[Emerging-updates] Daily Ruleset Update Summary 2017/12/11

Travis Green tgreen at emergingthreats.net
Mon Dec 11 13:11:38 HST 2017


[***]            Summary:            [***]

3 new Open, 12 new Pro (3 + 9). GratefulPOS, NxRansomware, MagicHound,
Various Mobile, Various Phishing.

Thanks: Arvind Kumar


[+++]          Added rules:          [+++]

Open:

 2025143 - ET TROJAN MSIL/NxRansomware C2 Domain Detected (0cf5ff34 .ngrok
.io in DNS Lookup) (trojan.rules)
 2025144 - ET TROJAN GratefulPOS Covert DNS CnC Initial Checkin
(trojan.rules)
 2025145 - ET TROJAN Win32/Backdoor.Randrew.A CnC Checkin (trojan.rules)

Pro:

 2828839 - ETPRO TROJAN MagicHound.Retriever CnC Check-in (trojan.rules)
 2828840 - ETPRO TROJAN Rocket Kitten/MagicHound Stealer CnC Check-in
(trojan.rules)
 2828841 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
253 (mobile_malware.rules)
 2828842 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz Contact
Exfil via SMTP 34 (mobile_malware.rules)
 2828843 - ETPRO TROJAN W32/Backdoor.Ratenjay C2 Domain Detected
(printscreens .info in TLS SNI) (trojan.rules)
 2828844 - ETPRO TROJAN RemoteAdmin/RMS RAT Variant CnC Requesting ID
(trojan.rules)
 2828845 - ETPRO TROJAN RemoteAdmin/RMS RAT Variant CnC Checkin
(trojan.rules)
 2828846 - ETPRO CURRENT_EVENTS Possible Successful Mailbox Shutdown Phish
2017-12-11 (current_events.rules)
 2828847 - ETPRO CURRENT_EVENTS Mailbox Shutdown Phishing Landing
2017-12-11 (current_events.rules)


[///]     Modified active rules:     [///]

 2008297 - ET CHAT GaduGadu Chat Server Welcome Packet (chat.rules)
 2018281 - ET TROJAN Possible Netwire RAT Client HeartBeat C1 (no alert)
(trojan.rules)
 2018283 - ET TROJAN Possible Netwire RAT Client HeartBeat C2 (trojan.rules)
 2822567 - ETPRO CURRENT_EVENTS Successful Gmail Phish M1 Oct 11 2016
(current_events.rules)


[---]  Disabled and modified rules:  [---]

 2014828 - ET CURRENT_EVENTS UPS Spam Inbound (current_events.rules)
 2014929 - ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012
exe or zip (current_events.rules)
 2018282 - ET TROJAN Possible Netwire RAT Client HeartBeat S1 (no alert)
(trojan.rules)
 2020566 - ET TROJAN Netwire RAT Client HeartBeat (trojan.rules)
 2021290 - ET TROJAN Netwire RAT Client Check-in 2 (trojan.rules)


[---]         Disabled rules:        [---]

 2018099 - ET MALWARE W32/Safekeeper.Adware CnC Beacon (malware.rules)
 2018149 - ET MALWARE W32/InstallMonetizer.Adware Beacon 2 (malware.rules)
 2018338 - ET MALWARE W32/DownloadAdmin.Adware CnC Beacon (malware.rules)
 2018339 - ET MALWARE W32/DownloadAdmin.Adware Executable Download Request
(malware.rules)
 2018441 - ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05
2014 (current_events.rules)
 2018442 - ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST
(current_events.rules)
 2018454 - ET CURRENT_EVENTS Possible Malvertising Redirect URI Struct
(current_events.rules)
 2018458 - ET MALWARE DomainIQ Check-in (malware.rules)
 2018493 - ET CURRENT_EVENTS Sweet Orange WxH redirection
(current_events.rules)
 2018501 - ET CURRENT_EVENTS Gongda EK Secondary Landing
(current_events.rules)
 2018502 - ET CURRENT_EVENTS Gongda EK Landing 1 (current_events.rules)
 2018503 - ET CURRENT_EVENTS Gongda EK Landing 2 (current_events.rules)
 2018514 - ET CURRENT_EVENTS Possible Malicious Injected Redirect June 02
2014 (current_events.rules)
 2018535 - ET CURRENT_EVENTS CottonCastle EK Landing June 05 2014
(current_events.rules)
 2018536 - ET CURRENT_EVENTS CottonCastle EK Landing EK Struct
(current_events.rules)
 2018539 - ET CURRENT_EVENTS TorExplorer Certificate - Potentially Linked
To W32/Cryptowall.Ransomware (current_events.rules)
 2018544 - ET CURRENT_EVENTS CottonCastle EK Landing June 05 2014 2
(current_events.rules)
 2018545 - ET CURRENT_EVENTS CottonCastle EK Jar Download Method 2
(current_events.rules)
 2018562 - ET CURRENT_EVENTS BleedingLife Exploit Kit Landing Page
Requested (current_events.rules)
 2018563 - ET CURRENT_EVENTS BleedingLife Exploit Kit SWF Exploit Request
(current_events.rules)
 2018564 - ET CURRENT_EVENTS BleedingLife Exploit Kit JAR Exploit Request
(current_events.rules)
 2018573 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing
(current_events.rules)
 2018577 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing 2
(current_events.rules)
 2018583 - ET CURRENT_EVENTS Sweet Orange EK Common Java Exploit
(current_events.rules)
 2018591 - ET CURRENT_EVENTS Trojan-Banker.JS.Banker fraudulent redirect
boleto payment code (current_events.rules)
 2018593 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK CVE-2013-3918
(current_events.rules)
 2018606 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing June
25 2014 (current_events.rules)
 2018613 - ET CURRENT_EVENTS Evil EK Redirector Cookie June 27 2014
(current_events.rules)
 2018668 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing Jul
11 2014 (current_events.rules)
 2018686 - ET CURRENT_EVENTS Possible Malvertising Redirect URI Struct Jul
16 2014 (current_events.rules)
 2018737 - ET CURRENT_EVENTS Fake CDN Sweet Orange Gate July 17 2014
(current_events.rules)
 2018756 - ET CURRENT_EVENTS XMLDOM Check for Presence Kaspersky AV
Observed in RIG EK (current_events.rules)
 2018757 - ET CURRENT_EVENTS XMLDOM Check for Presence TrendMicro AV
Observed in RIG EK (current_events.rules)
 2018783 - ET CURRENT_EVENTS Likely Evil XMLDOM Detection of Local File
(current_events.rules)
 2018785 - ET CURRENT_EVENTS Possible ShellCode Passed as Argument to
FlashVars (current_events.rules)
 2018786 - ET CURRENT_EVENTS Sweet Orange EK CDN Landing Page
(current_events.rules)
 2018794 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing June
28 2014 (current_events.rules)
 2018795 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect IE
Exploit (current_events.rules)
 2018796 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect Java
Exploit (current_events.rules)
 2018797 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect Flash
Exploit (current_events.rules)
 2018922 - ET CURRENT_EVENTS Turla/SPL EK Java Applet (current_events.rules)
 2018923 - ET CURRENT_EVENTS Turla/SPL EK Java Exploit
(current_events.rules)
 2018924 - ET CURRENT_EVENTS Turla/SPL EK Java Exploit
(current_events.rules)
 2018925 - ET CURRENT_EVENTS Turla/SPL EK Java Exploit Requested - /spl/
(current_events.rules)
 2018963 - ET CURRENT_EVENTS ZeroLocker EXE Download (current_events.rules)
 2018965 - ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M3
(current_events.rules)
 2018966 - ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M1
(current_events.rules)
 2018967 - ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M2
(current_events.rules)
 2018987 - ET CURRENT_EVENTS Sweet Orange EK Thread Specific Java Exploit
(current_events.rules)
 2018988 - ET CURRENT_EVENTS Unknown Malvertising EK Landing Aug 22 2014
(current_events.rules)
 2018989 - ET CURRENT_EVENTS Unknown Malvertising EK Landing URI Sruct Aug
22 2014 (current_events.rules)
 2018990 - ET CURRENT_EVENTS Unknown Malvertising EK Payload URI Sruct Aug
22 2014 (current_events.rules)
 2018991 - ET CURRENT_EVENTS Unknown Malvertising EK Silverlight URI Sruct
Aug 22 2014 (current_events.rules)
 2018992 - ET CURRENT_EVENTS Unknown Malvertising EK Flash URI Sruct Aug 22
2014 (current_events.rules)
 2018993 - ET CURRENT_EVENTS Unknown Malvertising EK Payload URI Sruct Aug
22 2014 (current_events.rules)
 2018995 - ET CURRENT_EVENTS Archie EK CVE-2014-0515 Aug 24 2014
(current_events.rules)
 2018996 - ET CURRENT_EVENTS Archie EK CVE-2014-0497 Aug 24 2014
(current_events.rules)
 2018997 - ET CURRENT_EVENTS Archie EK Secondary Landing Aug 24 2014
(current_events.rules)
 2018998 - ET CURRENT_EVENTS Archie EK Landing Aug 24 2014
(current_events.rules)
 2019004 - ET CURRENT_EVENTS FlashPack EK Exploit Flash Post Aug 25 2014
(current_events.rules)
 2019005 - ET CURRENT_EVENTS FlashPack EK Redirect Aug 25 2014
(current_events.rules)
 2019006 - ET CURRENT_EVENTS FlashPack EK Exploit Landing Aug 25 2014
(current_events.rules)
 2019007 - ET CURRENT_EVENTS FlashPack EK JS Include Aug 25 2014
(current_events.rules)
 2019008 - ET CURRENT_EVENTS Safe/CritX/FlashPack Java Payload
(current_events.rules)
 2019023 - ET CURRENT_EVENTS BleedingLife EK Variant Aug 26 2014
(current_events.rules)
 2019024 - ET CURRENT_EVENTS Offensive Security EMET Bypass Observed in
BleedingLife Variant Aug 26 2014 (current_events.rules)
 2019071 - ET CURRENT_EVENTS NullHole EK Landing Aug 27 2014
(current_events.rules)
 2019072 - ET CURRENT_EVENTS RIG EK Landing URI Struct
(current_events.rules)
 2019073 - ET CURRENT_EVENTS NullHole EK Landing Redirect Aug 27 2014
(current_events.rules)
 2019093 - ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks
(current_events.rules)
 2019094 - ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks
Intial (POST) (current_events.rules)
 2019095 - ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks
(POST) PluginData (current_events.rules)
 2019096 - ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks
KeepAlive (current_events.rules)
 2019097 - ET CURRENT_EVENTS Archie EK SilverLight URI Struct
(current_events.rules)
 2019098 - ET CURRENT_EVENTS Archie EK Sending Plugin-Detect Data
(current_events.rules)
 2019100 - ET CURRENT_EVENTS FlashPack EK Redirect Sept 01 2014
(current_events.rules)
 2019130 - ET CURRENT_EVENTS Astrum EK Landing (current_events.rules)
 2019131 - ET CURRENT_EVENTS Astrum EK Landing (current_events.rules)
 2019134 - ET CURRENT_EVENTS Flashpack Redirect Method 2
(current_events.rules)
 2019146 - ET CURRENT_EVENTS Sweet Orange CDN Gate Sept 09 2014 Method 2
(current_events.rules)
 2019154 - ET CURRENT_EVENTS Sweet Orange EK Java Exploit
(current_events.rules)
 2019180 - ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M4
(current_events.rules)
 2019183 - ET CURRENT_EVENTS Fiesta EK Gate (current_events.rules)
 2019184 - ET CURRENT_EVENTS Fiesta EK Silverlight Based Redirect
(current_events.rules)
 2019193 - ET CURRENT_EVENTS RIG EK Landing Page Sept 17 2014
(current_events.rules)
 2019375 - ET CURRENT_EVENTS Possible Sweet Orange redirection Oct 8 2014
(current_events.rules)
 2019385 - ET CURRENT_EVENTS Possible TWiki RCE attempt
(current_events.rules)
 2019386 - ET CURRENT_EVENTS Possible TWiki Apache config file upload
attempt (current_events.rules)
 2019456 - ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 16 2014
(current_events.rules)
 2019461 - ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE1
(current_events.rules)
 2019462 - ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE2
(current_events.rules)
 2019463 - ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE3
(current_events.rules)
 2019464 - ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE4
(current_events.rules)
 2019465 - ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE5
(current_events.rules)
 2019479 - ET CURRENT_EVENTS Job314 EK URI Exploit/Payload Struct
(current_events.rules)
 2019480 - ET CURRENT_EVENTS Job314 EK URI Landing Struct
(current_events.rules)
 2019487 - ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 22 2014
(current_events.rules)
 2019503 - ET CURRENT_EVENTS SSL SinkHole Cert Possible Infected Host
(current_events.rules)
 2019543 - ET CURRENT_EVENTS Likely SweetOrange EK Flash Exploit URI Struct
(current_events.rules)
 2019594 - ET CURRENT_EVENTS FlashPack EK Plugin-Detect Post
(current_events.rules)
 2019595 - ET CURRENT_EVENTS FlashPack Payload Download Oct 29
(current_events.rules)
 2019596 - ET CURRENT_EVENTS FlashPack Secondary Landing Oct 29
(current_events.rules)
 2019600 - ET CURRENT_EVENTS Likely SweetOrange EK Java Exploit Struct
(JNLP) (current_events.rules)
 2019611 - ET CURRENT_EVENTS Fiesta Java Exploit/Payload URI Struct
(current_events.rules)
 2019623 - ET CURRENT_EVENTS Fiesta SilverLight 4.x Exploit URI Struct
(current_events.rules)
 2019638 - ET CURRENT_EVENTS Evil EK Redirector Cookie Nov 03 2014
(current_events.rules)
 2019643 - ET CURRENT_EVENTS Possible Sweet Orange Landing Nov 3 2014
(current_events.rules)
 2019647 - ET CURRENT_EVENTS Sweet Orange Landing Nov 04 2013
(current_events.rules)
 2019656 - ET CURRENT_EVENTS Archie EK Exploit Flash URI Struct
(current_events.rules)
 2019657 - ET CURRENT_EVENTS Archie EK Exploit Flash URI Struct
(current_events.rules)
 2019658 - ET CURRENT_EVENTS Archie EK Exploit SilverLight URI Struct
(current_events.rules)
 2019659 - ET CURRENT_EVENTS Archie EK Exploit IE URI Struct
(current_events.rules)
 2019672 - ET CURRENT_EVENTS Possible HanJuan EK Flash Payload DL
(current_events.rules)
 2019673 - ET CURRENT_EVENTS Possible HanJuan EK URI Struct Actor Specific
(current_events.rules)
 2019674 - ET CURRENT_EVENTS Possible HanJuan Flash Exploit
(current_events.rules)
 2019675 - ET CURRENT_EVENTS Possible HanJuan EK Actor Specific Injected
iframe (current_events.rules)
 2019677 - ET CURRENT_EVENTS Archie EK Exploit Flash URI Struct
(current_events.rules)
 2019681 - ET CURRENT_EVENTS Operation Huyao Landing Page Nov 07 2014
(current_events.rules)
 2019684 - ET CURRENT_EVENTS Evil EK Redirector Cookie Nov 07 2014
(current_events.rules)
 2019685 - ET CURRENT_EVENTS Archie EK Landing URI Struct
(current_events.rules)
 2019689 - ET CURRENT_EVENTS Job314 EK Landing Nov 10 2014
(current_events.rules)
 2019690 - ET CURRENT_EVENTS Archie EK Landing Nov 10 2014
(current_events.rules)
 2019697 - ET CURRENT_EVENTS Possible Dridex Campaign Download Nov 11 2014
(current_events.rules)
 2019722 - ET CURRENT_EVENTS Archie EK Landing Nov 17 2014
(current_events.rules)
 2019723 - ET CURRENT_EVENTS Archie EK Landing Nov 17 2014 M2
(current_events.rules)
 2019724 - ET CURRENT_EVENTS Archie EK Flash Exploit URI Struct Nov 17 2014
(current_events.rules)
 2019725 - ET CURRENT_EVENTS Archie EK Flash Exploit URI Struct 2 Nov 17
2014 (current_events.rules)
 2019726 - ET CURRENT_EVENTS Archie EK Landing URI Struct 2 Nov 17 2014
(current_events.rules)
 2019727 - ET CURRENT_EVENTS NullHole EK Exploit URI Struct
(current_events.rules)
 2019742 - ET CURRENT_EVENTS SPL2 EK Landing Nov 18 2014
(current_events.rules)
 2019743 - ET CURRENT_EVENTS SPL2 EK PluginDetect Data Hash Nov 18 2014
(current_events.rules)
 2019744 - ET CURRENT_EVENTS SPL2 EK JS HashLib Nov 18 2014
(current_events.rules)
 2019745 - ET CURRENT_EVENTS SPL2 EK Flash Exploit Nov 18 2014
(current_events.rules)
 2019751 - ET CURRENT_EVENTS SweetOrange EK Landing Nov 19 2014
(current_events.rules)
 2019753 - ET CURRENT_EVENTS Possible FlashPack (FlashOnly) Payload Struct
Nov 19 2014 (current_events.rules)
 2019761 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Nov 20 2014
(current_events.rules)
 2019762 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Nov 20 2014
(current_events.rules)
 2019763 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Flash Exploit Nov 20
2014 (current_events.rules)
 2019766 - ET CURRENT_EVENTS FlashPack Flash Exploit Nov 20 2014
(current_events.rules)
 2019768 - ET CURRENT_EVENTS Archie EK T2 PD Struct Nov 20 2014
(current_events.rules)
 2019769 - ET CURRENT_EVENTS Archie EK T2 Landing Struct Nov 20 2014
(current_events.rules)
 2019770 - ET CURRENT_EVENTS Archie EK T2 SWF Exploit Struct Nov 20 2014
(current_events.rules)
 2019798 - ET CURRENT_EVENTS Malicious Iframe Leading to EK
(current_events.rules)
 2019799 - ET CURRENT_EVENTS Magnitude Flash Exploit (IE)
(current_events.rules)
 2019800 - ET CURRENT_EVENTS Magnitude Flash Payload (current_events.rules)
 2019877 - ET CURRENT_EVENTS MS Office Macro Dridex Download URI Dec 5 2014
(current_events.rules)
 2019892 - ET CURRENT_EVENTS Malicious Iframe Leading to EK Dec 08 2014
(current_events.rules)
 2019895 - ET CURRENT_EVENTS Malicious Redirect Leading to EK Dec 08 2014
(current_events.rules)
 2019908 - ET CURRENT_EVENTS Evil Flash Redirector to Job314/Neutrino
Reboot EK (current_events.rules)
 2019916 - ET CURRENT_EVENTS HanJuan Landing Dec 10 2014
(current_events.rules)
 2019920 - ET CURRENT_EVENTS Malicious JS Leading to Fiesta EK
(current_events.rules)
 2019939 - ET CURRENT_EVENTS SoakSoak Malware GET request
(current_events.rules)
 2019940 - ET CURRENT_EVENTS DNS Query SoakSoak Malware
(current_events.rules)
 2019950 - ET CURRENT_EVENTS Malicious Referer Bulk Traffic Sometimes
Leading to EKs (Possible Bedep infection) Dec 16 2014 (current_events.rules)
 2019973 - ET CURRENT_EVENTS Archie EK T2 Activity Dec 18 2014
(current_events.rules)
 2019977 - ET CURRENT_EVENTS W32/Dridex Distribution Campaign Dec 19 2014
(current_events.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>