[Emerging-Sigs] Daily Ruleset Update Summary 2020/04/29

Jack Mott jmott at emergingthreats.net
Wed Apr 29 14:40:19 HDT 2020


[***]            Summary:            [***]

13 new Open, 44 new Pro (13 + 31). BeeMovie, Win32/IcedID, NAZAR
EYService, Win32/Remcos, ELF/Gafygt Variant, Generic Ping/Pong, VARIOUS
Phishing.

tks: @sysopfb, @3XS0

Please be aware that after the deprecation of our Suricata 2/3 support
(April 15th 2020), the path for downloading the last pushed production
Suricata 2/3 rulesets has changed.  Deprecated rulesets are available at
https://rules.emergingthreatspro.com/OINK/old for ETPro and
https://rules.emergingthreatspro.com/open/old/ for ETOpen.  All requests
for the Suricata 2/3 rulesets at their previous locations will now lead to
the Suricata 4.0 production rules for ETPro and the rule download
instructions for ETOpen.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030046 - ET TROJAN Observed Malicious SSL Cert
(W32/TrojanDownloader.Agent.FBF Variant CnC) (trojan.rules)
  2030047 - ET INFO URL Observed in PDF Downloaded via Dropbox (info.rules)
  2030048 - ET SCAN ELF/Mirai Variant User-Agent (Inbound) (scan.rules)
  2030049 - ET TROJAN ELF/Mirai Variant User-Agent (Outbound) (trojan.rules)
  2030050 - ET USER_AGENTS BeeMovie Related Activity (user_agents.rules)
  2030051 - ET TROJAN IcedID CnC Domain in SNI (trojan.rules)
  2030052 - ET TROJAN IcedID CnC Domain in SNI (trojan.rules)
  2030053 - ET TROJAN Win32/IcedID Requesting Encoded Binary M4
(trojan.rules)
  2030054 - ET TROJAN Win32/Kryptik.HCZR Variant Initial Checkin
(trojan.rules)
  2030055 - ET TROJAN NAZAR EYService Pong response (trojan.rules)
  2030056 - ET TROJAN NAZAR EYService OSInfo response (trojan.rules)
  2030057 - ET TROJAN NAZAR EYService File exfiltrate response
(trojan.rules)
  2030058 - ET USER_AGENTS Observed Suspicious UA (h55u4u4u5uii5)
(user_agents.rules)

Pro:

  2842256 - ETPRO TROJAN ELF/Gafygt Variant CnC Checkin (trojan.rules)
  2842257 - ETPRO TROJAN ELF/Gafygt Variant CnC Response (trojan.rules)
  2842258 - ETPRO TROJAN ELF/Gafygt Variant CnC Telscan Command Inbound
(trojan.rules)
  2842259 - ETPRO POLICY External IP Lookup via ip .tfblzp .com
(policy.rules)
  2842260 - ETPRO INFO Generic Ping Keep-Alive Outbound M1 (info.rules)
  2842261 - ETPRO INFO Generic Ping Keep-Alive Outbound M2 (info.rules)
  2842262 - ETPRO INFO Generic Ping Keep-Alive Outbound M3 (info.rules)
  2842263 - ETPRO INFO Generic Pong Keep-Alive Inbound M1 (info.rules)
  2842264 - ETPRO INFO Generic Pong Keep-Alive Inbound M2 (activex.rules)
  2842265 - ETPRO INFO Generic Pong Keep-Alive Inbound M3 (info.rules)
  2842266 - ETPRO INFO Generic Pong Keep-Alive Outbound M1 (info.rules)
  2842267 - ETPRO INFO Generic Pong Keep-Alive Outbound M2 (info.rules)
  2842268 - ETPRO INFO Generic Pong Keep-Alive Outbound M3 (info.rules)
  2842269 - ETPRO INFO Generic Ping Keep-Alive Inbound M1 (info.rules)
  2842270 - ETPRO INFO Generic Ping Keep-Alive Inbound M2 (info.rules)
  2842271 - ETPRO INFO Generic Ping Keep-Alive Inbound M3 (info.rules)
  2842272 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-29 1) (trojan.rules)
  2842273 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-29 2) (trojan.rules)
  2842274 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-29 3) (trojan.rules)
  2842275 - ETPRO TROJAN Unk.VBS Downloader Activity (trojan.rules)
  2842276 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-04-29 (current_events.rules)
  2842277 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-04-29 (current_events.rules)
  2842278 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-04-29 (current_events.rules)
  2842279 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-04-29 (current_events.rules)
  2842280 - ETPRO CURRENT_EVENTS Successful Office 365 Phish 2020-04-29
(current_events.rules)
  2842281 - ETPRO CURRENT_EVENTS Successful Ebay Phish 2020-04-29
(current_events.rules)
  2842282 - ETPRO CURRENT_EVENTS Successful Capitec Bank Phish 2020-04-29
(current_events.rules)
  2842283 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2020-04-29
(current_events.rules)
  2842284 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish
2020-04-29 (current_events.rules)
  2842285 - ETPRO CURRENT_EVENTS Successful Assurance Maladie Phish
2020-04-29 (current_events.rules)
  2842286 - ETPRO TROJAN Win32/Remcos RAT Checkin 414 (trojan.rules)

[///]     Modified active rules:     [///]

  2003171 - ET SCAN IBM NSA User Agent (scan.rules)
  2009444 - ET TROJAN Virut Family GET (trojan.rules)
  2013201 - ET TROJAN Win32/Rodecap CnC Checkin (trojan.rules)
  2013423 - ET TROJAN User-Agent in Referer Field - Likely Malware
(trojan.rules)
  2013865 - ET TROJAN Kazy/Kryptor/Cycbot Trojan Checkin 2 (trojan.rules)
  2014083 - ET TROJAN Trojan.Win32.A.FakeAV Reporting (trojan.rules)
  2014341 - ET POLICY Installshield One Click Install User-Agent Toys File
(policy.rules)
  2016460 - ET TROJAN WEBC2-CSON Checkin - APT1 Related (trojan.rules)
  2016527 - ET TROJAN W32/Asprox php.dll.crp POST CnC Beacon (trojan.rules)
  2016528 - ET TROJAN W32/Asprox CnC Beacon (trojan.rules)
  2016578 - ET TROJAN Dorkbot Loader Payload Request (trojan.rules)
  2016794 - ET CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command
(current_events.rules)
  2016862 - ET TROJAN Hangover Campaign Keylogger 2 checkin (trojan.rules)
  2016903 - ET USER_AGENTS Suspicious User-Agent (DownloadMR)
(user_agents.rules)
  2017582 - ET TROJAN Citadel Activity POST (trojan.rules)
  2017662 - ET TROJAN Known Sinkhole Response Header (trojan.rules)
  2017714 - ET TROJAN PlugX Checkin (trojan.rules)
  2017937 - ET TROJAN Fake/Short Google Search Appliance UA Win32/Ranbyus
and Others (trojan.rules)
  2018176 - ET WEB_SPECIFIC_APPS Symantec Endpoint Manager XXE RCE Attempt
(web_specific_apps.rules)
  2018200 - ET TROJAN Win32/Matsnu.L Checkin (trojan.rules)
  2018204 - ET TROJAN W32/Qakbot.Bot Version 8 CnC Beacon (trojan.rules)
  2018208 - ET DOS Inbound GoldenEye DoS attack (dos.rules)
  2018220 - ET INFO DYNAMIC_DNS HTTP Request to a *.ddns.info Domain
(info.rules)
  2018221 - ET INFO DYNAMIC_DNS HTTP Request to a *.ddns.name Domain
(info.rules)
  2018222 - ET POLICY InstallIQ Updater Software request (policy.rules)
  2018223 - ET CURRENT_EVENTS SWF filename used in IE 2014-0322 Watering
Hole Attacks (current_events.rules)
  2018224 - ET TROJAN Likely Geodo/Emotet Downloading PE (trojan.rules)
  2018230 - ET TROJAN SMSHoax Riskware checkin (trojan.rules)
  2018233 - ET INFO JAR Sent Claiming To Be Image - Likely Exploit Kit
(info.rules)
  2018234 - ET INFO JAR Sent Claiming To Be Text Content - Likely Exploit
Kit (info.rules)
  2018241 - ET TROJAN Possible Kelihos Infection Executable Download With
Malformed Header (trojan.rules)
  2018249 - ET TROJAN W32/PointOfSales.Misc CnC Beacon (trojan.rules)
  2018250 - ET TROJAN W32/PointOfSales.Misc CnC Activity (trojan.rules)
  2018331 - ET TROJAN W32/SpeedingUpMyPC.Rootkit Install CnC Beacon
(trojan.rules)
  2018332 - ET TROJAN W32/SpeedingUpMyPC.Rootkit CnC Beacon (trojan.rules)
  2018345 - ET TROJAN W32/SpeedingUpMyPC.Rootkit Successful Install GET
Type CnC Beacon (trojan.rules)
  2018381 - ET TROJAN Suspicious User-Agent (hi) (trojan.rules)
  2018404 - ET TROJAN GreenDou Downloader User-Agent (hello crazyk)
(trojan.rules)
  2018434 - ET WEB_CLIENT Microsoft Application Crash Report Indicates
Potential VGX Memory Corruption (web_client.rules)
  2018436 - ET WEB_CLIENT Microsoft Application Crash Report Indicates
Potential VGX Memory Corruption 2 (web_client.rules)
  2018443 - ET TROJAN W32/Karagany.Downloader CnC Beacon (trojan.rules)
  2018451 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 05 2014
(current_events.rules)
  2800000 - ETPRO WEB_SERVER Microsoft IIS ISAPI Heap Overflow
(web_server.rules)
  2804765 - ETPRO TROJAN Dirt Jumper/Russkill v5 Checkin (trojan.rules)
  2806100 - ETPRO TROJAN Win32/Vkhost.F .dll download (trojan.rules)
  2806220 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.JY Checkin
(mobile_malware.rules)
  2806272 - ETPRO TROJAN Win32/Sality.AM Checkin 2 (trojan.rules)
  2806495 - ETPRO TROJAN Trojan-Downloader.Win32.VB.gzui Checkin
(trojan.rules)
  2806610 - ETPRO TROJAN Trojan-Ransom.Win32.Foreign.ehru Checkin
(trojan.rules)
  2806657 - ETPRO TROJAN Win32.CCProxy.jk (proxy redirect) (trojan.rules)
  2806880 - ETPRO TROJAN Suspicious HTTP Referer artifact.exe at drive C
(trojan.rules)
  2806883 - ETPRO TROJAN Worm.AutoIt/Renocide.gen!A Checkin (trojan.rules)
  2807179 - ETPRO TROJAN Trojan.DownLoader10.36780 User-Agent (odin)
(trojan.rules)
  2807275 - ETPRO USER_AGENTS Suspicious User Agent
UniversalUserAgent(winHTTP) (user_agents.rules)
  2807424 - ETPRO TROJAN Trojan-Dropper.Win32.Dorifel.hlu Checkin
(trojan.rules)
  2807446 - ETPRO MOBILE_MALWARE Android/Spy.Agent.AF Checkin 2
(mobile_malware.rules)
  2807547 - ETPRO TROJAN Downloader.Win32.Genome.fvmi Checkin (trojan.rules)
  2807605 - ETPRO TROJAN Win32/Agent.UWF Checkin (trojan.rules)
  2807689 - ETPRO TROJAN Win32/Injector.Autoit.ADN Checkin (trojan.rules)
  2807725 - ETPRO TROJAN Trojan.Win32.Inject.hpit Checkin (trojan.rules)
  2807743 - ETPRO TROJAN Backdoor.Win32.VB.atj Checkin (trojan.rules)
  2807744 - ETPRO TROJAN Backdoor.Win32/Zegost.AY Checkin (trojan.rules)
  2807758 - ETPRO TROJAN GameThief.Win32.OnLineGames.aqv User-Agent
(My_Agenter) (trojan.rules)
  2807759 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.GingerMaster.a Checkin 5
(mobile_malware.rules)
  2807760 - ETPRO MOBILE_MALWARE Android.Adware.Wapsx.A Suspicious
User-Agent (mobile_malware.rules)
  2807772 - ETPRO TROJAN Win32/Neglemir.A Checkin (trojan.rules)
  2807774 - ETPRO TROJAN Trojan.Win32.Siggen Downloader (trojan.rules)
  2807786 - ETPRO MOBILE_MALWARE AndroidOS/OpFakeSms.C Checkin
(mobile_malware.rules)
  2807792 - ETPRO TROJAN Win32/Obfuscator.XZ Checkin 3 (trojan.rules)
  2807814 - ETPRO TROJAN Trojan.Autoit.F Checkin 4 (trojan.rules)
  2807816 - ETPRO TROJAN Win32/Agent.DE Checkin 2 (trojan.rules)
  2807823 - ETPRO TROJAN Trojan-Dropper.Win32.Sysn.acbq Checkin
(trojan.rules)
  2807832 - ETPRO TROJAN Generic.Mitglied Checkin 2 (trojan.rules)
  2807859 - ETPRO TROJAN Variant.Symmi Checkin 3 (trojan.rules)
  2807861 - ETPRO TROJAN Backdoor.Win32.Nbdd.bsj Checkin (trojan.rules)
  2807862 - ETPRO TROJAN Backdoor.Win32.Nbdd.bsj Checkin 2 (trojan.rules)
  2807868 - ETPRO TROJAN Win32.Inject.gynk Checkin (trojan.rules)
  2807869 - ETPRO TROJAN Win32/Necurs Checkin 2 (trojan.rules)
  2807875 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.PhoneSpy.b Checkin
(mobile_malware.rules)
  2807880 - ETPRO TROJAN Trojan-Downloader.Win32.Vivia.r Checkin
(trojan.rules)
  2807906 - ETPRO TROJAN Backdoor.Win32.IRCBot.aerz Checkin (trojan.rules)
  2807915 - ETPRO TROJAN Trojan-Downloader.Win32.Banload.cqhl Checkin
(trojan.rules)
  2807938 - ETPRO MOBILE_MALWARE Android/SmsSpy.X Checkin
(mobile_malware.rules)
  2807939 - ETPRO MOBILE_MALWARE Android/SmsSpy.X Checkin 2
(mobile_malware.rules)
  2807943 - ETPRO TROJAN Trojan-PSW.Win32.QQDragon.bq Checkin (trojan.rules)
  2807947 - ETPRO TROJAN Win32/Chksyn.gen!A Checkin (trojan.rules)
  2807948 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.ft Checkin
(mobile_malware.rules)
  2807966 - ETPRO TROJAN W32.Tinba/Zusy Checkin 2 (trojan.rules)
  2807967 - ETPRO TROJAN Backdoor.Win32.Destrukor.20 Checkin (trojan.rules)
  2807973 - ETPRO TROJAN Trojan-Ransom.Win32.Blocker.eemn Checkin
(trojan.rules)
  2807977 - ETPRO TROJAN Backdoor.Win32.Destrukor.20 Checkin 2
(trojan.rules)
  2807979 - ETPRO TROJAN Trojan.Win32.Agentb.apga Checkin (trojan.rules)
  2807980 - ETPRO TROJAN Trojan.Win32.Agentb.apga Checkin 2 (trojan.rules)
  2807992 - ETPRO TROJAN Trojan-Downloader.Win32.INService User-Agent
(trojan.rules)
  2807993 - ETPRO TROJAN Trojan-Downloader.Win32.Small.gri Checkin
(trojan.rules)
  2807996 - ETPRO TROJAN Worm.Win32.VBNA.b Checkin 3 (trojan.rules)
  2807999 - ETPRO TROJAN Worm.Win32.VBNA.b Checkin 4 (trojan.rules)
  2808031 - ETPRO TROJAN Trojan-PSW.Win32.QQShou.ch User-Agent
(trojan.rules)