[Emerging-Sigs] [Etpro-sigs] Daily Ruleset Update Summary 2020/06/26

Escudero, Ferdinand feescudero at ucsd.edu
Mon Jun 29 16:49:58 HDT 2020


Hello Jack,
    I did not see this SID in any of the ruleset update mails, but it seems it was created today and may be a false positive. Can you check this when you get a chance?
They seem to be legit Cloudflare IPs.

/etc/suricata/rules/malware.rules:alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com"; bsize:74; fast_pattern; metadata: former_category POLICY; reference:md5,9967be1acbbeb7621df54418bd118b75; classtype:domain-c2; sid:2843255; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2020_06_29, malware_family AZORult, performance_impact Low, updated_at 2020_06_29;)


Thanks for your help,

Ferdie Escudero
OIA Incident Response & Threat Detection Team
University of California, San Diego
https://cybersecurity.ucsd.edu
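To see why the rule above fires on benign traffic, here is an added example (not code from the list, from Emerging Threats or from UCSD) that replays Suricata eve.json tls records through the rule's tls.cert_subject content/bsize logic: every site served behind Cloudflare's shared certificate presents the same 74-byte subject, so the rule cannot distinguish AZORult from any other Cloudflare-fronted host. The eve records and SNIs are constructed for the example.

```python
import json
import re
# Subject of the shared Cloudflare certificate that sid 2843255 keys on (74 bytes).
CF_SUBJECT = "C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com"

# The rule quoted in the message, re-joined on one line; metadata keywords omitted.
RULE = ('alert tls $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC)"; '
        'flow:established,to_client; tls.cert_subject; '
        'content:"' + CF_SUBJECT + '"; bsize:74; fast_pattern; '
        'classtype:domain-c2; sid:2843255; rev:1;)')

def parse_cert_subject_rule(rule):
    """Return (content, bsize) for a rule of the simple shape used above."""
    m = re.search(r'tls\.cert_subject;\s*content:"([^"]*)";\s*bsize:(\d+);', rule)
    if not m:
        raise ValueError("not a simple tls.cert_subject/content/bsize rule")
    return m.group(1), int(m.group(2))

def subject_matches(subject, needle, size):
    """Suricata semantics: bsize requires the buffer to be exactly `size` bytes;
    content is a case-sensitive, unanchored byte search within that buffer."""
    buf = subject.encode("utf-8")
    return len(buf) == size and needle.encode("utf-8") in buf

def triage(rule, eve_lines):
    """Replay eve.json 'tls' records through the rule; count would-be alerts per SNI."""
    needle, size = parse_cert_subject_rule(rule)
    hits = {}
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") != "tls":
            continue
        tls = rec.get("tls", {})
        if subject_matches(tls.get("subject", ""), needle, size):
            sni = tls.get("sni", "<no sni>")
            hits[sni] = hits.get(sni, 0) + 1
    return hits

# Constructed eve.json records with hypothetical SNIs: three flows sit behind
# Cloudflare's shared certificate, one site presents its own certificate.
SAMPLE_EVE = [
    json.dumps({"event_type": "tls", "tls": {"subject": subj, "sni": sni}})
    for sni, subj in [("www.example.org", CF_SUBJECT),
                      ("www.example.org", CF_SUBJECT),
                      ("blog.example.net", CF_SUBJECT),
                      ("mail.example.com", "C=US, O=Example Corp, CN=mail.example.com")]]

if __name__ == "__main__":
    for sni, n in triage(RULE, SAMPLE_EVE).items():
        print(f"{sni}: {n} flow(s) would alert on sid 2843255")
```

Pointing triage() at a day of real eve.json tls records before enabling a cert-subject rule shows how many distinct benign SNIs share the subject, which is the quickest way to spot a rule keyed on a CDN's shared certificate.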




From: Etpro-sigs <etpro-sigs-bounces at lists.emergingthreats.net> On Behalf Of Jack Mott
Sent: Friday, June 26, 2020 3:27 PM
To: Emerging Sigs <emerging-sigs at emergingthreats.net>; Emerging-updates redirect <emerging-updates at emergingthreats.net>; ETPro-sigs List <etpro-sigs at emergingthreatspro.com>
Subject: [Etpro-sigs] Daily Ruleset Update Summary 2020/06/26

 [***]            Summary:            [***]

3 new OPEN, 33 new PRO (3 + 30). IndigoDrop/Cobalt Strike, RCtrl Backdoor CnC, ToxicEye Stealer, Various SSL, VARIOUS PHISH.

TIIF.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030400 - ET TROJAN Possible IndigoDrop/Cobalt Strike Download (trojan.rules)
  2030401 - ET TROJAN RCtrl Backdoor CnC Checkin M1 (trojan.rules)
  2030402 - ET POLICY COCCOC Browser (VN) Installed (policy.rules)

Pro:

  2843202 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL 2020-06-26) (trojan.rules)
  2843203 - ETPRO TROJAN Observed Malicious SSL Cert (CobaltStrike CnC) (trojan.rules)
  2843204 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL 2020-06-26 2) (trojan.rules)
  2843205 - ETPRO TROJAN Malicious Encoded EXE Inbound (trojan.rules)
  2843206 - ETPRO TROJAN ToxicEye Stealer Checkin via Telegram (trojan.rules)
  2843207 - ETPRO TROJAN ToxicEye Stealer Command via Telegram (starting autostealer) (trojan.rules)
  2843208 - ETPRO TROJAN ToxicEye Stealer Command via Telegram (uploading file) (trojan.rules)
  2843209 - ETPRO TROJAN ToxicEye Stealer Credit Card Exfil via Telegram (trojan.rules)
  2843210 - ETPRO TROJAN ToxicEye Stealer Cookies Exfil via Telegram (trojan.rules)
  2843211 - ETPRO TROJAN ToxicEye Stealer Passwords Exfil via Telegram (trojan.rules)
  2843212 - ETPRO TROJAN Observed Malicious SSL Cert (Get2 CnC) (trojan.rules)
  2843213 - ETPRO TROJAN MSIL/Spy.Small.EU Variant exfil (firefoxpwd) (trojan.rules)
  2843216 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-06-26 (current_events.rules)
  2843217 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-06-26 (current_events.rules)
  2843218 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-06-26 (current_events.rules)
  2843219 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish 2020-06-26 (current_events.rules)
  2843220 - ETPRO CURRENT_EVENTS Successful China Mobile Phish 2020-06-26 (current_events.rules)
  2843221 - ETPRO CURRENT_EVENTS Successful Shaw Webmail Phish 2020-06-26 (current_events.rules)
  2843222 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2020-06-26 (current_events.rules)
  2843223 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-06-26 (current_events.rules)
  2843224 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-06-26 (current_events.rules)
  2843225 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-06-26 (current_events.rules)
  2843226 - ETPRO CURRENT_EVENTS Successful Office 365 Phish 2020-06-26 (current_events.rules)
  2843227 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-06-26 (current_events.rules)
  2843229 - ETPRO CURRENT_EVENTS Wells Fargo Phish 2020-06-26 (current_events.rules)
  2843228 - ETPRO TROJAN PawnBAT CnC Activity (getjob) (trojan.rules)
  2843230 - ETPRO TROJAN PawnBAT CnC Activity (active) (trojan.rules)
  2843201 - ETPRO TROJAN PawnBAT CnC Activity (trojan.rules)

[///]     Modified active rules:     [///]

  2821683 - ETPRO SCADA DNP3 Cold Restart (scada.rules)

[---]  Disabled and modified rules:  [---]

  2812204 - ETPRO TROJAN Nlex UDP CnC Beacon (trojan.rules)

[---]         Disabled rules:        [---]

  2812203 - ETPRO TROJAN Nlex TCP CnC Beacon (trojan.rules)