[Emerging-updates] Daily Ruleset Update Summary 2017/02/16

Francis Trudeau ftrudeau at emergingthreats.net
Thu Feb 16 17:16:48 EST 2017


 [***] Summary: [***]

 56 Open signatures, 76 new Pro (56 + 20).  (?:Mini|Cosmic)Duke,
MAGICHOUND, Satan Ransomware.

 Thanks:  @J0hnnyXm4s and @cyber_attacks.

 [+++]          Added rules:          [+++]

  2023909 - ET TROJAN Miniduke variant C&C activity (trojan.rules)
  2023910 - ET TROJAN CosmicDuke Exfiltrating Data via FTP STOR (trojan.rules)
  2023911 - ET TROJAN Miniduke variant FTP upload (trojan.rules)
  2023912 - ET TROJAN APT28 SEDNIT Variant CnC Beacon 1 (trojan.rules)
  2023913 - ET TROJAN APT28 SEDNIT Variant CnC Beacon 2 (trojan.rules)
  2023914 - ET TROJAN APT28 SEDNIT Variant CnC Beacon 3 (trojan.rules)
  2023915 - ET TROJAN APT28 SEDNIT Variant CnC Beacon 4 (trojan.rules)
  2023916 - ET TROJAN APT28 Uploader Variant CnC Beacon (trojan.rules)
  2023917 - ET TROJAN APT28 Uploader Variant Fake Request to Google (trojan.rules)
  2023918 - ET TROJAN MiniDuke CnC Beacon (string1_slide_1_1) (trojan.rules)
  2023919 - ET TROJAN MiniDuke CnC Beacon (string1_slide_1_2) (trojan.rules)
  2023920 - ET TROJAN MiniDuke CnC Beacon (string1_slide_2_1) (trojan.rules)
  2023921 - ET TROJAN MiniDuke CnC Beacon (string1_slide_2_2) (trojan.rules)
  2023922 - ET TROJAN MiniDuke CnC Beacon (string1_slide_3_1) (trojan.rules)
  2023923 - ET TROJAN MiniDuke CnC Beacon (string1_slide_3_2) (trojan.rules)
  2023924 - ET TROJAN MiniDuke CnC Beacon (string2_slide_1_1) (trojan.rules)
  2023925 - ET TROJAN MiniDuke CnC Beacon (string2_slide_1_2) (trojan.rules)
  2023926 - ET TROJAN MiniDuke CnC Beacon (string2_slide_2_1) (trojan.rules)
  2023927 - ET TROJAN MiniDuke CnC Beacon (string2_slide_2_2) (trojan.rules)
  2023928 - ET TROJAN MiniDuke CnC Beacon (string2_slide_3_1) (trojan.rules)
  2023929 - ET TROJAN MiniDuke CnC Beacon (string2_slide_3_2) (trojan.rules)
  2023930 - ET TROJAN Miniduke Variant CnC Beacon via WebDAV (trojan.rules)
  2023931 - ET TROJAN APT29 Cache_DLL SSL Cert (trojan.rules)
  2023932 - ET TROJAN Qadars CnC DNS Lookup (zkdef09i7ola . net) (trojan.rules)
  2023933 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b CnC Beacon (mobile_malware.rules)
  2023934 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b Apps List Exfil (mobile_malware.rules)
  2023935 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup (mobile_malware.rules)
  2023936 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup (mobile_malware.rules)
  2023937 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup (mobile_malware.rules)
  2023938 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup (mobile_malware.rules)
  2023939 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup (mobile_malware.rules)
  2023940 - ET TROJAN MAGICHOUND.MPK Activity via IRC (trojan.rules)
  2023941 - ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M1 (trojan.rules)
  2023942 - ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M2 (trojan.rules)
  2023943 - ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M3 (trojan.rules)
  2023944 - ET TROJAN Possibly Malicious Double Base64 Unicode Net.ServicePointManager M1 (trojan.rules)
  2023945 - ET TROJAN Possibly Malicious Double Base64 Unicode Net.ServicePointManager M2 (trojan.rules)
  2023946 - ET TROJAN Possibly Malicious Double Base64 Unicode Net.ServicePointManager M3 (trojan.rules)
  2023947 - ET TROJAN Possible Malicious PowerSploit PowerShell Script Observed over HTTP (trojan.rules)
  2023948 - ET TROJAN MAGICHOUND.FETCH Retrieving Malicious PowerShell (trojan.rules)
  2023949 - ET TROJAN Likely MAGICHOUND.FETCH Receiving PowerSploit PowerShell over HTTP (trojan.rules)
  2023950 - ET TROJAN MAGICHOUND.RETRIEVER CnC Beacon (trojan.rules)
  2023951 - ET TROJAN MAGICHOUND.FETCH CnC Beacon (trojan.rules)
  2023952 - ET TROJAN MAGICHOUND.FETCH SSL Cert (trojan.rules)
  2023953 - ET TROJAN MAGICHOUND-related DNS Lookup (chrome-up .date) (trojan.rules)
  2023954 - ET TROJAN MAGICHOUND-related DNS Lookup (timezone .live) (trojan.rules)
  2023955 - ET TROJAN MAGICHOUND-related DNS Lookup (servicesystem .serveirc.com) (trojan.rules)
  2023956 - ET TROJAN MAGICHOUND-related DNS Lookup (analytics-google .org) (trojan.rules)
  2023957 - ET TROJAN MAGICHOUND-related DNS Lookup (com-adm .in) (trojan.rules)
  2023958 - ET TROJAN MAGICHOUND-related DNS Lookup (microsoftexplorerservices .cloud) (trojan.rules)
  2023959 - ET TROJAN MAGICHOUND-related DNS Lookup (msservice .site) (trojan.rules)
  2023960 - ET TROJAN MAGICHOUND-related DNS Lookup (com-ho .me) (trojan.rules)
  2023961 - ET TROJAN MAGICHOUND-related DNS Lookup (ntg-sa .com) (trojan.rules)
  2023962 - ET TROJAN MAGICHOUND-related DNS Lookup (briefl .ink) (trojan.rules)
  2023963 - ET TROJAN MAGICHOUND.LEASH IRC CnC Beacon (trojan.rules)
  2023964 - ET CURRENT_EVENTS Successful WeTransfer Phish Oct 04 2016 (current_events.rules)

 Pro:

  2824992 - ETPRO TROJAN Win32/Unknown Fake SSL CnC Beacon 3 (cipher suite) (trojan.rules)
  2824993 - ETPRO TROJAN Win32/Unknown Fake SSL CnC Beacon 4 (ec_point_formats) (trojan.rules)
  2824994 - ETPRO TROJAN Win32/Unknown Fake SSL CnC Beacon 5 (renegotiation_info/blank SNI) (trojan.rules)
  2824995 - ETPRO TROJAN Win32/Unknown Fake SSL CnC Beacon 6 (Server Hello pre-packet) (trojan.rules)
  2824996 - ETPRO TROJAN Win32/Unknown Fake SSL CnC Beacon 7 (compress_method/blank SNI) (trojan.rules)
  2824997 - ETPRO TROJAN Satan Ransomware .onion Proxy Domain (trojan.rules)
  2824998 - ETPRO MOBILE_MALWARE PUA RiskTool.AndroidOS.Dnotua.oe Checkin (mobile_malware.rules)
  2824999 - ETPRO MOBILE_MALWARE PUA RiskTool.AndroidOS.Dnotua.oe Checkin 2 (mobile_malware.rules)
  2825000 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc Download) (current_events.rules)
  2825001 - ETPRO CURRENT_EVENTS Successful My ADP Phish (set) Feb 16 2017 (current_events.rules)
  2825002 - ETPRO CURRENT_EVENTS Successful My ADP Phish Feb 16 2017 (current_events.rules)
  2825003 - ETPRO CURRENT_EVENTS Successful Bank of America Phish M1 Feb 16 2017 (current_events.rules)
  2825004 - ETPRO CURRENT_EVENTS Successful Bank of America Phish M2 Feb 16 2017 (current_events.rules)
  2825005 - ETPRO CURRENT_EVENTS Successful Bank of America Phish M3 Feb 16 2017 (current_events.rules)
  2825006 - ETPRO MOBILE_MALWARE Android/Iop.DJ Checkin (mobile_malware.rules)
  2825007 - ETPRO CURRENT_EVENTS Paypal Phishing Landing Feb 16 2017 (current_events.rules)
  2825008 - ETPRO CURRENT_EVENTS Successful Paypal Phish M1 Feb 16 2017 (current_events.rules)
  2825009 - ETPRO CURRENT_EVENTS Successful Paypal Phish M2 Feb 16 2017 (current_events.rules)
  2825010 - ETPRO CURRENT_EVENTS Successful Generic Personalized Email Phish Feb 16 2017 (current_events.rules)
  2825011 - ETPRO CURRENT_EVENTS Successful DHL Phish Feb 16 2017 (current_events.rules)


 [///]     Modified active rules:     [///]

  2023814 - ET TROJAN CryptoShield Ransomware Checkin (trojan.rules)
  2821129 - ETPRO TROJAN Win32/Unknown Fake SSL CnC Beacon 1 (trojan.rules)
  2821148 - ETPRO TROJAN Sharik/Smoke Checkin 2 (trojan.rules)
  2823117 - ETPRO INFO DNS TXT Response Contains URL (info.rules)


 [---]         Removed rules:         [---]

  2808272 - ETPRO TROJAN Miniduke variant FTP upload (trojan.rules)
  2808273 - ETPRO TROJAN Miniduke variant C&C activity (trojan.rules)
  2812049 - ETPRO TROJAN CosmicDuke Exfiltrating Data via FTP STOR (trojan.rules)
  2814358 - ETPRO TROJAN Win32/Slackbot.F Activity via IRC (trojan.rules)
  2822374 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish Oct 04 2016 (current_events.rules)
