[Emerging-updates] [Emerging-Sigs] Daily Ruleset Update Summary 2016/10/31

Ryan Stillions rstillions at vigilantnow.com
Tue Nov 1 11:30:08 EDT 2016


Seeing a significant increase in FP's off 2022535's rev 8 release from
yesterday. Here's a couple of examples:

site: www.bluecore.com
Issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US
Subject: CN=www.bluecore.com,O=Bluecore Inc.,L=New York,ST=New York,C=US,serialNumber=3665273,businessCategory=Private Organization,1.3.6.1.4.1.311.60.2.1.2=#13084E657720596F726B,1.3.6.1.4.1.311.60.2.1.3=#13025553

site: www.androidcentral.com
Issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US
Subject: CN=www.mobilenations.com,O=Mobile Nations LLC,L=Inverness,ST=Florida,C=US,serialNumber=L12000001404,businessCategory=Private Organization,1.3.6.1.4.1.311.60.2.1.2=#1307466C6F72696461,1.3.6.1.4.1.311.60.2.1.3=#13025553

site: www.mobilenations.com
Issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US
Subject: CN=www.mobilenations.com,O=Mobile Nations LLC,L=Inverness,ST=Florida,C=US,serialNumber=L12000001404,businessCategory=Private Organization,1.3.6.1.4.1.311.60.2.1.2=#1307466C6F72696461,1.3.6.1.4.1.311.60.2.1.3=#13025553

site: www.wholesaledirectmetals.com
Issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US
Subject: CN=www.wholesaledirectmetals.com,O=Wholesale Direct Metals,L=Pacific Palisades,ST=California,C=US,serialNumber=C3025240,businessCategory=Private Organization,1.3.6.1.4.1.311.60.2.1.2=#130A43616C69666F726E6961,1.3.6.1.4.1.311.60.2.1.3=#13025553


Thanks,
ryan


Ryan Stillions
Head of Detection and Response Services
rstillions at vigilantnow.com
9378 S. Mason Montgomery Rd. Suite 220
Mason, Ohio 45040
(855)-238-4445 ext 707
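
The DN strings in the report above are RFC 4514 text with backslash-escaped commas and two attribute values written as '#'-prefixed hex (the BER-encoded value, here DER PrintableStrings). The following is an added example for this thread, not code from the poster or from the Emerging Threats rule set: it parses the four subjects and the shared issuer copied from the report, decodes the hex values, and pulls out the fields you would compare against the rule's content matches when triaging the hits (all function names are this example's own). The two OIDs are the CA/Browser Forum EV jurisdiction-of-incorporation attributes.

```python
"""Parse and compare the certificate DNs from the 2022535 rev 8 FP report.
Added example for this thread, not from the poster or the ET rule set; the
DN strings are copied from the report, everything else is this example's."""
import binascii

# EV jurisdiction-of-incorporation attribute types seen in the report.
ATTR_NAMES = {
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionStateOrProvinceName",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountryName",
}

# The report lists the same issuer for all four hits (raw strings keep the '\,').
ISSUER = (r"CN=Go Daddy Secure Certificate Authority - G2,"
          r"OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,"
          r"L=Scottsdale,ST=Arizona,C=US")
MOBILENATIONS = (r"CN=www.mobilenations.com,O=Mobile Nations LLC,L=Inverness,ST=Florida,C=US,"
                 r"serialNumber=L12000001404,businessCategory=Private Organization,"
                 r"1.3.6.1.4.1.311.60.2.1.2=#1307466C6F72696461,1.3.6.1.4.1.311.60.2.1.3=#13025553")
REPORT = {  # site -> subject DN, as reported
    "www.bluecore.com": (r"CN=www.bluecore.com,O=Bluecore Inc.,L=New York,ST=New York,C=US,"
                         r"serialNumber=3665273,businessCategory=Private Organization,"
                         r"1.3.6.1.4.1.311.60.2.1.2=#13084E657720596F726B,1.3.6.1.4.1.311.60.2.1.3=#13025553"),
    "www.androidcentral.com": MOBILENATIONS,
    "www.mobilenations.com": MOBILENATIONS,
    "www.wholesaledirectmetals.com": (r"CN=www.wholesaledirectmetals.com,O=Wholesale Direct Metals,"
                                      r"L=Pacific Palisades,ST=California,C=US,serialNumber=C3025240,"
                                      r"businessCategory=Private Organization,"
                                      r"1.3.6.1.4.1.311.60.2.1.2=#130A43616C69666F726E6961,"
                                      r"1.3.6.1.4.1.311.60.2.1.3=#13025553"),
}


def split_rdns(dn):
    """Split an RFC 4514 DN on commas that are not backslash-escaped.
    Only the backslash-character escape form (the one in the report) is handled."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def decode_hex_value(hexstr):
    """Decode a '#hex' RDN value (BER-encoded attribute value, RFC 4514 s.2.4).
    Handles a short-form length and the common string tags; anything else is
    returned as the raw '#hex' so nothing is silently dropped."""
    raw = binascii.unhexlify(hexstr)
    if len(raw) < 2 or raw[1] & 0x80:          # long-form length: not handled
        return "#" + hexstr
    tag, length, body = raw[0], raw[1], raw[2:]
    if length != len(body):
        return "#" + hexstr
    if tag in (0x13, 0x0C, 0x16):              # PrintableString, UTF8String, IA5String
        return body.decode("utf-8")
    return "#" + hexstr


def parse_dn(dn):
    """Map attribute names (OIDs translated where known) to decoded values."""
    attrs = {}
    for rdn in split_rdns(dn):
        key, _, value = rdn.partition("=")
        key = ATTR_NAMES.get(key, key)
        if value.startswith("#"):
            value = decode_hex_value(value[1:])
        attrs[key] = value
    return attrs


def summarize(report, issuer=ISSUER):
    """Per site: issuer CN, subject CN, whether the CN matches the site, and
    the decoded EV jurisdiction."""
    issuer_cn = parse_dn(issuer)["CN"]
    out = {}
    for site, subject_dn in report.items():
        subj = parse_dn(subject_dn)
        out[site] = {
            "issuer_cn": issuer_cn,
            "subject_cn": subj["CN"],
            "site_matches_cn": subj["CN"] == site,
            "jurisdiction": (subj["jurisdictionStateOrProvinceName"],
                             subj["jurisdictionCountryName"]),
        }
    return out


def distinct_values(report, attr):
    """Distinct values of one subject attribute across all reported hits."""
    return {parse_dn(dn).get(attr) for dn in report.values()}


if __name__ == "__main__":
    for site, row in summarize(REPORT).items():
        print(site, row)
    print("distinct O:", distinct_values(REPORT, "O"))
```

The useful checks when a certificate-match rule starts firing broadly are the ones `distinct_values` gives you: which subject and issuer fields are identical across otherwise unrelated sites, since a field shared by every hit is the candidate for what the rule is actually matching on. `summarize` also surfaces that www.androidcentral.com was served a certificate whose CN is www.mobilenations.com, exactly as the report shows.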

On 10/31/16, 5:48 PM, "emerging-sigs-bounces at lists.emergingthreats.net on
behalf of Francis Trudeau"
<emerging-sigs-bounces at lists.emergingthreats.net on behalf of
ftrudeau at emergingthreats.net> wrote:

> [***] Summary: [***]
>
> 5 new Open signatures, 37 new Pro (5 + 32).  VARIOUS PHISHING, NanoCore RAT, Astrum EK, Cerber.
>
> Thanks:  Cayde and @GrujaRS
>
> [+++]          Added rules:          [+++]
>
> Open:
>
>  2023466 - ET EXPLOIT D-Link DSL-2740R Remote DNS Change Attempt (exploit.rules)
>  2023467 - ET EXPLOIT COMTREND ADSL Router CT-5367 Remote DNS Change Attempt (exploit.rules)
>  2023468 - ET EXPLOIT Unknown Router Remote DNS Change Attempt (exploit.rules)
>  2023469 - ET POLICY External IP Address Lookup - b4secure .com (policy.rules)
>  2023470 - ET TROJAN Possible Emissary External IP Lookup (trojan.rules)
>
> Pro:
>
>  2823007 - ETPRO CURRENT_EVENTS Successful Office 365 Phish Oct 31 2016 (current_events.rules)
>  2823008 - ETPRO CURRENT_EVENTS Successful Chase Phish Oct 27 2016 (current_events.rules)
>  2823009 - ETPRO CURRENT_EVENTS Successful Apple ID Phish Oct 27 2016 (current_events.rules)
>  2823010 - ETPRO CURRENT_EVENTS Successful American Express Phish M1 Oct 31 2016 (current_events.rules)
>  2823011 - ETPRO CURRENT_EVENTS Successful American Express Phish M2 Oct 31 2016 (current_events.rules)
>  2823012 - ETPRO CURRENT_EVENTS Successful FreeMobile (FR) Phish M1 Oct 31 2016 (current_events.rules)
>  2823013 - ETPRO CURRENT_EVENTS Successful FreeMobile (FR) Phish M3 Oct 31 2016 (current_events.rules)
>  2823014 - ETPRO CURRENT_EVENTS Successful Impots.gouv.fr Phish Oct 31 2016 (current_events.rules)
>  2823015 - ETPRO CURRENT_EVENTS Successful Gmail Phish Oct 31 2016 (current_events.rules)
>  2823016 - ETPRO CURRENT_EVENTS Successful Paypal Phish Oct 31 2016 (current_events.rules)
>  2823017 - ETPRO CURRENT_EVENTS Successful Generic Phish Oct 31 2016 (current_events.rules)
>  2823018 - ETPRO TROJAN NanoCore RAT CnC 21 (trojan.rules)
>  2823019 - ETPRO CURRENT_EVENTS Astrum EK Landing Oct 31 2016 M1 (current_events.rules)
>  2823020 - ETPRO CURRENT_EVENTS Astrum EK Landing Oct 31 2016 M2 (current_events.rules)
>  2823021 - ETPRO CURRENT_EVENTS Astrum EK Flash Oct 31 2016 (current_events.rules)
>  2823022 - ETPRO CURRENT_EVENTS Astrum EK Flash Oct 31 2016 (current_events.rules)
>  2823023 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2016-10-31 1) (trojan.rules)
>  2823024 - ETPRO TROJAN Bitcoin Miner Known Malicious Basic Auth (MVBCTjd5aGk2SkxFYTZWVjMxbnBHTFYyZWhyZXBvWWR5Ujp4) (trojan.rules)
>  2823025 - ETPRO TROJAN DNS Query to Cerber Domain (iiujsy . bid) (trojan.rules)
>  2823026 - ETPRO TROJAN DNS Query to Cerber Domain (mustspace . us) (trojan.rules)
>  2823027 - ETPRO TROJAN DNS Query to Cerber Domain (someputt . bid) (trojan.rules)
>  2823028 - ETPRO TROJAN DNS Query to Cerber Domain (5ggovj . bid) (trojan.rules)
>  2823029 - ETPRO TROJAN DNS Query to Cerber Domain (54vw9b . bid) (trojan.rules)
>  2823030 - ETPRO TROJAN DNS Query to Cerber Domain (n8niwa . bid) (trojan.rules)
>  2823031 - ETPRO TROJAN DNS Query to Cerber Domain (8kcfnk . bid) (trojan.rules)
>  2823032 - ETPRO TROJAN DNS Query to Cerber Domain (zp9i1l . bid) (trojan.rules)
>  2823033 - ETPRO TROJAN DNS Query to Cerber Domain (zda7bk . top) (trojan.rules)
>  2823034 - ETPRO TROJAN DNS Query to Cerber Domain (4pjetv . bid) (trojan.rules)
>  2823036 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup (mobile_malware.rules)
>  2823037 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup (mobile_malware.rules)
>  2823039 - ETPRO TROJAN RedTeam SSL Cert (trojan.rules)
>  2823040 - ETPRO MOBILE_MALWARE Android/AdDisplay.Drosel.A Checkin (mobile_malware.rules)
>
>
> [///]     Modified active rules:     [///]
>
>  2022535 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (trojan.rules)
>  2803537 - ETPRO TROJAN Backdoor.DsBot.dov/Win32.Morto.A Checkin (trojan.rules)
>  2812139 - ETPRO TROJAN Pirpi CnC Beacon Response (trojan.rules)
>  2812406 - ETPRO TROJAN Win32/Venik CnC Beacon (trojan.rules)
>  2822211 - ETPRO CURRENT_EVENTS Astrum EK Landing Sep 23 2016 (current_events.rules)
>  2822305 - ETPRO CURRENT_EVENTS Successful Dropbox Phish Sept 29 2016 (current_events.rules)
>
>
> [---]  Disabled and modified rules:  [---]
>
>  2822537 - ETPRO EXPLOIT Possible Win32k Elevation of Privilege Vulnerability (CVE-2016-7191) (exploit.rules)
>_______________________________________________
>Emerging-sigs mailing list
>Emerging-sigs at lists.emergingthreats.net
>https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>Support Emerging Threats! Subscribe to Emerging Threats Pro
>http://www.emergingthreats.net
>

NOTICE: This electronic mail transmission is for the use of the named individual or entity to which it is directed and may contain information that is privileged or confidential. It is not to be transmitted to or received by anyone other than the named addressee (or a person authorized to deliver it to the named addressee). It is not to be copied or forwarded to any unauthorized persons. If you have received this electronic mail transmission in error, delete it from your system without copying or forwarding it, and notify the sender of the error by replying via email or by calling Vigilant LLC at (855.238.4445), so that our address record can be corrected.