[Emerging-updates] Daily Ruleset Update Summary 2016/11/21

Francis Trudeau ftrudeau at emergingthreats.net
Mon Nov 21 19:09:59 EST 2016


 [***] Summary: [***]

 3 new Open signatures, 34 new Pro (3 + 31).  Gootkit, Zeus Banker,
Locky, Godzilla Loader.

 Thanks:  @cyber_attacks.

 [+++]          Added rules:          [+++]

 Open:

  2015708 - ET INFO - Applet Tag In Edwards Packed JavaScript (info.rules)
  2023536 - ET TROJAN Zeus Banker Variant Malicious SSL Certificate
Detected (trojan.rules)
  2023537 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
Certificate Detected (Gootkit C2) (trojan.rules)

 Pro:

  2823364 - ETPRO CURRENT_EVENTS Successful Generic PDF Online Phish
(set) Oct 11 2016 (current_events.rules)
  2823365 - ETPRO TROJAN Godzilla Loader Retrieving Payload (trojan.rules)
  2823366 - ETPRO TROJAN Locky CnC checkin Nov 21 (trojan.rules)
  2823367 - ETPRO TROJAN Locky CnC checkin Nov 21 M2 (trojan.rules)
  2823368 - ETPRO TROJAN DNS Query to Cerber Domain (kwrd4f . bid)
(trojan.rules)
  2823369 - ETPRO TROJAN DNS Query to Cerber Domain (ihuk7s . top)
(trojan.rules)
  2823370 - ETPRO TROJAN DNS Query to Cerber Domain (4bx196 . top)
(trojan.rules)
  2823371 - ETPRO TROJAN DNS Query to Cerber Domain (lt0h7j . top)
(trojan.rules)
  2823372 - ETPRO TROJAN DNS Query to Cerber Domain (y9kxz2 . bid)
(trojan.rules)
  2823373 - ETPRO TROJAN DNS Query to Cerber Domain (p93w1x . bid)
(trojan.rules)
  2823374 - ETPRO TROJAN DNS Query to Cerber Domain (gxccir . bid)
(trojan.rules)
  2823375 - ETPRO TROJAN DNS Query to Cerber Domain (34o9h1 . bid)
(trojan.rules)
  2823376 - ETPRO TROJAN DNS Query to Cerber Domain (hci9di . bid)
(trojan.rules)
  2823377 - ETPRO TROJAN DNS Query to Cerber Domain (vrgdrs . top)
(trojan.rules)
  2823378 - ETPRO TROJAN Win32/TrojanDownloader.Small.AAB SSL
Certificate Detected (trojan.rules)
  2823379 - ETPRO TROJAN DNS Query to Cerber Domain (tmfl6g . bid)
(trojan.rules)
  2823380 - ETPRO TROJAN DNS Query to Cerber Domain (y7603i . bid)
(trojan.rules)
  2823381 - ETPRO TROJAN DNS Query to Cerber Domain (1m47ka . bid)
(trojan.rules)
  2823382 - ETPRO TROJAN DNS Query to Cerber Domain (c4cwr4 . bid)
(trojan.rules)
  2823383 - ETPRO TROJAN DNS Query to Cerber Domain (jo73jn . bid)
(trojan.rules)
  2823384 - ETPRO TROJAN DNS Query to Cerber Domain (chnbyl . bid)
(trojan.rules)
  2823385 - ETPRO TROJAN DNS Query to Cerber Domain (735giv . top)
(trojan.rules)
  2823386 - ETPRO TROJAN DNS Query to Cerber Domain (6cfu46 . bid)
(trojan.rules)
  2823387 - ETPRO TROJAN DNS Query to Cerber Domain (odllm3 . bid)
(trojan.rules)
  2823388 - ETPRO TROJAN DNS Query to Cerber Domain (vth4o4 . bid)
(trojan.rules)
  2823389 - ETPRO TROJAN MSIL/Gentromal.A CnC Beacon (trojan.rules)
  2823390 - ETPRO TROJAN Win32/Mailpassview Variant PWS Exfil (trojan.rules)
  2823391 - ETPRO TROJAN Possible CobaltStrike Shellcode over HTTP
(trojan.rules)
  2823392 - ETPRO TROJAN Possible CobaltStrike CnC Beacon (HTTP GET)
(trojan.rules)
  2823393 - ETPRO TROJAN Possible CobaltStrike CnC Beacon (HTTP POST)
(trojan.rules)
  2823394 - ETPRO TROJAN Possible CobaltStrike CnC Beacon (fake
headers) (trojan.rules)


 [///]     Modified active rules:     [///]

  2019378 - ET TROJAN Gozi Checkin (trojan.rules)
  2820476 - ETPRO TROJAN Targeted Win32/Ispen CnC Beacon (trojan.rules)
  2820855 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite.com Jun
24 M1 (current_events.rules)
  2821020 - ETPRO TROJAN CryptXXX Jul 07 2016 encrypting finished (trojan.rules)


 [---]         Removed rules:         [---]

  2015708 - ET CURRENT_EVENTS - Applet Tag In Edwards Packed
JavaScript (current_events.rules)
  2804051 - ETPRO TROJAN Win32/Kryptik.UOM User-Agent (USERAGENT) (trojan.rules)

 [---]  Disabled and modified rules:  [---]

  2823363 - ETPRO TROJAN Locky CnC Checkin Nov 18 2016 (trojan.rules)
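Reading these summaries by hand is fine for one day and useless for a year of them. The script below is an added example, not Emerging Threats tooling: it parses a constructed excerpt of this update (wrapped exactly as the list wraps long entries), recognises that SID 2015708 was moved from current_events.rules to info.rules rather than dropped and re-added, refangs the defanged "x . tld" Cerber domains out of the rule names, and checks them against a few constructed BIND-style query-log lines. The sample text, the log lines and every function name are assumptions for illustration; the subdomain match uses a dot boundary so a lookalike such as notkwrd4f.bid is not reported.

```python
"""Added example: parse an ET daily summary, flag moved SIDs, and turn the
defanged Cerber domains in rule names into a DNS query-log check."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Rule(NamedTuple):
    sid: int
    prefix: str     # "ET" (Open) or "ETPRO" (Pro)
    category: str   # "TROJAN", "INFO", "CURRENT_EVENTS", ...
    msg: str        # rule name as printed, wrapped lines re-joined
    rule_file: str  # e.g. "trojan.rules"


# Constructed excerpt of the summary above; continuation lines of a wrapped
# entry carry no leading spaces, sub-headers carry one, entries carry two.
SAMPLE_SUMMARY = """\
 [+++]          Added rules:          [+++]

 Open:

  2015708 - ET INFO - Applet Tag In Edwards Packed JavaScript (info.rules)
  2023536 - ET TROJAN Zeus Banker Variant Malicious SSL Certificate
Detected (trojan.rules)

 Pro:

  2823368 - ETPRO TROJAN DNS Query to Cerber Domain (kwrd4f . bid)
(trojan.rules)
  2823369 - ETPRO TROJAN DNS Query to Cerber Domain (ihuk7s . top)
(trojan.rules)

 [---]         Removed rules:         [---]

  2015708 - ET CURRENT_EVENTS - Applet Tag In Edwards Packed
JavaScript (current_events.rules)
"""

SECTION_RE = re.compile(r"^\s*\[[+/-]{3}\]\s+(.+?):\s+\[[+/-]{3}\]\s*$")
ENTRY_RE = re.compile(r"^ {2}(\d{7}) - (.*)$")
TAIL_RE = re.compile(r"^(?P<msg>.*?)\s*\((?P<file>[\w.-]+\.rules)\)$")
CERBER_RE = re.compile(r"DNS Query to Cerber Domain \((\S+) \. (\S+)\)")


def _finish(section: str, sid: int, text: str, out: Dict[str, List[Rule]]) -> None:
    m = TAIL_RE.match(text.strip())
    if m:  # a malformed entry is skipped rather than guessed at
        prefix, category = m["msg"].split()[:2]
        out[section].append(Rule(sid, prefix, category, m["msg"], m["file"]))


def parse_summary(text: str) -> Dict[str, List[Rule]]:
    """Return {section name: [Rule, ...]}, re-joining wrapped entries."""
    sections: Dict[str, List[Rule]] = defaultdict(list)
    section, sid, buf = "", 0, ""
    for line in text.splitlines():
        hdr, ent = SECTION_RE.match(line), ENTRY_RE.match(line)
        if hdr or ent or not line or line.startswith(" "):
            if buf:  # header, new entry, blank or sub-header ends the pending entry
                _finish(section, sid, buf, sections)
                buf = ""
            if hdr:
                section = hdr.group(1)
            elif ent:
                sid, buf = int(ent.group(1)), ent.group(2)
        elif buf:  # unindented, non-blank: continuation of a wrapped entry
            buf += " " + line.strip()
    if buf:
        _finish(section, sid, buf, sections)
    return dict(sections)


def moved_rules(sections: Dict[str, List[Rule]]) -> List[Tuple[int, str, str]]:
    """SIDs under both Removed and Added with a different file: a move, not a drop."""
    removed = {r.sid: r.rule_file for r in sections.get("Removed rules", [])}
    added = {r.sid: r.rule_file for r in sections.get("Added rules", [])}
    return sorted((s, removed[s], added[s]) for s in removed.keys() & added.keys()
                  if removed[s] != added[s])


def cerber_domains(sections: Dict[str, List[Rule]]) -> List[str]:
    """Refang 'name . tld' from the Cerber DNS rule names into real domains."""
    found = {f"{m.group(1)}.{m.group(2)}".lower()
             for rules in sections.values() for r in rules
             for m in [CERBER_RE.search(r.msg)] if m}
    return sorted(found)


# Constructed BIND-style query-log lines; only the first two should hit.
SAMPLE_DNS_LOG = [
    "21-Nov-2016 19:10:01.101 client 10.0.0.5#53211: query: kwrd4f.bid IN A +",
    "21-Nov-2016 19:10:02.204 client 10.0.0.7#53300: query: www.ihuk7s.top IN A +",
    "21-Nov-2016 19:10:03.330 client 10.0.0.9#53411: query: notkwrd4f.bid IN A +",
    "21-Nov-2016 19:10:04.415 client 10.0.0.5#53212: query: example.com IN A +",
]
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def match_dns_log(lines: List[str], domains: List[str]) -> List[Tuple[str, str, str]]:
    """(client, qname, domain) for each query to a listed domain or a subdomain of it."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        for d in domains:
            if qname == d or qname.endswith("." + d):  # dot boundary: no lookalikes
                hits.append((m["client"], qname, d))
                break
    return hits


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_SUMMARY)
    print("moved:", moved_rules(parsed))
    print("hits:", match_dns_log(SAMPLE_DNS_LOG, cerber_domains(parsed)))
```

Feed the full mail body to parse_summary to get every section; the "Disabled and modified rules" and "Modified active rules" sections parse the same way, and moved_rules is the check worth running before treating anything in "Removed rules" as lost coverage.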

