[Emerging-Sigs] Daily Ruleset Update Summary 2020/03/02

Jack Mott jmott at emergingthreats.net
Mon Mar 2 15:07:10 HST 2020


[***]            Summary:            [***]

 2 new Open, 33 new Pro (2 + 31). Ostap Maldoc, XAE Rat, Various
Mirai/Polaris, Win32/Cheetah Keylogger, and VARIOUS PHISHING

 Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback


[+++]          Added rules:          [+++]

 Open:

  2029553 - ET TROJAN MalDoc Retrieving Possible Ostap Payload
(trojan.rules)
  2029554 - ET USER_AGENTS Observed Suspicious UA (\xa4) (user_agents.rules)

Pro:

  2825123 - ETPRO INFO Suspicious Cookie Observed (bot) (info.rules)
  2841279 - ETPRO MALWARE Win32/OfferGate PUA Activity (malware.rules)
  2841280 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-02-28 1) (trojan.rules)
  2841281 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound)
(trojan.rules)
  2841282 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2841283 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound)
(trojan.rules)
  2841284 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2841285 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound)
(trojan.rules)
  2841286 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2841287 - ETPRO TROJAN ELF/Polaris User-Agent Observed (Outbound)
(trojan.rules)
  2841288 - ETPRO SCAN ELF/Polaris User-Agent Observed (Inbound)
(scan.rules)
  2841289 - ETPRO TROJAN XAE Rat CnC Host Checkin (trojan.rules)
  2841290 - ETPRO TROJAN XAE Rat CnC Requesting Command (trojan.rules)
  2841291 - ETPRO TROJAN Orcus Rat CnC Websocket Host Checkin (trojan.rules)
  2841292 - ETPRO CURRENT_EVENTS Successful Optimum Phish 2020-03-02
(current_events.rules)
  2841293 - ETPRO CURRENT_EVENTS Successful Firstbank Phish 2020-03-02
(current_events.rules)
  2841294 - ETPRO CURRENT_EVENTS Successful Telekom/Tmobile Phish
2020-03-02 (current_events.rules)
  2841295 - ETPRO CURRENT_EVENTS Successful USAA Phish 2020-03-02
(current_events.rules)
  2841296 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-03-02 (current_events.rules)
  2841297 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-03-02
(current_events.rules)
  2841298 - ETPRO CURRENT_EVENTS Successful Citibank Phish 2020-03-02
(current_events.rules)
  2841299 - ETPRO CURRENT_EVENTS Successful My3 Phish 2020-03-02
(current_events.rules)
  2841300 - ETPRO CURRENT_EVENTS Successful GMX Phish 2020-03-02
(current_events.rules)
  2841301 - ETPRO CURRENT_EVENTS Successful Adobe Phish 2020-03-02
(current_events.rules)
  2841302 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2020-03-02
(current_events.rules)
  2841303 - ETPRO TROJAN Win32/PSW.Agent.OIN Variant - Downloader Config in
Server Response (trojan.rules)
  2841304 - ETPRO TROJAN Win32/Remcos RAT Checkin 356 (trojan.rules)
  2841305 - ETPRO TROJAN Win32/Remcos RAT Checkin 357 (trojan.rules)
  2841307 - ETPRO TROJAN Win32/Cheetah Keylogger SMTP Password Exfil
(trojan.rules)
  2841308 - ETPRO TROJAN Win32/Cheetah Keylogger SMTP Victim Info Exfil
(trojan.rules)

 [///]     Modified active rules:     [///]

  2017261 - ET TROJAN SmokeLoader Checkin (trojan.rules)
  2020064 - ET TROJAN Dridex Post Check-in Activity (trojan.rules)
  2021278 - ET TROJAN Backdoor.Elise CnC Beacon 3 M2 (trojan.rules)
  2027405 - ET TROJAN Possible APT28 Xtunnel Activity (trojan.rules)
  2027808 - ET TROJAN Win32/Onliner Receiving Commands from CnC
(trojan.rules)
  2029540 - ET WEB_SPECIFIC_APPS Possible Attempted Microsoft Exchange RCE
(CVE-2020-0688) (web_specific_apps.rules)
  2821358 - ETPRO TROJAN AZORult Variant Checkin (trojan.rules)
  2823458 - ETPRO CURRENT_EVENTS RIG EK Flash Exploit Nov 25 2016
(current_events.rules)
  2824408 - ETPRO CURRENT_EVENTS PowerShell Empire Session Initial Activity
(current_events.rules)
  2824766 - ETPRO CURRENT_EVENTS EK Silverlight Exploit
(current_events.rules)
  2824828 - ETPRO TROJAN APT.Turla XPI CnC Beacon (trojan.rules)
  2824960 - ETPRO TROJAN MSIL/TrojanDownloader.Agent.CXG CnC Checkin
(trojan.rules)
  2824961 - ETPRO TROJAN MSIL/TrojanDownloader.Agent.CXG Data Exfil
(trojan.rules)
  2824971 - ETPRO TROJAN Fareit/Pony Variant CnC Beacon (trojan.rules)
  2824992 - ETPRO TROJAN Fake SSL CnC Beacon 3 (cipher suite) (trojan.rules)
  2824993 - ETPRO TROJAN Fake SSL CnC Beacon 4 (ec_point_formats)
(trojan.rules)
  2824994 - ETPRO TROJAN Fake SSL CnC Beacon 5 (renegotiation_info/blank
SNI ) (trojan.rules)
  2824995 - ETPRO TROJAN Fake SSL CnC Beacon 6 (Server Hello pre-packet)
(trojan.rules)
  2824996 - ETPRO TROJAN Fake SSL CnC Beacon 7 (compress_method/blank SNI)
(trojan.rules)
  2825029 - ETPRO TROJAN Win32/Filecoder.NJV CnC Activity (trojan.rules)
  2825063 - ETPRO TROJAN PowerShell Empire Request HTTP Pattern
(trojan.rules)
  2825191 - ETPRO TROJAN Win32/Clodcfd HTTP CnC Activity (trojan.rules)
  2825654 - ETPRO TROJAN MSIL/TrojanDropper.Agent.CYH CnC Checkin via MSSQL
1 (trojan.rules)
  2825655 - ETPRO TROJAN MSIL/TrojanDropper.Agent.CYH CnC Checkin via MSSQL
2 (trojan.rules)
  2825795 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.IC Login Exfil
(mobile_malware.rules)
  2825797 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.IC Login Exfil
2 (mobile_malware.rules)
  2825831 - ETPRO CURRENT_EVENTS RIG EK Landing Apr 04 2017
(current_events.rules)
  2825833 - ETPRO TROJAN Possible Win32/PSWTool.WebBrowserPassView.B
Download From Free Hosting Service (trojan.rules)
  2825834 - ETPRO MOBILE_MALWARE Android/SMForw.AC SMS Exfil
(mobile_malware.rules)
  2825835 - ETPRO MOBILE_MALWARE Android/Styricka.A CnC Beacon
(mobile_malware.rules)
  2825844 - ETPRO MOBILE_MALWARE Android/Agent.ST Checkin
(mobile_malware.rules)
  2825845 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.IT CnC Beacon
(mobile_malware.rules)
  2825846 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.IT CnC Beacon 2
(mobile_malware.rules)
  2825847 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.IT CnC Beacon 3
(mobile_malware.rules)
  2825918 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Fyec.bps CnC Beacon
(mobile_malware.rules)
  2825923 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.FY CnC Beacon
(mobile_malware.rules)
  2826229 - ETPRO TROJAN Possible TorrentLocker Connectivity Check 1
(trojan.rules)
  2826230 - ETPRO TROJAN Possible TorrentLocker Connectivity Check 2
(trojan.rules)
  2826231 - ETPRO TROJAN Possible TorrentLocker Connectivity Check 3
(trojan.rules)
  2826246 - ETPRO CURRENT_EVENTS Astrum EK Payload Callback May 03 2017
(current_events.rules)
  2826361 - ETPRO TROJAN AZORult Variant.2 Checkin m3 (trojan.rules)
  2826368 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.JZ SMS/Contact
Exfil (mobile_malware.rules)
  2826469 - ETPRO TROJAN PyCL/Fatboy Ransomware External IP Check
(trojan.rules)
  2826544 - ETPRO TROJAN Cyst Downloader Fake 404 (trojan.rules)
  2826589 - ETPRO TROJAN Win32/Neshta.A Download Request (trojan.rules)
  2826638 - ETPRO MALWARE Win32/TrojanDownloader.Banload Post Request
(malware.rules)
  2826799 - ETPRO TROJAN Win32/TrojanDownloader.Blocrypt Checkin 2
(trojan.rules)
  2826814 - ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.LP CnC Beacon
(mobile_malware.rules)
  2826822 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.e CnC Beacon 4
(mobile_malware.rules)
  2826926 - ETPRO TROJAN MSIL/Unk.BrowserModifier CnC Checkin (trojan.rules)
  2827147 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Jul 17
2017 (current_events.rules)
  2827462 - ETPRO TROJAN Win32.Agent.bjswlh CnC Beacon (trojan.rules)
  2827594 - ETPRO TROJAN Formbook Stealer Checkin (trojan.rules)
  2827604 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Sivu.h Checkin
(mobile_malware.rules)
  2827989 - ETPRO TROJAN Malicious Miner Downloading CoinMiner Binary M2
(trojan.rules)
  2828069 - ETPRO TROJAN Oiram CnC Beacon (trojan.rules)
  2828313 - ETPRO TROJAN MSIL/CoalaBot CnC Checkin M2 (trojan.rules)
  2840145 - ETPRO TROJAN PoshBastKey Stealer Browser Passwords Exfil
(trojan.rules)
  2840878 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-02-05 (current_events.rules)
  2841023 - ETPRO TROJAN Request for Malicious Packed EXE (trojan.rules)
  2841179 - ETPRO TROJAN Win32/Phorpiex.V CnC Activity M1 (trojan.rules)
  2841180 - ETPRO TROJAN Win32/Phorpiex.V CnC Activity M2 (trojan.rules)
  2841258 - ETPRO TROJAN LotusBlossom APT Sagerunex CnC Activity
(trojan.rules)

 [---]         Disabled rules:        [---]

  2828316 - ETPRO TROJAN Orz JavaScript Backdoor Sending Password to CnC
(trojan.rules)