[Emerging-updates] Daily Ruleset Update Summary 2019/07/04

James Emery-Callcott jcallcott at emergingthreats.net
Thu Jul 4 10:32:16 HDT 2019


[***]            Summary:            [***]

  11 new Open, 52 new Pro (11 + 41).  MuddyWater, Ursnif, TRIPLESHOT,
Win32/Hirina, Various DNS.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2027678 - ET TROJAN Known Malicious Server in DNS Lookup (updatecache .com) (trojan.rules)
  2027679 - ET CURRENT_EVENTS Successful France Ministry of Action and Public Accounts Phish 2019-07-04 (current_events.rules)
  2027680 - ET CURRENT_EVENTS France Ministry of Action and Public Accounts Phish Landing (current_events.rules)
  2027681 - ET TROJAN MuddyWater Payload Sending Screenshot to CnC (trojan.rules)
  2027682 - ET TROJAN MuddyWater Payload Sending Command Output to CnC (trojan.rules)
  2027683 - ET TROJAN MuddyWater Payload Registering with CnC (trojan.rules)
  2027684 - ET TROJAN MuddyWater Payload Requesting Command from CnC (trojan.rules)
  2027685 - ET TROJAN MuddyWater Payload CnC Checkin (trojan.rules)
  2027686 - ET USER_AGENTS Suspicious Custom Firefox UA Observed (Firefox...) (user_agents.rules)
  2027687 - ET TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
  2027688 - ET TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)

Pro:

  2837235 - ETPRO CURRENT_EVENTS Suspicious Base64 Encoded ZIP Concat Technique in Batch Inbound (current_events.rules)
  2837236 - ETPRO CURRENT_EVENTS Suspicious Base64 Encoded EXE Concat Technique in Batch Inbound (current_events.rules)
  2837237 - ETPRO MOBILE_MALWARE Android/SmsReg.ZI CnC Response (mobile_malware.rules)
  2837238 - ETPRO MALWARE Win32/DownloadAssistant.G Variant Checkin (malware.rules)
  2837239 - ETPRO MALWARE Win32/OxyPumper Adware CnC Checkin (malware.rules)
  2837240 - ETPRO INFO Suspicious HTTP 448 Response (info.rules)
  2837241 - ETPRO MALWARE Win32/OxyPumper Adware Related Header Observed (malware.rules)
  2837242 - ETPRO MALWARE Win32/OxyPumper Adware Related Header Observed (malware.rules)
  2837243 - ETPRO USER_AGENTS Win32/OxyPumper Adware Related User-Agent Observed (user_agents.rules)
  2837244 - ETPRO TROJAN Observed Malicious SSL Cert (Coinminer JS Host) (trojan.rules)
  2837245 - ETPRO MALWARE Win32/Vopak Adware CnC Checkin (malware.rules)
  2837246 - ETPRO POLICY Observed SSL Cert (Torrent Tracker) (policy.rules)
  2837247 - ETPRO POLICY Observed SSL Cert (Torrent Tracker) (policy.rules)
  2837248 - ETPRO TROJAN Win32/Hirina Loader CnC Checkin (trojan.rules)
  2837249 - ETPRO TROJAN Win32/Remcos RAT Checkin 110 (trojan.rules)
  2837250 - ETPRO MALWARE Win32/InstallCore.Gen.A Requesting Install Files (FlvPlayerSilent) (malware.rules)
  2837251 - ETPRO MALWARE Win32 SoftwareBundler Reporting to CnC (malware.rules)
  2837253 - ETPRO TROJAN PS/AveCaesar Stealer CnC in DNS Lookup (trojan.rules)
  2837252 - ETPRO MALWARE Observed SSL Cert (Chistilka PUA) (malware.rules)
  2837254 - ETPRO TROJAN Possible PS/AveCaesar Stage 2 Stealer Inbound (trojan.rules)
  2837255 - ETPRO TROJAN PS/AveCaesar CnC Checkin (trojan.rules)
  2837256 - ETPRO TROJAN PowerShell Coinminer Downloader Inbound (trojan.rules)
  2837257 - ETPRO TROJAN Win32/Inno5Head CnC Checkin (trojan.rules)
  2837258 - ETPRO TROJAN Win32/Inno5Head Dead CnC Response (trojan.rules)
  2837259 - ETPRO TROJAN SILENTTRINITY PowerShell Stage 1 Reflective Loader Inbound M1 (trojan.rules)
  2837260 - ETPRO TROJAN SILENTTRINITY PowerShell Stage 1 Reflective Loader Inbound M2 (trojan.rules)
  2837261 - ETPRO TROJAN Win32/PsDownload.DFY CnC Checkin (trojan.rules)
  2837262 - ETPRO TROJAN Win32/PsDownload.DFY Requesting Stage 2 Payload (trojan.rules)
  2837263 - ETPRO CURRENT_EVENTS PowerShell Registry Reflective Loader Inbound (current_events.rules)
  2837264 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
  2837265 - ETPRO TROJAN Possible TRIPLESHOT CnC in DNS Query (trojan.rules)
  2837266 - ETPRO TROJAN Possible TRIPLESHOT CnC in DNS Query (trojan.rules)
  2837267 - ETPRO TROJAN Possible TRIPLESHOT CnC in DNS Query (trojan.rules)
  2837268 - ETPRO TROJAN Possible TRIPLESHOT CnC in DNS Query (trojan.rules)
  2837269 - ETPRO TROJAN TRIPLESHOT CnC in DNS Query (trojan.rules)
  2837270 - ETPRO TROJAN TRIPLESHOT CnC in DNS Query (trojan.rules)
  2837271 - ETPRO TROJAN TRIPLESHOT CnC in DNS Query (trojan.rules)
  2837272 - ETPRO TROJAN TRIPLESHOT CnC in DNS Query (trojan.rules)
  2837273 - ETPRO TROJAN TRIPLESHOT CnC in DNS Query (trojan.rules)
  2837274 - ETPRO TROJAN TRIPLESHOT CnC in DNS Query (trojan.rules)
  2837275 - ETPRO TROJAN TRIPLESHOT CnC in DNS Query (trojan.rules)

[///]     Modified active rules:     [///]

  2836402 - ETPRO MALWARE ElementsBrowser PUA Checkin (malware.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team