[Emerging-updates] Daily Ruleset Update Summary 2018/07/16

Travis Green tgreen at emergingthreats.net
Mon Jul 16 13:28:06 HDT 2018


[***]            Summary:            [***]

22 new Open, 65 new Pro (22 + 43). Rostpay, W32.Suviapen, Bloodlust,
Various Phish.

Thanks: Kevin Ross and @Ledtech3


[+++]          Added rules:          [+++]

Open:

 2025697 - ET TROJAN Rostpay Downloader User-Agent (trojan.rules)
 2025698 - ET CURRENT_EVENTS Bank of America Phishing Landing (current_events.rules)
 2025699 - ET POLICY SMB Executable File Transfer (policy.rules)
 2025700 - ET POLICY SMB NT Create AndX Request For an Executable File (policy.rules)
 2025701 - ET POLICY SMB2 NT Create AndX Request For an Executable File (policy.rules)
 2025702 - ET POLICY SMB NT Create AndX Request For an Executable File In a Temp Directory (policy.rules)
 2025703 - ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory (policy.rules)
 2025704 - ET POLICY SMB NT Create AndX Request For a Powershell .ps1 File (policy.rules)
 2025705 - ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File (policy.rules)
 2025706 - ET POLICY SMB NT Create AndX Request For a .bat File (policy.rules)
 2025707 - ET POLICY SMB2 NT Create AndX Request For a .bat File (policy.rules)
 2025708 - ET POLICY SMB NT Create AndX Request For a DLL File (policy.rules)
 2025709 - ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement (policy.rules)
 2025710 - ET POLICY SMB NT Create AndX Request For a .sys File - Possible Lateral Movement (policy.rules)
 2025711 - ET POLICY SMB2 NT Create AndX Request For a .sys File - Possible Lateral Movement (policy.rules)
 2025712 - ET POLICY SMB Remote AT Scheduled Job Create Request - Possible Lateral Movement (policy.rules)
 2025713 - ET POLICY SMB2 Remote AT Scheduled Job Create Request (policy.rules)
 2025714 - ET POLICY SMB Remote AT Scheduled Job Pipe Creation (policy.rules)
 2025715 - ET CURRENT_EVENTS Fake Adobe Software Update Landing (current_events.rules)
 2025716 - ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 1 (web_specific_apps.rules)
 2025717 - ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 2 (web_specific_apps.rules)
 2025718 - ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 3 (web_specific_apps.rules)
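
Why the ELF-magic rules above (2025716 through 2025718) come as three numbered variants, as an added example that is not part of this post and not the ET rule content (the actual match strings inside those rules are not shown on this page): base64 turns every 3 input bytes into 4 output characters, so the 4-byte ELF magic 7f 45 4c 46 produces a different fixed substring depending on its offset modulo 3 in the underlying data, and a detector needs one pattern per alignment. The Python below derives the invariant substring for each alignment and runs the resulting patterns over constructed request bodies. The function names, the sample bodies, and the ELF header prefix used are assumptions made for this example.

```python
"""Derive the three base64 alignments of the ELF magic and scan for them.

Added example, not Emerging Threats rule content. The exact content matches
used by SIDs 2025716-2025718 are not on this page; this shows the general
technique that makes three rules necessary.
"""
import base64

ELF_MAGIC = b"\x7fELF"  # 7f 45 4c 46


def invariant_base64_patterns(magic: bytes) -> list:
    """Return, for each of the three alignments (offset mod 3 == 0, 1, 2), the
    longest run of base64 characters determined by `magic` alone.

    Trick: encode once with all-zero and once with all-one neighbouring bytes.
    Any output character that draws even one bit from a neighbour differs
    between the two encodings; characters that agree are fixed by the magic.
    """
    patterns = []
    for shift in range(3):
        # Pad after the magic to a full 3-byte group plus one extra group, so
        # no '=' padding appears and there are always bytes following the magic.
        suffix = (-(shift + len(magic))) % 3 + 3
        enc0 = base64.b64encode(b"\x00" * shift + magic + b"\x00" * suffix).decode("ascii")
        enc1 = base64.b64encode(b"\xff" * shift + magic + b"\xff" * suffix).decode("ascii")
        # '.' is not in the base64 alphabet, so it is a safe placeholder.
        fixed = "".join(a if a == b else "." for a, b in zip(enc0, enc1))
        patterns.append(max(fixed.split("."), key=len))
    return patterns


def find_encoded_elf(text: str, patterns=None):
    """Return the alignment index (0, 1 or 2) whose pattern occurs in `text`,
    or None if none does. This mirrors one content match per rule; a real
    IDS rule also constrains direction (client to web server), HTTP method
    and URI, because 4 or 5 base64 characters alone will eventually collide
    with benign encoded data."""
    if patterns is None:
        patterns = invariant_base64_patterns(ELF_MAGIC)
    for idx, pat in enumerate(patterns):
        if pat in text:
            return idx
    return None


# Constructed sample request bodies (not captured traffic): the start of an
# ELF64 header, base64-encoded at each of the three alignments, plus a benign body.
_ELF_PREFIX = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8  # hypothetical header bytes

SAMPLE_BODIES = {
    "aligned_0": "file=" + base64.b64encode(_ELF_PREFIX).decode(),
    "aligned_1": "file=" + base64.b64encode(b"X" + _ELF_PREFIX).decode(),
    "aligned_2": "file=" + base64.b64encode(b"XY" + _ELF_PREFIX).decode(),
    "benign": "file=" + base64.b64encode(b"hello world, nothing to see").decode(),
}


def scan_samples() -> dict:
    """Run the detector over every constructed body; maps name -> alignment or None."""
    return {name: find_encoded_elf(body) for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    print(invariant_base64_patterns(ELF_MAGIC))
    print(scan_samples())
```

The derived patterns are "f0VMR", "9FTE" and "/RUxG" (the familiar "f0VMRg" is the aligned-0 case). Note how short the second one is: the aligned-1 substring is only four characters because the magic's leading 0x7f shares its first output character with the preceding byte, which is why such rules lean on HTTP context rather than the magic string alone.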

Pro:

 2831772 - ETPRO TROJAN W32.Suviapen Checkin (trojan.rules)
 2831773 - ETPRO CURRENT_EVENTS Successful Generic Phish - Redirect to PDF 2018-07-16 (current_events.rules)
 2831774 - ETPRO WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 1 (web_specific_apps.rules)
 2831775 - ETPRO WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 2 (web_specific_apps.rules)
 2831776 - ETPRO WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 3 (web_specific_apps.rules)
 2831777 - ETPRO WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 4 (web_specific_apps.rules)
 2831778 - ETPRO CURRENT_EVENTS Successful Generic Phish - Redirect to Voicemail 2018-07-16 (current_events.rules)
 2831779 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2018-07-16 (current_events.rules)
 2831780 - ETPRO TROJAN W32.Gamaredon.Variant Checkin (trojan.rules)
 2831781 - ETPRO CURRENT_EVENTS Successful Generic Phish - Redirect to FTP 2018-07-16 (current_events.rules)
 2831782 - ETPRO TROJAN Win32.Ursu.Variant Checkin (trojan.rules)
 2831783 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-07-16 (current_events.rules)
 2831784 - ETPRO TROJAN Hawkeye Keylogger SMTP Checkin M3 (trojan.rules)
 2831785 - ETPRO CURRENT_EVENTS Successful Chalbhai Phish 2018-07-16 (current_events.rules)
 2831786 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish M1 2018-07-16 (current_events.rules)
 2831787 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish M2 2018-07-16 (current_events.rules)
 2831788 - ETPRO CURRENT_EVENTS Successful Santander Phish M1 2018-07-16 (current_events.rules)
 2831789 - ETPRO CURRENT_EVENTS Successful Santander Phish M2 2018-07-16 (current_events.rules)
 2831790 - ETPRO CURRENT_EVENTS Successful Apple Phish 2018-07-16 (current_events.rules)
 2831791 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-07-16 (current_events.rules)
 2831792 - ETPRO CURRENT_EVENTS Successful SFR Phish 2018-07-16 (current_events.rules)
 2831793 - ETPRO CURRENT_EVENTS Successful Netflix M1 Phish 2018-07-16 (current_events.rules)
 2831794 - ETPRO CURRENT_EVENTS Successful Netflix M2 Phish 2018-07-16 (current_events.rules)
 2831795 - ETPRO TROJAN Possible Shrug2 Ransomware Checkin (trojan.rules)
 2831796 - ETPRO CURRENT_EVENTS Successful Bank of America M1 Phish 2018-07-16 (current_events.rules)
 2831797 - ETPRO CURRENT_EVENTS Successful Bank of America M2 Phish 2018-07-16 (current_events.rules)
 2831798 - ETPRO CURRENT_EVENTS Successful Bank of America M3 Phish 2018-07-16 (current_events.rules)
 2831799 - ETPRO CURRENT_EVENTS Successful Adobe Phish 2018-07-16 (current_events.rules)
 2831800 - ETPRO WEB_SPECIFIC_APPS WordPress Plugin Job Manager Stored Cross-Site Scripting (web_specific_apps.rules)
 2831801 - ETPRO TROJAN W32.Suviapen Checkin M2 (trojan.rules)
 2831802 - ETPRO WEB_SPECIFIC_APPS Hadoop YARN ResourceManager Unauthenticated Command Execution (web_specific_apps.rules)
 2831803 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-07-16) (current_events.rules)
 2831804 - ETPRO CURRENT_EVENTS Bloodlust Redirect JS Inbound Jul 16 (current_events.rules)
 2831805 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 1) (trojan.rules)
 2831806 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 2) (trojan.rules)
 2831807 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 3) (trojan.rules)
 2831808 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 4) (trojan.rules)
 2831809 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 5) (trojan.rules)
 2831810 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 6) (trojan.rules)
 2831811 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 7) (trojan.rules)
 2831812 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) (trojan.rules)
 2831813 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 9) (trojan.rules)
 2831814 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 10) (trojan.rules)


[///]     Modified active rules:     [///]

 2017128 - ET TROJAN W32.Berbew Check-in (trojan.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>