[Emerging-Sigs] Daily Ruleset Update Summary 2020/03/18

Jason Williams jwilliams at emergingthreats.net
Wed Mar 18 13:45:48 HDT 2020


[***]            Summary:            [***]

  5 new Open, 40 new Pro (5 + 35). MZRevenge, Polaris Botnet, Various
Reversed Strings, Various Phish.

  Tks @PTSecurity

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

 Open:

  2029634 - ET INFO Suspected Malicious Telegram Communication (POST)
(info.rules)
  2029644 - ET MALWARE [PTsecurity] MZRevenge Ransomware Server Response
(malware.rules)
  2029645 - ET SCAN Polaris Botnet User-Agent (Inbound) (scan.rules)
  2029646 - ET TROJAN Polaris Botnet User-Agent (Outbound) (trojan.rules)
  2029647 - ET TROJAN MZRevenge Ransomware CnC (trojan.rules)

 Pro:

  2841555 - ETPRO INFO Observed Suspicious Reversed String Inbound
(DeleteFile) (info.rules)
  2841556 - ETPRO TROJAN Observed Suspicious Reversed String Inbound
(obshell.run) (trojan.rules)
  2841557 - ETPRO INFO Observed Suspicious Reversed String Inbound
(objFile.Write) (info.rules)
  2841558 - ETPRO TROJAN Observed Suspicious Reversed String Inbound
(Winmgmts:/) (trojan.rules)
  2841559 - ETPRO TROJAN Observed Suspicious Reversed String Inbound
(cmd.exe /C) (trojan.rules)
  2841560 - ETPRO INFO Observed Suspicious Reversed String Inbound
(CreateTextFile) (info.rules)
  2841561 - ETPRO INFO Observed Suspicious Reversed String Inbound
(FileSystemObject) (info.rules)
  2841562 - ETPRO INFO Observed Suspicious Reversed String Inbound
(ExpandEnvironmentStrings) (info.rules)
  2841563 - ETPRO TROJAN Observed Suspicious Reversed String Inbound
(Wscript.Shell) (trojan.rules)
  2841564 - ETPRO INFO Observed Suspicious Reversed String Inbound
(ProgramData) (info.rules)
  2841565 - ETPRO INFO Observed Suspicious Reversed String Inbound
(Microsoft) (info.rules)
  2841566 - ETPRO TROJAN Observed Suspicious Reversed String Inbound
(WScript.CreateObject) (trojan.rules)
  2841567 - ETPRO INFO Observed Suspicious Reversed String Inbound
(Scripting.FileSystemObject) (info.rules)
  2841568 - ETPRO TROJAN Observed Suspicious Reversed String Inbound
(Shell.Application) (trojan.rules)
  2841569 - ETPRO TROJAN Observed Suspicious Reversed String Inbound
(objWMIService.ExecQuery) (trojan.rules)
  2841570 - ETPRO INFO Observed Suspicious Reversed String Inbound
(StrReverse) (info.rules)
  2841571 - ETPRO INFO Observed Suspicious Reversed String Inbound
(Microsoft.XMLHTTP) (info.rules)
  2841572 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-03-18 1) (trojan.rules)
  2841573 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-03-18 2) (trojan.rules)
  2841574 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish
2020-03-18 (current_events.rules)
  2841575 - ETPRO CURRENT_EVENTS Successful Whatsapp Phish 2020-03-18
(current_events.rules)
  2841576 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish
2020-03-18 (current_events.rules)
  2841577 - ETPRO CURRENT_EVENTS Successful DCU Phish 2020-03-18
(current_events.rules)
  2841578 - ETPRO CURRENT_EVENTS Successful DCU Phish 2020-03-18
(current_events.rules)
  2841579 - ETPRO CURRENT_EVENTS Successful DCU Phish 2020-03-18
(current_events.rules)
  2841580 - ETPRO CURRENT_EVENTS Successful BNP Paribas Phish 2020-03-18
(current_events.rules)
  2841581 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-03-18
(current_events.rules)
  2841582 - ETPRO CURRENT_EVENTS Successful Sharepoint Phish 2020-03-18
(current_events.rules)
  2841583 - ETPRO CURRENT_EVENTS Successful Telekom/Tmobile Phish
2020-03-18 (current_events.rules)
  2841584 - ETPRO CURRENT_EVENTS Successful Citibank Phish 2020-03-18
(current_events.rules)
  2841585 - ETPRO CURRENT_EVENTS Successful NAB Phish 2020-03-18
(current_events.rules)
  2841586 - ETPRO CURRENT_EVENTS Successful ING Phish 2020-03-18
(current_events.rules)
  2841587 - ETPRO CURRENT_EVENTS Successful Stripe Phish 2020-03-18
(current_events.rules)
  2841588 - ETPRO TROJAN Fake Teamviewer CnC Host Checkin (trojan.rules)
  2841592 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)
(trojan.rules)

 [///]     Modified active rules:     [///]

  2829455 - ETPRO MOBILE_MALWARE Android/Agent.IW SMS Exfil
(mobile_malware.rules)
  2829588 - ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.TF Checkin
(mobile_malware.rules)
  2829886 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.Dnotua.olg Checkin
(mobile_malware.rules)
  2829888 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.cx Checkin
(mobile_malware.rules)
  2829899 - ETPRO MOBILE_MALWARE SMS-Flooder.AndroidOS.Agent.l CnC Beacon
(mobile_malware.rules)
  2830033 - ETPRO TROJAN Win32/Agent.xxxyeb Connectivity Check
(trojan.rules)
  2830040 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.BHH Checkin
(mobile_malware.rules)
  2830045 - ETPRO MOBILE_MALWARE Android/Inmobi.D Checkin 2
(mobile_malware.rules)
  2830078 - ETPRO POLICY Android Bitcoin Wallet CnC Beacon (policy.rules)
  2830249 - ETPRO TROJAN MSIL/SocketPlayer RAT Receiving Screenshot Command
(trojan.rules)
  2830303 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.w Checkin
(mobile_malware.rules)
  2830305 - ETPRO MOBILE_MALWARE Android.Trojan.SLocker.PN Checkin
(mobile_malware.rules)
  2830307 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.dm Checkin 2
(mobile_malware.rules)
  2830513 - ETPRO MOBILE_MALWARE Android Trojan-Spy EmSeven Device Info
Exfil (mobile_malware.rules)
  2830515 - ETPRO MOBILE_MALWARE Android Trojan-Spy EmSeven Location Exfil
(mobile_malware.rules)
  2830516 - ETPRO MOBILE_MALWARE Android Trojan-Spy EmSeven SMS Exfil
(mobile_malware.rules)
  2830535 - ETPRO MOBILE_MALWARE Android Trojan-Spy Simpkol Call Log Exfil
(mobile_malware.rules)
  2830686 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.ZooPark Checkin
(mobile_malware.rules)
  2830727 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Wifle.A CallLog/SMS Exfil
(mobile_malware.rules)
  2830868 - ETPRO MOBILE_MALWARE Android/Monitor.SpyHuman Checkin
(mobile_malware.rules)
  2830870 - ETPRO MOBILE_MALWARE Android-Trojan/Downloader.907ce CnC Beacon
(mobile_malware.rules)
  2830925 - ETPRO WEB_CLIENT Tech Support Phone Scam Landing M1 - May 20
2018 (web_client.rules)
  2830996 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.pf CnC Beacon
(mobile_malware.rules)

 [---]         Removed rules:         [---]

  2029634 - ET TROJAN Suspected Malicious Telegram Communication (POST)
(trojan.rules)
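As an added illustration (this is not code from the ruleset post and not the ETPRO rules themselves), the "Observed Suspicious Reversed String Inbound" entries above all look for the same evasion: script obfuscated with StrReverse carries tokens such as "Wscript.Shell" backwards ("llehS.tpircsW") so that a plain string match misses them. The following Python reproduces that check over a constructed VBScript fragment. The token lists are taken from the rule titles above; the split into TROJAN and INFO severities follows the rule categories; the case-insensitive matching, the function names and the sample payload are assumptions made for the example.

```python
"""Detect StrReverse-style obfuscated script tokens (added example)."""
import re
from typing import List, Pattern, Tuple

# Tokens from the ETPRO "Observed Suspicious Reversed String Inbound" rule
# titles, grouped by the category the rule was filed under.
TROJAN_TOKENS = [
    "obshell.run",
    "Winmgmts:/",
    "cmd.exe /C",
    "Wscript.Shell",
    "WScript.CreateObject",
    "Shell.Application",
    "objWMIService.ExecQuery",
]
INFO_TOKENS = [
    "DeleteFile",
    "objFile.Write",
    "CreateTextFile",
    "FileSystemObject",
    "ExpandEnvironmentStrings",
    "ProgramData",
    "Microsoft",
    "Scripting.FileSystemObject",
    "StrReverse",
    "Microsoft.XMLHTTP",
]

# Constructed sample: an HTTP response body carrying obfuscated VBScript.
SAMPLE_PAYLOAD = (
    'Set o = CreateObject(StrReverse("llehS.tpircsW"))\r\n'
    'o.Run StrReverse("C/ exe.dmc") & " whoami", 0, True\r\n'
)


def reversed_pattern(tokens: List[str]) -> Pattern[str]:
    """Build one regex matching the reversed form of every token.

    Longest alternatives go first so that the reversed
    "Scripting.FileSystemObject" is reported once rather than as
    "FileSystemObject" plus a stray prefix. Case-insensitive matching
    is an assumption (content rules for script tokens are commonly
    written nocase).
    """
    alternatives = sorted((t[::-1] for t in tokens), key=len, reverse=True)
    return re.compile("|".join(re.escape(a) for a in alternatives), re.IGNORECASE)


_PATTERNS = (
    ("TROJAN", reversed_pattern(TROJAN_TOKENS)),
    ("INFO", reversed_pattern(INFO_TOKENS)),
)


def scan(payload: str) -> List[Tuple[str, str, int]]:
    """Return (severity, original_token, offset) for every reversed token.

    original_token is the matched text turned back around, so an analyst
    sees "Wscript.Shell" rather than "llehS.tpircsW". Results are sorted by
    offset in the payload.
    """
    hits = []
    for severity, pattern in _PATTERNS:
        for match in pattern.finditer(payload):
            hits.append((severity, match.group(0)[::-1], match.start()))
    return sorted(hits, key=lambda hit: hit[2])


def verdict(hits: List[Tuple[str, str, int]]) -> str:
    """Collapse hits to the highest category seen: TROJAN, INFO or CLEAN."""
    if any(h[0] == "TROJAN" for h in hits):
        return "TROJAN"
    if hits:
        return "INFO"
    return "CLEAN"


if __name__ == "__main__":
    found = scan(SAMPLE_PAYLOAD)
    for severity, token, offset in found:
        print(f"{severity:6} offset={offset:4} token={token!r}")
    print("verdict:", verdict(found))
```

Note that the forward (unreversed) tokens are deliberately not matched here: plain "Scripting.FileSystemObject" in a page is ordinary, and the INFO-category tokens ("Microsoft", "ProgramData") are common enough even in reversed form that, as in the rule categories above, they are a signal to correlate rather than an alert on their own.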