[Emerging-Sigs] Daily Ruleset Update Summary 2020/01/27

Jack Mott jmott at emergingthreats.net
Mon Jan 27 14:12:55 HST 2020


[***]            Summary:            [***]

  2 new Open, 44 new Pro (2 + 42). ELF/MooBot, Telegram Stuff,
PS/ServLoader, HttpRat, FinderBot Loader, Win32/Remcos, Lightning Backdoor,
Various Phishing.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

 [+++]          Added rules:          [+++]

 Open:

  2029322 - ET POLICY Telegram API Certificate Observed (policy.rules)
  2029323 - ET TROJAN Possible Generic RAT over Telegram API (trojan.rules)

 Pro:

  2840656 - ETPRO TROJAN ELF/Mirai Variant CnC Checkin (trojan.rules)
  2840657 - ETPRO TROJAN ELF/MooBot Variant CnC Checkin (trojan.rules)
  2840658 - ETPRO TROJAN Phoenix Keylogger Variant Stealer Exfil Via
Telegram (trojan.rules)
  2840659 - ETPRO TROJAN Observed Glupteba CnC Domain in TLS SNI
(trojan.rules)
  2840660 - ETPRO TROJAN Observed Glupteba CnC Domain in TLS SNI
(trojan.rules)
  2840661 - ETPRO TROJAN Observed Glupteba CnC Domain in TLS SNI
(trojan.rules)
  2840662 - ETPRO TROJAN PS/ServLoader CnC Activity (trojan.rules)
  2840664 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-01-25 1) (trojan.rules)
  2840665 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-01-25 2) (trojan.rules)
  2840666 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-01-27 1) (trojan.rules)
  2840667 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-01-27 2) (trojan.rules)
  2840668 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound)
(trojan.rules)
  2840669 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2840670 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound)
(trojan.rules)
  2840671 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2840672 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-01-27 (current_events.rules)
  2840673 - ETPRO CURRENT_EVENTS Successful BBVA Phish 2020-01-27
(current_events.rules)
  2840674 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish
2020-01-27 (current_events.rules)
  2840675 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish
2020-01-27 (current_events.rules)
  2840676 - ETPRO CURRENT_EVENTS Successful Maersk Phish 2020-01-27
(current_events.rules)
  2840677 - ETPRO CURRENT_EVENTS Successful Maersk Phish 2020-01-27
(current_events.rules)
  2840678 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-01-27 (current_events.rules)
  2840679 - ETPRO TROJAN PS/Meranbaba Script Host Checkin (trojan.rules)
  2840680 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish
2020-01-27 (current_events.rules)
  2840681 - ETPRO CURRENT_EVENTS Successful Unicredit Phish 2020-01-27
(current_events.rules)
  2840682 - ETPRO CURRENT_EVENTS Successful Gov UK Identity Verification
Phish 2020-01-27 (current_events.rules)
  2840683 - ETPRO CURRENT_EVENTS Successful Casas Bahia Phish 2020-01-27
(current_events.rules)
  2840684 - ETPRO TROJAN HttpRat Host Checkin (trojan.rules)
  2840685 - ETPRO POLICY Observed SSL Cert (ipecho IP Check) (policy.rules)
  2840686 - ETPRO MALWARE Observed Malicious SSL Cert (Bspro Ads)
(malware.rules)
  2840687 - ETPRO TROJAN Observed Malicious SSL Cert (Wizzcaster)
(trojan.rules)
  2840688 - ETPRO TROJAN Possibly Malicious Doc Requesting Known VBS
Template (trojan.rules)
  2840689 - ETPRO TROJAN Observed FinderBot Loader Domain in TLS SNI
(trojan.rules)
  2840690 - ETPRO TROJAN FinderBot Loader - CnC Activity M1 (trojan.rules)
  2840691 - ETPRO TROJAN FinderBot Loader - CnC Activity M2 (trojan.rules)
  2840692 - ETPRO TROJAN Lighting Backdoor - GetCommand via JSON
(trojan.rules)
  2840693 - ETPRO TROJAN Lighting Backdoor - GetCommand via XML
(trojan.rules)
  2840694 - ETPRO TROJAN Win32/Remcos RAT Checkin 317 (trojan.rules)
  2840695 - ETPRO TROJAN Win32/Remcos RAT Checkin 318 (trojan.rules)
  2840696 - ETPRO TROJAN Win32/Remcos RAT Checkin 319 (trojan.rules)
  2840697 - ETPRO TROJAN Win32/Remcos RAT Checkin 320 (trojan.rules)

[///]     Modified active rules:     [///]

  2837353 - ETPRO TROJAN Sharik/Smokeloader CnC Beacon 15 (trojan.rules)