[Emerging-Sigs] Daily Ruleset Update Summary 2020/02/05

Brandon Murphy bmurphy at emergingthreats.net
Wed Feb 5 15:31:06 HST 2020


[***]            Summary:            [***]

 29 new Open, 48 new Pro (29 + 19). Win32/Emotet, Charming Kitten,
Parallax, Various Phish

 Thanks @James_inthe_box

 Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback


[+++]          Added rules:          [+++]

Open:

 2029352 - ET TROJAN Parallax CnC Activity M6 (set) (trojan.rules)
 2029353 - ET TROJAN Parallax CnC Response Activity M6 (trojan.rules)
 2029354 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029355 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029356 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029357 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029358 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029359 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029360 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029361 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029362 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029363 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029364 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029365 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029366 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029367 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029368 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029369 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029370 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029371 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029372 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029373 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029374 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029375 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029376 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029377 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029378 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029379 - ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) (web_client.rules)
 2029380 - ET TROJAN Win32/Emotet CnC Activity (POST) M8 (trojan.rules)

Pro:

 2840871 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-02-05 1) (trojan.rules)
 2840872 - ETPRO CURRENT_EVENTS Successful Raiffeisen Bank Phish 2020-02-05
(current_events.rules)
 2840873 - ETPRO CURRENT_EVENTS Successful Generic BR Bank Phish 2020-02-05
(current_events.rules)
 2840874 - ETPRO EXPLOIT AVTECH DVR Unauthenticated SSRF (Outbound)
(exploit.rules)
 2840875 - ETPRO SCAN AVTECH DVR Unauthenticated SSRF (Inbound) (scan.rules)
 2840876 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound)
(trojan.rules)
 2840877 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
 2840878 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-02-05 (current_events.rules)
 2840879 - ETPRO CURRENT_EVENTS Successful Latam Phish 2020-02-05
(current_events.rules)
 2840880 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-02-05
(current_events.rules)
 2840881 - ETPRO CURRENT_EVENTS Successful Nubank Phish 2020-02-05
(current_events.rules)
 2840882 - ETPRO CURRENT_EVENTS Successful Whatsapp/Facebook Phish
2020-02-05 (current_events.rules)
 2840883 - ETPRO USER_AGENTS Suspicious User-Agent containing Malware
(user_agents.rules)
 2840884 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2020-02-05
(current_events.rules)
 2840885 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish
2020-02-05 (current_events.rules)
 2840886 - ETPRO CURRENT_EVENTS Successful Dena Bank Phish 2020-02-05
(current_events.rules)
 2840887 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-02-05
(current_events.rules)
 2840888 - ETPRO MALWARE Win32/InstallCore Checkin (malware.rules)
 2840889 - ETPRO TROJAN Discord Token Grabber Exfil Attempt M2
(trojan.rules)


[///]     Modified active rules:     [///]

 2013327 - ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC
Server (mobile_malware.rules)
 2013536 - ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving Server IP
Addresses (trojan.rules)
 2013537 - ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving New IP
Addresses From Server (trojan.rules)
 2013538 - ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving New Malware
From Server (trojan.rules)
 2013539 - ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Server Checkin
(trojan.rules)
 2013668 - ET TROJAN Win32.Riberow.A (listdir) (trojan.rules)
 2013669 - ET TROJAN Win32.Riberow.A (mkdir) (trojan.rules)
 2013791 - ET SCAN Apache mod_proxy Reverse Proxy Exposure 1 (scan.rules)
 2802863 - ETPRO TROJAN Win32.CashOn!IK Checkin (trojan.rules)
 2803333 - ETPRO TROJAN Downloader.Win32.NSIS.hn Checkin (trojan.rules)
 2803495 - ETPRO TROJAN Win32.Lexip Checkin (trojan.rules)
 2803502 - ETPRO TROJAN Virus.Win32.Sality.k Checkin (trojan.rules)
 2803619 - ETPRO TROJAN W32/Infostealer.A!Maximus Checkin (trojan.rules)
 2803684 - ETPRO WEB_CLIENT MPlayer for Windows Calloc Integer Overflow -
SET .qt (web_client.rules)
 2803908 - ETPRO MOBILE_MALWARE LeNa Android CnC Command (StartDown)
(mobile_malware.rules)
 2804054 - ETPRO TROJAN Tapaoux Initial Checkin (trojan.rules)
 2804083 - ETPRO WEB_CLIENT Flash authoring tool Flex XSS attempt
(web_client.rules)
 2804095 - ETPRO TROJAN Win32/Virut.BN Download Set (trojan.rules)
 2804414 - ETPRO TROJAN TrojanDropper.Win32/Agent.KA Checkin (trojan.rules)
 2839723 - ETPRO TROJAN Win32/Agent Tesla SMTP Activity (trojan.rules)
 2840655 - ETPRO TROJAN Discord Token Grabber Exfil Attempt M1
(trojan.rules)


[---]  Disabled and modified rules:  [---]

 2013671 - ET TROJAN Win32.Riberow.A (touch) (trojan.rules)
 2014265 - ET POLICY IP geo location service response (policy.rules)


[---]         Disabled rules:        [---]

 2010153 - ET TROJAN Koobface fetch C&C command detected (trojan.rules)