[Emerging-Sigs] Daily Ruleset Update Summary 2020/01/22

Jason Williams jwilliams at emergingthreats.net
Wed Jan 22 13:32:02 HST 2020


[***]            Summary:            [***]

  11 new Open, 48 new Pro (11 + 37). Magecart, Thanatos Ransomware, Masad
Stealer, DiamondFox, Various Phishing.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

 [+++]          Added rules:          [+++]

 Open:

  2029299 - ET POLICY HTTP Request to IP Logging Service (2no .co) (policy.rules)
  2029300 - ET TROJAN Magecart CnC Domain Observed in DNS Query (trojan.rules)
  2029301 - ET TROJAN Observed Magecart CnC Domain in TLS SNI (trojan.rules)
  2029302 - ET TROJAN Malicious SSL Cert (Magecart) (trojan.rules)
  2029303 - ET TROJAN Magecart CnC Domain Observed in DNS Query (trojan.rules)
  2029304 - ET TROJAN Observed Magecart CnC Domain in TLS SNI (trojan.rules)
  2029305 - ET TROJAN Malicious SSL Cert (Magecart) (trojan.rules)
  2029306 - ET TROJAN Observed Thanatos Ransomware Variant Pico User-Agent (trojan.rules)
  2029307 - ET TROJAN Observed Malicious SSL Cert (ELF/Rekoobe CnC) (trojan.rules)
  2029308 - ET POLICY Website Hosting Service Observed in DNS Query (policy.rules)
  2029309 - ET TROJAN ELF/Rekoobe CnC Observed in DNS Query (trojan.rules)

 Pro:

  2840549 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Browsers.log) (trojan.rules)
  2840550 - ETPRO TROJAN Masad Stealer Exfil Via Telegram (trojan.rules)
  2840551 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Domains.log) (trojan.rules)
  2840552 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (information.log) (trojan.rules)
  2840553 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Passwords.log) (trojan.rules)
  2840554 - ETPRO TROJAN Observed Malicious SSL Cert (Get2 Downloader) (trojan.rules)
  2840555 - ETPRO INFO Inbound Base64 Encoded Wide PowerShell Keyword (New-Object System.Net.WebClient) (info.rules)
  2840556 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
  2840557 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2840558 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-01-22 (current_events.rules)
  2840559 - ETPRO CURRENT_EVENTS Successful VK Phish 2020-01-22 (current_events.rules)
  2840560 - ETPRO CURRENT_EVENTS Successful VK Phish 2020-01-22 (current_events.rules)
  2840561 - ETPRO CURRENT_EVENTS Successful Sando Bank Phish 2020-01-22 (current_events.rules)
  2840562 - ETPRO CURRENT_EVENTS Successful Spectrum Webmail Phish 2020-01-22 (current_events.rules)
  2840563 - ETPRO TROJAN Muddywater Payload CnC Checkin (trojan.rules)
  2840564 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-01-22 (current_events.rules)
  2840565 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-01-22 (current_events.rules)
  2840566 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-01-22 (current_events.rules)
  2840567 - ETPRO CURRENT_EVENTS Successful Sprint Phish 2020-01-22 (current_events.rules)
  2840568 - ETPRO CURRENT_EVENTS Successful Rackspace Phish 2020-01-22 (current_events.rules)
  2840569 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-01-22 (current_events.rules)
  2840570 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-01-22 (current_events.rules)
  2840571 - ETPRO CURRENT_EVENTS Successful Tesco Phish 2020-01-22 (current_events.rules)
  2840572 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2020-01-22 (current_events.rules)
  2840573 - ETPRO CURRENT_EVENTS Successful ADCB Phish 2020-01-22 (current_events.rules)
  2840574 - ETPRO CURRENT_EVENTS Successful Nubank Phish 2020-01-22 (current_events.rules)
  2840575 - ETPRO CURRENT_EVENTS Successful Sharepoint Phish 2020-01-22 (current_events.rules)
  2840576 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-01-22 (current_events.rules)
  2840577 - ETPRO CURRENT_EVENTS Successful Nubank Phish 2020-01-22 (current_events.rules)
  2840578 - ETPRO CURRENT_EVENTS Successful Mobile DE Phish 2020-01-22 (current_events.rules)
  2840579 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-01-22 (current_events.rules)
  2840580 - ETPRO TROJAN Inbound Base64 Encoded Wide PowerShell Payload Observed (trojan.rules)
  2840581 - ETPRO INFO Inbound Base64 Encoded Wide PowerShell Keyword (DownloadFile) (info.rules)
  2840582 - ETPRO TROJAN PS/Deathhm Script Inbound via HTTP (trojan.rules)
  2840583 - ETPRO INFO Inbound VBS with Possible Heavy Math Obfuscation (info.rules)
  2840584 - ETPRO TROJAN Observed Malicious SSL Cert (APT32/OceanLotus CnC) (trojan.rules)
  2840585 - ETPRO TROJAN DiamondFox CnC Checkin Variant (trojan.rules)

 [///]     Modified active rules:     [///]

  2029269 - ET TROJAN Satan/5ss5c Ransomware CnC Activity (trojan.rules)
  2833620 - ETPRO TROJAN Powerstats/Muddywater CnC 2nd Stage Activity Checkin (trojan.rules)
  2840271 - ETPRO TROJAN Unk.JS/Downloader Activity (trojan.rules)