[Emerging-updates] Daily Ruleset Update Summary 2017/03/29

Travis Green tgreen at emergingthreats.net
Wed Mar 29 18:53:07 EDT 2017


Daily Ruleset Update Summary 2017/03/29
Thanks: Jeff H, @rmkml

[***]            Summary:            [***]

16 new Open, 30 new Pro (16 + 14). CrypMIC/HappyDayzz Ransomware, Various
Phishing, Various Android


[+++]          Added rules:          [+++]

Open:

 2020839 - ET TROJAN Win32/Teslacrypt Ransomware .onion domain (63ghdye17.com) (trojan.rules)
 2020844 - ET TROJAN Win32/Teslacrypt Ransomware .onion domain (7hwr34n18.com) (trojan.rules)
 2020869 - ET TROJAN Win32/Teslacrypt Ransomware .onion domain (wh47f2as19.com) (trojan.rules)
 2024105 - ET TROJAN Win32/Teslacrypt Ransomware .onion domain (2kjb7.net) (trojan.rules)
 2024108 - ET TROJAN KHRAT DragonOK DNS Lookup (inter-ctrip .com) (trojan.rules)
 2024109 - ET CURRENT_EVENTS Possible Malicious Macro DL BIN March 2017 (current_events.rules)
 2024110 - ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain (trojan.rules)
 2024111 - ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain (trojan.rules)
 2024112 - ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain (trojan.rules)
 2024113 - ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain (trojan.rules)
 2024114 - ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain (trojan.rules)
 2024115 - ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain (trojan.rules)
 2024116 - ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain (trojan.rules)
 2024117 - ET TROJAN Ransomware CrypMIC Payment Onion Domain (trojan.rules)
 2024118 - ET TROJAN Ransomware CrypMIC Payment Onion Domain (trojan.rules)
 2024119 - ET TROJAN Ransomware CrypMIC Payment Onion Domain (trojan.rules)

Pro:

 2825660 - ETPRO CURRENT_EVENTS Successful Bank of America Phish Mar 28 2017 (current_events.rules)
 2825661 - ETPRO CURRENT_EVENTS Successful Amazon Phish Mar 28 2017 (current_events.rules)
 2825662 - ETPRO CURRENT_EVENTS Successful DHL Phish Mar 28 2017 (current_events.rules)
 2825663 - ETPRO CURRENT_EVENTS Successful Amazon Phish Mar 29 2017 (current_events.rules)
 2825664 - ETPRO CURRENT_EVENTS Successful Facebook Phish Mar 28 2017 (current_events.rules)
 2825665 - ETPRO CURRENT_EVENTS Successful Yahoo Phish Mar 28 2017 (current_events.rules)
 2825666 - ETPRO CURRENT_EVENTS Successful Chase Phish Mar 28 2017 (current_events.rules)
 2825669 - ETPRO CURRENT_EVENTS Successful DHL Phish Mar 29 2017 (current_events.rules)
 2825670 - ETPRO TROJAN Possible Banker.Win32.Alreay SSL Cert (legit compromised) (trojan.rules)
 2825671 - ETPRO TROJAN W32/Unknown Checkin (trojan.rules)
 2825672 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-03-29 1) (trojan.rules)
 2825673 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-03-29 2) (trojan.rules)
 2825674 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-03-29 3) (trojan.rules)
 2825675 - ETPRO TROJAN Win32/HappyDayzz Ransomware CnC Checkin (trojan.rules)


[///]     Modified active rules:     [///]

 2016868 - ET CURRENT_EVENTS Neutrino EK Plugin-Detect 2 May 20 2013 (current_events.rules)
 2017587 - ET MOBILE_MALWARE Android/Opfake.A GetTask CnC Beacon (mobile_malware.rules)
 2017594 - ET CURRENT_EVENTS Possible Neutrino EK Java Exploit Download Oct 15 2013 (current_events.rules)
 2017595 - ET CURRENT_EVENTS Possible Neutrino EK Java Payload Download Oct 15 2013 (current_events.rules)
 2017596 - ET CURRENT_EVENTS Neutrino EK XORed pluginDetect 1 (current_events.rules)
 2017597 - ET CURRENT_EVENTS Neutrino EK XORed pluginDetect 2 (current_events.rules)
 2017653 - ET CURRENT_EVENTS Possible Neutrino EK Java Exploit/Payload Download Nov 1 2013 (current_events.rules)
 2017661 - ET CURRENT_EVENTS Possible Redirect to Neutrino EK goi.php Nov 4 2013 (current_events.rules)
 2017824 - ET CURRENT_EVENTS Neutrino EK Landing Page Dec 09 2013 (current_events.rules)
 2017963 - ET CURRENT_EVENTS Possible Neutrino/Fiesta EK SilverLight Exploit Jan 13 2014 DLL Naming Convention (current_events.rules)
 2017971 - ET CURRENT_EVENTS Possible Neutrino EK IE/Silverlight Payload Download (current_events.rules)
 2018226 - ET CURRENT_EVENTS Possible Neutrino/Fiesta EK SilverLight Exploit March 05 2014 DLL Naming Convention (current_events.rules)
 2018580 - ET TROJAN Win32/Neutrino Checkin (trojan.rules)
 2019211 - ET TROJAN Win32/Neutrino ping (trojan.rules)
 2020093 - ET TROJAN Win32/Neutrino Cookie (trojan.rules)
 2020094 - ET TROJAN Win32/Neutrino CC dump (trojan.rules)
 2020779 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 78 (trojan.rules)
 2020781 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 80 (trojan.rules)
 2020783 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 82 (trojan.rules)
 2020785 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 84 (trojan.rules)
 2020791 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 90 (trojan.rules)
 2020949 - ET TROJAN Win32/Neutrino Bot Fake 404 Checkin Response (trojan.rules)
 2021128 - ET TROJAN Blue Bot DDoS Proxy Request (trojan.rules)
 2021588 - ET CURRENT_EVENTS Job314/Neutrino EK Flash Exploit M2 Aug 02 2015 (current_events.rules)
 2021589 - ET CURRENT_EVENTS Job314/Neutrino EK Flash Exploit M3 Aug 02 2015 (current_events.rules)
 2021590 - ET CURRENT_EVENTS Job314/Neutrino EK Flash Exploit M1 Aug 02 2015 (IE) (current_events.rules)
 2022462 - ET TROJAN Win32/Neutrino Checkin 2 (trojan.rules)
 2022463 - ET TROJAN Win32/Neutrino Checkin 3 (trojan.rules)
 2810822 - ETPRO TROJAN Win32/Neutrino Checkin Response (trojan.rules)
 2812645 - ETPRO TROJAN Win32/Neutrino Checkin 1 (trojan.rules)
 2812646 - ETPRO TROJAN Win32/Neutrino Checkin 2 (trojan.rules)
 2812647 - ETPRO TROJAN Win32/Neutrino Failed Task (trojan.rules)
 2812659 - ETPRO TROJAN Possible Win32/Neutrino Checkin Response (trojan.rules)
 2814472 - ETPRO CURRENT_EVENTS Likely Neutrino EK Payload Oct 20 2015 M1 (current_events.rules)
 2814473 - ETPRO CURRENT_EVENTS Likely Neutrino EK Payload Oct 20 2015 M2 (current_events.rules)
 2814474 - ETPRO CURRENT_EVENTS Likely Neutrino EK Payload Oct 20 2015 M3 (current_events.rules)
 2814475 - ETPRO CURRENT_EVENTS Likely Neutrino EK Payload Oct 20 2015 M4 (current_events.rules)
 2814476 - ETPRO CURRENT_EVENTS Likely Neutrino EK Payload Oct 20 2015 M5 (current_events.rules)
 2814477 - ETPRO CURRENT_EVENTS Likely Neutrino EK Payload Oct 20 2015 M6 (current_events.rules)
 2814570 - ETPRO CURRENT_EVENTS Possible Neutrino EK Landing Oct 20 2015 M1 (current_events.rules)
 2814571 - ETPRO CURRENT_EVENTS Possible Neutrino EK Landing Oct 20 2015 M2 (current_events.rules)
 2814572 - ETPRO CURRENT_EVENTS Possible Neutrino EK Landing Oct 20 2015 M3 (current_events.rules)
 2814573 - ETPRO CURRENT_EVENTS Possible Neutrino EK Landing Oct 20 2015 M4 (current_events.rules)
 2814574 - ETPRO CURRENT_EVENTS Possible Neutrino EK Landing Oct 20 2015 M5 (current_events.rules)
 2814575 - ETPRO CURRENT_EVENTS Possible Neutrino EK Landing Oct 20 2015 M6 (current_events.rules)
 2814604 - ETPRO MALWARE Win32/Dorv.A/Expiro CnC Beacon (malware.rules)
 2814950 - ETPRO CURRENT_EVENTS Likely Neutrino EK Payload Oct 20 2015 M7 (current_events.rules)
 2815413 - ETPRO CURRENT_EVENTS Possible Neutrino EK Landing Oct 20 2015 M8 Landing URI Struct (current_events.rules)
 2815414 - ETPRO CURRENT_EVENTS Possible Neutrino EK Landing Oct 20 2015 M9 Landing URI Struct (current_events.rules)
 2815415 - ETPRO CURRENT_EVENTS Possible Neutrino EK Landing Oct 20 2015 10 Landing URI Struct (current_events.rules)
 2815664 - ETPRO CURRENT_EVENTS Possible Neutrino EK Landing Oct 20 2015 M11 Landing URI Struct (current_events.rules)
 2820851 - ETPRO CURRENT_EVENTS Possible Neutrino EK Landing Landing URI Struct (fb set) (current_events.rules)
 2821023 - ETPRO TROJAN Win32/Neutrino Bot Malicious SSL Certificate Detected (trojan.rules)
 2825239 - ETPRO TROJAN Lets Encrypt Free SSL Cert Observed in Possible Apple Phishing (trojan.rules)
 2825650 - ETPRO TROJAN Win32/Filecoder Ransomware Variant .onion Proxy Domain (trojan.rules)


[///]    Modified inactive rules:    [///]

 2017179 - ET CURRENT_EVENTS Possible Neutrino EK Java Payload Download (current_events.rules)
 2017180 - ET CURRENT_EVENTS Possible Neutrino EK Java Payload Download 2 (current_events.rules)
 2017267 - ET CURRENT_EVENTS Possible Neutrino EK Java Exploit Download Sep 30 2013 (current_events.rules)
 2017268 - ET CURRENT_EVENTS Possible Neutrino EK Java Payload Download Sep 30 2013 (current_events.rules)


[---]  Disabled and modified rules:  [---]

 2809527 - ETPRO TROJAN Infostealer.Gamania Checkin (trojan.rules)


[---]         Removed rules:         [---]

 2020839 - ET POLICY Win32/Teslacrypt Ransomware .onion domain (63ghdye17.com) (policy.rules)
 2020844 - ET POLICY Win32/Teslacrypt Ransomware .onion domain (7hwr34n18.com) (policy.rules)
 2020869 - ET POLICY Win32/Teslacrypt Ransomware .onion domain (wh47f2as19.com) (policy.rules)
 2024105 - ET POLICY Win32/Teslacrypt Ransomware .onion domain (2kjb7.net) (policy.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>