[Emerging-Sigs] Daily Ruleset Update Summary 2020/05/05

James Emery-Callcott jcallcott at emergingthreats.net
Tue May 5 13:42:18 HDT 2020


[***]            Summary:            [***]

  10 new Open, 40 new Pro (10 + 30).  Nazar, nspps Backdoor, Various
Exploits, Various Phish, Others.

  Please be aware that after the deprecation of our Suricata 2/3 support
(April 15th 2020), the path for downloading the last pushed production
Suricata 2/3 rulesets have changed.  Deprecated rulesets are available at
https://rules.emergingthreatspro.com/OINK/old for ETPro and
https://rules.emergingthreatspro.com/open/old/ for ETOpen.  All requests
for the Suricata 2/3 at their previous locations will now lead to the
Suricata 4.0 production rules for ETPro and the rule download instructions
for ETOpen.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030101 - ET TROJAN Observed Malicious SSL Cert (Lazarus APT MalDoc DL
2020-05-05) (trojan.rules)
  2030102 - ET EXPLOIT NEC SL2100 - Session Enumeration Attempt
(exploit.rules)
  2030103 - ET EXPLOIT Image Manager 5.2.4 - RCE Attempt (exploit.rules)
  2030104 - ET MALWARE Nazar Implant - Sending Ping Response to CnC
(malware.rules)
  2030105 - ET TROJAN Nazar Implant - Sending Basic System Info to CnC
(trojan.rules)
  2030106 - ET EXPLOIT BlogEngine 3.3 - syndication.axd XXE Injection
Attempt (exploit.rules)
  2030107 - ET EXPLOIT Online Scheduling System 1.0 - Authentication Bypass
Attempt (exploit.rules)
  2030108 - ET TROJAN nspps Backdoor CnC Activity (trojan.rules)
  2030109 - ET TROJAN nspps Backdoor - Sending SOCKS Details (trojan.rules)
  2030110 - ET TROJAN nspps Backdoor - Task Response (trojan.rules)

Pro:

  2842384 - ETPRO TROJAN Win32/Wacatac.D!ml Variant CnC Activity
(trojan.rules)
  2842385 - ETPRO TROJAN ELF/Lady.K Variant CnC Activity (trojan.rules)
  2842386 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-05 1) (trojan.rules)
  2842387 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-05 2) (trojan.rules)
  2842388 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-05 3) (trojan.rules)
  2842389 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-05 4) (trojan.rules)
  2842390 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish
2020-05-05 (current_events.rules)
  2842391 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish
2020-05-05 (current_events.rules)
  2842392 - ETPRO TROJAN Win32/Agent.TCF Variant CnC Host Checkin
(trojan.rules)
  2842393 - ETPRO CURRENT_EVENTS Successful Casas Bahia Phish 2020-05-05
(current_events.rules)
  2842394 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-05-05
(current_events.rules)
  2842395 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-05-05
(current_events.rules)
  2842396 - ETPRO TROJAN xRAT CnC Domain in DNS Query (trojan.rules)
  2842397 - ETPRO TROJAN Win32/Downloader.Paph CnC Checkin (trojan.rules)
  2842398 - ETPRO TROJAN Win32/Remcos RAT Checkin 416 (trojan.rules)
  2842399 - ETPRO TROJAN Win32/Remcos RAT Checkin 417 (trojan.rules)
  2842400 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842401 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842402 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842403 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842404 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842405 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842406 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842407 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842408 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842409 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842410 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842411 - ETPRO TROJAN Suspected MEDUSA RAT CnC Response (trojan.rules)
  2842412 - ETPRO TROJAN Win32/Unk.Downloader.BR Activity (trojan.rules)
  2842413 - ETPRO TROJAN Win32/Unk.Stealer.BR System Info POST
(trojan.rules)

[///]     Modified active rules:     [///]

  2007994 - ET INFO Suspicious User-Agent (1 space) (info.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20200505/56cc2405/attachment.html>


More information about the Emerging-sigs mailing list