[Emerging-updates] Daily Ruleset Update Summary 2017/07/11

Travis Green tgreen at emergingthreats.net
Tue Jul 11 18:23:56 EDT 2017


[***]            Summary:            [***]

3 new Open, 38 new Pro (3 + 35). MAPP, Andromeda HTA Downloader, Various
Phishing, Various Mobile.

Thanks: @malwrhunterteam

CVE to ET Sid mapping for MAPP:

2827087 -> CVE-2017-3099
2827088 -> CVE-2017-3099
2827089 -> CVE-2017-3100
2827090 -> CVE-2017-0243
2827091 -> CVE-2017-8577
2827092 -> CVE-2017-8578
2827093 -> CVE-2017-8524
2827094 -> CVE-2017-8598
2827095 -> CVE-2017-8601
2827096 -> CVE-2017-8605
2827097 -> CVE-2017-8617
2827098 -> CVE-2017-8618
2827099 -> CVE-2017-8619


[+++]          Added rules:          [+++]

Open:

 2024453 - ET CURRENT_EVENTS Possible Capitech Internet Banking Phishing
Landing - Title over non SSL (current_events.rules)
 2024454 - ET TROJAN CoinMiner Known Malicious Stratum Authline
(2017-07-11) (trojan.rules)
 2024455 - ET TROJAN MSIL/Unk.Stealer Data Exfil Via HTTP (trojan.rules)

Pro:

 2827072 - ETPRO TROJAN Cerber Blockchain Query 2 (trojan.rules)
 2827073 - ETPRO CURRENT_EVENTS Successful Norton Email Scan Phish Jul 11
2017 (current_events.rules)
 2827074 - ETPRO CURRENT_EVENTS Successful Norton Email Scan Phish -
Payment Information Submitted Jul 11 2017 (current_events.rules)
 2827075 - ETPRO CURRENT_EVENTS Successful Blockchain Phish Jul 11 2017
(current_events.rules)
 2827076 - ETPRO CURRENT_EVENTS Successful Capitec Internet Banking Phish
Jul 11 2017 (current_events.rules)
 2827077 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish M1 Jul 11
2017 (current_events.rules)
 2827078 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish M2 Jul 11
2017 (current_events.rules)
 2827079 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish M3 Jul 11
2017 (current_events.rules)
 2827080 - ETPRO CURRENT_EVENTS Successful Blockchain Phish - POST to Title
over non SSL (current_events.rules)
 2827081 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
174 (mobile_malware.rules)
 2827082 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish (set) Jul
11 2017 (current_events.rules)
 2827083 - ETPRO CURRENT_EVENTS Successful OWA Phish Jul 11 2017
(current_events.rules)
 2827084 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz SMS/Contact
Exfil via SMTP 3 (mobile_malware.rules)
 2827085 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ic
SMS/Contact Exfil via SMTP 3 (mobile_malware.rules)
 2827086 - ETPRO CURRENT_EVENTS Possible Watering Hole Targeting Energy
Industry Jul 11 2017 (current_events.rules)
 2827087 - ETPRO EXPLOIT Adobe Flash Action Script 3 OOB flowbits set
(CVE-2017-3099) (exploit.rules)
 2827088 - ETPRO EXPLOIT Adobe Flash Action Script 3 OOB (CVE-2017-3099)
(exploit.rules)
 2827089 - ETPRO EXPLOIT Action Script 2 BitmapData OOB (CVE-2017-3100)
(exploit.rules)
 2827090 - ETPRO EXPLOIT MS Word Memory Corruption Vuln (CVE-2017-0243)
(exploit.rules)
 2827091 - ETPRO WEB_CLIENT MS Windows Unsane Memory Access Vuln
(CVE-2017-8577) (web_client.rules)
 2827092 - ETPRO WEB_CLIENT MS Windows Unsane Memory Access Vuln
(CVE-2017-8578) (web_client.rules)
 2827093 - ETPRO WEB_CLIENT IE11 Type Confusion Vuln (CVE-2017-8524)
(web_client.rules)
 2827094 - ETPRO WEB_CLIENT MS Edge Uninitialized Memory Vuln
(CVE-2017-8598) (web_client.rules)
 2827095 - ETPRO WEB_CLIENT MS Edge Chakra Core Type Confusion Vuln
(CVE-2017-8601) (web_client.rules)
 2827096 - ETPRO WEB_CLIENT MS Edge Use-After-Free Vuln (CVE-2017-8605)
(web_client.rules)
 2827097 - ETPRO WEB_CLIENT MS Edge Type Confusion Vuln (CVE-2017-8617)
(web_client.rules)
 2827098 - ETPRO WEB_CLIENT MS Edge Out-of-Bounds Vuln (CVE-2017-8618)
(web_client.rules)
 2827099 - ETPRO WEB_CLIENT MS Edge Out-of-Bounds Write Vuln
(CVE-2017-8619) (web_client.rules)
 2827100 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ic SMS/Contact
Exfil via SMTP 4 (mobile_malware.rules)
 2827101 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz SMS/Contact
Exfil via SMTP 4 (mobile_malware.rules)
 2827102 - ETPRO CURRENT_EVENTS Successful Schoolmessenger Phish Jul 11
2017 (current_events.rules)
 2827103 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ic SMS/Contact
Exfil via SMTP 5 (mobile_malware.rules)
 2827104 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ic SMS/Contact
Exfil via SMTP 6 (mobile_malware.rules)
 2827105 - ETPRO TROJAN Andromeda HTA Downloader Stage 1 (trojan.rules)
 2827106 - ETPRO TROJAN Andromeda HTA Downloader Stage 3 (trojan.rules)


[///]     Modified active rules:     [///]

 2823624 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz Contacts
Exfil via SMTP (mobile_malware.rules)
 2826518 - ETPRO TROJAN DNS Query matching Cerber Domain Format
(trojan.rules)
 2827005 - ETPRO MALWARE W32.DriverPack PUP Checkin (malware.rules)


[---]         Disabled rules:        [---]

 2013289 - ET POLICY MOBILE Apple device leaking UDID from SpringBoard
(policy.rules)


[---]         Removed rules:         [---]

 2023676 - ET TROJAN Cerber Bitcoin Address Check (trojan.rules)
 2822804 - ETPRO TROJAN DiamondFox HTTP POST CnC Checkin 2 (trojan.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>