[Emerging-Sigs] Daily Ruleset Update Summary 2020/04/30

Jack Mott jmott at emergingthreats.net
Thu Apr 30 14:25:57 HDT 2020


[***]            Summary:            [***]

12 new Open, 30 new Pro (12 + 18). Various Generic
Mailer Accessed, MINEBRIDGE CnC, Rhabdo CnC, Babylon RAT CnC, Strongpity
CnC, VARIOUS Phishing.

Please be aware that after the deprecation of our Suricata 2/3 support
(April 15th 2020), the path for downloading the last pushed production
Suricata 2/3 rulesets has changed. Deprecated rulesets are available at
https://rules.emergingthreatspro.com/OINK/old for ETPro and
https://rules.emergingthreatspro.com/open/old/ for ETOpen. All requests
for the Suricata 2/3 rulesets at their previous locations will now lead to the
Suricata 4.0 production rules for ETPro and the rule download instructions
for ETOpen.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030059 - ET WEB_CLIENT Generic Mailer Accessed on External Server (web_client.rules)
  2030060 - ET WEB_SERVER Generic Mailer Accessed on Internal Server (web_server.rules)
  2030061 - ET WEB_CLIENT Generic Mailer Accessed on External Server (web_client.rules)
  2030062 - ET WEB_SERVER Generic Mailer Accessed on Internal Server (web_server.rules)
  2030063 - ET WEB_CLIENT Generic Mailer Check Accessed on External Server (web_client.rules)
  2030064 - ET WEB_SERVER Generic Mailer Check Accessed on Internal Server (web_server.rules)
  2030065 - ET WEB_CLIENT Generic Webshell Accessed on External Server (web_client.rules)
  2030066 - ET WEB_SERVER Generic Webshell Accessed on Internal Server (web_server.rules)
  2030067 - ET TROJAN MINEBRIDGE CnC Request (trojan.rules)
  2030068 - ET TROJAN MINEBRIDGE CnC Response (trojan.rules)
  2030069 - ET TROJAN Rhabdo CnC Activity M1 (trojan.rules)
  2030070 - ET TROJAN Rhabdo CnC Activity M2 (trojan.rules)

Pro:

  2842264 - ETPRO INFO Generic Pong Keep-Alive Inbound M2 (info.rules)
  2842287 - ETPRO TROJAN Babylon RAT CnC Keep-Alive (Outbound) (trojan.rules)
  2842288 - ETPRO TROJAN Babylon RAT CnC Checkin (trojan.rules)
  2842290 - ETPRO TROJAN Observed More_eggs CnC Domain in DNS Query (trojan.rules)
  2842291 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-30 1) (trojan.rules)
  2842292 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-30 2) (trojan.rules)
  2842293 - ETPRO CURRENT_EVENTS Successful Generic Work Survey Phish 2020-04-30 (current_events.rules)
  2842294 - ETPRO CURRENT_EVENTS Successful BT Phish 2020-04-30 (current_events.rules)
  2842295 - ETPRO CURRENT_EVENTS Successful Blockchain Phish 2020-04-30 (current_events.rules)
  2842296 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-04-30 (current_events.rules)
  2842297 - ETPRO CURRENT_EVENTS Successful Cogenco Phish 2020-04-30 (current_events.rules)
  2842298 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-04-30 (current_events.rules)
  2842299 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-04-30 (current_events.rules)
  2842300 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-04-30 (current_events.rules)
  2842301 - ETPRO TROJAN Observed Malicious SSL Cert (Adwind CnC) (trojan.rules)
  2842302 - ETPRO TROJAN Observed Malicious SSL Cert (Strongpity CnC) (trojan.rules)
  2842303 - ETPRO TROJAN Strongpity CnC Activity (POST) (trojan.rules)
  2842304 - ETPRO TROJAN Glupteba CnC Domain in DNS Lookup (trojan.rules)

[///]     Modified active rules:     [///]

  2011706 - ET P2P Bittorrent P2P Client User-Agent (uTorrent) (p2p.rules)
  2012629 - ET MALWARE Optimum Installer User-Agent IE6 on Windows XP (malware.rules)
  2014705 - ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack exploit request (current_events.rules)
  2014706 - ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload request (exploit successful!) (current_events.rules)
  2014707 - ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload download (current_events.rules)
  2017903 - ET TROJAN Win32/Urausy.C Checkin 4 (trojan.rules)
  2018117 - ET TROJAN Possible Sinkhole banner (trojan.rules)
  2018419 - ET TROJAN W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA (trojan.rules)
  2018504 - ET TROJAN W32/Zeus.BitcoinMiner Variant CnC Beacon (trojan.rules)
  2018519 - ET TROJAN Soraya C2 User-Agent (trojan.rules)
  2018523 - ET TROJAN Soraya C2 User-Agent (rhyno321) (trojan.rules)
  2018524 - ET TROJAN Soraya C2 User-Agent (SBTCM) (trojan.rules)
  2018525 - ET TROJAN Soraya C2 User-Agent (slayer) (trojan.rules)
  2018526 - ET TROJAN Soraya C2 User-Agent (Vulture) (trojan.rules)
  2018527 - ET TROJAN Soraya C2 User-Agent (VHIbot/1.0) (trojan.rules)
  2018528 - ET TROJAN Soraya C2 User-Agent (xehanort321) (trojan.rules)
  2018529 - ET TROJAN Soraya C2 User-Agent (x09) (trojan.rules)
  2018546 - ET TROJAN EtumBot Registration Request (trojan.rules)
  2018553 - ET TROJAN Pandemiya User-Agent (trojan.rules)
  2018566 - ET TROJAN Hangover related campaign Checkin (trojan.rules)
  2018570 - ET TROJAN HTTP Request to a *.su domain with direct request/fakebrowser (multiple families flowbit set) (trojan.rules)
  2018571 - ET TROJAN HTTP Request to a *.pw domain with direct request/fake browser (multiple families flowbit set) (trojan.rules)
  2018574 - ET TROJAN W32/Asprox.Bot Knock Variant CnC Beacon (trojan.rules)
  2018588 - ET EXPLOIT Supermicro BMC Password Disclosure 4 (exploit.rules)
  2018599 - ET TROJAN W32/Citadel Download From CnC Server /files/ attachment (trojan.rules)
  2018607 - ET WEB_SERVER PHP Crawler (web_server.rules)
  2018618 - ET TROJAN Possible W32/VBKlip BAN Download (trojan.rules)
  2018648 - ET WEB_SPECIFIC_APPS Possible WP Plug-in MailPoet Arbitrary File Upload/Auth Bypass Vulnerability (web_specific_apps.rules)
  2018652 - ET WEB_SPECIFIC_APPS Oracle Event Processing FileUploadServlet Arbitrary File Upload (web_specific_apps.rules)
  2018659 - ET TROJAN CyberGate RAT Checkin (trojan.rules)
  2018660 - ET TROJAN CyberGate RAT User-Agent (USER_CHECK) (trojan.rules)
  2018663 - ET MOBILE_MALWARE Android Spyware Dowgin Checkin (mobile_malware.rules)
  2018664 - ET TROJAN Minirem (trojan.rules)
  2018678 - ET TROJAN Upatre Common URI Struct July 15 2014 (trojan.rules)
  2018740 - ET WEB_SERVER Adobe Flash Player Rosetta Flash compressed CWS in URI (web_server.rules)
  2026486 - ET POLICY DNS Lookup for Possible Common Brand Phishing Hosted on Legitimate Windows Service (policy.rules)
  2026487 - ET POLICY Request for Possible Common Brand Phishing Hosted on Legitimate Windows Service (policy.rules)
  2029710 - ET INFO Suspicious Domain Request for Possible COVID-19 Domain M2 (info.rules)
  2804278 - ETPRO TROJAN Win32/TrojanDownloader.Banload.QOR Checkin (trojan.rules)
  2806339 - ETPRO TROJAN TrojanDownloader Win32/Banload Download 4 (trojan.rules)
  2806956 - ETPRO TROJAN Generic.Mitglied.E3CF7B34 Checkin (trojan.rules)
  2807016 - ETPRO TROJAN Win32.Agent Trojan Checkin (trojan.rules)
  2808052 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.C Checkin (mobile_malware.rules)
  2808061 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.ks Checkin (mobile_malware.rules)
  2808078 - ETPRO TROJAN Win32/Webprefix Checkin (trojan.rules)
  2808080 - ETPRO EXPLOIT Symantec Workspace Streaming Arbitrary File Upload (exploit.rules)
  2808134 - ETPRO MOBILE_MALWARE Android.Trojan.Dplug.A Checkin (mobile_malware.rules)
  2808169 - ETPRO TROJAN Connectivity Check/Trojan-Downloader.Win32.Genome (trojan.rules)
  2808179 - ETPRO MOBILE_MALWARE HackTool.AndroidOS.DroidSniff.a Checkin (mobile_malware.rules)
  2808186 - ETPRO TROJAN suspicious User-Agent and Request on Unusual Port Win32/Jeefo.A (trojan.rules)
  2808193 - ETPRO TROJAN Trojan.BAT.Agent.alb Checkin (trojan.rules)
  2808194 - ETPRO TROJAN Win32.Onkods.s payload retrieval (trojan.rules)
  2808197 - ETPRO TROJAN Suspicious User-Agent Win32/Mosucker (trojan.rules)
  2808201 - ETPRO TROJAN Win32/Locotout.gen!A Checkin (trojan.rules)
  2808202 - ETPRO TROJAN Suspicious User-Agent (None) (trojan.rules)
  2808211 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.WV Checkin 2 (mobile_malware.rules)
  2808216 - ETPRO P2P BTmagnat/BTStorm Client User-Agent (BTStorm) (p2p.rules)
  2808230 - ETPRO TROJAN Win32/Miracovecz Download Payload (trojan.rules)
  2808247 - ETPRO MOBILE_MALWARE Dogwin.G Checkin (mobile_malware.rules)
  2808259 - ETPRO MOBILE_MALWARE Android/SMSreg.GS Checkin (mobile_malware.rules)
  2808278 - ETPRO EXPLOIT HP autopass license traversal (exploit.rules)
  2808279 - ETPRO EXPLOIT Cogent DataHub Command Injection (exploit.rules)
  2808294 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Mseg.a Checkin (mobile_malware.rules)
  2808304 - ETPRO TROJAN W32/Delf variant Checkin (trojan.rules)
  2808328 - ETPRO EXPLOIT Infoblox NetMRI Command Injection (exploit.rules)
  2808337 - ETPRO TROJAN Win32.Agentb.atpi Checkin (trojan.rules)
  2808362 - ETPRO TROJAN Win32/Zbot Aol.com Connectivity Check (trojan.rules)
  2808387 - ETPRO TROJAN Trojan.Win32.Generic.AtsI Checkin 2 (trojan.rules)
  2808388 - ETPRO TROJAN W32/Expiro.BB checkin (trojan.rules)
  2808389 - ETPRO TROJAN Dtcontx.F Checkin (trojan.rules)
  2808394 - ETPRO MOBILE_MALWARE Android.Trojan.Agent.XFG Checkin (mobile_malware.rules)
  2808396 - ETPRO TROJAN Cryptowall Downloading Executable (trojan.rules)
  2808400 - ETPRO TROJAN TrojanDownloader.Win32/Yesudac.A Download exe (trojan.rules)
  2808404 - ETPRO TROJAN Trojan.Win32.Banload.crnfky Checkin (trojan.rules)
  2840310 - ETPRO TROJAN Win32/Valak Generic CnC Activity (trojan.rules)
  2841990 - ETPRO INFO Observed Suspicious Base64 Encoded Wide String Inbound (exe) (info.rules)