[Emerging-updates] Daily Ruleset Update Summary 2017/12/01

Travis Green tgreen at emergingthreats.net
Fri Dec 1 12:57:16 HST 2017


[***]            Summary:            [***]

4 new Open, 20 new Pro (4 + 16). UBoatRAT, Powerstats, Sigma Ransomware
Domains, Trojan.AndroidOS.Guerrilla.l.


[+++]          Added rules:          [+++]

Open:

 2025093 - ET TROJAN UBoatRAT CnC Check-in (trojan.rules)
 2025094 - ET MALWARE Win32/Adware.Adposhel.A Checkin 5 (malware.rules)
 2025095 - ET POLICY .onion proxy Domain (onion .plus in DNS Lookup)
(policy.rules)
 2025096 - ET POLICY .onion proxy Domain (onion .casa in DNS Lookup)
(policy.rules)

Pro:

 2828734 - ETPRO TROJAN Powerstats C2 (trojan.rules)
 2828735 - ETPRO TROJAN Sidewinder.A C2 (trojan.rules)
 2828736 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2017-12-01 1) (trojan.rules)
 2828737 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2017-12-01 2) (trojan.rules)
 2828738 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2017-12-01 3) (trojan.rules)
 2828739 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2017-12-01 3) (trojan.rules)
 2828740 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2017-12-01 4) (trojan.rules)
 2828741 - ETPRO TROJAN Bitcoin Miner Known Malicious Basic Auth
(dnJreGtpYmRueHg5OTl0aXo6ODduMnl6M2h1d2hlbmpnaHl3Zmdsa2w=) (trojan.rules)
 2828742 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
248 (mobile_malware.rules)
 2828743 - ETPRO TROJAN Malicious VBScript Inbound (trojan.rules)
 2828744 - ETPRO TROJAN Sigma Ransomware Decryptor/Payment Domain
(6uhryhsrr577vykz in DNS Lookup) (trojan.rules)
 2828745 - ETPRO TROJAN Sigma Ransomware Decryptor/Payment Domain
(yowl2ugopitfzzwb in DNS Lookup) (trojan.rules)
 2828746 - ETPRO TROJAN Sigma Ransomware Decryptor/Payment Domain
(ypg7rfjvfywj7jhp in DNS Lookup) (trojan.rules)
 2828747 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Guerrilla.l Checkin
(mobile_malware.rules)
 2828748 - ETPRO TROJAN Win32/DarkKomet CnC Communicating with Infected
Host (trojan.rules)
 2828749 - ETPRO TROJAN MSIL/ReadMe Ransomware CnC Checkin (trojan.rules)


[///]     Modified active rules:     [///]

 2003492 - ET INFO Suspicious Mozilla User-Agent - Likely Fake
(Mozilla/4.0) (info.rules)
 2003658 - ET MALWARE qq.com related Spyware User-Agent (QQGame)
(malware.rules)
 2007860 - ET MALWARE User-Agent (Internet Explorer 6.0) - Possible Trojan
Downloader (malware.rules)
 2007866 - ET CHAT Gadu-Gadu Chat Client Checkin via HTTP (chat.rules)
 2008295 - ET CHAT Gadu-Gadu IM Login Server Request (chat.rules)
 2008538 - ET SCAN Sqlmap SQL Injection Scan (scan.rules)
 2008570 - ET POLICY External Unencrypted Connection to BASE Console
(policy.rules)
 2009020 - ET POLICY Internal Host Retrieving External IP via ipchicken.com
- Possible Infection (policy.rules)
 2009362 - ET WEB_SERVER /system32/ in Uri - Possible Protected Directory
Access Attempt (web_server.rules)
 2009867 - ET TROJAN Suspicious User-Agent (Mozilla/3.0 (compatible))
(trojan.rules)
 2010066 - ET POLICY Data POST to an image file (gif) (policy.rules)
 2010592 - ET WEB_SERVER Possible Microsoft Internet Information Services
(IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt
(asp) (web_server.rules)
 2010677 - ET MALWARE Suspicious User-Agent (My Session) (malware.rules)
 2011037 - ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI
using SELECT VERSION (web_server.rules)
 2011141 - ET WEB_SERVER PHP Easteregg Information-Disclosure (phpinfo)
(web_server.rules)
 2011161 - ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter
Remote File Inclusion Attempt (web_specific_apps.rules)
 2011341 - ET TROJAN Suspicious POST With Reference to WINDOWS Folder
Possible Malware Infection (trojan.rules)
 2011719 - ET POLICY Win32/Sogou User-Agent (SOGOU_UPDATER) (policy.rules)
 2012810 - ET POLICY HTTP Request to a *.tk domain (policy.rules)
 2012870 - ET POLICY HTTP Outbound Request contains pw (policy.rules)
 2013256 - ET POLICY Majestic12 User-Agent Request Outbound (policy.rules)
 2013290 - ET POLICY MOBILE Apple device leaking UDID from SpringBoard via
GET (policy.rules)
 2013508 - ET USER_AGENTS Downloader User-Agent HTTPGET (user_agents.rules)
 2013535 - ET INFO HTTP Request to a *.tc domain (info.rules)
 2014473 - ET INFO JAVA - Java Archive Download By Vulnerable Client
(info.rules)
 2014799 - ET POLICY OpenVPN Update Check (policy.rules)
 2016870 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
(policy.rules)
 2016871 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4.
(policy.rules)
 2017398 - ET POLICY Internal Host Retrieving External IP via icanhazip.com
- Possible Infection (policy.rules)
 2017926 - ET POLICY External IP Lookup / Tor Checker Domain
(check.torproject .org in DNS lookup) (policy.rules)
 2017928 - ET POLICY check.torproject.org IP lookup/Tor Usage check over
TLS with SNI (policy.rules)
 2017933 - ET POLICY TraceMyIP IP lookup (policy.rules)
 2018359 - ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser
2 (info.rules)
 2018766 - ET TROJAN DNS Query to Pseudo Random Domain for Web Malware (.
mynumber.org) (trojan.rules)
 2019714 - ET CURRENT_EVENTS Terse alphanumeric executable downloader high
likelihood of being hostile (current_events.rules)
 2019876 - ET SCAN SSH BruteForce Tool with fake PUTTY version (scan.rules)
 2020475 - ET POLICY Metasploit Framework Checking For Update (policy.rules)
 2020716 - ET POLICY Possible External IP Lookup ipinfo.io (policy.rules)
 2020844 - ET TROJAN Win32/Teslacrypt Ransomware .onion domain (
7hwr34n18.com) (trojan.rules)
 2020869 - ET TROJAN Win32/Teslacrypt Ransomware .onion domain (
wh47f2as19.com) (trojan.rules)
 2020882 - ET TROJAN Win32/Teslacrypt Ransomware .onion domain
(epmhyca5ol6plmx3) (trojan.rules)
 2021062 - ET WEB_SPECIFIC_APPS WP Jetpack/Twentyfifteen Possible XSS
Request (web_specific_apps.rules)
 2022351 - ET POLICY External IP Lookup - ipecho.net (policy.rules)
 2022452 - ET TROJAN Scarlet Mimic DNS Lookup 42 (trojan.rules)
 2022769 - ET TROJAN Ransomware Locky CnC Beacon 2 (trojan.rules)
 2022816 - ET WEB_SERVER Possible SQLi Attempt in User Agent (Inbound)
(web_server.rules)
 2022858 - ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed
in Recent Cerber Campaign (current_events.rules)
 2022986 - ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
(trojan.rules)
 2023472 - ET POLICY External IP Lookup Domain (myip.opendns .com in DNS
lookup) (policy.rules)
 2023475 - ET MOBILE_MALWARE Adware.Adwo.A (mobile_malware.rules)
 2023516 - ET POLICY Android Adups Firmware DNS Query 2 (policy.rules)
 2023517 - ET POLICY Android Adups Firmware DNS Query 3 (policy.rules)
 2024038 - ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression
Injection (CVE-2017-5638) (web_specific_apps.rules)
 2024044 - ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression
Injection (CVE-2017-5638) M2 (web_specific_apps.rules)
 2024106 - ET TROJAN Win32/Teslacrypt Ransomware .onion domain
(7tno4hib47vlep5o) (trojan.rules)
 2024291 - ET TROJAN Possible WannaCry DNS Lookup 1 (trojan.rules)
 2024420 - ET TROJAN MalDoc Retrieving Malicious Payload (Possibly Ursnif)
(trojan.rules)
 2024527 - ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)
(policy.rules)
 2024788 - ET POLICY Request for Jsecoin Browser Miner M2 (policy.rules)
 2024814 - ET EXPLOIT Likely Struts S2-053-CVE-2017-12611 Exploit Attempt
M1 (exploit.rules)
 2024831 - ET POLICY Observed IP Lookup Domain (l2 .io in DNS Lookup)
(policy.rules)
 2024833 - ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)
(policy.rules)
 2024946 - ET CURRENT_EVENTS BankAustria Phishing Domain Nov 03 2017
(current_events.rules)
 2024949 - ET CURRENT_EVENTS Successful BankAustria Phish Nov 03 2017
(current_events.rules)
 2025005 - ET CURRENT_EVENTS Possible Successful Generic Phish Jan 14 2016
(current_events.rules)
 2801300 - ETPRO USER_AGENTS SUSPICIOUS UA Starting With IE6
(user_agents.rules)
 2804336 - ETPRO INFO DYNAMIC_DNS Query to a *.1dumb.com Domain (info.rules)
 2805815 - ETPRO POLICY Internal Host Retrieving External IP via
whatismyipaddress.com - Possible Infection (policy.rules)
 2805897 - ETPRO TROJAN Bifrose.IQ requesting setup.exe (trojan.rules)
 2807216 - ETPRO TROJAN Orbit downloader checkin 3 (trojan.rules)
 2809358 - ETPRO TROJAN Win32/Injector.BRLE Checkin (trojan.rules)
 2809682 - ETPRO TROJAN Andromeda/Gamarue Checkin (trojan.rules)
 2810481 - ETPRO TROJAN Possible zipped Windows executable sent when remote
host claims to send an image (trojan.rules)
 2810582 - ETPRO TROJAN WIN32/KOVTER.B Checkin 2 M1 (trojan.rules)
 2812740 - ETPRO POLICY NetSupport Remote Admin Response (policy.rules)
 2812918 - ETPRO TROJAN Cobalt Strike Beacon Observed (trojan.rules)
 2814543 - ETPRO MALWARE WebBar PUA Checkin (malware.rules)
 2816032 - ETPRO POLICY OSX/Potential Vulnerable Application using Sparkle
Updater (policy.rules)
 2816855 - ETPRO TROJAN Downloader Possibly Retrieving Locky (trojan.rules)
 2819828 - ETPRO TROJAN Redyms/Ramdo CnC DGA DNS Lookup (yw//.org)
(trojan.rules)
 2821001 - ETPRO CURRENT_EVENTS PowerShell Empire Session via MSOffice Doc
Macro (current_events.rules)
 2821200 - ETPRO POLICY Observed External IP (wtfismyip) Lookup SSL Cert
(Server Hello) (policy.rules)
 2821367 - ETPRO MALWARE Adware.QkSee/WinSaber Checkin 2 (malware.rules)
 2821585 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Congur.al Checkin
(mobile_malware.rules)
 2821712 - ETPRO TROJAN LatentBot HTTP POST Checkin (trojan.rules)
 2822392 - ETPRO MALWARE Win32/Xiazai Checkin (malware.rules)
 2822817 - ETPRO TROJAN Terse HTTP Request to Pastebin Likely Malicious
(trojan.rules)
 2823423 - ETPRO TROJAN Unknown Bot CnC Beacon (trojan.rules)
 2824844 - ETPRO MALWARE Win32/Rising.B PUP CnC Beacon (malware.rules)
 2825610 - ETPRO TROJAN Lets Encrypt Free SSL Cert Observed in Possible
Apple Phishing (trojan.rules)
 2826184 - ETPRO TROJAN APT10 Redleaves/PlugX/ChChes DNS Lookup
(app.lehigtapp .com) (trojan.rules)
 2826296 - ETPRO TROJAN PowerShell/TrojanDownloader.Agent.AP - Powerstats
Checkin (trojan.rules)
 2826824 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.AZQ /
Android.Triada Checkin (mobile_malware.rules)
 2827579 - ETPRO INFO .moe Domain in TLS SNI (info.rules)
 2828162 - ETPRO MOBILE_MALWARE Android/HiddenApp.CE Checkin
(mobile_malware.rules)
 2828587 - ETPRO TROJAN APT19 Downloader SSL Cert (trojan.rules)


[---]  Disabled and modified rules:  [---]

 2807133 - ETPRO MALWARE W32/Toolbar.WIDGI User-Agent(WidgiToolbar-)
(malware.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>