[Emerging-Sigs] Daily Ruleset Update Summary 2020/04/15

James Emery-Callcott jcallcott at emergingthreats.net
Wed Apr 15 13:43:41 HDT 2020


[***]            Summary:            [***]

  12 new Open, 37 new Pro (12 + 25).  Remcos, CryBot, Various Phish,
Various SSL/TLS, Others.

  Suricata 2/3 Support from Emerging Threats will become End-Of-Life today!
(April 15th, 2020)

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2029911 - ET TROJAN Observed Malicious SSL Cert (Sidewinder APT CnC) (trojan.rules)
  2029912 - ET POLICY Observed DeepFreezeWeb User-Agent (policy.rules)
  2029913 - ET TROJAN ELF/Mirai Variant CnC Activity (trojan.rules)
  2029914 - ET CURRENT_EVENTS 16Shop Phishing Kit Accessed on External Compromised Server (current_events.rules)
  2029915 - ET WEB_SERVER 16Shop Phishing Kit Accessed on Internal Compromised Server (web_server.rules)
  2029916 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server (web_client.rules)
  2029917 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server (web_server.rules)
  2029918 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server (web_client.rules)
  2029919 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server (web_server.rules)
  2029920 - ET TROJAN Observed Malicious SSL Cert (FIN7/JSSLoader CnC) (trojan.rules)
  2029921 - ET TROJAN Observed Malicious SSL Cert (Malicious Browser Ext CnC) (trojan.rules)
  2029922 - ET TROJAN Observed Malicious SSL Cert (Malicious Browser Ext CnC) (trojan.rules)

Pro:

  2842032 - ETPRO MOBILE_MALWARE Android/Noranja Reporting App List (mobile_malware.rules)
  2842033 - ETPRO MOBILE_MALWARE Android/FOMI Checkin (mobile_malware.rules)
  2842034 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.SmsThief.itn Checkin (mobile_malware.rules)
  2842035 - ETPRO TROJAN Win32/Agent.ABLU Connectivity Check (trojan.rules)
  2842036 - ETPRO TROJAN Observed Malicious UA (fuckuskidswwww) (trojan.rules)
  2842037 - ETPRO TROJAN MSIL/CryBot CnC Checkin (trojan.rules)
  2842038 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-15 1) (trojan.rules)
  2842039 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-15 2) (trojan.rules)
  2842040 - ETPRO TROJAN MSIL/Injector.PP Variant CnC Host Checkin (trojan.rules)
  2842041 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-04-15 (current_events.rules)
  2842042 - ETPRO CURRENT_EVENTS Successful GiffGaff Phish 2020-04-15 (current_events.rules)
  2842043 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-04-15 (current_events.rules)
  2842044 - ETPRO CURRENT_EVENTS Successful Hulu Phish 2020-04-15 (current_events.rules)
  2842045 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-04-15 (current_events.rules)
  2842046 - ETPRO CURRENT_EVENTS Successful Microsoft Account 000webhostapp Phish 2020-04-15 (current_events.rules)
  2842047 - ETPRO CURRENT_EVENTS Successful IRS Phish 2020-04-15 (current_events.rules)
  2842048 - ETPRO TROJAN Win32/Farfli.CTT CnC Activity (trojan.rules)
  2842049 - ETPRO TROJAN Win32/Spy.Guildma.BV Requesting Binary (trojan.rules)
  2842050 - ETPRO TROJAN Win32/Remcos RAT Checkin 392 (trojan.rules)
  2842051 - ETPRO TROJAN Win32/Remcos RAT Checkin 393 (trojan.rules)
  2842052 - ETPRO TROJAN Win32/Remcos RAT Checkin 394 (trojan.rules)
  2842053 - ETPRO TROJAN Win32/Remcos RAT Checkin 395 (trojan.rules)
  2842054 - ETPRO TROJAN Win32/Remcos RAT Checkin 396 (trojan.rules)
  2842055 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
  2842056 - ETPRO WEB_CLIENT Evil Keitaro Set-Cookie Inbound (e1d02) (web_client.rules)

[///]     Modified active rules:     [///]

  2017642 - ET TROJAN Linux/Ssemgrvd sshd Backdoor HTTP CNC 1 (trojan.rules)
  2024837 - ET TROJAN [PTsecurity] Ursnif Encoded Payload Inbound (trojan.rules)
  2025437 - ET CURRENT_EVENTS [PTsecurity] Grandsoft EK Payload (current_events.rules)
  2025455 - ET TROJAN Win32/GandCrab Ransomware CnC Activity M2 (trojan.rules)
  2025530 - ET TROJAN [PTsecurity] Trojan.JS.Agent.dwz Checkin 2 (trojan.rules)
  2025558 - ET CURRENT_EVENTS [PTsecurity] Possible Malicious (HTA-VBS-PowerShell) obfuscated command (current_events.rules)
  2028631 - ET TROJAN DNSG - Data Exfiltration via DNS (trojan.rules)
  2028880 - ET TROJAN Anchor_DNS Trickbot DNS CnC Command - Sending Data (trojan.rules)
  2028881 - ET TROJAN Anchor_DNS Trickbot DNS CnC Command - Prepare to Receive Data (trojan.rules)
  2028882 - ET TROJAN Anchor_DNS Trickbot DNS CnC Command - Receive Data (trojan.rules)
  2830363 - ETPRO TROJAN MSIL/Limitail Variant CnC Sending Payload Hashes (trojan.rules)
  2834614 - ETPRO CURRENT_EVENTS Successful AliExpress Phish 2019-01-28 (current_events.rules)
  2837233 - ETPRO TROJAN Possible Unk JSP WebShell Access M4 (trojan.rules)
  2838649 - ETPRO TROJAN Win32/Presenoker Requesting Batch File M3 (trojan.rules)
  2838650 - ETPRO TROJAN Win32/Presenoker Requesting Batch File M4 (trojan.rules)
  2838853 - ETPRO TROJAN Possible Win32/Zebrocy CnC Checkin (trojan.rules)
  2838924 - ETPRO TROJAN MedusaHTTP Variant CnC Checkin (trojan.rules)
  2841022 - ETPRO TROJAN ELF/Mirai Dropper Style DNS Query CnC Domain (trojan.rules)
  2841974 - ETPRO TROJAN Win32/Agent.UAW CnC Activity (trojan.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team