[Emerging-Sigs] Daily Ruleset Update Summary 2020/02/10

James Emery-Callcott jcallcott at emergingthreats.net
Mon Feb 10 13:56:55 HST 2020


[***]            Summary:            [***]

  7 new Open, 38 new Pro (7 + 31).  AZORult, TransparentTribe, HeyRAT,
Various Phish, Others.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2029400 - ET TROJAN Observed Malicious SSL Cert (TinyNuke Variant CnC)
2020-02-09 (trojan.rules)
  2029401 - ET TROJAN Win32/AZORult V3.2 Client Checkin M1 (trojan.rules)
  2029402 - ET TROJAN Win32/AZORult V3.2 Client Checkin M2 (trojan.rules)
  2029403 - ET TROJAN Win32/AZORult V3.2 Client Checkin M3 (trojan.rules)
  2029404 - ET TROJAN Win32/AZORult V3.3 Client Checkin M1 (trojan.rules)
  2029405 - ET TROJAN Win32/AZORult V3.3 Client Checkin M2 (trojan.rules)
  2029406 - ET TROJAN Win32/AZORult V3.3 Client Checkin M3 (trojan.rules)

Pro:

  2840940 - ETPRO WEB_CLIENT WordPress Plugin DZS-VideoGallery Cross-Site
Scripting (Inbound) M1 (web_client.rules)
  2840941 - ETPRO WEB_CLIENT WordPress Plugin DZS-VideoGallery Cross-Site
Scripting (Inbound) M2 (web_client.rules)
  2840942 - ETPRO WEB_CLIENT WordPress Plugin DZS-VideoGallery Cross-Site
Scripting (Outbound) M1 (web_client.rules)
  2840943 - ETPRO WEB_CLIENT WordPress Plugin DZS-VideoGallery Cross-Site
Scripting (Outbound) M2 (web_client.rules)
  2840944 - ETPRO TROJAN APT/TransparentTribe CnC Checkin M2 (trojan.rules)
  2840945 - ETPRO TROJAN MalDoc Requesting Malicious crt Payload 2020-02-10
(trojan.rules)
  2840946 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-02-08 1) (trojan.rules)
  2840947 - ETPRO TROJAN HeyRAT CnC Activity (trojan.rules)
  2840948 - ETPRO MALWARE Win32/Adware.Kraddare Variant Checkin
(malware.rules)
  2840949 - ETPRO TROJAN Win32/Hematite.C Checkin (trojan.rules)
  2840950 - ETPRO CURRENT_EVENTS Successful First Bank Phish 2020-02-10
(current_events.rules)
  2840951 - ETPRO CURRENT_EVENTS Successful Ionos 1&1 Phish 2020-02-10
(current_events.rules)
  2840952 - ETPRO CURRENT_EVENTS Successful Ionos 1&1 Phish 2020-02-10
(current_events.rules)
  2840953 - ETPRO CURRENT_EVENTS Successful Quickbooks Phish 2020-02-10
(current_events.rules)
  2840954 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-02-10
(current_events.rules)
  2840955 - ETPRO CURRENT_EVENTS Successful DHL Phish 2020-02-10
(current_events.rules)
  2840956 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-02-10
(current_events.rules)
  2840957 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-02-10
(current_events.rules)
  2840958 - ETPRO CURRENT_EVENTS Successful Generic FR Phish 2020-02-10
(current_events.rules)
  2840959 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-02-10
(current_events.rules)
  2840960 - ETPRO CURRENT_EVENTS Successful Amazon Phish 2020-02-10
(current_events.rules)
  2840961 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish
2020-02-10 (current_events.rules)
  2840962 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-02-10 (current_events.rules)
  2840963 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-02-10 (current_events.rules)
  2840964 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-02-10 (current_events.rules)
  2840965 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2020-02-10
(current_events.rules)
  2840969 - ETPRO TROJAN Win32/Occamy.C Activity M4 (trojan.rules)
  2840970 - ETPRO TROJAN Win32/Occamy.C Activity M5 (trojan.rules)
  2840971 - ETPRO TROJAN Win32/Occamy.C Activity M6 (trojan.rules)
  2840972 - ETPRO TROJAN Win32/Occamy.C Activity M7 (trojan.rules)
  2840973 - ETPRO TROJAN Win32/Remcos RAT Checkin 334 (trojan.rules)

[///]     Modified active rules:     [///]

  2009053 - ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote
File Inclusion (web_specific_apps.rules)
  2009220 - ET SCAN Tomcat upload from external source (scan.rules)
  2009670 - ET WEB_SERVER Nagios statuswml.cgi Remote Arbitrary Shell
Command Injection attempt (web_server.rules)
  2010009 - ET WEB_SPECIFIC_APPS Webmin Pre-1.290 Compromise Attempt
(web_specific_apps.rules)
  2010379 - ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (POST)
(web_server.rules)
  2010380 - ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (GET)
(web_server.rules)
  2010510 - ET WEB_SPECIFIC_APPS Possible OSSIM uniqueid Parameter Remote
Command Execution Attempt (web_specific_apps.rules)
  2016976 - ET CURRENT_EVENTS CoolEK Payload Download (9)
(current_events.rules)
  2017309 - ET TROJAN FortDisco Reporting Status (trojan.rules)
  2017787 - ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install
CnC Beacon (mobile_malware.rules)
  2017869 - ET TROJAN W32/Liftoh.Downloader Final.html Payload Request
(trojan.rules)
  2018025 - ET MALWARE W32/BettrExperience.Adware POST Checkin
(malware.rules)
  2018026 - ET MALWARE W32/BettrExperience.Adware Update Checkin
(malware.rules)
  2018123 - ET TROJAN Win32/Almanahe.B Checkin (trojan.rules)
  2018143 - ET TROJAN Backdoor.Win32.Popwin Checkin (trojan.rules)
  2018245 - ET TROJAN Gamut Spambot Checkin (trojan.rules)
  2018257 - ET TROJAN Gamut Spambot Checkin 2 (trojan.rules)
  2018640 - ET TROJAN Unknown Trojan with Fake Java User-Agent
(trojan.rules)
  2018650 - ET TROJAN Win32.Banload.BTQP Checkin 2 (trojan.rules)
  2018775 - ET TROJAN Dyreza RAT Fake Server Header (trojan.rules)
  2018793 - ET TROJAN EUPUDS.A Requests for Boleto replacement (trojan.rules)
  2020470 - ET TROJAN Dridex POST Retrieving Second Stage (trojan.rules)
  2021133 - ET TROJAN JavaScriptBackdoor HTTP POST CnC Beacon (trojan.rules)
  2021153 - ET TROJAN Wordpress Errorcontent CnC Beacon (trojan.rules)
  2028963 - ET TROJAN DADJOKE/Rail Tycoon Initial Macro Execution
(trojan.rules)
  2029380 - ET TROJAN Win32/Emotet CnC Activity (POST) M8 (trojan.rules)
  2820288 - ETPRO TROJAN Bolek/Kbot CnC Checkin (trojan.rules)
  2822685 - ETPRO TROJAN TheTrick Banking Trojan Affiliate Download
(trojan.rules)
  2822734 - ETPRO TROJAN Win32/DNtoolz0.BR Checkin (trojan.rules)
  2822753 - ETPRO CURRENT_EVENTS Successful Google Docs Phish M2 Oct 19
2016 (current_events.rules)
  2822893 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Oct 26
2016 (current_events.rules)
  2823266 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Nov 15
2016 (current_events.rules)
  2823401 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Nov 21 M1
2016 (current_events.rules)
  2823402 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Nov 21 M2
2016 (current_events.rules)
  2823403 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Nov 21 M3
2016 (current_events.rules)
  2828629 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ff CnC Beacon
(mobile_malware.rules)
  2828634 - ETPRO MOBILE_MALWARE Android/SMSFlooder.Agent.BP CnC Beacon
(mobile_malware.rules)
  2828644 - ETPRO TROJAN Zebrocy Requesting Stage 2 Payload (trojan.rules)
  2828913 - ETPRO TROJAN WIN32/KOVTER.B Checkin 2 M3 (trojan.rules)
  2829537 - ETPRO TROJAN VBS.ARS Plugin Report (trojan.rules)
  2829538 - ETPRO TROJAN VBS.ARS Password Stealer Plugin Report
(trojan.rules)
  2829908 - ETPRO MOBILE_MALWARE Android.Styricka.GEN6254 Checkin
(mobile_malware.rules)
  2831402 - ETPRO TROJAN MSIL/Predator The Thief CnC Checkin (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2014884 - ET CURRENT_EVENTS Request to malicious SutraTDS - lonly= in
cookie (current_events.rules)
  2015818 - ET CURRENT_EVENTS g01pack Exploit Kit .homeip. Landing Page
(current_events.rules)
  2015819 - ET CURRENT_EVENTS g01pack Exploit Kit .homelinux. Landing Page
(current_events.rules)
  2015946 - ET CURRENT_EVENTS CrimeBoss - Setup (current_events.rules)
  2016708 - ET CURRENT_EVENTS CrimeBoss Recent Jar (3)
(current_events.rules)
  2018533 - ET MOBILE_MALWARE Android.Adware.Wapsx.A (mobile_malware.rules)
  2021056 - ET TROJAN Dyre Downloading Mailer 2 (trojan.rules)


[---]         Disabled rules:        [---]

  2015939 - ET CURRENT_EVENTS g01pack Exploit Kit .blogsite. Landing Page
(current_events.rules)
  2017718 - ET TROJAN Trojan.BlackRev Botnet Login Request CnC Beacon
(trojan.rules)
  2020654 - ET TROJAN Banker Boleto Fraud JS_BROBAN.SM Checkin 1
(trojan.rules)
  2020655 - ET TROJAN Banker Boleto Fraud JS_BROBAN.SM Checkin 2
(trojan.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
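The summary above wraps long entries across lines and folds the Open rules into the Pro total ("38 new Pro (7 + 31)"), both of which trip up naive grep-and-count scripts. The following parser is an added example, not part of this post or of any Emerging Threats tooling: it joins the wrapped entries, splits the summary into its bracketed sections, extracts sid, prefix (ET vs ETPRO), category, message and rules file from each entry, and checks the listed additions against the header's counts. The embedded input is a shortened excerpt of this summary with the count line edited to match the excerpt; it is constructed test input, not the real totals.

```python
"""Parse an Emerging Threats daily ruleset update summary (added example,
not part of the original post or of the Emerging Threats tooling)."""
import re
from collections import defaultdict

# Shortened excerpt of the 2020/02/10 summary above; the count line was
# edited to match the excerpt (constructed test input, not the real total).
SUMMARY = """\
[***]            Summary:            [***]

  2 new Open, 4 new Pro (2 + 2).  AZORult, Others.

[+++]          Added rules:          [+++]

Open:

  2029400 - ET TROJAN Observed Malicious SSL Cert (TinyNuke Variant CnC)
2020-02-09 (trojan.rules)
  2029401 - ET TROJAN Win32/AZORult V3.2 Client Checkin M1 (trojan.rules)

Pro:

  2840940 - ETPRO WEB_CLIENT WordPress Plugin DZS-VideoGallery Cross-Site
Scripting (Inbound) M1 (web_client.rules)
  2840947 - ETPRO TROJAN HeyRAT CnC Activity (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2014884 - ET CURRENT_EVENTS Request to malicious SutraTDS - lonly= in
cookie (current_events.rules)

[---]         Disabled rules:        [---]

  2015939 - ET CURRENT_EVENTS g01pack Exploit Kit .blogsite. Landing Page
(current_events.rules)
"""

SECTION_RE = re.compile(r"^\[[+/*-]{3}\]\s+(.+?):\s+\[[+/*-]{3}\]$")
ENTRY_START_RE = re.compile(r"^  \d{7} - ")
ENTRY_RE = re.compile(r"^(\d{7}) - (ET|ETPRO) ([A-Z_]+) (.+) \(([\w.]+\.rules)\)$")
COUNT_RE = re.compile(r"(\d+) new Open, (\d+) new Pro \((\d+) \+ (\d+)\)")


def parse_summary(text):
    """Return (counts, sections): counts is the 4-tuple from the header
    count line, sections maps section name -> list of entry dicts."""
    sections = defaultdict(list)
    counts = None
    section = None
    buf = None  # text of the entry currently being joined across lines

    def flush():
        nonlocal buf
        if buf is None:
            return
        m = ENTRY_RE.match(buf)
        if not m:
            raise ValueError(f"unparsable entry: {buf!r}")
        sid, prefix, category, msg, fname = m.groups()
        sections[section].append({"sid": int(sid), "open": prefix == "ET",
                                  "category": category, "msg": msg, "file": fname})
        buf = None

    for raw in text.splitlines():
        line = raw.rstrip()
        hdr = SECTION_RE.match(line)
        if hdr:
            flush()
            section = hdr.group(1)
        elif section == "Summary":
            m = COUNT_RE.search(line)
            if m:
                counts = tuple(int(x) for x in m.groups())
        elif ENTRY_START_RE.match(line):
            flush()
            buf = line.strip()
        elif buf is not None and line and not line.endswith(":"):
            buf += " " + line.strip()  # wrapped continuation of the entry
        else:
            flush()  # blank line or an "Open:"/"Pro:" sub-heading ends the entry
    flush()
    return counts, dict(sections)


def check_counts(counts, sections):
    """The header's "N new Open, M new Pro (N + P)" counts the Open rules
    inside the Pro figure, so M == N + P and P is the ETPRO-only number."""
    n_open, n_pro, n_open_again, n_pro_only = counts
    added = sections.get("Added rules", [])
    listed_open = sum(e["open"] for e in added)
    listed_pro_only = len(added) - listed_open
    return {
        "header_consistent": n_open == n_open_again and n_pro == n_open + n_pro_only,
        "open_matches": listed_open == n_open,
        "pro_only_matches": listed_pro_only == n_pro_only,
    }
```

Fed the full text of a post, `parse_summary` ignores the mail header, the feedback link and the signature, so the same code can be pointed at an archive of these mails to build a per-SID history of when a rule was added, modified or disabled; `check_counts` flags a summary whose header and body disagree, which is the first thing to look at when a mail has been truncated or mangled in transit.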