[Emerging-Sigs] Daily Ruleset Update Summary 2020/06/01

James Emery-Callcott jcallcott at emergingthreats.net
Mon Jun 1 15:02:52 HDT 2020


[***]            Summary:            [***]

        5 new OPEN, 33 new PRO (5 + 28).  OSX/NukeSped, TURLA NETFLASH, Remcos, Various Phish, Rule Edits.

        Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

        2030232 - ET TROJAN Gamaredon Style MalDoc .dot Download on freedynamicdns .org (trojan.rules)
        2030233 - ET TROJAN Higasia CnC Activity (trojan.rules)
        2030234 - ET TROJAN Observed OSX/NukeSped Variant CnC Domain (fudcitydelivers .com) in TLS SNI (trojan.rules)
        2030235 - ET TROJAN Observed OSX/NukeSped Variant CnC Domain (sctemarkets .com) in TLS SNI (trojan.rules)
        2030236 - ET TROJAN TURLA NETFLASH CnC (trojan.rules)

Pro:

        2842795 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-30 1) (trojan.rules)
        2842796 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-30 2) (trojan.rules)
        2842797 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish 2020-06-01 (current_events.rules)
        2842798 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish 2020-06-01 (current_events.rules)
        2842799 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-06-01 (current_events.rules)
        2842800 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-06-01 (current_events.rules)
        2842801 - ETPRO CURRENT_EVENTS Successful Citizens Bank Phish 2020-06-01 (current_events.rules)
        2842802 - ETPRO CURRENT_EVENTS Successful Gov UK Tax Refund Phish 2020-06-01 (current_events.rules)
        2842803 - ETPRO CURRENT_EVENTS Successful Excel Online Phish 2020-06-01 (current_events.rules)
        2842804 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish 2020-06-01 (current_events.rules)
        2842805 - ETPRO CURRENT_EVENTS Successful Generic Webmail FR Phish 2020-06-01 (current_events.rules)
        2842806 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-06-01 (current_events.rules)
        2842807 - ETPRO TROJAN ELF/Mirai Variant User-Agent (Outbound) (trojan.rules)
        2842808 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
        2842809 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-06-01 (current_events.rules)
        2842810 - ETPRO TROJAN Win32/Agent.NEJ CnC Activity (trojan.rules)
        2842811 - ETPRO TROJAN Win32/Remcos RAT Checkin 441 (trojan.rules)
        2842812 - ETPRO TROJAN Win32/Remcos RAT Checkin 442 (trojan.rules)
        2842813 - ETPRO TROJAN Win32/Remcos RAT Checkin 443 (trojan.rules)
        2842814 - ETPRO TROJAN Win32/Remcos RAT Checkin 444 (trojan.rules)
        2842815 - ETPRO TROJAN Win32/Remcos RAT Checkin 445 (trojan.rules)
        2842816 - ETPRO TROJAN Win32/Remcos RAT Checkin 446 (trojan.rules)
        2842817 - ETPRO TROJAN Win32/Remcos RAT Checkin 447 (trojan.rules)
        2842818 - ETPRO TROJAN Win32/Remcos RAT Checkin 448 (trojan.rules)
        2842819 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
        2842821 - ETPRO TROJAN Java/Ratty Windows Checkin (trojan.rules)
        2842822 - ETPRO TROJAN W32/Sofacy Variant Checkin (trojan.rules)

[///]     Modified active rules:     [///]

        2010597 - ET TROJAN Potential FakeAV HTTP GET Check-IN (/check) (trojan.rules)
        2016680 - ET WEB_SERVER WebShell Generic - net user (web_server.rules)
        2019400 - ET TROJAN Possible Bedep Connectivity Check (trojan.rules)
        2020722 - ET CURRENT_EVENTS RIG Landing URI Struct March 20 2015 (current_events.rules)
        2021719 - ET TROJAN APT Cheshire Cat CnC Beacon (trojan.rules)
        2021729 - ET CURRENT_EVENTS PawnStorm Sednit DL Aug 28 2015 (current_events.rules)
        2021739 - ET TROJAN Corebot Checkin (trojan.rules)
        2021741 - ET TROJAN Corebot Requesting Module (trojan.rules)
        2021742 - ET TROJAN Corebot Module Download (trojan.rules)
        2021754 - ET TROJAN Corebot Module Download 2 (trojan.rules)
        2021756 - ET EXPLOIT FireEye Appliance Unauthorized File Disclosure (exploit.rules)
        2021765 - ET CURRENT_EVENTS Possible Spartan/Nuclear EK Payload (current_events.rules)
        2021800 - ET TROJAN Win32/Spy.Odlanor CnC Checkin (trojan.rules)
        2021814 - ET TROJAN Ursnif Variant CnC Beacon 3 (trojan.rules)
        2021822 - ET TROJAN XcodeGhost CnC Checkin (trojan.rules)
        2021829 - ET TROJAN Ursnif Variant CnC Beacon 4 (trojan.rules)
        2021830 - ET TROJAN Ursnif Variant CnC Data Exfil (trojan.rules)
        2021832 - ET TROJAN XcodeGhost CnC M2 (trojan.rules)
        2021833 - ET TROJAN r0 CnC Check (trojan.rules)
        2021834 - ET TROJAN r0 CnC Architecture POST 1 (trojan.rules)
        2021835 - ET TROJAN r0 CnC Architecture POST 2 (trojan.rules)
        2021836 - ET TROJAN r0 CnC Architecture POST 3 (trojan.rules)
        2021837 - ET TROJAN r0 CnC Architecture POST 4 (trojan.rules)
        2021838 - ET TROJAN r0 CnC Report POST (trojan.rules)
        2021839 - ET TROJAN r0 CnC POST (trojan.rules)
        2023693 - ET TROJAN Win32.Banker.bqba Checkin (trojan.rules)
        2030222 - ET MALWARE Win32/Adware.Qjwmonkey.H Variant CnC Activity (malware.rules)
        2805200 - ETPRO TROJAN Win32/Spy.Keydoor.D Checkin (trojan.rules)
        2807941 - ETPRO TROJAN Linopid HTTP POST CnC Beacon (trojan.rules)
        2809118 - ETPRO TROJAN BACKDOOR.SINPID Checkin (trojan.rules)
        2811048 - ETPRO TROJAN Superman APT CnC POST (trojan.rules)
        2812032 - ETPRO INFO Suspicious Terse HTTP Request to Pastebin (info.rules)
        2812430 - ETPRO TROJAN Win32/Kryptik.DTJT Downloader POST (trojan.rules)
        2812431 - ETPRO TROJAN Win32/Kryptik.DTJT Downloader HEAD Checkin (trojan.rules)
        2812663 - ETPRO TROJAN Win32/Wedots.A Retrieving Config (trojan.rules)
        2812666 - ETPRO MOBILE_MALWARE Android/Spy.Banker.CJ Checkin (mobile_malware.rules)
        2812667 - ETPRO MOBILE_MALWARE Android/Secapk.F Checkin 3 (mobile_malware.rules)
        2812685 - ETPRO TROJAN Win32/Kazy.709388 Variant Connectivity Check (trojan.rules)
        2812691 - ETPRO TROJAN Win32/Spy.Agent.OSK Activity (trojan.rules)
        2812692 - ETPRO USER_AGENTS Suspicious User-Agent (Browser) (user_agents.rules)
        2812698 - ETPRO TROJAN Win32/Pasta.ztb Checkin (trojan.rules)
        2812702 - ETPRO TROJAN Win32/Hacktool.AntiBan Activity 1 (trojan.rules)
        2812703 - ETPRO TROJAN Win32/Hacktool.AntiBan Activity 2 (trojan.rules)
        2812704 - ETPRO USER_AGENTS Suspicious User-Agent (wf-AntiBan) (user_agents.rules)
        2812709 - ETPRO TROJAN Linopid HTTP GET CnC Beacon (trojan.rules)
        2812729 - ETPRO TROJAN Arid Viper APT Checkin 4 (trojan.rules)
        2812745 - ETPRO TROJAN Win32.Alman Checkin (trojan.rules)
        2812747 - ETPRO TROJAN Win32/Banload.BAW Activity (trojan.rules)
        2812767 - ETPRO TROJAN KRBanker Checkin (trojan.rules)
        2812768 - ETPRO TROJAN KRBanker Checkin 2 (trojan.rules)
        2812770 - ETPRO TROJAN Speccom/Vehidis CnC Beacon (trojan.rules)
        2812771 - ETPRO TROJAN W32/Bradelf Checkin (trojan.rules)
        2812775 - ETPRO TROJAN Umbra/Multibot Checkin (trojan.rules)
        2812785 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.de Checkin 3 (mobile_malware.rules)
        2812786 - ETPRO TROJAN Downloader Agent.wsjbj Checkin 1 (trojan.rules)
        2812787 - ETPRO TROJAN Downloader Agent.wsjbj Checkin 2 (trojan.rules)
        2812793 - ETPRO TROJAN IRCbot User-Agent (trojan.rules)
        2812812 - ETPRO TROJAN Backdoor.Telnneru Possible HTTP CnC Beacon 1 (trojan.rules)
        2812813 - ETPRO TROJAN Backdoor.Telnneru Possible HTTP CnC Beacon 2 (trojan.rules)
        2812814 - ETPRO TROJAN Backdoor.Telnneru Possible HTTP CnC Beacon 3 (trojan.rules)
        2812815 - ETPRO TROJAN Backdoor.Telnneru Possible HTTP CnC Beacon 4 (trojan.rules)
        2812822 - ETPRO EXPLOIT Hard Coded XXXXairocon Credentials Inbound (exploit.rules)
        2812830 - ETPRO CURRENT_EVENTS Successful EDF Account Phish Aug 31 (current_events.rules)
        2812841 - ETPRO TROJAN Backdoor.Telnneru GET Session CnC Beacon (trojan.rules)
        2812843 - ETPRO TROJAN Win32/Netdevil.1_5 CnC Checkin (trojan.rules)
        2812847 - ETPRO TROJAN Unknown Powershell Backdoor Checkin (trojan.rules)
        2812848 - ETPRO TROJAN Unknown Powershell Backdoor Checkin Response (trojan.rules)
        2812849 - ETPRO TROJAN Unknown Powershell Backdoor Beacon (trojan.rules)
        2812850 - ETPRO TROJAN Unknown Powershell Backdoor Retrieve Commands M1 (trojan.rules)
        2812852 - ETPRO TROJAN Unknown Powershell Backdoor Sending Host Data (trojan.rules)
        2812853 - ETPRO MOBILE_MALWARE Android Unknown Trojan Checkin (mobile_malware.rules)
        2812855 - ETPRO TROJAN Win32/Cekar.gen!A CnC Activity (trojan.rules)
        2812861 - ETPRO TROJAN Unknown Checkin (trojan.rules)
        2812862 - ETPRO MOBILE_MALWARE Android Unknown Trojan Checkin (mobile_malware.rules)
        2812865 - ETPRO TROJAN Spyec Keylogger Checkin (trojan.rules)
        2812866 - ETPRO TROJAN Win32/Conpilf Posting Data (trojan.rules)
        2812873 - ETPRO TROJAN Win32/Critloki.B CnC Checkin (trojan.rules)
        2812874 - ETPRO TROJAN Bedep AdFraud Module Downloading Config (trojan.rules)
        2812886 - ETPRO TROJAN Arcdoor.AJ!worm Checkin (trojan.rules)
        2812895 - ETPRO TROJAN Suspicious User-Agent (ExcelMalware) (trojan.rules)
        2812898 - ETPRO TROJAN Kawpfuni.A/Keydoor CnC Checkin - POST Method (trojan.rules)
        2812919 - ETPRO EXPLOIT Hard Coded Phillips In.Sight Credentials Inbound (exploit.rules)
        2812927 - ETPRO TROJAN Tirabot CnC 2 (trojan.rules)
        2812928 - ETPRO TROJAN Win32/Skeeyah.A Uploading Stolen Creds (trojan.rules)
        2812947 - ETPRO TROJAN PSW.Papras.EH Checkin (trojan.rules)
        2812961 - ETPRO TROJAN Trojan/Banker.Bancos.deq Checkin (trojan.rules)
        2812968 - ETPRO TROJAN PWS.Steam.1991 Checkin (trojan.rules)
        2812969 - ETPRO TROJAN Win32/TrojanDownloader.Banload.CXAH Retrieving Payload (trojan.rules)
        2812975 - ETPRO TROJAN Trojan/Win32.Agent Variant Checkin (trojan.rules)
        2812976 - ETPRO TROJAN Python Backdoor Variant CnC Beacon M1 (trojan.rules)
        2812982 - ETPRO TROJAN TrojanDownloader.Banload.VHZ Checkin 2 (trojan.rules)
        2812989 - ETPRO TROJAN MacOSX.iMuler-1 CheckNetWorkWithCurl (trojan.rules)
        2812995 - ETPRO TROJAN Razer DDoS Ultimate Mark II (trojan.rules)
        2813018 - ETPRO TROJAN AlphaCrypt CnC Beacon 4 (trojan.rules)
        2813020 - ETPRO TROJAN Win32/Frosparf.A Retrieving Payload (trojan.rules)
        2813022 - ETPRO TROJAN Win32/Spy.Banker.ACLQ Checkin (trojan.rules)
        2813024 - ETPRO TROJAN W32.Neshuta.A Checkin (trojan.rules)
        2813036 - ETPRO TROJAN Win32/Banload.VJB CnC Checkin (trojan.rules)
        2813051 - ETPRO TROJAN MSIL/Bladabindi.G Checkin (trojan.rules)
        2813052 - ETPRO TROJAN Win32/TrojanDownloader.Banload.UPP Requesting Data (trojan.rules)
        2813053 - ETPRO TROJAN Win32/Injector.gen!W CnC Checkin (trojan.rules)
        2813060 - ETPRO TROJAN Vawtrak Retrieving Module (trojan.rules)
        2813063 - ETPRO TROJAN Trojan-Ransom.Win32.Blocker.hpri Checkin (trojan.rules)
        2813068 - ETPRO TROJAN Win32/Skeeyah.A!rfn Variant Checkin (trojan.rules)
        2813069 - ETPRO TROJAN H1N1 Loader connectivity check - adobe.com (trojan.rules)
        2813071 - ETPRO TROJAN H1N1 Loader executable download (trojan.rules)
        2813073 - ETPRO TROJAN Linux.Trojan.Concbak Checkin (trojan.rules)
        2813098 - ETPRO TROJAN Win32/Banload Variant CnC Activity 1 (trojan.rules)
        2813099 - ETPRO TROJAN Win32/Banload Variant CnC Activity 2 (trojan.rules)
        2814005 - ETPRO CURRENT_EVENTS Successful Battle.net Phish 2015-09-22 (current_events.rules)
        2814006 - ETPRO CURRENT_EVENTS Successful Amazon Phish Sept 21 M1 (current_events.rules)
        2814014 - ETPRO TROJAN Win32/Bancos.EC Activity (trojan.rules)
        2814017 - ETPRO TROJAN W32/Nurjax Checkin (trojan.rules)
        2814018 - ETPRO TROJAN W32/Delf.NLJ!worm Posting Data (trojan.rules)
        2814021 - ETPRO TROJAN Win32/BrowserPassview Sending Data via HTTP (trojan.rules)
        2814025 - ETPRO TROJAN Win32/Banload.VUZ Activity (trojan.rules)
        2814028 - ETPRO TROJAN W32/Tepfer Variant CnC Beacon (trojan.rules)
        2814034 - ETPRO TROJAN Win32.Diztakun.zsg Infostealer M5 (trojan.rules)
        2814047 - ETPRO TROJAN Unknown Downloader CnC Checkin (trojan.rules)
        2814049 - ETPRO TROJAN Win32/TrojanDownloader.Banload.VUF Retrieving Payload (trojan.rules)
        2814051 - ETPRO TROJAN Spy.Shiz HTTP b64 CnC Beacon M2 (1) (trojan.rules)
        2814052 - ETPRO TROJAN Spy.Shiz HTTP b64 CnC Beacon M2 (2) (trojan.rules)
        2814053 - ETPRO TROJAN Spy.Shiz HTTP b64 CnC Beacon M2 (3) (trojan.rules)
        2814093 - ETPRO TROJAN Win32/Ramnit.A CnC Checkin 1 (trojan.rules)
        2814094 - ETPRO TROJAN Win32/Ramnit.A CnC Checkin 2 (trojan.rules)
        2814097 - ETPRO TROJAN Winlock/Torrentlocker Beacon (trojan.rules)
        2814108 - ETPRO TROJAN AutoClicker Beacon (trojan.rules)
        2814109 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ax Checkin (mobile_malware.rules)
        2814117 - ETPRO TROJAN Win32/Soloniti.A Activity (trojan.rules)
        2842768 - ETPRO CURRENT_EVENTS Successful Huntington Bank Phish 2020-05-28 (current_events.rules)

[---]         Removed rules:         [---]

        2814110 - ETPRO TROJAN W32/Sofacy Variant Checkin (trojan.rules)
        2816920 - ETPRO TROJAN Java/Ratty Windows Checkin (trojan.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team