[Emerging-Sigs] Lot's of FP's on 2841370

Matthew Clairmont (R* NYC) Matthew.Clairmont at rockstargames.com
Thu Mar 5 11:57:01 HST 2020


We're seeing the same. We've confirmed all 300+ hits to be iPhone traffic, with the commonality appearing to be news-oriented.

-----Original Message-----
From: Emerging-sigs <emerging-sigs-bounces at lists.emergingthreats.net> On Behalf Of emerging-sigs-request at lists.emergingthreats.net
Sent: Thursday, March 5, 2020 01:42 PM
To: emerging-sigs at lists.emergingthreats.net
Subject: Emerging-sigs Digest, Vol 148, Issue 4


Send Emerging-sigs mailing list submissions to
	emerging-sigs at lists.emergingthreats.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
or, via email, send a message with subject or body 'help' to
	emerging-sigs-request at lists.emergingthreats.net

You can reach the person managing the list at
	emerging-sigs-owner at lists.emergingthreats.net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Emerging-sigs digest..."


Today's Topics:

   1. Daily Ruleset Update Summary 2020/03/04 (Jack Mott)
   2. Lot's of FP's on 2841370 (James Lay)


----------------------------------------------------------------------

Message: 1
Date: Wed, 4 Mar 2020 17:28:50 -0700
From: Jack Mott <jmott at emergingthreats.net>
To: "emerging-sigs at emergingthreats.net"
	<emerging-sigs at emergingthreats.net>,  Emerging-updates redirect
	<emerging-updates at emergingthreats.net>,  Pro Subscriber Sig Discussion
	and Updates <etpro-sigs at emergingthreatspro.com>
Subject: [Emerging-Sigs] Daily Ruleset Update Summary 2020/03/04
Message-ID:
	<CAHHK96HdfJLReb+=059s6rsn=R8BUwETrhae7=a72NSxEFrspw at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

[***]            Summary:            [***]

 9 new Open, 60 new Pro (9 + 51). CROSSWALK, KimKitty, Win32/Neshta.A, MSIL/MumbaiLoader, Various Mirai, Win32/Presenoker, and VARIOUS PHISHING

 Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2024420 - ET INFO Request for .bin with BITS/ User-Agent (info.rules)
  2029568 - ET TROJAN Observed Malicious SSL Cert (Get2 CnC) (trojan.rules)
  2029569 - ET USER_AGENTS Observed Suspicious UA (easyhttp client) (user_agents.rules)
  2029570 - ET TROJAN CROSSWALK CnC Checkin (trojan.rules)
  2029571 - ET TROJAN Observed Malicious SSL Cert (MageCart) (trojan.rules)
  2029572 - ET TROJAN Observed Malicious SSL Cert (MageCart) (trojan.rules)
  2029573 - ET INFO EXE Downloaded from Github (info.rules)
  2029574 - ET MALWARE SharpExec EXE Lateral Movement Tool Downloaded (malware.rules)
  2029575 - ET POLICY External IP Lookup (avast .com) (policy.rules)

Pro:

  2841332 - ETPRO TROJAN MSIL/MumbaiLoader CnC Checkin (trojan.rules)
  2841333 - ETPRO TROJAN MSIL/MumbaLoader CnC Heartbeat (trojan.rules)
  2841334 - ETPRO TROJAN ELF/Mirai Variant CnC Checkin (trojan.rules)
  2841335 - ETPRO TROJAN ELF/Mirai Variant CnC Checkin (trojan.rules)
  2841336 - ETPRO TROJAN ELF/Mirai Variant CnC Checkin (trojan.rules)
  2841337 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-03-04 1) (trojan.rules)
  2841338 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-03-04 (current_events.rules)
  2841339 - ETPRO CURRENT_EVENTS Successful Novo Banco Phish 2020-03-04 (current_events.rules)
  2841340 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-03-04 (current_events.rules)
  2841341 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish 2020-03-04 (current_events.rules)
  2841342 - ETPRO CURRENT_EVENTS Successful AOL Phish 2020-03-04 (current_events.rules)
  2841343 - ETPRO CURRENT_EVENTS Successful Hotmail Phish 2020-03-04 (current_events.rules)
  2841344 - ETPRO CURRENT_EVENTS Successful Turkey.gov.tr Phish 2020-03-04 (current_events.rules)
  2841345 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-03-04 (current_events.rules)
  2841346 - ETPRO CURRENT_EVENTS Successful My3 Phish 2020-03-04 (current_events.rules)
  2841347 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-03-04 (current_events.rules)
  2841348 - ETPRO CURRENT_EVENTS Successful Umpqua Bank Phish 2020-03-04 (current_events.rules)
  2841349 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-03-04 (current_events.rules)
  2841350 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 (current_events.rules)
  2841351 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 (current_events.rules)
  2841352 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-03-04 (current_events.rules)
  2841353 - ETPRO TROJAN KimKitty CnC Activity (trojan.rules)
  2841354 - ETPRO CURRENT_EVENTS Successful ABSA Phish 2020-03-04 (current_events.rules)
  2841355 - ETPRO CURRENT_EVENTS Successful Alibaba Phish 2020-03-04 (current_events.rules)
  2841356 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-03-04 (current_events.rules)
  2841357 - ETPRO CURRENT_EVENTS Successful WeTranfser Phish 2020-03-04 (current_events.rules)
  2841358 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M1 (current_events.rules)
  2841359 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M2 (current_events.rules)
  2841360 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M3 (current_events.rules)
  2841361 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M4 (current_events.rules)
  2841362 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M5 (current_events.rules)
  2841363 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M6 (current_events.rules)
  2841364 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M7 (current_events.rules)
  2841365 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M8 (current_events.rules)
  2841366 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M9 (current_events.rules)
  2841367 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M10 (current_events.rules)
  2841368 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M11 (current_events.rules)
  2841369 - ETPRO TROJAN MSIL/Pterodo.AO Variant Host Checkin (trojan.rules)
  2841372 - ETPRO TROJAN Win32/Presenoker Variant Host Checkin (trojan.rules)
  2841373 - ETPRO CURRENT_EVENTS JS/Skimmer Inbound (Likely MageCart) (current_events.rules)
  2841374 - ETPRO TROJAN Win32/Neshta.A CnC Activity - Retrieving Settings (set) (trojan.rules)
  2841375 - ETPRO TROJAN Win32/Neshta.A CnC Activity - Retrieving Settings (trojan.rules)
  2841376 - ETPRO TROJAN Win32/Black.Gen2 CnC Activity (trojan.rules)
  2841377 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
  2841378 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2841379 - ETPRO TROJAN iNerino Loader Checkin (trojan.rules)
  2841380 - ETPRO TROJAN Win32/Remcos RAT Checkin 358 (trojan.rules)
  2841381 - ETPRO TROJAN Observed Malicious SSL Cert (AZORult CnC) 2020-03-04 (trojan.rules)

[///]     Modified active rules:     [///]

  2023576 - ET TROJAN Locky CnC Checkin Dec 5 M1 (trojan.rules)
  2023595 - ET TROJAN Trojan.Kwampirs Outbound GET request (trojan.rules)
  2023670 - ET INFO IE7UA No Cookie No Referer (info.rules)
  2023740 - ET TROJAN Possible Pony Payload DL (trojan.rules)
  2023816 - ET TROJAN WSF/JS Downloader Jan 30 2017 M1 (trojan.rules)
  2023916 - ET TROJAN APT28 Uploader Variant CnC Beacon (trojan.rules)
  2023951 - ET TROJAN MAGICHOUND.FETCH CnC Beacon (trojan.rules)
  2024041 - ET TROJAN Spora Ransomware Checkin (trojan.rules)
  2024048 - ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 (current_events.rules)
  2024049 - ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2 (current_events.rules)
  2024123 - ET MOBILE_MALWARE Android.C2P.Qd!c Ransomware CnC Beacon (mobile_malware.rules)
  2024508 - ET CURRENT_EVENTS Nemucod JS Downloader Aug 01 2017 (current_events.rules)
  2024765 - ET MOBILE_MALWARE Trojan-Banker.AndroidOS.RedAlert CnC Beacon (mobile_malware.rules)
  2024901 - ET TROJAN Trickbot Payload Request (trojan.rules)
  2024996 - ET WEB_CLIENT Google Chrome XSS (CVE-2017-5124) (web_client.rules)
  2025007 - ET TROJAN Powershell commands sent when remote host claims to send an image (trojan.rules)
  2025149 - ET POLICY IP Check (rl. ammyy. com) (policy.rules)
  2025283 - ET TROJAN Trojan-Dropper.Delf Checkin (trojan.rules)
  2025432 - ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12636) (exploit.rules)
  2025435 - ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12635) (exploit.rules)
  2025458 - ET TROJAN [PTsecurity] Win32/SocStealer.Socelars C2 Response (trojan.rules)
  2025459 - ET WEB_SPECIFIC_APPS Possible CVE-2013-2618 Attempt (PHP Weathermap Persistent XSS) (web_specific_apps.rules)
  2025465 - ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC (trojan.rules)
  2025545 - ET WEB_SPECIFIC_APPS DNN DNNPersonalization Cookie RCE Attempt (CVE-2017-9822) (web_specific_apps.rules)
  2025671 - ET CURRENT_EVENTS Suspicious Wordpress Redirect - Possible Phishing Landing Jan 7 2016 (current_events.rules)
  2025747 - ET WEB_SPECIFIC_APPS WordPress Plugin Pie Register SQL Injection (web_specific_apps.rules)
  2025820 - ET WEB_SPECIFIC_APPS GitList Argument Injection (web_specific_apps.rules)
  2026002 - ET TROJAN [PTsecurity] Tinba (Banking Trojan) Check-in (trojan.rules)
  2026435 - ET TROJAN Win32.YordanyanActiveAgent CnC Reporting (trojan.rules)
  2026517 - ET TROJAN Locky CnC Checkin (trojan.rules)
  2026882 - ET POLICY Observed External IP Lookup SSL Cert (policy.rules)
  2027075 - ET CURRENT_EVENTS Spelevo EK Post-Compromise Data Dump (current_events.rules)
  2027273 - ET TROJAN Baldr Stealer Checkin M2 (trojan.rules)
  2027380 - ET CURRENT_EVENTS Possible Router EK Landing Page Inbound 2019-05-24 (current_events.rules)
  2029009 - ET INFO Generic IOT Downloader Malware in POST (Outbound) (info.rules)
  2029011 - ET INFO Generic IOT Downloader Malware in POST (Inbound) (info.rules)
  2810099 - ETPRO TROJAN Chthonic CnC Beacon 7 (trojan.rules)
  2814068 - ETPRO TROJAN XCodeGhost Beacon (trojan.rules)
  2814103 - ETPRO TROJAN Spammer MSIL/Misnt.A GetList (trojan.rules)
  2814104 - ETPRO TROJAN Spammer MSIL/Misnt.A Get MX (trojan.rules)
  2814105 - ETPRO TROJAN Spammer MSIL/Misnt.A Spam Payload Download (trojan.rules)
  2814106 - ETPRO TROJAN Spammer MSIL/Misnt.A Fetching Spam List (trojan.rules)
  2814167 - ETPRO CURRENT_EVENTS Possible Nuclear EK Flash Exploit M2 (current_events.rules)
  2814203 - ETPRO MALWARE Adware.Win32/Bayads Activity (malware.rules)
  2814364 - ETPRO TROJAN Possible IIS Backdoor Receiving Commands via URI (trojan.rules)
  2814384 - ETPRO WEB_CLIENT APT SWC PluginDetect Landing Cookie Oct 14 2015 (web_client.rules)
  2814429 - ETPRO TROJAN Bergard CnC Beacon (trojan.rules)
  2815025 - ETPRO TROJAN Win32/Kitkiot.A Checkin (trojan.rules)

[---]         Disabled rules:        [---]

  2814131 - ETPRO TROJAN W32/Unknown.JP Checkin (trojan.rules)
  2814887 - ETPRO TROJAN Bookworm CnC Beacon 4 (trojan.rules)
  2815052 - ETPRO TROJAN Unknown PWS C2 (trojan.rules)
  2822970 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif CnC) (trojan.rules)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20200304/e4565ac8/attachment-0001.html>

------------------------------

Message: 2
Date: Thu, 05 Mar 2020 11:41:43 -0700
From: James Lay <jlay at slave-tothe-box.net>
To: emerging-sigs <emerging-sigs at emergingthreats.net>
Subject: [Emerging-Sigs] Lot's of FP's on 2841370
Message-ID: <121bdc6c660b9aeda07bef24ff3d4519 at slave-tothe-box.net>
Content-Type: text/plain; charset=US-ASCII; format=flowed

FYI:

User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148

James


------------------------------

Subject: Digest Footer

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


------------------------------

End of Emerging-sigs Digest, Vol 148, Issue 4
*********************************************