[Emerging-updates] Daily Ruleset Update Summary 2019/07/02

James Emery-Callcott jcallcott at emergingthreats.net
Tue Jul 2 13:20:35 HDT 2019


[***]            Summary:            [***]

  18 new Open, 47 new Pro (18 + 29).  APT32, Godlua, Ratsnif, Various Phish.

  Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2027651 - ET TROJAN Win32/Unk HeavensGate Loader CnC in DNS Lookup (trojan.rules)
  2027652 - ET TROJAN Win32/Unk HeavensGate Loader CnC in DNS Lookup (trojan.rules)
  2027653 - ET TROJAN Win32/Unk HeavensGate Loader CnC in DNS Lookup (trojan.rules)
  2027654 - ET TROJAN APT32 CnC in DNS Lookup (trojan.rules)
  2027655 - ET TROJAN APT32 CnC in DNS Lookup (trojan.rules)
  2027656 - ET TROJAN APT32 Win32/Ratsnif POSTing Log Message to CnC (trojan.rules)
  2027657 - ET TROJAN APT32 Win32/Ratsnif Submitting Output of Command to CnC (trojan.rules)
  2027658 - ET TROJAN APT32 Win32/Ratsnif Requesting Command from CnC (trojan.rules)
  2027659 - ET TROJAN APT32 Win32/Ratsnif CnC Checkin (trojan.rules)
  2027660 - ET TROJAN Win32/Remcos RAT Checkin 109 (trojan.rules)
  2027661 - ET TROJAN Operation Tripoli Related CnC Checkin (trojan.rules)
  2027662 - ET TROJAN Observed Godlua Backdoor Domain (helegedada .github .io in TLS SNI) (trojan.rules)
  2027663 - ET TROJAN Observed Godlua Backdoor Domain (dd .heheda .tk in TLS SNI) (trojan.rules)
  2027664 - ET TROJAN Observed Godlua Backdoor Domain (d .heheda .tk in TLS SNI) (trojan.rules)
  2027665 - ET TROJAN Observed Godlua Backdoor Domain (c .heheda .tk in TLS SNI) (trojan.rules)
  2027666 - ET TROJAN Observed Godlua Backdoor Domain (dd .cloudappconfig .com in TLS SNI) (trojan.rules)
  2027667 - ET TROJAN Observed Godlua Backdoor Domain (d .cloudappconfig .com in TLS SNI) (trojan.rules)
  2027668 - ET TROJAN Observed Godlua Backdoor Domain (c .cloudappconfig .com in TLS SNI) (trojan.rules)

Pro:

  2837167 - ETPRO TROJAN Hancitor-fknmo Loader Checkin (trojan.rules)
  2837168 - ETPRO TROJAN QCRAT CnC Activity (trojan.rules)
  2837169 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2019-07-01) (current_events.rules)
  2837170 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2019-07-01 2) (current_events.rules)
  2837171 - ETPRO TROJAN SSL/TLS Certificate Observed (Cobalt) (trojan.rules)
  2837172 - ETPRO CURRENT_EVENTS Successful HSBC FR Phish 2019-07-02 (current_events.rules)
  2837173 - ETPRO CURRENT_EVENTS Successful Ebay DE Phish 2019-07-02 (current_events.rules)
  2837174 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2019-07-02 (current_events.rules)
  2837175 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-07-02 (current_events.rules)
  2837176 - ETPRO CURRENT_EVENTS Successful Visa Phish 2019-07-02 (current_events.rules)
  2837177 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2019-07-02 (current_events.rules)
  2837178 - ETPRO CURRENT_EVENTS Successful Banco Original Phish 2019-07-02 (current_events.rules)
  2837179 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2019-07-02 (current_events.rules)
  2837180 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-07-02 (current_events.rules)
  2837181 - ETPRO CURRENT_EVENTS Successful Magalu Phish 2019-07-02 (current_events.rules)
  2837182 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-07-02 1) (trojan.rules)
  2837183 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-07-02 2) (trojan.rules)
  2837184 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-07-02 3) (trojan.rules)
  2837185 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-07-02 4) (trojan.rules)
  2837186 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-07-02 5) (trojan.rules)
  2837187 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-07-02 6) (trojan.rules)
  2837188 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-07-02 7) (trojan.rules)
  2837189 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-07-02 8) (trojan.rules)
  2837190 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-07-02 9) (trojan.rules)
  2837191 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-07-02 10) (trojan.rules)
  2837192 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-07-02 11) (trojan.rules)
  2837193 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-07-02 12) (trojan.rules)
  2837194 - ETPRO INFO Outbound HTTP Request to Web4Africa VPS (info.rules)
  2837195 - ETPRO TROJAN Observed Malicious SSL Cert (Variety Staging CnC) (trojan.rules)

[///]     Modified active rules:     [///]

  2836975 - ETPRO TROJAN AndroMut Checkin (trojan.rules)
  2837093 - ETPRO TROJAN Inbound DDE PowerShell String - Likely MalDoc Related (trojan.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team