[Emerging-updates] Daily Ruleset Update Summary 2018/07/31

Travis Green tgreen at emergingthreats.net
Tue Jul 31 12:03:33 HDT 2018


[***]            Summary:            [***]

1 new Open, 26 new Pro (1 + 25). Win32/Bisonal, Remcos RAT, Win32/Slimware,
Various Mobile.

Thanks: @eSentire


[+++]          Added rules:          [+++]

Open:

 2025920 - ET POLICY IP Check Domain (showmyipaddress .com in HTTP Host) (policy.rules)
 2025921 - ET TROJAN [eSentire] Remcos RAT Checkin 24 (trojan.rules)
 2025922 - ET TROJAN Win32/Bisonal CnC Checkin (trojan.rules)
 2025923 - ET TROJAN Win32/Bisonal RC4 Encrypted 8 Byte Static CnC Checkin (trojan.rules)
 2025924 - ET TROJAN Win32/Bisonal DNS Lookup 1 (trojan.rules)
 2025925 - ET TROJAN Win32/Bisonal DNS Lookup 2 (trojan.rules)
 2025926 - ET TROJAN Win32/Bisonal DNS Lookup 3 (trojan.rules)
 2025927 - ET TROJAN Win32/Bisonal DNS Lookup 4 (trojan.rules)
 2025928 - ET TROJAN Win32/Bisonal DNS Lookup 5 (trojan.rules)

Pro:

 2832018 - ETPRO TROJAN Win32/FlyStudio/Agent.EW Variant CnC Checkin (trojan.rules)
 2832019 - ETPRO MALWARE Win32/Slimware PUA CnC Checkin (malware.rules)
 2832020 - ETPRO TROJAN Observed Ursnif CnC 2018-07-30 Domain (bybybaby .top in TLS SNI) (trojan.rules)
 2832021 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-07-31) (current_events.rules)
 2832022 - ETPRO POLICY Observed Suspicious SSL Cert (External IP Address Lookup) (policy.rules)
 2832023 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Handda.san Checkin (mobile_malware.rules)
 2832024 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Handda.san CnC Beacon (mobile_malware.rules)


[///]     Modified active rules:     [///]

 2008985 - ET POLICY IP Check whatismyip.com Automation Page (policy.rules)
 2008986 - ET POLICY IP Check Domain (whatismyip in HTTP Host) (policy.rules)
 2008987 - ET POLICY IP Check Domain (showip in HTTP Host) (policy.rules)
 2008988 - ET POLICY IP Check Domain (cmyip.com in HTTP Host) (policy.rules)
 2008989 - ET POLICY IP Check Domain (showmyip in HTTP Host) (policy.rules)
 2009020 - ET POLICY IP Check Domain (whatismyip in HTTP Host) (policy.rules)
 2017398 - ET POLICY IP Check Domain (icanhazip. com in HTTP Host) (policy.rules)
 2024108 - ET TROJAN KHRAT DragonOK DNS Lookup (inter-ctrip .com) (trojan.rules)
 2025880 - ET CURRENT_EVENTS Volexity - JS Sniffer Data Theft Beacon Detected (current_events.rules)
 2805815 - ETPRO POLICY IP Check Domain (whatismyipaddress .com in HTTP Host) (policy.rules)
 2814702 - ETPRO POLICY IP Check Domain (ip-address .ru in HTTP Host) (policy.rules)
 2827749 - ETPRO TROJAN IDKEY/Ghoul Banker Checkin (trojan.rules)
 2827750 - ETPRO TROJAN IDKEY/Ghoul Banker Exfil System Info (trojan.rules)
 2831894 - ETPRO MOBILE_MALWARE Android/Spy.Agent.ANM CnC Beacon (mobile_malware.rules)


[---]         Removed rules:         [---]

 2012691 - ET POLICY Internal Host visiting Showmyipaddress.com - Possible Trojan (policy.rules)
 2805814 - ETPRO POLICY Internal Host Retrieving External IP via whatismyip.everdot.org - Possible Infection (policy.rules)
 2805816 - ETPRO POLICY Internal Host Retrieving External IP via showmyipaddress.com - Possible Infection (policy.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>