed on
Internal Compromised Server (web_server.rules)
  2029892 - ET USER_AGENTS Observed Malicious CASPER/Mirai UA
(user_agents.rules)
  2029893 - ET TROJAN Win32/Agent.AAIB Variant CnC (trojan.rules)
  2029894 - ET TROJAN DDG Botnet CnC Job Request (trojan.rules)
  2029895 - ET TROJAN DDG Botnet CnC Slave POST (trojan.rules)
  2029896 - ET TROJAN DDG Botnet Miner Download (trojan.rules)

Pro:

  2841989 - ETPRO TROJAN Unk.BR Email Address Harvester Exfil (trojan.rules)
  2841990 - ETPRO INFO Observed Suspicious Base64 Encoded Wide String
Inbound (exe) (info.rules)
  2841991 - ETPRO INFO Observed Suspicious Base64 Encoded Wide String
Inbound (zip) (info.rules)
  2841992 - ETPRO INFO Observed Suspicious Base64 Encoded Wide String
Inbound ($env:APPDATA) (info.rules)
  2841993 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-11 1) (trojan.rules)
  2841994 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-11 2) (trojan.rules)
  2841995 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-12 1) (trojan.rules)
  2841996 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-04-13
(current_events.rules)
  2841997 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-04-13 (current_events.rules)
  2841998 - ETPRO CURRENT_EVENTS Successful HSA bank Phish 2020-04-13
(current_events.rules)
  2841999 - ETPRO CURRENT_EVENTS Successful ANZ Bank Phish 2020-04-13
(current_events.rules)
  2842000 - ETPRO CURRENT_EVENTS Successful Ziraat Bankasi Phish 2020-04-13
(current_events.rules)
  2842001 - ETPRO CURRENT_EVENTS Successful Microsoft Excel Phish
2020-04-13 (current_events.rules)
  2842002 - ETPRO TROJAN Win32/Remcos RAT Checkin 389 (trojan.rules)
  2842003 - ETPRO TROJAN Win32/Remcos RAT Checkin 390 (trojan.rules)
  2842004 - ETPRO TROJAN Win32/Remcos RAT Checkin 391 (trojan.rules)


[///]     Modified active rules:     [///]

  2814030 - ETPRO TROJAN W32/Quasar RAT Connectivity Check 2 (trojan.rules)
  2814031 - ETPRO TROJAN W32/Quasar RAT Connectivity Check (trojan.rules)
  2823674 - ETPRO TROJAN W32/Quasar 1.3 RAT MiscHandler HTTP Pattern
(trojan.rules)
  2823675 - ETPRO TROJAN W32/Quasar 1.3 RAT Connectivity Check 2
(trojan.rules)
  2823676 - ETPRO TROJAN W32/Quasar 1.3 RAT Connectivity Check
(trojan.rules)
  2832799 - ETPRO TROJAN MSIL/Quasar RAT Checkin (trojan.rules)
  2832800 - ETPRO TROJAN MSIL/Quasar RAT Checkin Response (trojan.rules)
  2836270 - ETPRO TROJAN QuasarRAT C2 Init (trojan.rules)
  2836632 - ETPRO TROJAN Possible Quasar RAT Websocket Document Exfil
Parameters Received (trojan.rules)
  2836661 - ETPRO TROJAN Observed Malicious SSL Cert (Quasar RAT Staging
Server CnC) (trojan.rules)
  2841947 - ETPRO TROJAN MSIL/Spy.Agent.BXY Variant CnC Checkin
(trojan.rules)


[///]    Modified inactive rules:    [///]

  2836269 - ETPRO TROJAN QuasarRAT C2 KeepAlive (trojan.rules)


[---]         Removed rules:         [---]

  2027363 - ET TROJAN BlackTech Plead CnC in DNS Lookup (trojan.rules)