[Emerging-Sigs] Daily Ruleset Update Summary 2020/05/21

Brandon Murphy bmurphy at emergingthreats.net
Thu May 21 13:24:55 HDT 2020


[***]            Summary:            [***]

7 new OPEN, 25 new PRO (7 + 18). Multiple QNAP PhotoStation Exploit
Attempts, SystemdMiner, Various CoinMiner and Phish.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

2030198 - ET SCAN ELF/Mirai Variant User-Agent (Inbound) (scan.rules)
2030199 - ET TROJAN ELF/Mirai Variant User-Agent (Outbound) (trojan.rules)
2030200 - ET TROJAN SystemdMiner CnC Activity (trojan.rules)
2030201 - ET EXPLOIT QNAP PhotoStation Privilege Escalation Attempt M1
(encrypted token) (exploit.rules)
2030202 - ET EXPLOIT QNAP PhotoStation Pre-Auth Local File Disclosure
Attempt (exploit.rules)
2030203 - ET EXPLOIT QNAP PhotoStation Privilege Escalation Attempt M2
(plaintext token) (exploit.rules)
2030204 - ET EXPLOIT QNAP PhotoStation Authenticated Session Tampering
Attempt (exploit.rules)

Pro:

2842669 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-21 1) (trojan.rules)
2842670 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-21 2) (trojan.rules)
2842671 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish 2020-05-21
(current_events.rules)
2842672 - ETPRO CURRENT_EVENTS Successful Linkedin Phish 2020-05-21
(current_events.rules)
2842673 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-05-21
(current_events.rules)
2842674 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-05-21
(current_events.rules)
2842675 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-05-21
(current_events.rules)
2842676 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-05-21
(current_events.rules)
2842677 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-05-21
(current_events.rules)
2842678 - ETPRO CURRENT_EVENTS Successful Impots FR Phish 2020-05-21
(current_events.rules)
2842679 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-21 (current_events.rules)
2842680 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2020-05-21
(current_events.rules)
2842681 - ETPRO CURRENT_EVENTS Successful Bancolumbia Phish 2020-05-21
(current_events.rules)
2842682 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-21 (current_events.rules)
2842683 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-21 (current_events.rules)
2842684 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-05-21 (current_events.rules)
2842685 - ETPRO TROJAN Win32/Injector.AKNL Variant CnC Activity
(trojan.rules)
2842686 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)

[///]     Modified active rules:     [///]

2003062 - ET MALWARE 180 Solutions (Zango Installer) User Agent
(malware.rules)
2010067 - ET POLICY Data POST to an image file (jpg) (policy.rules)
2012326 - ET WEB_CLIENT Obfuscated Javascript // ptth (escaped)
(web_client.rules)
2015744 - ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
(info.rules)
2018055 - ET TROJAN Upatre Binary Download Jan 02 2014 (trojan.rules)
2018567 - ET TROJAN Hangover related campaign Response (trojan.rules)
2020348 - ET TROJAN BePush/Kilim Checkin (trojan.rules)
2020801 - ET TROJAN Skyfall fake Skype install link (trojan.rules)
2020804 - ET POLICY Remote Access - RView - Host - *.rview.com
(policy.rules)
2020810 - ET TROJAN Volatile Cedar Win32.Explosive Fake User-Agent
(trojan.rules)
2020812 - ET TROJAN Volatile Cedar Win32.Explosive HTTP CnC Beacon 1
(trojan.rules)
2020813 - ET TROJAN Volatile Cedar Win32.Explosive HTTP CnC Beacon 1
(trojan.rules)
2020830 - ET POLICY External IP Lookup - Bravica (policy.rules)
2020831 - ET POLICY External IP Lookup - ip-whois (policy.rules)
2020833 - ET TROJAN Mikey Variant HTTP CnC Beacon 1 (trojan.rules)
2020835 - ET TROJAN Mikey Variant HTTP CnC Beacon 3 (trojan.rules)
2020845 - ET TROJAN Possible Win32/SillyFDC WordPress Traffic (trojan.rules)
2020859 - ET EXPLOIT Netgear WNDR Router DNS Change POST Request
(exploit.rules)
2020861 - ET EXPLOIT Motorola SBG900 Router DNS Change GET Request
(exploit.rules)
2020862 - ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 1
(exploit.rules)
2020863 - ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 2
(exploit.rules)
2020868 - ET EXPLOIT FritzBox RCE GET Request (exploit.rules)
2020871 - ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 3
(exploit.rules)
2020872 - ET EXPLOIT TP-LINK Known Malicious Router DNS Change GET Request
(exploit.rules)
2020873 - ET EXPLOIT D-link DI604 Known Malicious Router DNS Change GET
Request (exploit.rules)
2020875 - ET EXPLOIT Belkin G F5D7230-4 Router DNS Change GET Request
(exploit.rules)
2020878 - ET EXPLOIT TP-LINK TL-WR841N Router DNS Change GET Request
(exploit.rules)
2020879 - ET EXPLOIT Linksys WRT54GL DNS Change GET Request (exploit.rules)
2020880 - ET EXPLOIT TP-LINK TL-WR750N DNS Change GET Request
(exploit.rules)
2020885 - ET TROJAN Kriptovor Retrieving RAR Payload (trojan.rules)
2020886 - ET TROJAN Kriptovor External IP Lookup checkip.dyndns.org
(trojan.rules)
2020892 - ET TROJAN Possible Maldoc Retrieving Dridex from pastebin
(trojan.rules)
2020902 - ET TROJAN LankerBoy HTTP CnC Beacon (trojan.rules)
2020908 - ET TROJAN CoinVault CnC Beacon M2 (trojan.rules)
2020919 - ET TROJAN FighterPOS CnC Beacon 2 (trojan.rules)
2020924 - ET TROJAN Zacom/NFlog HTTP POST Connectivity Check (trojan.rules)
2020934 - ET TROJAN PunkeyPOS HTTP CnC Beacon Fake UA (trojan.rules)
2020935 - ET TROJAN PunkeyPOS HTTP CnC Beacon 1 (trojan.rules)
2020937 - ET TROJAN PunkeyPOS HTTP CnC Beacon 3 (trojan.rules)
2020938 - ET TROJAN PunkeyPOS HTTP CnC Beacon 4 (trojan.rules)
2020945 - ET TROJAN Win32/Tesch.B CnC Beacon (trojan.rules)
2020981 - ET CURRENT_EVENTS Fiesta EK Flash Exploit Apr 23 2015
(current_events.rules)
2021005 - ET WEB_SPECIFIC_APPS Vulnerable Magento Adminhtml Access
(web_specific_apps.rules)
2021017 - ET TROJAN Dalexis Downloading EXE (trojan.rules)
2021025 - ET INFO Possible ThousandEyes User-Agent Outbound (info.rules)
2021026 - ET INFO Possible ThousandEyes User-Agent Inbound (info.rules)
2021060 - ET USER_AGENTS MSF Meterpreter Default User Agent
(user_agents.rules)
2021081 - ET TROJAN Possible CryptoPHP Leaking Credentials May 8 2015 M1
(trojan.rules)
2021082 - ET TROJAN Possible CryptoPHP Leaking Credentials May 8 2015 M2
(trojan.rules)
2021083 - ET TROJAN Possible CryptoPHP Leaking Credentials May 8 2015 M3
(trojan.rules)
2023909 - ET TROJAN Miniduke variant C&C activity (trojan.rules)
2805877 - ETPRO TROJAN W32.Virut.CF exe request (trojan.rules)
2806447 - ETPRO TROJAN Win32/Autoit.IT Checkin 1 (trojan.rules)
2806448 - ETPRO TROJAN Win32/Autoit.IT Checkin 2 (trojan.rules)
2808220 - ETPRO TROJAN W32/Redyms.AF Checkin 2 (trojan.rules)
2809663 - ETPRO TROJAN Chthonic Variant Checkin (trojan.rules)
2810107 - ETPRO TROJAN Likely Geodo/Emotet CnC Beacon (trojan.rules)
2810182 - ETPRO TROJAN Expiro.AY Checkin (trojan.rules)
2810236 - ETPRO TROJAN Win32.SysUpdater Scanning External Sites
(trojan.rules)
2810295 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Aulrin.a Checkin
(mobile_malware.rules)
2810304 - ETPRO TROJAN Backdoor.Win32.Gobap.A Check-in 1 (trojan.rules)
2810305 - ETPRO TROJAN Backdoor.Win32.Gobap.A Check-in 2 (trojan.rules)
2810468 - ETPRO TROJAN Win32/TrojanDownloader.Banload Variant Retrieving
Zipped PE (trojan.rules)
2810485 - ETPRO MOBILE_MALWARE Android/UpdtKiller.F Checkin 3
(mobile_malware.rules)
2810515 - ETPRO POLICY Elsinore ScreenConnect URI Struct (policy.rules)
2810575 - ETPRO TROJAN BKDR_POSTBOT.ED Checkin (trojan.rules)
2810716 - ETPRO TROJAN VBS.BackDoor.DuCk.1 Screenshot Upload (trojan.rules)
2810717 - ETPRO TROJAN VBS.BackDoor.DuCk.1 Command Output Upload
(trojan.rules)
2810721 - ETPRO WEB_SPECIFIC_APPS WP DukaPress Dir Traversal Attempt
(web_specific_apps.rules)
2810722 - ETPRO WEB_SPECIFIC_APPS WP Mobile Edition Dir Traversal Attempt
(web_specific_apps.rules)
2810727 - ETPRO WEB_SPECIFIC_APPS WorkTheFlow Plugin Arbitrary PHP File
Upload (web_specific_apps.rules)
2810732 - ETPRO WEB_SPECIFIC_APPS WP N-Media Plugin Arbitrary PHP File
Upload (web_specific_apps.rules)
2810735 - ETPRO TROJAN Banker.Win32.Banbra Checkin (trojan.rules)
2810752 - ETPRO TROJAN Tempedreve Checkin (trojan.rules)
2810757 - ETPRO TROJAN Win32/Rovnix.P HTTP GET CnC Beacon (trojan.rules)
2810760 - ETPRO POLICY IP Check ip.xss.ru (policy.rules)
2810815 - ETPRO TROJAN Win32/Dofoil.R Connectivity Check (trojan.rules)
2810816 - ETPRO TROJAN Win32/Dofoil.R CnC Beacon (trojan.rules)
2810835 - ETPRO TROJAN Win32/VB.QCU CnC Beacon (trojan.rules)
2810847 - ETPRO TROJAN AutoIt variant CnC Beacon (trojan.rules)
2810854 - ETPRO TROJAN Win32.Hawker Checkin (trojan.rules)
2810857 - ETPRO TROJAN Win32.Banload.VNK Variant Dropping Exe (trojan.rules)
2810875 - ETPRO TROJAN WIN32/SPY.KEYLOGGER.OVR Sending Report (trojan.rules)
2810888 - ETPRO WEB_SPECIFIC_APPS WP Plugin WooCommerce Amazon Affiliates
Default Credentials Attempt (web_specific_apps.rules)
2810912 - ETPRO TROJAN MSIL/BrobanDel.B Checkin (trojan.rules)
2810913 - ETPRO TROJAN Win32/Botbolsog.A Connectivity check (trojan.rules)
2810921 - ETPRO TROJAN PolloLocker Downloading Pubkey (trojan.rules)
2810946 - ETPRO TROJAN Banload DLL Encoded Request (trojan.rules)
2810948 - ETPRO TROJAN MSIL.Banload.CX Checkin (trojan.rules)
2810949 - ETPRO TROJAN MSIL.Banload.CX Checkin 2 (trojan.rules)
2810958 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.AA Checkin
(mobile_malware.rules)
2835255 - ETPRO CURRENT_EVENTS Possible MalDoc DL 2019-03-08
(current_events.rules)