[Emerging-Sigs] Daily Ruleset Update Summary 2020/05/18

Brandon Murphy bmurphy at emergingthreats.net
Mon May 18 13:46:45 HDT 2020


[***]            Summary:            [***]

10 new OPEN, 36 new PRO (10 + 26). Win32/Ramsay, Parallax, Win32/Agent.XUY,
Various Phish

Thanks: @petrovic082.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

2030171 - ET TROJAN AgentTesla Exfil Via SMTP (trojan.rules)
2030172 - ET CURRENT_EVENTS Possible Successful Phish to NOIP DynDNS Domain (current_events.rules)
2030173 - ET CURRENT_EVENTS Possible Successful Phish to ChangeIP Dynamic DNS Domain (current_events.rules)
2030174 - ET CURRENT_EVENTS Possible Successful Phish to Afraid.org Top 100 Dynamic DNS Domain (current_events.rules)
2030176 - ET TROJAN Win32/Ramsay CnC Checkin (trojan.rules)
2030177 - ET TROJAN Win32/Ramsay CnC Domain in DNS Query (trojan.rules)
2030178 - ET TROJAN Win32/Ramsay CnC Domain in DNS Query (trojan.rules)
2030179 - ET TROJAN Observed Win32/DecryptStealer Exfil Domain (geroipanel.site in TLS SNI) (trojan.rules)
2030180 - ET TROJAN Parallax CnC Activity M10 (set) (trojan.rules)
2030181 - ET TROJAN Parallax CnC Response Activity M10 (trojan.rules)

Pro:

2842610 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-16 1) (trojan.rules)
2842611 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-05-18 (current_events.rules)
2842612 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish 2020-05-18 (current_events.rules)
2842613 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-05-18 (current_events.rules)
2842614 - ETPRO CURRENT_EVENTS Successful Whatsapp Phish 2020-05-18 (current_events.rules)
2842615 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-05-18 (current_events.rules)
2842616 - ETPRO TROJAN W32/Unk.Downloader CnC Host Checkin (trojan.rules)
2842617 - ETPRO TROJAN Win32/Agent.XUY CnC Host Checkin (trojan.rules)
2842618 - ETPRO TROJAN Parallax CnC Activity (set) M11 (trojan.rules)
2842619 - ETPRO TROJAN Parallax CnC Response Activity M11 (trojan.rules)
2842620 - ETPRO TROJAN Win32/Delf.TTL Variant CnC Checkin (trojan.rules)
2842621 - ETPRO POLICY PearsonVUE SecureBrowser SSL/TLS Cert Inbound (policy.rules)
2842622 - ETPRO POLICY PearsonVUE SecureBrowser Checkin (policy.rules)
2842623 - ETPRO TROJAN Win32/Remcos RAT Checkin 426 (trojan.rules)
2842624 - ETPRO TROJAN Win32/Remcos RAT Checkin 427 (trojan.rules)
2842625 - ETPRO TROJAN Win32/Remcos RAT Checkin 428 (trojan.rules)
2842626 - ETPRO TROJAN Win32/Remcos RAT Checkin 429 (trojan.rules)
2842627 - ETPRO TROJAN Win32/Remcos RAT Checkin 430 (trojan.rules)
2842628 - ETPRO TROJAN Win32/Remcos RAT Checkin 431 (trojan.rules)
2842629 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842630 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842631 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2842632 - ETPRO TROJAN Observed Ursnif CnC Domain in TLS SNI (trojan.rules)
2842633 - ETPRO TROJAN Suspected Raccoon Stealer Telegram CnC (trojan.rules)
2842634 - ETPRO TROJAN MalDoc Retreving Payload 2020-05-18 (trojan.rules)
2842635 - ETPRO TROJAN MalDoc Retrieving Payload 2020-05-18 (trojan.rules)

[---]         Removed rules:         [---]

2030167 - ET EXPLOIT Possible Netlink XPON 1GE Remote Command Execution Attempt (exploit.rules)