[Emerging-Sigs] Daily Ruleset Update Summary 2020/02/11

James Emery-Callcott jcallcott at emergingthreats.net
Tue Feb 11 14:33:44 HST 2020


[***]            Summary:            [***]

  14 new Open, 26 new Pro (14 + 12).  APT40, Mozart Loader, BroomFury,
Various Phish, Others.

  Thanks @james_inthe_box.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2029407 - ET TROJAN Mozart Loader CnC Checkin (getid) (trojan.rules)
  2029408 - ET TROJAN Mozart Loader Command Request (gettasks) (trojan.rules)
  2029409 - ET TROJAN Mozart Loader Command Request (getupdates) (trojan.rules)
  2029410 - ET TROJAN Mozart Loader Command Request (reporttask) (trojan.rules)
  2029411 - ET TROJAN Mozart Loader Command Request (reportupdates) (trojan.rules)
  2029412 - ET TROJAN APT40/Dadstache Related DNS Lookup (trojan.rules)
  2029413 - ET TROJAN APT40/Dadstache Related DNS Lookup (trojan.rules)
  2029414 - ET TROJAN APT40/Dadstache Related DNS Lookup (trojan.rules)
  2029415 - ET TROJAN APT40/Dadstache Related DNS Lookup (trojan.rules)
  2029416 - ET TROJAN APT40/Dadstache Related DNS Lookup (trojan.rules)
  2029417 - ET TROJAN APT40/Dadstache Related DNS Lookup (trojan.rules)
  2029418 - ET TROJAN APT40/Dadstache Related DNS Lookup (trojan.rules)
  2029419 - ET TROJAN APT40/Dadstache Related DNS Lookup (trojan.rules)
  2029420 - ET TROJAN Possible APT40/Dadstache Stage 2 Payload Beacon (trojan.rules)

Pro:

  2840977 - ETPRO INFO Suspicious Bash Script Contents Inbound M1 (info.rules)
  2840978 - ETPRO INFO Suspicious Bash Script Contents Inbound M2 (info.rules)
  2840979 - ETPRO TROJAN Evil Mirai Variant Bash Script Inbound (trojan.rules)
  2840980 - ETPRO CURRENT_EVENTS Possible APT40/Dadstache CnC Activity (current_events.rules)
  2840981 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-02-11 (current_events.rules)
  2840982 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-02-11 (current_events.rules)
  2840983 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-02-11 (current_events.rules)
  2840984 - ETPRO TROJAN MSIL/ClipBanker.MH Variant CnC Activity (trojan.rules)
  2840985 - ETPRO POLICY Wscript Being Retrieved from Pastebin (policy.rules)
  2840986 - ETPRO TROJAN Win32/BroomFury Malicious Email Spam - Template 1 Active M1 (Outbound) (trojan.rules)
  2840987 - ETPRO TROJAN Win32/BroomFury Malicious Email Spam - Template 1 Active M2 (Outbound) (trojan.rules)
  2840988 - ETPRO TROJAN MSIL/Unk RAT Sending Screenshots via SMTP (trojan.rules)

[///]     Modified active rules:     [///]

  2017520 - ET TROJAN Worm.VBS.ayr CnC command (is-enum-folder) (trojan.rules)
  2020944 - ET TROJAN Chthonic CnC Beacon 5 (trojan.rules)
  2020946 - ET TROJAN Chthonic CnC Beacon 6 (trojan.rules)
  2021030 - ET TROJAN BePush/Kilim CnC Beacon (trojan.rules)
  2021051 - ET TROJAN Linux.Mumblehard Initial Checkin (trojan.rules)
  2021052 - ET TROJAN Linux.Mumblehard Command Status CnC (trojan.rules)
  2021141 - ET CURRENT_EVENTS DNSChanger EK Landing URI Struct May 22 2015 (current_events.rules)
  2021229 - ET TROJAN Scanbox Sending Host Data (trojan.rules)
  2820288 - ETPRO TROJAN Bolek/Kbot CnC Checkin (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2839262 - ETPRO CURRENT_EVENTS Possible GreenFlash Sundown EK Flash Artifact (current_events.rules)

[---]         Disabled rules:        [---]

  2017518 - ET TROJAN Worm.VBS.ayr CnC command (/iam-ready) (trojan.rules)
  2020989 - ET CURRENT_EVENTS Possible Sundown EK Payload Struct T1 Apr 24 2015 (current_events.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team