[Emerging-Sigs] Daily Ruleset Update Summary 2020/02/19

Jason Williams jwilliams at emergingthreats.net
Wed Feb 19 13:57:21 HST 2020


[***]            Summary:            [***]

9 new Open, 29 new Pro (9 + 20). Mermaid Ransomware, Charming Kitten,
Gamaredon, Revenge-RAT, Ursnif.

Thanks @dadamitis @prevailion @AdAstra247

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

 Open:

  2029492 - ET TROJAN Spark Backdoor CnC Domain Query (trojan.rules)
  2029493 - ET CURRENT_EVENTS Possible Glitch.me Phishing Domain (current_events.rules)
  2029494 - ET TROJAN Possible Charming Kitten Backdoor Checkin (trojan.rules)
  2029495 - ET TROJAN Possible Charming Kitten Backdoor CnC Activity (trojan.rules)
  2029496 - ET TROJAN Mermaid Ransomware Variant CnC Activity M4 (trojan.rules)
  2029497 - ET TROJAN PHPs Labyrinth Backdoor Stage2 CnC Activity M1 (trojan.rules)
  2029498 - ET TROJAN PHPs Labyrinth Backdoor Stage2 CnC Activity M2 (trojan.rules)
  2029499 - ET TROJAN PHPs Labyrinth Backdoor Stage1 CnC Activity (trojan.rules)
  2029500 - ET TROJAN Suspected Gamaredon Downloader Activity (trojan.rules)

 Pro:

  2841101 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2020-02-18) (current_events.rules)
  2841102 - ETPRO CURRENT_EVENTS Observed MalDoc DL 2020-02-18 Domain in TLS SNI (current_events.rules)
  2841103 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2020-02-18 2) (current_events.rules)
  2841104 - ETPRO TROJAN Observed Inbound Obfuscated PowerShell/VBS (trojan.rules)
  2841105 - ETPRO TROJAN ELF/Gafygt Variant CnC Activity (trojan.rules)
  2841106 - ETPRO TROJAN Observed Malicious SSL Cert (PsiXbot CnC) (trojan.rules)
  2841107 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL 2020-02-19) (trojan.rules)
  2841108 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-19 1) (trojan.rules)
  2841109 - ETPRO CURRENT_EVENTS Successful Ziraat Bankasi Phish 2020-02-19 (current_events.rules)
  2841110 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish 2020-02-19 (current_events.rules)
  2841111 - ETPRO CURRENT_EVENTS Successful American Express Phish 2020-02-19 (current_events.rules)
  2841112 - ETPRO TROJAN Win32/BlackNET CnC Checkin M3 (trojan.rules)
  2841113 - ETPRO TROJAN MSIL/Revenge-RAT CnC Checkin M4 (trojan.rules)
  2841114 - ETPRO TROJAN MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 (trojan.rules)
  2841115 - ETPRO TROJAN MSIL/Revenge-RAT Keep-Alive Activity (Inbound) M2 (trojan.rules)
  2841116 - ETPRO TROJAN Observed Malicious SSL Cert (IcedID CnC) (trojan.rules)
  2841117 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
  2841118 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
  2841119 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
  2841120 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)

 [///]     Modified active rules:     [///]

  2022503 - ET TROJAN Dridex AlphaNum DL Feb 10 2016 (trojan.rules)
  2025892 - ET TROJAN Observed Malicious SSL Cert (OilRig QUADAGENT CnC) (trojan.rules)
  2025918 - ET TROJAN Observed Malicious SSL Cert (MICROPSIA CnC Domain) (trojan.rules)
  2026946 - ET TROJAN Unk.GanDownloader CnC Checkin (trojan.rules)
  2027089 - ET EXPLOIT Possible LG SuperSign EZ CMS 2.5 RCE (CVE-2018-17173) (exploit.rules)
  2027144 - ET TROJAN Xwo CnC Activity (trojan.rules)
  2027417 - ET GAMES Wolfteam HileYapak Server Response (games.rules)
  2027424 - ET MALWARE LNKR Possible Response for LNKR js file (malware.rules)
  2027425 - ET MALWARE LNKR landing page (possible compromised site) M1 (malware.rules)
  2027426 - ET MALWARE LNKR landing page (possible compromised site) M2 (malware.rules)
  2027427 - ET MALWARE LNKR landing page (possible compromised site) M3 (malware.rules)
  2027429 - ET MALWARE LNKR landing page (possible compromised site) M5 (malware.rules)
  2027810 - ET TROJAN Win32/Onliner Mailer Module Communicating with CnC (trojan.rules)
  2028913 - ET TROJAN BadPatch CnC Activity (trojan.rules)
  2028941 - ET CURRENT_EVENTS Powershell Download Command Observed within Flash File - Probable EK Activity (current_events.rules)
  2029298 - ET TROJAN Nexus Stealer CnC Data Exfil (trojan.rules)
  2802861 - ETPRO TROJAN Trojan.Win32.Dalgan.A Activity (trojan.rules)
  2802952 - ETPRO TROJAN Herpbot.B Checkin (trojan.rules)
  2805970 - ETPRO TROJAN Backdoor.Win32.MoSucker.23 reporting via ICQ WWW script (trojan.rules)
  2806376 - ETPRO TROJAN Trojan-Spy.Win32.Ambler Checkin (trojan.rules)
  2806668 - ETPRO TROJAN Win32.Jorik.Agent.mi 3 (trojan.rules)
  2806776 - ETPRO TROJAN Win32/Ghodow.NAS .exe Download (trojan.rules)
  2806809 - ETPRO TROJAN Win32/Agent.URS Checkin (trojan.rules)
  2806864 - ETPRO TROJAN Win32/Alureon.GD Checkin (trojan.rules)
  2806896 - ETPRO TROJAN Backdoor.Graybird Checkin (trojan.rules)
  2807440 - ETPRO TROJAN Win32/Ranbyus Check-in (trojan.rules)
  2811035 - ETPRO INFO Application Installer Prompt via Smart Installer (info.rules)
  2811429 - ETPRO TROJAN Downeks CnC Beacon (trojan.rules)
  2811472 - ETPRO TROJAN NSIS/TrojanDownloader.Agent.NRQ Downloader Checkin (trojan.rules)
  2811842 - ETPRO TROJAN Win32/Sifre.A Checkin (trojan.rules)
  2812016 - ETPRO TROJAN Win32.YY Generic Checkin 1 (trojan.rules)
  2812025 - ETPRO MALWARE Win32/Adware.Kraddare.LA Variant PUP Activity (malware.rules)
  2812029 - ETPRO EXPLOIT TOTOLINK Possible RCE HTTP Request (exploit.rules)
  2812039 - ETPRO TROJAN Win32/Parite.B Connectivity Check (trojan.rules)
  2812040 - ETPRO TROJAN Win32/Parite.B Checkin 2 (trojan.rules)
  2812117 - ETPRO TROJAN Win32/VB.RZM Checkin (trojan.rules)
  2812125 - ETPRO TROJAN Win32/Renocide.gen!H Checkin (trojan.rules)
  2812126 - ETPRO TROJAN Win32/Poindampa.A Geolocate Request (trojan.rules)
  2812138 - ETPRO MALWARE Win32/VK.SerfingBot PUP Activity (malware.rules)
  2812178 - ETPRO TROJAN Win32/Bagsu.A Checkin (trojan.rules)
  2812188 - ETPRO TROJAN Win32/Huhk.7005 CnC Checkin (trojan.rules)
  2812205 - ETPRO TROJAN Win32/Bagsu.A Connectivity Check (trojan.rules)
  2812206 - ETPRO TROJAN Win32/Bagsu.A Connectivity Check 2 (trojan.rules)
  2812415 - ETPRO TROJAN Win32.Diztakun.zsg Infostealer M2 (trojan.rules)
  2812417 - ETPRO TROJAN Win32.Diztakun.zsg Infostealer M4 (trojan.rules)
  2816568 - ETPRO TROJAN Win32/Pottieq.A Ransomware CnC Checkin M2 (trojan.rules)
  2826356 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 5 (mobile_malware.rules)
  2830555 - ETPRO TROJAN Observed Malicious SSL Cert (MSIL/Vinstrok.Stealer CnC) (trojan.rules)
  2830927 - ETPRO TROJAN Observed Malicious SSL Cert (Bateleur CnC Domain) (trojan.rules)
  2830985 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Group Loader CnC Domain) (trojan.rules)
  2830986 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Group Loader CnC Domain) (trojan.rules)
  2831027 - ETPRO TROJAN Observed Malicious SSL Cert (Bateleur CnC Domain) (trojan.rules)
  2831494 - ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda CnC Domain) (trojan.rules)
  2832026 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif Loader CnC Domain) (trojan.rules)
  2832027 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC Domain) (trojan.rules)
  2833467 - ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda CnC) (trojan.rules)
  2833468 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
  2833471 - ETPRO TROJAN Observed Malicious SSL Cert (BrushaLoader CnC) (trojan.rules)
  2838349 - ETPRO TROJAN Win32/TrickBot CnC Initial Checkin (trojan.rules)

 [---]  Disabled and modified rules:  [---]

  2026460 - ET TROJAN Possible Locky JS Downloading Payload (trojan.rules)
  2811861 - ETPRO CURRENT_EVENTS Possible Nuclear EK Landing Jul 08 2015 M1 (current_events.rules)
  2811862 - ETPRO CURRENT_EVENTS Possible Nuclear EK Landing Jul 08 2015 M2 (current_events.rules)
  2811863 - ETPRO CURRENT_EVENTS Possible Nuclear EK Landing Jul 08 2015 M2 (current_events.rules)
  2812171 - ETPRO TROJAN Win32/QQpass.gen!E Activity (trojan.rules)
  2826158 - ETPRO CURRENT_EVENTS Successful Amazon Phish via JS Form in PDF Apr 27 2017 (current_events.rules)
  2826159 - ETPRO INFO Possible Successful Credential Phish via JS Form in PDF Apr 27 2017 (info.rules)

 [---]         Disabled rules:        [---]

  2026899 - ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC) (trojan.rules)
  2811144 - ETPRO TROJAN WORM.VBS/JENXCUS.DN Checkin (trojan.rules)
  2811335 - ETPRO TROJAN Win32/PSW.Papras.DT CnC (trojan.rules)
  2812119 - ETPRO TROJAN Win32/Banload.BBN Checkin (trojan.rules)
  2815374 - ETPRO TROJAN Win32.Keylogger.dklygt Checkin (trojan.rules)