[Emerging-Sigs] Daily Ruleset Update Summary 2020/04/16

James Emery-Callcott jcallcott at emergingthreats.net
Thu Apr 16 14:11:39 HDT 2020


[***]            Summary:            [***]

  6 new Open, 19 new Pro (6 + 13).  Win32/CONFUCIUS_B, AgentTesla, Various
Phish, Others.

  Thanks @401TRG.

  Please be aware that after the deprecation of our Suricata 2/3 support
(April 15th 2020), the path for downloading the last pushed production
Suricata 2/3 rulesets has changed.  Deprecated rulesets are available at
https://rules.emergingthreatspro.com/OINK/old for ETPro and
https://rules.emergingthreatspro.com/open/old/ for ETOpen.  All requests
for the Suricata 2/3 rulesets at their previous locations will now lead to
the Suricata 4.0 production rules for ETPro and the rule download
instructions for ETOpen.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2029923 - ET POLICY IP Check (ip. jsontest .com) (policy.rules)
  2029924 - ET TROJAN Win32/CONFUCIUS_B CnC Checkin (trojan.rules)
  2029925 - ET TROJAN Win32/CONFUCIUS_B External IP Check to CnC M2
(trojan.rules)
  2029926 - ET TROJAN Observed Malicious SSL Cert (CONFUCIOUS_B CnC)
(trojan.rules)
  2029927 - ET TROJAN AgentTesla Exfil via FTP (trojan.rules)
  2029928 - ET TROJAN AgentTesla HTML System Info Report Exfil via FTP
(trojan.rules)

Pro:

  2842057 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)
(trojan.rules)
  2842058 - ETPRO CURRENT_EVENTS MalDoc Retrieving Payload 2020-04-16 M1
(current_events.rules)
  2842059 - ETPRO CURRENT_EVENTS MalDoc Retrieving Payload 2020-04-16 M2
(current_events.rules)
  2842060 - ETPRO TROJAN Observed Decmial Encoded Executable Inbound
(trojan.rules)
  2842061 - ETPRO TROJAN MalDoc Retrieving Lemon_Duck Payload 2020-04-16
(trojan.rules)
  2842062 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-16 1) (trojan.rules)
  2842063 - ETPRO CURRENT_EVENTS Successful AlaskaUSA Federal Credit Union
Phish 2020-04-16 (current_events.rules)
  2842064 - ETPRO CURRENT_EVENTS Successful AlaskaUSA Federal Credit Union
Phish 2020-04-16 (current_events.rules)
  2842065 - ETPRO CURRENT_EVENTS Successful Coinbase Phish 2020-04-16
(current_events.rules)
  2842066 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-04-16
(current_events.rules)
  2842067 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-04-16 (current_events.rules)
  2842068 - ETPRO CURRENT_EVENTS Successful Zoom Phish 2020-04-16
(current_events.rules)
  2842069 - ETPRO TROJAN Observed Malicious SSL Cert (MSIL/Agent.UL CnC)
(trojan.rules)

[///]     Modified active rules:     [///]

  2012887 - ET POLICY HTTP POST contains pass= in cleartext (policy.rules)
  2015895 - ET TROJAN Win32/TrojanDownloader.Wauchos.A CnC Activity
(trojan.rules)
  2017080 - ET INFO HTTP POST contains pasa= in cleartext (info.rules)
  2028837 - ET TROJAN Possible APT 41 Fake Server Response (trojan.rules)
  2028906 - ET TROJAN Suspected Zebrocy Implant CnC Checkin (trojan.rules)
  2029055 - ET MALWARE Win32/Adware.Adposhel.A Checkin M6 (malware.rules)
  2029910 - ET TROJAN Suspected SPECULOOS Backdoor CnC Init Packet
Masquerading as SNI Request to live .com (trojan.rules)
  2801363 - ETPRO TROJAN Trojan.Win32.Lanaur.A Checkin (trojan.rules)
  2810115 - ETPRO TROJAN TrojanDownloader.Banload.VGH checkin (trojan.rules)
  2814529 - ETPRO TROJAN Win32/Gamker.A Checkin (trojan.rules)
  2838953 - ETPRO USER_AGENTS Observed Suspicious UA (M) (user_agents.rules)
  2839149 - ETPRO TROJAN Win32/PowerVBS Uploading Screenshot to CnC
(trojan.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team