[Emerging-Sigs] Daily Ruleset Update Summary 2020/02/06

Brandon Murphy bmurphy at emergingthreats.net
Thu Feb 6 13:30:14 HST 2020


[***]            Summary:            [***]

 17 new Open, 35 new Pro (17 + 19). DarkRAT Variant, ELF/Mirai, Win32/VIP6,
APT34 TONEDEAF 2.0, Various Phish

 Thanks GM CIRT

 Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2029381 - ET TROJAN Cobalt Strike Malleable C2 Request (Stackoverflow Profile) (trojan.rules)
  2029382 - ET TROJAN APT34 TONEDEAF 2.0 Requesting Commands from CnC (trojan.rules)
  2029383 - ET TROJAN APT34 TONEDEAF 2.0 Uploading to CnC (trojan.rules)
  2029384 - ET TROJAN Possible APT34 TONEDEAF 2.0 User-Agent Observed (trojan.rules)
  2029385 - ET TROJAN Observed Malicious SSL Cert (APT34 CnC) (trojan.rules)
  2029386 - ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC) (trojan.rules)
  2029387 - ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC) (trojan.rules)
  2029388 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) (trojan.rules)
  2029389 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) (trojan.rules)
  2029390 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) (trojan.rules)
  2029391 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) (trojan.rules)
  2029392 - ET TROJAN Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) (trojan.rules)
  2029393 - ET TROJAN MINEBRIDGE/MINEDOOR CnC Checkin (malware.rules)
  2029394 - ET TROJAN Malicious SSL Certificate detected (Patchwork CnC) (trojan.rules)
  2029395 - ET TROJAN Patchwork Backdoor Checkin (trojan.rules)
  2029396 - ET TROJAN Patchwork Backdoor - Sending Task Results (trojan.rules)
  2029397 - ET TROJAN Patchwork Backdoor - Requesting Task (malware.rules)

Pro:

  2816665 - ETPRO INFO Fake Doc Request Retrieving MZ Payload (set) (info.rules)
  2816666 - ETPRO INFO Fake Doc Request Retrieving MZ Payload (info.rules)
  2840891 - ETPRO TROJAN DarkRAT Variant CnC Checkin (trojan.rules)
  2840892 - ETPRO TROJAN DarkRAT Variant Init Checkin (trojan.rules)
  2840893 - ETPRO TROJAN Win32/Occamy.C Activity M3 (malware.rules)
  2840895 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-06 1) (trojan.rules)
  2840896 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-06 2) (trojan.rules)
  2840897 - ETPRO CURRENT_EVENTS Successful Mimecast Office 365 Phish 2020-02-06 (current_events.rules)
  2840898 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-02-06 (current_events.rules)
  2840899 - ETPRO CURRENT_EVENTS Successful Generic Banking Phish 2020-02-06 (current_events.rules)
  2840900 - ETPRO CURRENT_EVENTS Successful Maersk Phish 2020-02-06 (current_events.rules)
  2840901 - ETPRO CURRENT_EVENTS Successful ADP Phish 2020-02-06 (current_events.rules)
  2840902 - ETPRO CURRENT_EVENTS Successful VDK Bank Phish 2020-02-06 (current_events.rules)
  2840903 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
  2840904 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2840905 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
  2840906 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2840907 - ETPRO TROJAN Win32/VIP6 CnC Checkin (malware.rules)


[///]     Modified active rules:     [///]

  2009813 - ET TROJAN Trojan.MyDNS DNSChanger - HTTP POST (trojan.rules)
  2010439 - ET TROJAN Generic Trojan Checkin (UA VBTagEdit) (trojan.rules)
  2013043 - ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST Message Body (policy.rules)
  2013441 - ET TROJAN EXE Download When Server Claims To Send Audio File - Must Be Win32 (trojan.rules)
  2014544 - ET CURRENT_EVENTS TDS Sutra - cookie set (current_events.rules)
  2014643 - ET TROJAN ConstructorWin32/Agent.V (trojan.rules)
  2016108 - ET CURRENT_EVENTS Topic EK Requesting PDF (current_events.rules)
  2016452 - ET TROJAN WEBC2-CLOVER Checkin APT1 Related (trojan.rules)
  2017086 - ET WEB_SERVER WebShell - GODSpy - MySQL (web_server.rules)
  2017368 - ET TROJAN Possible Avatar RootKit Yahoo Group Search (trojan.rules)
  2017731 - ET CURRENT_EVENTS Possible Styx EK SilverLight Payload (current_events.rules)
  2017999 - ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon (mobile_malware.rules)
  2803338 - ETPRO TROJAN Autorun.ajbk/Alureon.J Checkin (trojan.rules)
  2803339 - ETPRO TROJAN Downloader.Win32.BaoFa.cfx checkin (trojan.rules)
  2805231 - ETPRO TROJAN Worm.Win32/Taterf.B Checkin (trojan.rules)
  2807392 - ETPRO TROJAN Banload Variant Checkin (trojan.rules)
  2807401 - ETPRO TROJAN Trojan-Downloader.Win32.Banload.byyi Checkin (trojan.rules)
  2840692 - ETPRO TROJAN Lightning Backdoor - GetCommand via JSON (trojan.rules)
  2840693 - ETPRO TROJAN Lightning Backdoor - GetCommand via XML (trojan.rules)


[---]  Disabled and modified rules:  [---]

  2016345 - ET MOBILE_MALWARE DroidKungFu Variant (mobile_malware.rules)
  2017200 - ET CURRENT_EVENTS Possible Sakura Jar Download (current_events.rules)
  2018263 - ET CURRENT_EVENTS Dell Kace backdoor (current_events.rules)
  2018300 - ET TROJAN Win32/Stoberox.B (trojan.rules)


[---]         Disabled rules:        [---]

  2016240 - ET CURRENT_EVENTS Impact Exploit Kit Class Download (current_events.rules)
  2807548 - ETPRO TROJAN Win32.VJadtre.2 Checkin (trojan.rules)
  2838717 - ETPRO TROJAN Possible Unk JSP WebShell Access M6 (trojan.rules)


[---]         Removed rules:         [---]

  2816665 - ETPRO TROJAN Win32/TrojanDownloader.Banload.XAK Fake Doc Request Retrieving Payload (trojan.rules)
  2816666 - ETPRO TROJAN Win32/TrojanDownloader.Banload.XAK Downloading PE (trojan.rules)