[Emerging-Sigs] Daily Ruleset Update Summary 2020/05/08

Jason Williams jwilliams at emergingthreats.net
Fri May 8 12:50:14 HDT 2020


[***]            Summary:            [***]

  11 Open, 35 Pro (11 + 24). Maze Ransomware, CVE-2020-2551, IcedID,
Various Phish, Suricata 5 Rule Updates.

  Please be aware that after the deprecation of our Suricata 2/3 support
(April 15th 2020), the path for downloading the last pushed production
Suricata 2/3 rulesets have changed.  Deprecated rulesets are available at
https://rules.emergingthreatspro.com/OINK/old for ETPro and
https://rules.emergingthreatspro.com/open/old/ for ETOpen.  All requests
for the Suricata 2/3 at their previous locations will now lead to the
Suricata 4.0 production rules for ETPro and the rule download instructions
for ETOpen.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

 [+++]          Added rules:          [+++]

 Open:

  2030128 - ET EXPLOIT Possible Oracle WebLogic CVE-2020-2551 Scanning
(exploit.rules)
  2030129 - ET POLICY External Oracle T3 Requests Inbound (policy.rules)
  2030130 - ET POLICY Oracle T3 Response with CVE-2020-2551 Vulnerable
Version (12.2.1) (policy.rules)
  2030131 - ET POLICY Oracle T3 Response with CVE-2020-2551 Vulnerable
Version (10.3.6) (policy.rules)
  2030132 - ET POLICY Oracle T3 Response with CVE-2020-2551 Vulnerable
Version (12.1.3) (policy.rules)
  2030133 - ET TROJAN MAZE Ransomware Payment Domain in DNS Lookup
(trojan.rules)
  2030134 - ET TROJAN MAZE Ransomware Payment Domain DNS Lookup
(trojan.rules)
  2030135 - ET POLICY MAZE Ransomware Victim Publishing Site DNS Lookup
(policy.rules)
  2030136 - ET POLICY MAZE Ransomware Victim Publishing Site DNS Lookup
(policy.rules)
  2030137 - ET POLICY External IP Lookup (ipchicken .com) (policy.rules)
  2030138 - ET POLICY ipchicken .com DNS Lookup (policy.rules)

 Pro:

  2842453 - ETPRO TROJAN ELF/Gafygt Variant CnC Activity Inbound
(trojan.rules)
  2842454 - ETPRO TROJAN ELF/Gafygt Variant CnC Scanner Status Inbound
(trojan.rules)
  2842455 - ETPRO TROJAN Win64/Spy.Agent.CB CnC Activity (trojan.rules)
  2842456 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-08 1) (trojan.rules)
  2842457 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-08 2) (trojan.rules)
  2842458 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-08 3) (trojan.rules)
  2842459 - ETPRO CURRENT_EVENTS Successful Generic Banking Information
Phish 2020-05-08 (current_events.rules)
  2842460 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
  2842461 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
  2842462 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
  2842463 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
  2842464 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
  2842465 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
  2842466 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
  2842467 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
  2842468 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-05-08
(current_events.rules)
  2842469 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-05-08 (current_events.rules)
  2842470 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
  2842471 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
  2842472 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-08 (current_events.rules)
  2842473 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842474 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842475 - ETPRO TROJAN Win32/Remcos RAT Checkin 421 (trojan.rules)
  2842476 - ETPRO TROJAN Win32/Remcos RAT Checkin 422 (trojan.rules)

 [///]     Modified active rules:     [///]

  2014207 - ET WEB_CLIENT Likely MS12-004 midiOutPlayNextPolyEvent Heap
Overflow Midi Filename Requested baby.mid (web_client.rules)
  2014289 - ET INFO HTTP Request to a 3322.org.cn Domain (info.rules)
  2014752 - ET TROJAN Win32.HLLW.Autoruner USA_Load UA (trojan.rules)
  2014822 - ET TROJAN Possible SKyWIper/Win32.Flame POST (trojan.rules)
  2015512 - ET TROJAN Urlzone/Bebloh/Bublik Checkin /was/vas.php
(trojan.rules)
  2015780 - ET TROJAN Zbot UA (trojan.rules)
  2015850 - ET TROJAN Georgian Targeted Attack - Trojan Checkin
(trojan.rules)
  2015984 - ET WEB_SERVER Joomla Component SQLi Attempt (web_server.rules)
  2016033 - ET SCAN Simple Slowloris Flooder (scan.rules)
  2016186 - ET TROJAN W32/Tobfy.Ransomware CnC Request - status.php
(trojan.rules)
  2016187 - ET TROJAN W32/Tobfy.Ransomware Invalid URI CnC Request -
 (trojan.rules)
  2016212 - ET TROJAN BroBot POST (trojan.rules)
  2016305 - ET WEB_SERVER Ruby on Rails CVE-2013-0333 Attempt
(web_server.rules)
  2016475 - ET TROJAN CommentCrew downloader without user-agent string exe
download without User Agent (trojan.rules)
  2016487 - ET TROJAN CommentCrew Possible APT backdoor download logo.png
(trojan.rules)
  2017895 - ET TROJAN Kuluoz/Asprox Activity (trojan.rules)
  2018184 - ET TROJAN Zeus.Downloader Campaign Second Stage Executable
Request (trojan.rules)
  2018385 - ET TROJAN Zeus.Downloader Campaign Second Stage Executable
Request 10/4/2014 (trojan.rules)
  2018413 - ET TROJAN Probable OneLouder downloader (Zeus P2P)
(trojan.rules)
  2019074 - ET TROJAN Vawtrak/NeverQuest Posting Data (trojan.rules)
  2019197 - ET TROJAN NewPosThings Checkin (trojan.rules)
  2019198 - ET TROJAN NewPosThings Data Exfiltration (trojan.rules)
  2019199 - ET TROJAN NewPosThings POST with Fake UA and Accept Header
(trojan.rules)
  2019212 - ET TROJAN Bossabot DDoS tool RFI attempt (trojan.rules)
  2100977 - GPL EXPLOIT .cnf access (exploit.rules)
  2804562 - ETPRO TROJAN Trojan.Generic.KDV.199860 download (trojan.rules)
  2804736 - ETPRO TROJAN Rogue.Win32/FakePAV Checkin (trojan.rules)
  2804745 - ETPRO TROJAN Win32/Alureon.V exe download 2 (trojan.rules)
  2806414 - ETPRO TROJAN FakeAV-BT Checkin (trojan.rules)
  2807450 - ETPRO MOBILE_MALWARE PUP Android/SMSAgent.F
(mobile_malware.rules)
  2808810 - ETPRO TROJAN Win32/LightMoon variant C2 (trojan.rules)
  2808821 - ETPRO TROJAN Win32.IRCBot Variant C2 (trojan.rules)
  2808826 - ETPRO TROJAN Win32/Regitry Checkin (trojan.rules)
  2808828 - ETPRO WEB_SPECIFIC_APPS HttpFileServer 2.3.x Remote Command
Execution (web_specific_apps.rules)
  2808831 - ETPRO WEB_SPECIFIC_APPS ALCASAR up to 2.8.1 RCE Vulnerabily
being exploited (web_specific_apps.rules)
  2808836 - ETPRO TROJAN suspicious User-Agent (payloadworking)
(trojan.rules)
  2808837 - ETPRO TROJAN Troj/BadCab CnC (trojan.rules)
  2808848 - ETPRO TROJAN Win32/Sefnit.R Checkin (trojan.rules)
  2808849 - ETPRO TROJAN Win32.CFPass.dcb Checkin (trojan.rules)
  2808851 - ETPRO TROJAN Win32/Spy.Rehtesyk.A Checkin 1 (trojan.rules)
  2808852 - ETPRO TROJAN Win32/Spy.Rehtesyk.A Checkin 2 (trojan.rules)
  2808856 - ETPRO WEB_SPECIFIC_APPS Possible UFONet DDoS Participation
(web_specific_apps.rules)
  2808863 - ETPRO TROJAN TROJAN Win32/Seey.A Checkin (trojan.rules)
  2808865 - ETPRO TROJAN TROJAN Win32/Seey.A User-Agent (trojan.rules)
  2808866 - ETPRO TROJAN TROJAN Win32/Seey.A Checkin 2 (trojan.rules)
  2808876 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.u Checkin 4
(mobile_malware.rules)
  2808883 - ETPRO MOBILE_MALWARE Android.Trojan.AutoSMS.BF Checkin 2
(mobile_malware.rules)
  2838512 - ETPRO MOBILE_MALWARE Android Trickbot 2fa app Checkin
(mobile_malware.rules)

 [---]  Disabled and modified rules:  [---]

  2808891 - ETPRO MOBILE_MALWARE AndroidOS/Agent.EJ Checkin
(mobile_malware.rules)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20200508/3fa9fdbf/attachment.html>


More information about the Emerging-sigs mailing list