[Emerging-Sigs] Daily Ruleset Update Summary 2020/06/04

James Emery-Callcott jcallcott at emergingthreats.net
Thu Jun 4 13:43:05 HDT 2020


[***]            Summary:            [***]

        2 new OPEN, 24 new PRO (2 + 22).  Lemon_Duck, Various SSL/TLS,
Various Phish, Others.

        Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

        2030249 - ET CURRENT_EVENTS Cushion Redirection
(current_events.rules)
        2030250 - ET MALWARE Win32/Adware.Qjwmonkey.H Variant CnC Activity
M2 (malware.rules)

Pro:

        2842862 - ETPRO TROJAN VBS/Unk.VBSLoader CnC Checkin (trojan.rules)
        2842863 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)
        2842864 - ETPRO TROJAN Observed Malicious SSL Cert (Get2 CnC)
(trojan.rules)
        2842866 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-06-04 1) (trojan.rules)
        2842867 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-06-04 2) (trojan.rules)
        2842868 - ETPRO CURRENT_EVENTS Successful Box Phish 2020-06-04
(current_events.rules)
        2842869 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-06-04
(current_events.rules)
        2842870 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2020-06-04
(current_events.rules)
        2842871 - ETPRO TROJAN Lemon_Duck Powershell CnC Activity M1
(trojan.rules)
        2842872 - ETPRO TROJAN Lemon_Duck Powershell CnC Activity M2
(trojan.rules)
        2842873 - ETPRO TROJAN Lemon_Duck Powershell CnC Activity M3
(trojan.rules)
        2842874 - ETPRO TROJAN Lemon_Duck Powershell CnC Activity M4
(trojan.rules)
        2842875 - ETPRO TROJAN Lemon_Duck Powershell CnC Activity M5
(trojan.rules)
        2842876 - ETPRO TROJAN Lemon_Duck Powershell CnC Activity M6
(trojan.rules)
        2842877 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-06-04
(current_events.rules)
        2842878 - ETPRO CURRENT_EVENTS Successful S-Pankki Phish 2020-06-04
(current_events.rules)
        2842879 - ETPRO CURRENT_EVENTS Successful Apple Phish 2020-06-04
(current_events.rules)
        2842880 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish
2020-06-04 (current_events.rules)
        2842881 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2020-06-04
(current_events.rules)
        2842882 - ETPRO TROJAN Cyborg Ransomware Desktop Image Retrieval
(trojan.rules)
        2842883 - ETPRO TROJAN Win32/Sality.NBA CnC Activity (trojan.rules)
        2842884 - ETPRO POLICY Large 404 Content-Length (policy.rules)

[///]     Modified active rules:     [///]

        2014704 - ET WEB_SPECIFIC_APPS PHP-CGI query string parameter
vulnerability (web_specific_apps.rules)
        2015034 - ET WEB_SPECIFIC_APPS Concrete CMS btask parameter
Cross-Site Scripting Attempt (web_specific_apps.rules)
        2020947 - ET TROJAN Win32/StreamFlaw.A Checkin (trojan.rules)
        2021951 - ET CURRENT_EVENTS Possible Magento Directory Traversal
Attempt (current_events.rules)
        2021952 - ET TROJAN JS/Nemucod.M.gen requesting EXE payload
2015-10-07 (trojan.rules)
        2021953 - ET TROJAN JS/Nemucod.M.gen requesting PDF payload
2015-10-07 (trojan.rules)
        2021956 - ET TROJAN Nemucod Downloading Payload 2 (trojan.rules)
        2021991 - ET WEB_CLIENT Fake Java Installer Landing Page Oct 21
(web_client.rules)
        2021992 - ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt
(web_specific_apps.rules)
        2026040 - ET TROJAN CobaltStrike DNS Beacon Response (trojan.rules)
        2810181 - ETPRO TROJAN Malicious Office Doc Retrieving PE
(trojan.rules)
        2814260 - ETPRO TROJAN Trojan.InfoStealer.PHPA Checkin
(trojan.rules)
        2814351 - ETPRO TROJAN Banker.AIS Checkin (trojan.rules)
        2814352 - ETPRO MOBILE_MALWARE PUP Android.Adend.A Checkin
(mobile_malware.rules)
        2814357 - ETPRO TROJAN W32/Unknown.IT CnC (trojan.rules)
        2814363 - ETPRO TROJAN BAT/Runner.AV Checkin (trojan.rules)
        2814365 - ETPRO TROJAN Possible IIS Backdoor Receiving Commands via
Client Body (trojan.rules)
        2814370 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish
2015-10-15 (current_events.rules)
        2814374 - ETPRO TROJAN Trojan.Win32.InsectsAttack.gep Beacon
(trojan.rules)
        2814389 - ETPRO CURRENT_EVENTS possible Nuclear EK DHE traffic
client to server (current_events.rules)
        2814397 - ETPRO TROJAN Win32.Generic Downloader Checkin
(trojan.rules)
        2814398 - ETPRO TROJAN Unknown Shell Backdoor Checkin 1
(trojan.rules)
        2814399 - ETPRO TROJAN Unknown Shell Backdoor CnC 1 (trojan.rules)
        2814400 - ETPRO TROJAN Unknown Shell Backdoor CnC 2 (trojan.rules)
        2814438 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Agent.ak
Checkin (mobile_malware.rules)
        2814440 - ETPRO TROJAN Win32/Bagoox.A Checkin (trojan.rules)
        2814469 - ETPRO TROJAN InfiniteLocker CnC Beacon 1 (trojan.rules)
        2814470 - ETPRO TROJAN InfiniteLocker CnC Beacon 2 (trojan.rules)
        2814502 - ETPRO MOBILE_MALWARE Android.Agent.HY Checkin
(mobile_malware.rules)
        2814511 - ETPRO TROJAN Unknown Banker Checkin 1 (trojan.rules)
        2814516 - ETPRO TROJAN MSIL/Injector.MHV Beacon (trojan.rules)
        2814544 - ETPRO TROJAN MSIL/Injector.MFJ Checkin (trojan.rules)
        2814555 - ETPRO TROJAN Win32/Banload.WOO Checkin (trojan.rules)
        2814560 - ETPRO TROJAN Backdoor.Emdivi Checkin 5 (trojan.rules)
        2814561 - ETPRO TROJAN Backdoor.Emdivi Connectivity Check
(trojan.rules)
        2814562 - ETPRO TROJAN Backdoor.Emdivi Checkin 6 (trojan.rules)
        2814563 - ETPRO TROJAN Backdoor.Emdivi Checkin Response 3
(trojan.rules)
        2814564 - ETPRO TROJAN Win32/Zacom External IP Check (trojan.rules)
        2814566 - ETPRO TROJAN Win32/Zacom CnC Checkin 1 (trojan.rules)
        2814567 - ETPRO TROJAN Win32/Zacom CnC Checkin 2 (trojan.rules)
        2814568 - ETPRO TROJAN Win32/Zacom CnC Beacon 2 (trojan.rules)
        2814579 - ETPRO TROJAN Password Stealer Upload (trojan.rules)
        2814607 - ETPRO TROJAN Win32/Brolux.A Configuration File 1
(trojan.rules)
        2814621 - ETPRO TROJAN Win32/Brolux.A Configuration File 2
(trojan.rules)
        2814633 - ETPRO TROJAN Win32/TrojanDownloader.Banload.UKZ Receiving
Payload (trojan.rules)
        2814634 - ETPRO TROJAN Win32/TrojanDownloader.Banload.UKZ Receiving
Payload 2 (trojan.rules)
        2814647 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2015-10-28
(current_events.rules)
        2814648 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2015-10-28 3
(current_events.rules)
        2814657 - ETPRO TROJAN MSIL/Injector.MFJ Checkin (trojan.rules)

[---]         Removed rules:         [---]

        2017552 - ET CURRENT_EVENTS Cushion Redirection
(current_events.rules)
        2814646 - ETPRO CURRENT_EVENTS Successful Paypal Phish Oct 28 1
(current_events.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team