[Emerging-updates] Daily Ruleset Update Summary 2019/03/05
Jack Mott
jmott at emergingthreats.net
Tue Mar 5 14:48:20 HST 2019
[***] Summary: [***]
45 new Open, 63 new Pro (45 + 18). Various PowerShell Execution String
Base64 Encoded, FinderBot, Cayosin Botnet, Remcos RAT, Various Phishing.
Thanks: Nathan Fowler
[+++] Added rules: [+++]
Open:
2026876 - ET TROJAN Cayosin Botnet User-Agent Observed M1 (trojan.rules)
2026877 - ET TROJAN Cayosin Botnet User-Agent Observed M2 (trojan.rules)
2026920 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
New-Object (V3LU9) in DNS TXT Reponse (attack_response.rules)
2026921 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
New-Object (ctT2J) in DNS TXT Reponse (attack_response.rules)
2026922 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
New-Object (dy1PYmp) in DNS TXT Reponse (attack_response.rules)
2026923 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
New-Object (V3LU9iam) in DNS TXT Reponse (attack_response.rules)
2026924 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
New-Object (XctT2JqZW) in DNS TXT Reponse (attack_response.rules)
2026925 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
New-Object (dy1PYmplY3) in DNS TXT Reponse (attack_response.rules)
2026926 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Start-Process (FydC1Qcm9) in DNS TXT Reponse (attack_response.rules)
2026927 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Start-Process (RhcnQtUHJ) in DNS TXT Reponse (attack_response.rules)
2026928 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Start-Process (YXJ0LVByb2N) in DNS TXT Reponse (attack_response.rules)
2026929 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Start-Process (RhcnQtUHJvY2) in DNS TXT Reponse (attack_response.rules)
2026930 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Start-Process (GFydC1Qcm9jZX) in DNS TXT Reponse (attack_response.rules)
2026931 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Start-Process (YXJ0LVByb2Nlc3) in DNS TXT Reponse (attack_response.rules)
2026932 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Invoke-WmiMethod (Zva2UtV21pTWV) in DNS TXT Reponse (attack_response.rules)
2026933 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Invoke-WmiMethod (52b2tlLVdtaU1) in DNS TXT Reponse (attack_response.rules)
2026934 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Invoke-WmiMethod (dm9rZS1XbWlNZXR) in DNS TXT Reponse
(attack_response.rules)
2026935 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Invoke-WmiMethod (52b2tlLVdtaU1ldG) in DNS TXT Reponse
(attack_response.rules)
2026936 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Invoke-WmiMethod (nZva2UtV21pTWV0aG) in DNS TXT Reponse
(attack_response.rules)
2026937 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Invoke-WmiMethod (dm9rZS1XbWlNZXRob2) in DNS TXT Reponse
(attack_response.rules)
2026938 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Invoke-Command (Zva2UtQ29) in DNS TXT Reponse (attack_response.rules)
2026939 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Invoke-Command (dm9rZS1Db21) in DNS TXT Reponse (attack_response.rules)
2026940 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Invoke-Command (nZva2UtQ29tbW) in DNS TXT Reponse (attack_response.rules)
2026941 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Invoke-Command (52b2tlLUNvbW1) in DNS TXT Reponse (attack_response.rules)
2026942 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Invoke-Command (dm9rZS1Db21tYW) in DNS TXT Reponse (attack_response.rules)
2026943 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
Invoke-Command (52b2tlLUNvbW1hbm) in DNS TXT Reponse (attack_response.rules)
2027027 - ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT
Reponse (attack_response.rules)
2027028 - ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT
Reponse (attack_response.rules)
2027029 - ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT
Reponse (attack_response.rules)
2027030 - ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS
TXT Reponse (attack_response.rules)
2027031 - ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS
TXT Reponse (attack_response.rules)
2027032 - ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS
TXT Reponse (attack_response.rules)
2027033 - ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in
DNS TXT Reponse (attack_response.rules)
2027034 - ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in
DNS TXT Reponse (attack_response.rules)
2027035 - ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in
DNS TXT Reponse (attack_response.rules)
2027036 - ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/
in DNS TXT Reponse (attack_response.rules)
2027037 - ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/
in DNS TXT Reponse (attack_response.rules)
2027038 - ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/
in DNS TXT Reponse (attack_response.rules)
2027039 - ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/
in DNS TXT Reponse (attack_response.rules)
2027040 - ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/
in DNS TXT Reponse (attack_response.rules)
2027041 - ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/
in DNS TXT Reponse (attack_response.rules)
2027042 - ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/
in DNS TXT Reponse (attack_response.rules)
2027043 - ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/
in DNS TXT Reponse (attack_response.rules)
2027044 - ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/
in DNS TXT Reponse (attack_response.rules)
2027045 - ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
(user_agents.rules)
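Why each keyword above gets three base64 fragments (for New-Object: V3LU9/V3LU9iam, ctT2J/XctT2JqZW, dy1PYmp/dy1PYmplY3): a string inside a base64 blob encodes to different characters depending on its byte offset modulo 3, so a content match needs one fragment per alignment, and only the characters that depend purely on the keyword's own bytes are safe to match. The following is an added example (not Emerging Threats code or tooling) that derives those alignment-invariant fragments, expands them into the UTF-8 / UTF-16LE input and plain / wide / reversed output variants named in the "This Program" rules, and scans reassembled DNS TXT RDATA for them. Assumptions, not taken from the page: "wide" is read as the base64 text itself appearing as UTF-16 (a NUL after every character), "reversed" as the base64 text written backwards, and the sample PowerShell snippet and TXT record are constructed for the demo.

```python
"""Base64 alignment signatures for keywords in DNS TXT answers (added example)."""
from __future__ import annotations

import base64
from dataclasses import dataclass


def base64_alignments(data: bytes) -> list[str]:
    """For byte offsets 0, 1 and 2, return the base64 characters that depend
    only on `data`, whatever bytes precede or follow it in the encoded blob.

    Method: encode data behind an all-zero and an all-ones prefix of k bytes
    (plus a 2-byte suffix so the final group is always completed) and keep the
    characters that are identical in both encodings; any character that mixes
    in a prefix or suffix bit differs between the two.
    """
    if len(data) < 2:
        raise ValueError("need at least 2 bytes to have an invariant character at every offset")
    out = []
    for k in range(3):
        lo = base64.b64encode(b"\x00" * k + data + b"\x00" * 2).decode().rstrip("=")
        hi = base64.b64encode(b"\xff" * k + data + b"\xff" * 2).decode().rstrip("=")
        same = [a == b for a, b in zip(lo, hi)]
        start = same.index(True)
        end = len(same) - same[::-1].index(True)
        out.append(lo[start:end])
    return out


@dataclass(frozen=True)
class Signature:
    keyword: str
    variant: str  # e.g. "utf8/offset1" or "utf16le-wide/offset0"
    pattern: bytes


def build_signatures(keyword: str) -> list[Signature]:
    """Expand one keyword into 18 patterns: {UTF-8, UTF-16LE} input x
    {plain, wide, reversed} base64 text x 3 alignments.
    'wide' and 'reversed' are this example's reading of the rule titles."""
    sigs = []
    for enc_name, raw in (("utf8", keyword.encode("utf-8")),
                          ("utf16le", keyword.encode("utf-16-le"))):
        for offset, frag in enumerate(base64_alignments(raw)):
            plain = frag.encode("ascii")
            wide = b"".join(bytes([c, 0]) for c in plain)  # 'V\x003\x00L\x00...'
            rev = plain[::-1]
            for var, pat in (("", plain), ("-wide", wide), ("-reversed", rev)):
                sigs.append(Signature(keyword, f"{enc_name}{var}/offset{offset}", pat))
    return sigs


def txt_rdata_to_bytes(rdata: bytes) -> bytes:
    """Join the length-prefixed <character-string>s of a TXT RDATA (RFC 1035
    3.3.14). Payloads longer than 255 bytes are split into chunks and a
    fragment can straddle a chunk boundary, so match on the joined bytes."""
    out, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        out.append(rdata[i + 1:i + 1 + n])
        i += 1 + n
    return b"".join(out)


def scan_txt_records(records: list[bytes], signatures: list[Signature]) -> list[tuple[str, str]]:
    """Return sorted (keyword, variant) pairs for every signature found."""
    hits = {(s.keyword, s.variant) for rec in records for s in signatures if s.pattern in rec}
    return sorted(hits)


def demo() -> dict[str, list[tuple[str, str]]]:
    # Constructed sample: a PowerShell snippet served over DNS TXT. "$client = "
    # is 10 bytes, so New-Object sits at offset 1 and Start-Process at offset 0.
    script = b"$client = New-Object Net.WebClient; Start-Process notepad"
    blob = base64.b64encode(script)
    chunks = [blob[:20], blob[20:]]  # split so New-Object's fragment straddles the boundary
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    sigs = build_signatures("New-Object") + build_signatures("Start-Process")
    return {
        "per_chunk": scan_txt_records(chunks, sigs),                  # misses New-Object
        "joined": scan_txt_records([txt_rdata_to_bytes(rdata)], sigs),  # finds both
    }


if __name__ == "__main__":
    for k, frag in enumerate(base64_alignments(b"New-Object")):
        print(f"New-Object offset {k}: {frag}")
    print(demo())
```

The offset-0 fragment contains V3LU9 and V3LU9iam, the offset-1 fragment dy1PYmp and dy1PYmplY3, and the offset-2 fragment ctT2J and XctT2JqZW, which is how the short and long rule pairs above line up. Base64 is case sensitive, so a keyword such as "This Program" must be generated in exactly the casing the target text uses. The per-chunk versus joined result in demo() is the practical caveat: an IDS that inspects each TXT <character-string> separately can miss a fragment that crosses a chunk boundary.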
Pro:
2835157 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2019-03-05 1) (trojan.rules)
2835158 - ETPRO TROJAN FinderBot User-Agent (iii/) (trojan.rules)
2835159 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)
2835160 - ETPRO TROJAN Observed Malicious SSL Cert (FinderBot DL)
(trojan.rules)
2835161 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL
2019-03-05) (current_events.rules)
2835162 - ETPRO CURRENT_EVENTS Successful Booking.com Phish 2019-03-05
(current_events.rules)
2835163 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2019-03-05 (current_events.rules)
2835164 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2019-03-05 (current_events.rules)
2835165 - ETPRO CURRENT_EVENTS Successful Paypal Bank Phish 2019-03-05
(current_events.rules)
2835166 - ETPRO CURRENT_EVENTS Successful Paypal VBV Phish 2019-03-05
(current_events.rules)
2835167 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2019-03-05 (current_events.rules)
2835168 - ETPRO CURRENT_EVENTS Successful Ameli FR Phish 2019-03-05
(current_events.rules)
2835169 - ETPRO CURRENT_EVENTS Successful Apple Phish 2019-03-05
(current_events.rules)
2835170 - ETPRO CURRENT_EVENTS Successful CapitalOne Phish 2019-03-05
(current_events.rules)
2835171 - ETPRO TROJAN Suspicious Inbound Wide String XML with RAT-like
Elements (trojan.rules)
2835172 - ETPRO TROJAN Win32/Gupsip Variant CnC Checkin (trojan.rules)
2835173 - ETPRO TROJAN Win32/Remcos RAT Checkin 95 (trojan.rules)
2835174 - ETPRO TROJAN Win32/Remcos RAT Checkin 96 (trojan.rules)
[///] Modified active rules: [///]
2026827 - ET TROJAN Observed Malicious SSL Cert (DonotGroup/Patchwork
CnC) (trojan.rules)
2026992 - ET INFO PowerShell Base64 Encoded Content Command Common In
Powershell Stagers M1 (info.rules)
2835090 - ETPRO TROJAN Observed Malicious SSL Cert (DonotGroup/Patchwork
CnC) (trojan.rules)
2835140 - ETPRO TROJAN FinderBot Cookie Exfil (trojan.rules)
2835141 - ETPRO TROJAN FinderBot Login Exfil (trojan.rules)
2835142 - ETPRO TROJAN FinderBot CnC Checkin (trojan.rules)
[---] Disabled and modified rules: [---]
2021607 - ET CURRENT_EVENTS Potential W32/Dridex Alphanumeric Download
Pattern (current_events.rules)