[Emerging-updates] Daily Ruleset Update Summary 2017/02/17

Francis Trudeau ftrudeau at emergingthreats.net
Fri Feb 17 17:24:13 EST 2017


 [***] Summary: [***]

 40 new Open signatures, 59 new Pro (40 + 19).  CozyCar, ShellCrew APT,
TP-LINK DNSChanger, Sundown EK.

 Thanks:  @illegalFawn.

 [+++]          Added rules:          [+++]

 Open:

  2023965 - ET TROJAN CozyCar CnC Beacon (trojan.rules)
  2023966 - ET TROJAN CozyCar V2 CnC Beacon (trojan.rules)
  2023967 - ET TROJAN APT29 Implant8 - Evil Twitter Callback (trojan.rules)
  2023968 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 1 (trojan.rules)
  2023969 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 2 (trojan.rules)
  2023970 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 3 (trojan.rules)
  2023971 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 4 (trojan.rules)
  2023972 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 5 (trojan.rules)
  2023973 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 6 (trojan.rules)
  2023974 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 7 (trojan.rules)
  2023975 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 8 (trojan.rules)
  2023976 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 9 (trojan.rules)
  2023977 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 10 (trojan.rules)
  2023978 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 11 (trojan.rules)
  2023979 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 12 (trojan.rules)
  2023980 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 13 (trojan.rules)
  2023981 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 14 (trojan.rules)
  2023982 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 15 (trojan.rules)
  2023983 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 16 (trojan.rules)
  2023984 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 17 (trojan.rules)
  2023985 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 18 (trojan.rules)
  2023986 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 19 (trojan.rules)
  2023987 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 20 (trojan.rules)
  2023988 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 21 (trojan.rules)
  2023989 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 22 (trojan.rules)
  2023990 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 23 (trojan.rules)
  2023991 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 24 (trojan.rules)
  2023992 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 25 (trojan.rules)
  2023993 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 26 (trojan.rules)
  2023994 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 27 (trojan.rules)
  2023995 - ET EXPLOIT TP-LINK DNS Change GET Request (DNSChanger EK) (exploit.rules)
  2023996 - ET EXPLOIT TP-LINK Password Change GET Request (DNSChanger EK) (exploit.rules)
  2023997 - ET INFO Potentially unsafe SMBv1 protocol in use (info.rules)
  2023998 - ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2) (trojan.rules)
  2023999 - ET CURRENT_EVENTS Successful Apple Account Phish Feb 17 2017 (current_events.rules)
  2024000 - ET CURRENT_EVENTS Successful iCloud (CN) Phish Feb 17 2017 (current_events.rules)
  2024001 - ET CURRENT_EVENTS Successful California Bank & Trust Phish Feb 17 2017 (current_events.rules)
  2024002 - ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish Feb 17 2017 (current_events.rules)
  2024003 - ET CURRENT_EVENTS Possible Phishing Verified by Visa title over non SSL Feb 17 2017 (current_events.rules)
  2024004 - ET TROJAN APT29 Implant8 - MAL_REFERER (trojan.rules)

 Pro:

  2825013 - ETPRO TROJAN Gabby.APT/Rambo DNS Lookup (trojan.rules)
  2825014 - ETPRO TROJAN Gabby.APT/Rambo DNS Lookup (trojan.rules)
  2825015 - ETPRO MOBILE_MALWARE Android.Trojan.Ogel.AU CnC Beacon (mobile_malware.rules)
  2825016 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iop.j Checkin (mobile_malware.rules)
  2825017 - ETPRO MOBILE_MALWARE Android.Adware.Mulad.AD Checkin (mobile_malware.rules)
  2825018 - ETPRO TROJAN Sage Ransomware Domain (er29sl . com) (trojan.rules)
  2825019 - ETPRO TROJAN Torrentlocker Ransomware Domain (fixnix . pl) (trojan.rules)
  2825020 - ETPRO TROJAN Sage Ransomware Domain (pbt2ac . com) (trojan.rules)
  2825021 - ETPRO TROJAN Sage Ransomware Domain (op7su2 . com) (trojan.rules)
  2825022 - ETPRO TROJAN DNS Query to Cerber Domain (1enbyr . top) (trojan.rules)
  2825023 - ETPRO TROJAN DNS Query to Cerber Domain (18kkhl . top) (trojan.rules)
  2825024 - ETPRO TROJAN DNS Query to Cerber Domain (17g6gc . top) (trojan.rules)
  2825025 - ETPRO TROJAN DNS Query to Cerber Domain (1cb19l . top) (trojan.rules)
  2825026 - ETPRO TROJAN Win32.Abnores.R Checkin (trojan.rules)
  2825027 - ETPRO CURRENT_EVENTS Possible SunDown EK Landing URI Struct T2 Feb 17 2017 (current_events.rules)
  2825028 - ETPRO CURRENT_EVENTS Possible SunDown EK Payload T2 Feb 17 2017 (current_events.rules)
  2825029 - ETPRO TROJAN Unknown Stealer CnC Activity (trojan.rules)
  2825030 - ETPRO POLICY SSL Cert Free File Hosting Site (lewd . se) (policy.rules)
  2825032 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate Detected (trojan.rules)


 [///]     Modified active rules:     [///]

  2010677 - ET MALWARE Suspicious User-Agent (My Session) (malware.rules)
  2022894 - ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752) (current_events.rules)
  2022896 - ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 (current_events.rules)
  2820592 - ETPRO CURRENT_EVENTS Firesale gTLD and QHEX Likely Magintude EK URI struct June 13 2016 (current_events.rules)
  2822886 - ETPRO TROJAN Unknown APT Downloader Receiving Payload (Rambo Backdoor) (trojan.rules)
  2822887 - ETPRO TROJAN APT.Gabby/Rambo CnC Beacon (trojan.rules)
  2822888 - ETPRO TROJAN APT.Gabby/Rambo CnC Beacon Response (trojan.rules)
  2823788 - ETPRO TROJAN DNSChanger Rogue DNS Server (A Lookup) (trojan.rules)
  2823855 - ETPRO CURRENT_EVENTS SunDown EK Flash Exploit Dec 13 2016 (current_events.rules)

