[Emerging-Sigs] Daily Ruleset Update Summary 2020/03/11

James Emery-Callcott jcallcott at emergingthreats.net
Wed Mar 11 17:24:03 HDT 2020


[***]            Summary:            [***]

  9 new Open, 32 new Pro (9 + 23).  MSIL/Firebird, ViperSoftX, Various
SSL/TLS, Various Phish, Others.

  Thanks @james_in_the_box.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2029606 - ET TROJAN MSIL/Firebird RAT CnC Checkin (trojan.rules)
  2029607 - ET TROJAN MalDoc Retrieving msiexec Commands via DNS TXT
(trojan.rules)
  2029608 - ET TROJAN ViperSoftX CnC Activity M1 (trojan.rules)
  2029609 - ET TROJAN ViperSoftX CnC Activity M2 (trojan.rules)
  2029610 - ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)
(trojan.rules)
  2029611 - ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)
(trojan.rules)
  2029612 - ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)
(trojan.rules)
  2029613 - ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)
(trojan.rules)
  2029614 - ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)
(trojan.rules)

Pro:

  2841457 - ETPRO INFO GET Request With Suspicious URL Parameters
(info.rules)
  2841458 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-03-11 1) (trojan.rules)
  2841459 - ETPRO CURRENT_EVENTS Successful America First Credit Union
Phish 2020-03-11 (current_events.rules)
  2841460 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-11
(current_events.rules)
  2841461 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-11
(current_events.rules)
  2841462 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-11
(current_events.rules)
  2841463 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-11
(current_events.rules)
  2841464 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-11
(current_events.rules)
  2841465 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-11
(current_events.rules)
  2841466 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04
(current_events.rules)
  2841467 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-11
(current_events.rules)
  2841468 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-11
(current_events.rules)
  2841469 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-11
(current_events.rules)
  2841470 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-11
(current_events.rules)
  2841471 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-11
(current_events.rules)
  2841472 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-11
(current_events.rules)
  2841473 - ETPRO CURRENT_EVENTS Successful Booking.com Phish 2020-03-11
(current_events.rules)
  2841474 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-03-11
(current_events.rules)
  2841475 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-03-11
(current_events.rules)
  2841476 - ETPRO CURRENT_EVENTS Successful Comerica Bank Phish 2020-03-11
(current_events.rules)
  2841477 - ETPRO CURRENT_EVENTS Possible Successful Generic Credit Card
Information Phish 2020-03-11 (current_events.rules)
  2841478 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (Various
Phish) (current_events.rules)
  2841481 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)

[///]     Modified active rules:     [///]

  2012657 - ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion
Attempt (web_specific_apps.rules)
  2012979 - ET WEB_SPECIFIC_APPS Possible ZOHO ManageEngine ADSelfService
Captcha Bypass Attempt (web_specific_apps.rules)
  2012981 - ET TROJAN Possible FakeAV Binary Download (Security)
(trojan.rules)
  2013416 - ET SCAN libwww-perl GET to // with specific HTTP header
ordering without libwww-perl User-Agent (scan.rules)
  2013757 - ET WEB_SPECIFIC_APPS iBrowser Plugin dir Parameter Cross Site
Scripting Attempt-1 (web_specific_apps.rules)
  2013792 - ET SCAN Apache mod_proxy Reverse Proxy Exposure 2 (scan.rules)
  2013870 - ET WEB_SPECIFIC_APPS Joomla component Simple File Lister sflDir
Parameter directory traversal attempt (web_specific_apps.rules)
  2013984 - ET WEB_SPECIFIC_APPS Zabbix popup.php SELECT FROM SQL
Injection Vulnerability (web_specific_apps.rules)
  2014081 - ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter INSERT INTO
SQL Injection Vulnerability (web_specific_apps.rules)
  2014153 - ET DOS High Orbit Ion Cannon (HOIC) Attack Inbound Generic
Detection Double Spaced UA (dos.rules)
  2014409 - ET TROJAN FakeAV.dfze/FakeAV!IK Checkin (trojan.rules)
  2014562 - ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98
(trojan.rules)
  2014611 - ET CURRENT_EVENTS TDS Sutra - cookie set RULEZ
(current_events.rules)
  2014612 - ET CURRENT_EVENTS TDS Sutra - cookie is set RULEZ
(current_events.rules)
  2014726 - ET POLICY Outdated Flash Version M1 (policy.rules)
  2015028 - ET TROJAN Cridex Post to CnC (trojan.rules)
  2015050 - ET TROJAN Generic - 8Char.JAR Naming Algorithm (trojan.rules)
  2826456 - ETPRO MOBILE_MALWARE Android/Agent.AKX Checkin 2
(mobile_malware.rules)
  2826620 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Rymner.f CnC
Beacon (mobile_malware.rules)
  2826626 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Boogr.gsh CnC Beacon 3
(mobile_malware.rules)
  2826633 - ETPRO CURRENT_EVENTS Possible ETERNALROCKS .Net Module Download
(current_events.rules)
  2826659 - ETPRO TROJAN APT19 Cobalt Strike Checkin (trojan.rules)
  2826677 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 9
(mobile_malware.rules)
  2826678 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 10
(mobile_malware.rules)
  2826716 - ETPRO MOBILE_MALWARE Trojan-Clicker.AndroidOS.Simpo.bq CnC
Beacon (mobile_malware.rules)
  2826717 - ETPRO MOBILE_MALWARE Trojan-Clicker.AndroidOS.Simpo.az CnC
Beacon (mobile_malware.rules)
  2826718 - ETPRO MOBILE_MALWARE Trojan-Clicker.AndroidOS.Simpo.az CnC
Beacon 2 (mobile_malware.rules)
  2841131 - ETPRO CURRENT_EVENTS Successful Sharefile Phish 2020-02-20
(current_events.rules)
  2841358 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M1
(current_events.rules)
  2841359 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M2
(current_events.rules)
  2841360 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M3
(current_events.rules)
  2841361 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M4
(current_events.rules)
  2841362 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M5
(current_events.rules)
  2841363 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M6
(current_events.rules)
  2841364 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M7
(current_events.rules)
  2841365 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M8
(current_events.rules)
  2841366 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M9
(current_events.rules)
  2841367 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M10
(current_events.rules)
  2841368 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-04 M11
(current_events.rules)
  2841436 - ETPRO TROJAN RedLine - GetSettings Response (trojan.rules)
  2841437 - ETPRO TROJAN RedLine - GetTasks Response (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2012454 - ET MOBILE_MALWARE Android Trojan Fake10086 checkin 1
(mobile_malware.rules)
  2014913 - ET CURRENT_EVENTS NuclearPack - JAR Naming Algorithm
(current_events.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team