[Emerging-Sigs] Daily Ruleset Update Summary 2020/01/28

Jack Mott jmott at emergingthreats.net
Tue Jan 28 13:26:38 HST 2020


[***]            Summary:            [***]

  1 new Open, 29 new Pro (1 + 28). Various Suspicious Zipped Filenames,
Win32/Spatet.I, Slimrat CnC, Win32/Ronefen, Win32/Remcos.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

 [+++]          Added rules:          [+++]

 Open:

  2029324 - ET POLICY GeoIP Lookup (nydus. battle .net) (policy.rules)

 Pro:

  2840698 - ETPRO POLICY Observed DNS Query to api .imgbb .com (Possible Image Upload) (policy.rules)
  2840699 - ETPRO TROJAN Observed Malicious SSL Cert (Eyxa Stealer CnC) (trojan.rules)
  2840700 - ETPRO POLICY Observed Free Image Hosting Domain SSL Cert (*. imgbb .com) (policy.rules)
  2840701 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Firefox_Autocomplete) (trojan.rules)
  2840702 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (default_Cookies.txt) (trojan.rules)
  2840703 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Browsers/History/Firefox_) (trojan.rules)
  2840704 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Browsers/Cookies/Thunderbird_) (trojan.rules)
  2840705 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (General/forms.txt) (trojan.rules)
  2840706 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (History/Mozilla.txt) (trojan.rules)
  2840707 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (History/Edge.txt) (trojan.rules)
  2840708 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (History/Chrome.txt) (trojan.rules)
  2840709 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Wallets/Bitcoin.dat) (trojan.rules)
  2840710 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Other/Actions.txt) (trojan.rules)
  2840711 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Wallets/Documents.dat) (trojan.rules)
  2840712 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (FileForms.txt) (trojan.rules)
  2840713 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (FileCookies.txt) (trojan.rules)
  2840714 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (FilePasswords.txt) (trojan.rules)
  2840717 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-01-28 1) (trojan.rules)
  2840718 - ETPRO TROJAN Win32/Spatet.I Host Checkin (trojan.rules)
  2840719 - ETPRO TROJAN Slimrat CnC Activity (trojan.rules)
  2840720 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-01-28 (current_events.rules)
  2840721 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-01-28 (current_events.rules)
  2840722 - ETPRO TROJAN Win32/Ronefen CnC (trojan.rules)
  2840723 - ETPRO TROJAN Win32/Agent.TIG Variant Checkin (trojan.rules)
  2840724 - ETPRO USER_AGENTS Suspicious User-Agent (Bootstrapper/) (user_agents.rules)
  2840725 - ETPRO TROJAN Win32/Remcos RAT Checkin 321 (trojan.rules)

 [///]     Modified active rules:     [///]

  2027941 - ET POLICY DNS Query to a Reverse Proxy Service Observed (policy.rules)