[Emerging-Sigs] [Etpro-sigs] Daily Ruleset Update Summary 2020/02/27

Pietro Delsante p.delsante at certego.net
Thu Feb 27 23:23:42 HST 2020


Hello Brandon,

It looks like GMail has been marking the last few messages as spam, because
the signature names you list in the recap often include malicious domain
names. I suspect other mail services may be doing the same.

Would it be possible to always obfuscate any IP address or domain name
before sending out the message (or even when assigning new signature names)?

For example, if you look at today's disabled rules, all domains related to
Cerber (e.g. 2820854) are correctly obfuscated with a whitespace between
first and second level, while the ones regarding phishing landing
(e.g. 2820854) are unobfuscated.

Kind regards,
Pietro

On Fri, 28 Feb 2020 at 01:44, Brandon Murphy <
bmurphy at emergingthreats.net> wrote:

> [***]            Summary:            [***]
>
>  8 new Open, 27 new Pro (8 + 20). Legion Loader, GoLang Discord Token
> Grabber, Win32/Presenoker, Win32/Vidar/Arkei/Oski Variant, Various
> Phishing, Ongoing Rule Pruning (192 disabled rules).
>
>  Thanks: @sysopfb
>
>  Please share issues, feedback, and requests at
> https://feedback.emergingthreats.net/feedback
>
>
> [+++]          Added rules:          [+++]
>
> Open:
>
>   2029541 - ET TROJAN Legion Loader Activity Observed (heil_satan)
> (trojan.rules)
>   2029542 - ET TROJAN GoLang Discord Token Grabber Exfil (trojan.rules)
>   2029543 - ET MALWARE Ads2Srv Bundle Installer Offer Request
> (malware.rules)
>   2029544 - ET USER_AGENTS Suspicious User-Agent (VB OpenUrl)
> (user_agents.rules)
>   2029545 - ET MALWARE Win32/Adware.YoutubeDownloaderGuru.A Variant CnC
> Activity (malware.rules)
>   2029546 - ET MALWARE Win32/YTDDownloader.F Variant CnC Activity
> (malware.rules)
>   2029547 - ET TROJAN Observed Ursnif Domain in TLS SNI (trojan.rules)
>   2029548 - ET TROJAN Observed Ursnif Domain in TLS SNI (trojan.rules)
>
> Pro:
>
>   2841237 - ETPRO TROJAN Win32/Vidar/Arkei/Oski Variant Stealer Uploading
> System Information (trojan.rules)
>   2841238 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST
> Request (Cookies/MozillaFirefox) (trojan.rules)
>   2841239 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST
> Request (Screensh0t.) (trojan.rules)
>   2841240 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request
> (wallet.dat) (info.rules)
>   2841241 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST
> Request (Cookies_List.txt) (trojan.rules)
>   2841242 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2020-02-27 1) (trojan.rules)
>   2841243 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2020-02-27 2) (trojan.rules)
>   2841244 - ETPRO CURRENT_EVENTS Successful Verizon Phish 2020-02-27
> (current_events.rules)
>   2841245 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-02-27
> (current_events.rules)
>   2841246 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-02-27
> (current_events.rules)
>   2841247 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
> 2020-02-27 (current_events.rules)
>   2841248 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
> 2020-02-27 (current_events.rules)
>   2841249 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
> 2020-02-27 (current_events.rules)
>   2841250 - ETPRO CURRENT_EVENTS Successful Linkedin Phish 2020-02-27
> (current_events.rules)
>   2841251 - ETPRO CURRENT_EVENTS Successful Adobe PDF Cloud Phish
> 2020-02-27 (current_events.rules)
>   2841252 - ETPRO TROJAN AvatarLoader CnC Download and Execute Request
> (trojan.rules)
>   2841253 - ETPRO TROJAN Legion Loader Activity Observed (trojan.rules)
>   2841254 - ETPRO TROJAN Win32/Presenoker Requesting Batch File M8
> (trojan.rules)
>   2841255 - ETPRO TROJAN STATUSCREW Downloader Activity (trojan.rules)
>   2841256 - ETPRO TROJAN STATUSCREW Downloader Activity M2 (trojan.rules)
>
>
> [///]     Modified active rules:     [///]
>
>   2025134 - ET POLICY OnePlus phone data leakage (policy.rules)
>   2026007 - ET TROJAN [PTsecurity] MSIL/Biskvit.A Check-in (trojan.rules)
>   2029539 - ET TROJAN JS/Ostap Maldoc Check-in (trojan.rules)
>   2810581 - ETPRO TROJAN Win32/Vflooder.C CnC Beacon (trojan.rules)
>   2821811 - ETPRO TROJAN Win32/Banload Variant Connectivity Check
> (trojan.rules)
>   2825767 - ETPRO TROJAN Stolich Gen Ransomware CnC Create Key
> (trojan.rules)
>   2825768 - ETPRO TROJAN Stolich Gen Ransomware CnC Save Key (trojan.rules)
>   2825789 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.IC CnC Beacon
> (mobile_malware.rules)
>   2825791 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.IC Contacts
> Exfil (mobile_malware.rules)
>   2828791 - ETPRO MOBILE_MALWARE Android/Guerrilla.AM Checkin
> (mobile_malware.rules)
>   2828878 - ETPRO MOBILE_MALWARE Android/DroidDream.D Checkin 2
> (mobile_malware.rules)
>   2828879 - ETPRO MOBILE_MALWARE Android/DroidDream.D Checkin 3
> (mobile_malware.rules)
>   2828880 - ETPRO MOBILE_MALWARE Android/DroidDream.D Checkin 4
> (mobile_malware.rules)
>   2829003 - ETPRO MOBILE_MALWARE ANDROIDOS_ANUBISSPY Checkin
> (mobile_malware.rules)
>   2829618 - ETPRO TROJAN Chthonic CnC Beacon 13 (trojan.rules)
>   2829620 - ETPRO TROJAN Chthonic CnC Beacon Generic M1 (trojan.rules)
>   2829625 - ETPRO TROJAN Chthonic CnC Beacon 14 (trojan.rules)
>   2831162 - ETPRO TROJAN BKDR_QULKONWI.GHR Checkin M2 (trojan.rules)
>   2831202 - ETPRO TROJAN W32.PP2018.CN Stealer Checkin (trojan.rules)
>   2831258 - ETPRO MALWARE Win32/SoftExperts.A PUP/PUA Checkin
> (malware.rules)
>   2831780 - ETPRO TROJAN W32.Gamaredon.Variant Checkin (trojan.rules)
>   2831782 - ETPRO TROJAN Win32.Ursu.Variant Checkin (trojan.rules)
>   2831888 - ETPRO MOBILE_MALWARE Android/Agent-MJK CnC Beacon
> (mobile_malware.rules)
>   2833279 - ETPRO TROJAN W32.SpyBanker.BR Variant Checkin (trojan.rules)
>   2833295 - ETPRO TROJAN W32.YBomeMiner Checkin M2 (trojan.rules)
>   2835216 - ETPRO TROJAN Win32/Agent.RNS Requesting New Payload CnC
> Address (trojan.rules)
>   2838440 - ETPRO TROJAN AvatarLoader CnC Checkin (trojan.rules)
>   2840985 - ETPRO POLICY Wscript Being Retrieved from Pastebin
> (policy.rules)
>
>
> [---]  Disabled and modified rules:  [---]
>
>   2820814 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website Jun
> 21 M4 (current_events.rules)
>   2820855 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite.com Jun 24
> M1 (current_events.rules)
>   2820856 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite.com Jun 24
> M2 (current_events.rules)
>   2820857 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite.com Jun 24
> M3 (current_events.rules)
>   2820858 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite.com Jun 24
> M4 (current_events.rules)
>   2820859 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite.com Jun 24
> M5 (current_events.rules)
>   2820923 - ETPRO CURRENT_EVENTS Phishing Landing via udo.photo Jun 28 M1
> (current_events.rules)
>   2820924 - ETPRO CURRENT_EVENTS Phishing Landing via udo.photo Jun 28 M2
> (current_events.rules)
>   2820926 - ETPRO CURRENT_EVENTS Phishing Landing via ulcraft.com Jun 28
> M1 (current_events.rules)
>   2820928 - ETPRO CURRENT_EVENTS Phishing Landing via biennale.info Jun
> 28 M1 (current_events.rules)
>   2820929 - ETPRO CURRENT_EVENTS Phishing Landing via biennale.info Jun
> 28 M2 (current_events.rules)
>   2820931 - ETPRO CURRENT_EVENTS Phishing Landing via topstyle.me Jun 28
> M1 (current_events.rules)
>   2821228 - ETPRO CURRENT_EVENTS Phishing Landing via Webydo.com Jul 21 M2
> (current_events.rules)
>   2821323 - ETPRO CURRENT_EVENTS Phishing Landing via imcreator.com /
> imxprs.com Jul 22 M1 (current_events.rules)
>   2821324 - ETPRO CURRENT_EVENTS Phishing Landing via imcreator.com /
> imxprs.com Jul 22 M2 (current_events.rules)
>   2821325 - ETPRO CURRENT_EVENTS Phishing Landing via imcreator.com /
> imxprs.com Jul 22 M3 (current_events.rules)
>   2821326 - ETPRO CURRENT_EVENTS Phishing Landing via imcreator.com /
> imxprs.com Jul 22 M4 (current_events.rules)
>   2821634 - ETPRO CURRENT_EVENTS Successful Gmail Phish M2 Aug 12 2016
> (current_events.rules)
>   2822366 - ETPRO CURRENT_EVENTS Phishing Landing via urest.org Oct 03 M1
> (current_events.rules)
>   2822367 - ETPRO CURRENT_EVENTS Phishing Landing via urest.org Oct 03 M2
> (current_events.rules)
>
>
>  [---]         Disabled rules:        [---]
>
>   2015981 - ET CURRENT_EVENTS Zuponcic Hostile Jar (current_events.rules)
>   2016542 - ET CURRENT_EVENTS Possible Portal TDS Kit GET
> (current_events.rules)
>   2016718 - ET CURRENT_EVENTS BHEK q.php iframe outbound
> (current_events.rules)
>   2016817 - ET CURRENT_EVENTS Possible Java Applet JNLP
> applet_ssv_validated in Base64 2 (current_events.rules)
>   2016818 - ET CURRENT_EVENTS Possible Java Applet JNLP
> applet_ssv_validated in Base64 3 (current_events.rules)
>   2017187 - ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 1
> (current_events.rules)
>   2017189 - ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 3
> (current_events.rules)
>   2018568 - ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (TTL 1)
> (current_events.rules)
>   2018569 - ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (Disable
> Forwarding) (current_events.rules)
>   2019194 - ET CURRENT_EVENTS Nuclear EK Redirect Sept 18 2014
> (current_events.rules)
>   2019610 - ET TROJAN Possible EITest Flash Redirect (trojan.rules)
>   2019634 - ET CURRENT_EVENTS Sweet Orange Landing Nov 3 2014
> (current_events.rules)
>   2019775 - ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332
> Common Construct b64 3 (Observed in Archie EK) (current_events.rules)
>   2019894 - ET CURRENT_EVENTS Probable malicious download from e-mail link
> /1.php (current_events.rules)
>   2019989 - ET CURRENT_EVENTS Evil Redirector Leading to EK Dec 22 2014
> Video (current_events.rules)
>   2019991 - ET CURRENT_EVENTS Evil Redirector Leading to EK Dec 22 2014
> Search (current_events.rules)
>   2020091 - ET CURRENT_EVENTS Cushion Redirection URI Struct Mon Jan 05
> 2015 (current_events.rules)
>   2020318 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Jan 27 2015 M1
> (current_events.rules)
>   2020392 - ET CURRENT_EVENTS KaiXin Secondary Landing Page
> (current_events.rules)
>   2020584 - ET CURRENT_EVENTS Sweet Orange EK Flash Exploit IE March 03
> 2015 (current_events.rules)
>   2020626 - ET CURRENT_EVENTS Fiesta EK Landing URI Struct March 6 2015
> (current_events.rules)
>   2020824 - ET CURRENT_EVENTS VBScript Driveby Related TDS MAR 31 2015
> (current_events.rules)
>   2020838 - ET CURRENT_EVENTS Malicious Doc Downloading EXE
> (current_events.rules)
>   2021156 - ET CURRENT_EVENTS Evil JS iframe Embedded In GIF
> (current_events.rules)
>   2021364 - ET CURRENT_EVENTS Magnitude CVE-2015-3113 Jun 29 2015 M1
> (current_events.rules)
>   2021429 - ET CURRENT_EVENTS Possible IE MSMXL Detection of Local DLL
> (Likely Malicious) (current_events.rules)
>   2021430 - ET CURRENT_EVENTS Possible IE MSMXL Detection of Local SYS
> (Likely Malicious) (current_events.rules)
>   2021762 - ET CURRENT_EVENTS Spartan EK Secondary Flash Exploit DL
> (current_events.rules)
>   2022349 - ET CURRENT_EVENTS CoinMiner Malicious Authline Seen in JAR
> Backdoor (current_events.rules)
>   2022604 - ET CURRENT_EVENTS Successful Enom Phish Mar 08 2016
> (current_events.rules)
>   2805070 - ETPRO TROJAN Trojan.Downloader receiving config for
> spearphishing campaign (trojan.rules)
>   2809795 - ETPRO CURRENT_EVENTS Possible Magnitude exploit payload
> contype check Feb 12 2015 (current_events.rules)
>   2810583 - ETPRO CURRENT_EVENTS DRIVEBY Magnitude Landing Dec 03 2014 M2
> (current_events.rules)
>   2810910 - ETPRO CURRENT_EVENTS .zip Download from GoogleAPI with Minimal
> headers Possible Trojan.MSIL.Banload.DD Dropping Spy.Banker (Download)
> (current_events.rules)
>   2811604 - ETPRO CURRENT_EVENTS Likely Evil JS ECS Shop With Various
> Crypto Primatives In Page (Observed in Unknown EK) (current_events.rules)
>   2811762 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK (Anti-AV
> Check) (current_events.rules)
>   2812062 - ETPRO CURRENT_EVENTS Adfraud Redirector (current_events.rules)
>   2812124 - ETPRO MALWARE Win32/Adware.FileTour Variant PUP - IE Redirect
> (malware.rules)
>   2812603 - ETPRO TROJAN Win32/Genasom.FO Malicious Redirect (trojan.rules)
>   2813049 - ETPRO CURRENT_EVENTS File Enum Image Res (Observed in
> Magnitude EK Landing) Sept 16 2015 (current_events.rules)
>   2814480 - ETPRO CURRENT_EVENTS Generic Mix Alpha-Numeric Encoded HTML
> Entity in Object (Observed in SunDown/Xer EK) (current_events.rules)
>   2814712 - ETPRO CURRENT_EVENTS Ursnif Payload via Document Macro
> (current_events.rules)
>   2814756 - ETPRO CURRENT_EVENTS Ursnif Payload via Document Macro Nov 4
> (current_events.rules)
>   2814804 - ETPRO CURRENT_EVENTS Ursnif Payload via Document Macro Nov 5
> (current_events.rules)
>   2815006 - ETPRO CURRENT_EVENTS Successful Jimdo Outlook Web App Phishing
> Nov 19 (current_events.rules)
>   2815831 - ETPRO CURRENT_EVENTS Form Submission to Ezweb123.com -
> Possible Successful Phish Jan 15 (current_events.rules)
>   2815897 - ETPRO CURRENT_EVENTS Phishing Landing via Jimdo.com Jan 22 M1
> (current_events.rules)
>   2815898 - ETPRO CURRENT_EVENTS Phishing Landing via Jimdo.com Jan 22 M2
> (current_events.rules)
>   2815954 - ETPRO CURRENT_EVENTS Phishing Landing via Sitey.me Jan 25 M1
> (current_events.rules)
>   2815956 - ETPRO CURRENT_EVENTS Phishing Landing via Sitey.me Jan 25 M3
> (current_events.rules)
>   2815964 - ETPRO CURRENT_EVENTS Phishing Landing via Jimdo.com Jan 26 M2
> (current_events.rules)
>   2815967 - ETPRO CURRENT_EVENTS Successful Jimdo Phishing Jan 26
> (current_events.rules)
>   2816078 - ETPRO CURRENT_EVENTS TorrentLocker Localization Redirect Feb 3
> (current_events.rules)
>   2816330 - ETPRO CURRENT_EVENTS Possible Nuclear EK Payload VarLen XOR
> (Nulls) M2 (current_events.rules)
>   2816450 - ETPRO CURRENT_EVENTS Apple Phishing Landing Mar 1
> (current_events.rules)
>   2816490 - ETPRO CURRENT_EVENTS Apple Phishing Landing Redirect M1 Mar 02
> 2016 (current_events.rules)
>   2816725 - ETPRO TROJAN Win32/Unknown CnC (upload) (trojan.rules)
>   2816765 - ETPRO CURRENT_EVENTS Apple Phishing Landing Obfuscation Mar 28
> (current_events.rules)
>   2816843 - ETPRO CURRENT_EVENTS Successful MyFreeSites.com Phish Mar 31
> (current_events.rules)
>   2816943 - ETPRO TROJAN Possible Derusbi SSL Cert (trojan.rules)
>   2819670 - ETPRO TROJAN Unknown Keylogger Checkin (trojan.rules)
>   2819819 - ETPRO TROJAN Ransomware/Poshcoder Onion Domain Lookup
> (trojan.rules)
>   2819913 - ETPRO TROJAN Jupiter Banker Injects DNS Lookup (trojan.rules)
>   2819914 - ETPRO TROJAN Jupiter Banker Injects Domain in SSL Client Hello
> (trojan.rules)
>   2819960 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
> Injects) (trojan.rules)
>   2820004 - ETPRO TROJAN Malicious SSL Certificate Detected (Social
> Engineering Kit) (trojan.rules)
>   2820010 - ETPRO TROJAN Observerd Malvertising Domain SSL Cert
> (trojan.rules)
>   2820013 - ETPRO CURRENT_EVENTS Possible XML Phishing Landing May 2
> (current_events.rules)
>   2820036 - ETPRO CURRENT_EVENTS Generic Email Credential Theft Phishing
> Landing May 3 (current_events.rules)
>   2820094 - ETPRO CURRENT_EVENTS Sundown/Xer EK Landing May 05 2016 M2
> (b642) (current_events.rules)
>   2820155 - ETPRO CURRENT_EVENTS French Gmail Account Update Phishing
> Landing May 10 (current_events.rules)
>   2820173 - ETPRO TROJAN Malicious SSL certificate detected (Gozi CnC)
> (trojan.rules)
>   2820178 - ETPRO TROJAN Unknown Locker C2 domain (trojan.rules)
>   2820292 - ETPRO TROJAN Bolek/Kbot CnC DNS Lookup (cibc-security.com)
> (trojan.rules)
>   2820452 - ETPRO CURRENT_EVENTS Versobank Phishing Landing Jun 2
> (current_events.rules)
>   2820491 - ETPRO CURRENT_EVENTS Northwell Health Phishing Landing Jun 6
> (current_events.rules)
>   2820511 - ETPRO TROJAN Dridex Injects SSL Cert (trojan.rules)
>   2820547 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
> Injects) (trojan.rules)
>   2820548 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
> Injects) (trojan.rules)
>   2820593 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate
> Detected (trojan.rules)
>   2820594 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate
> Detected (trojan.rules)
>   2820615 - ETPRO WEB_CLIENT Suspicious Domain - Possible Apple Phishing
> Jun 14 (web_client.rules)
>   2820733 - ETPRO CURRENT_EVENTS Dropbox Shared Document Phishing Landing
> Jun 17 (current_events.rules)
>   2820738 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
> Injects) (trojan.rules)
>   2820789 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
> Injects) (trojan.rules)
>   2820790 - ETPRO TROJAN Malicious SSL certificate detected (Gootkit
> Injects) (trojan.rules)
>   2820792 - ETPRO TROJAN Ursnif Injects Domain in SNI (trojan.rules)
>   2820793 - ETPRO TROJAN Ursnif Injects Domain in SNI (trojan.rules)
>   2820794 - ETPRO TROJAN Ursnif Injects Domain in SNI (trojan.rules)
>   2820810 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website
> (set) Jun 21 2016 (current_events.rules)
>   2820811 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website Jun
> 21 M1 (current_events.rules)
>   2820812 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website Jun
> 21 M2 (current_events.rules)
>   2820813 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website Jun
> 21 M3 (current_events.rules)
>   2820815 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website Jun
> 21 M5 (current_events.rules)
>   2820816 - ETPRO INFO Data Submitted to my-free.website - Possible
> Phishing (info.rules)
>   2820817 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
> Injects) (trojan.rules)
>   2820854 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite.com (set)
> Jun 24 2016 (current_events.rules)
>   2820860 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite.com Jun 24
> M6 (current_events.rules)
>   2820922 - ETPRO CURRENT_EVENTS Phishing Landing via udo.photo (set) Jun
> 28 2016 (current_events.rules)
>   2820925 - ETPRO CURRENT_EVENTS Phishing Landing via ulcraft.com (set)
> Jun 28 (current_events.rules)
>   2820927 - ETPRO CURRENT_EVENTS Phishing Landing via biennale.info (set)
> Jun 28 (current_events.rules)
>   2820930 - ETPRO CURRENT_EVENTS Phishing Landing via topstyle.me (set)
> Jun 28 2016 (current_events.rules)
>   2820932 - ETPRO CURRENT_EVENTS Phishing Landing via topstyle.me Jun 28
> M2 (current_events.rules)
>   2820936 - ETPRO TROJAN Ransomware WildFire Locker .onion Payment Domain
> (gsxrmcgsygcxfkbb) (trojan.rules)
>   2820944 - ETPRO TROJAN Dridex Injects SSL Cert (trojan.rules)
>   2820945 - ETPRO TROJAN Dridex Injects SSL Cert (trojan.rules)
>   2821037 - ETPRO CURRENT_EVENTS Generic Email Account Phishing Landing
> Jul 11 (current_events.rules)
>   2821042 - ETPRO CURRENT_EVENTS Yahoo Phishing Landing Jul 11
> (current_events.rules)
>   2821055 - ETPRO TROJAN Possible Gootkit CnC Domain in SNI (trojan.rules)
>   2821056 - ETPRO TROJAN Possible Gootkit CnC Domain in SNI (trojan.rules)
>   2821141 - ETPRO TROJAN Malicious SSL certificate detected (Gootkit
> Injects) (trojan.rules)
>   2821203 - ETPRO CURRENT_EVENTS Earthlink Phishing Landing Jul 19
> (current_events.rules)
>   2821209 - ETPRO TROJAN Malicious SSL certificate detected (Malware C2)
> (trojan.rules)
>   2821226 - ETPRO CURRENT_EVENTS Phishing Landing via Webydo.com (set) Jul
> 21 (current_events.rules)
>   2821227 - ETPRO CURRENT_EVENTS Phishing Landing via Webydo.com Jul 21 M1
> (current_events.rules)
>   2821229 - ETPRO CURRENT_EVENTS Phishing Landing via Webydo.com Jul 21 M3
> (current_events.rules)
>   2821230 - ETPRO CURRENT_EVENTS Phishing Landing via Webydo.com Jul 21 M4
> (current_events.rules)
>   2821231 - ETPRO CURRENT_EVENTS Phishing Landing via Webydo.com Jul 21 M5
> (current_events.rules)
>   2821310 - ETPRO CURRENT_EVENTS Evil Redirect Leading to EK (AdGholas
> Sending Link in Header) (current_events.rules)
>   2821321 - ETPRO CURRENT_EVENTS Phishing Landing via imcreator.com (set)
> Jul 22 (current_events.rules)
>   2821322 - ETPRO CURRENT_EVENTS Phishing Landing via imxprs.com (set)
> Jul 22 (current_events.rules)
>   2821327 - ETPRO CURRENT_EVENTS Phishing Landing via imcreator.com /
> imxprs.com Jul 22 M5 (current_events.rules)
>   2821528 - ETPRO TROJAN Pony CnC Domain in SSL Client Hello SNI
> (trojan.rules)
>   2821529 - ETPRO TROJAN Pony CnC Domain in SSL Client Hello SNI
> (trojan.rules)
>   2821530 - ETPRO TROJAN Pony CnC Domain in SSL Client Hello SNI
> (trojan.rules)
>   2821531 - ETPRO TROJAN Pony CnC Domain in SSL Client Hello SNI
> (trojan.rules)
>   2821567 - ETPRO TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
> detected (Ursnif Injects) (trojan.rules)
>   2821568 - ETPRO TROJAN Possible Ursnif Injects Domain in SNI
> (trojan.rules)
>   2821613 - ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda Banker)
> (trojan.rules)
>   2821624 - ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda Injects)
> (trojan.rules)
>   2821625 - ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda Injects)
> (trojan.rules)
>   2821629 - ETPRO CURRENT_EVENTS Stripe Phishing Landing Aug 12 2016
> (current_events.rules)
>   2821633 - ETPRO CURRENT_EVENTS Successful Gmail Phish M2 (set) Aug 12
> 2016 (current_events.rules)
>   2821645 - ETPRO CURRENT_EVENTS Phishing Landing via webnode.fr (set)
> Aug 15 2016 (current_events.rules)
>   2821647 - ETPRO CURRENT_EVENTS Phishing Landing via webnode.fr Aug 15
> 2016 M2 (current_events.rules)
>   2821648 - ETPRO CURRENT_EVENTS Phishing Landing via webnode.fr Aug 15
> 2016 M3 (current_events.rules)
>   2821650 - ETPRO CURRENT_EVENTS Phishing Landing via webnode.fr Aug 15
> 2016 M5 (current_events.rules)
>   2822041 - ETPRO CURRENT_EVENTS Paypal Javascript Phishing Landing Sept 8
> 2016 (current_events.rules)
>   2822042 - ETPRO CURRENT_EVENTS Paypal Phishing Landing Sept 8 2016
> (current_events.rules)
>   2822167 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
> Injects) (trojan.rules)
>   2822168 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
> Injects) (trojan.rules)
>   2822193 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.l DNS
> Lookup 12 (mobile_malware.rules)
>   2822249 - ETPRO CURRENT_EVENTS Evil Redirector to EK - Observed
> Malicious SSL Cert (current_events.rules)
>   2822256 - ETPRO TROJAN Unlock92 Ransomware .onion Proxy Payment Domain
> (ezulxxtwqos5g736) (trojan.rules)
>   2822272 - ETPRO TROJAN Ransomware Domain Detected (TorrentLocker C2)
> (trojan.rules)
>   2822290 - ETPRO WEB_CLIENT Byet Free Webhost Adobe Phishing Cookie Sept
> 29 2016 (web_client.rules)
>   2822365 - ETPRO CURRENT_EVENTS Phishing Landing via urest.org (set) Oct
> 03 (current_events.rules)
>   2822414 - ETPRO TROJAN Zloader Malicious SSL Cert Observed (trojan.rules)
>   2822442 - ETPRO CURRENT_EVENTS Multibank Phishing Landing/Redirect (NL)
> M1 2016-10-06 (current_events.rules)
>   2822443 - ETPRO CURRENT_EVENTS SNS Bank Phishing Landing/Redirect (NL)
> M1 2016-10-06 (current_events.rules)
>   2822444 - ETPRO CURRENT_EVENTS SNS Bank Phishing Landing/Redirect/ (NL)
> M2 2016-10-06 (current_events.rules)
>   2822445 - ETPRO CURRENT_EVENTS ASN/Regio Bank Phishing Landing/Redirect
> (NL) M1 2016-10-06 (current_events.rules)
>   2822446 - ETPRO CURRENT_EVENTS ASN/Regio Bank Phishing Landing/Redirect
> (NL) M2 2016-10-06 (current_events.rules)
>   2822447 - ETPRO CURRENT_EVENTS Multibank Phishing Landing/Redirect (NL)
> M2 2016-10-06 (current_events.rules)
>   2822479 - ETPRO CURRENT_EVENTS Bizarro SunDown EK Landing Oct 07 2016 M4
> (current_events.rules)
>   2822481 - ETPRO CURRENT_EVENTS Bizarro SunDown EK Landing Oct 07 2016 M6
> (current_events.rules)
>   2822482 - ETPRO CURRENT_EVENTS SunDown/Xer Payload (URL Primer)
> (current_events.rules)
>   2822602 - ETPRO CURRENT_EVENTS Phishing Landing via Webeden.net (set)
> Oct 13 (current_events.rules)
>   2822923 - ETPRO TROJAN DNS Query to Cerber Domain (gio6f6 . bid)
> (trojan.rules)
>   2822933 - ETPRO CURRENT_EVENTS Paypal Phishing Landing M1 Oct 26 2016
> (current_events.rules)
>   2822935 - ETPRO CURRENT_EVENTS Paypal Phishing Landing M2 Oct 26 2016
> (current_events.rules)
>   2822969 - ETPRO TROJAN Observed Malicious SSL Cert (Shifu CnC)
> (trojan.rules)
>   2823057 - ETPRO TROJAN Ransomware Domain Detected (TorrentLocker C2)
> (trojan.rules)
>   2823062 - ETPRO TROJAN DNS Query to Cerber Domain (3do9h1 . bid)
> (trojan.rules)
>   2823122 - ETPRO TROJAN DNS Query to Cerber Domain (t0su8p . bid)
> (trojan.rules)
>   2823128 - ETPRO TROJAN DNS Query to Cerber Domain (69ju9u . bid)
> (trojan.rules)
>   2823276 - ETPRO TROJAN DNS Query to Cerber Domain (51a47u . bid)
> (trojan.rules)
>   2823281 - ETPRO TROJAN DNS Query to Cerber Domain (v9y6z8 . bid)
> (trojan.rules)
>   2823284 - ETPRO TROJAN DNS Query to Cerber Domain (j5spvw . bid)
> (trojan.rules)
>   2823294 - ETPRO TROJAN DNS Query to Cerber Domain (1pr9as . top)
> (trojan.rules)
>   2823340 - ETPRO TROJAN Zloader CnC SSL Cert (trojan.rules)
>   2823341 - ETPRO TROJAN Ransomware/Princess Onion Domain Lookup
> (trojan.rules)
>   2823342 - ETPRO TROJAN Ransomware/Princess Onion Domain Lookup
> (trojan.rules)
>   2823404 - ETPRO TROJAN Win32/Ranscrape Ransomware Onion Domain Lookup
> (trojan.rules)
>   2823427 - ETPRO TROJAN DNS Query to Cerber Domain (1p5lyh . top)
> (trojan.rules)
>   2823444 - ETPRO TROJAN Malicious SSL Certificate Detected (Ursnif
> Injects) (trojan.rules)
>   2823445 - ETPRO TROJAN Malicious SSL Certificate Detected (Ursnif
> Injects) (trojan.rules)
>   2823446 - ETPRO TROJAN Malicious SSL Certificate Detected (Ursnif
> Injects) (trojan.rules)
>   2823453 - ETPRO CURRENT_EVENTS Astrum EK Landing Nov 23 2016 M1
> (current_events.rules)
>   2823522 - ETPRO TROJAN DNS Query to Cerber Domain (19jmfr . top)
> (trojan.rules)
>   2823600 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate
> Detected (trojan.rules)
>   2823602 - ETPRO CURRENT_EVENTS Possible Successful Phish via
> imcreator.com / imxprs.com Dec 02 2016 (current_events.rules)
>   2823619 - ETPRO TROJAN DNS Query to Cerber Domain (1k1dxt . top)
> (trojan.rules)
>   2823634 - ETPRO TROJAN Ransomware Domain Detected (TorrentLocker C2)
> (trojan.rules)
>   2823658 - ETPRO TROJAN Malicious SSL Certificate Detected (Dreambot)
> (trojan.rules)
>   2823673 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL)
> (trojan.rules)
>   2823750 - ETPRO TROJAN Likely Phishing DNS Lookup (Fake MS Service)
> (trojan.rules)
>   2823846 - ETPRO TROJAN DNS Query to Cerber Domain (g0lpnj . bid)
> (trojan.rules)
>   2823881 - ETPRO MOBILE_MALWARE Possible Malvertising Redirection for iOS
> (mobile_malware.rules)
>   2823912 - ETPRO CURRENT_EVENTS Google Drive Phishing Landing Redirect
> Dec 15 2016 (current_events.rules)
>   2824029 - ETPRO TROJAN Observed Malvertising Domain SSL Cert
> (trojan.rules)
>   2828275 - ETPRO WEB_CLIENT Anonisma Phishing CSS M3 Oct 12 2017
> (web_client.rules)
> _______________________________________________
> Etpro-sigs mailing list
> Etpro-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/etpro-sigs
>
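The obfuscation the reply asks for, as an added example that is not part of the original thread or of Emerging Threats' tooling: a Python filter that applies the summary's own "first level . second level" convention to raw domains and IPv4 addresses in a body shaped like the quoted one, plus an audit that lists which signature names would otherwise go out unobfuscated. The TLD set (a stand-in for a real public-suffix list), the RFC 5737 address and the 9999999 sid are constructed assumptions.

```python
"""Defang domains and IPv4 addresses in a ruleset-summary mail body."""
import re

# TLDs seen in the quoted summary. Assumption: a production version should
# load a public-suffix list instead of this short allowlist.
KNOWN_TLDS = ("com", "net", "org", "info", "me", "fr", "top", "bid", "website", "photo")

# One or more hostname labels followed by a known TLD. Rule-file names such as
# "trojan.rules" and family names such as "Android.Trojan.InfoStealer.IC" never
# end in a known TLD, so they are left untouched.
DOMAIN_RE = re.compile(
    r"\b(?P<host>[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)"
    r"\.(?P<tld>" + "|".join(KNOWN_TLDS) + r")\b",
    re.IGNORECASE,
)
# Dotted quad; octet range is checked in _defang_ip so "10.0.300.5" is left alone.
IPV4_RE = re.compile(r"\b(?P<prefix>\d{1,3}(?:\.\d{1,3}){2})\.(?P<last>\d{1,3})\b")
# Leading sid of a summary line, e.g. "  2820855 - ETPRO ..."
SID_RE = re.compile(r"^\s*(?P<sid>\d{7}) - ")

# Constructed sample in the shape of the quoted summary. The first line is
# already defanged; the last line uses a documentation IP and a made-up sid.
SAMPLE = """\
  2822923 - ETPRO TROJAN DNS Query to Cerber Domain (gio6f6 . bid) (trojan.rules)
  2820855 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite.com Jun 24 M1 (current_events.rules)
  2821323 - ETPRO CURRENT_EVENTS Phishing Landing via imcreator.com / imxprs.com Jul 22 M1 (current_events.rules)
  2825789 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.IC CnC Beacon (mobile_malware.rules)
  2820816 - ETPRO INFO Data Submitted to my-free.website - Possible Phishing (info.rules)
  9999999 - ETPRO TROJAN Constructed CnC Beacon (203.0.113.10) (trojan.rules)
"""


def _defang_ip(m):
    """Space out the last dot of a valid IPv4 address; return other matches as-is."""
    octets = (m.group("prefix") + "." + m.group("last")).split(".")
    if any(int(o) > 255 for o in octets):
        return m.group(0)  # a version string or similar, not an address
    return f"{m.group('prefix')} . {m.group('last')}"


def defang_line(line):
    """Apply the summary's convention (a space on each side of the last dot) to
    every raw domain or IPv4 address. Already-defanged tokens such as
    "gio6f6 . bid" contain spaces and therefore no longer match."""
    line = IPV4_RE.sub(_defang_ip, line)
    return DOMAIN_RE.sub(lambda m: f"{m.group('host')} . {m.group('tld')}", line)


def defang_summary(text):
    """Defang every line of a summary body, preserving line structure."""
    return "\n".join(defang_line(line) for line in text.splitlines())


def audit(text):
    """Return (sid, indicator) pairs for every raw indicator that would leave the
    list unobfuscated: the check the reply above performed by eye."""
    findings = []
    for line in text.splitlines():
        sid_match = SID_RE.match(line)
        sid = sid_match.group("sid") if sid_match else "?"
        for m in IPV4_RE.finditer(line):
            if _defang_ip(m) != m.group(0):
                findings.append((sid, m.group(0)))
        for m in DOMAIN_RE.finditer(line):
            findings.append((sid, m.group(0)))
    return findings


if __name__ == "__main__":
    for sid, indicator in audit(SAMPLE):
        print(f"{sid}: raw indicator {indicator!r}")
    print(defang_summary(SAMPLE))
```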