[Emerging-updates] Daily Ruleset Update Summary 2020/04/02

Jack Mott jmott at emergingthreats.net
Thu Apr 2 13:49:54 HDT 2020


[***]            Summary:            [***]

14 new Open, 40 new Pro (14 + 26). Various ELF/Mirai Variant User-Agents,
CHAOS CnC Commands, Win32/Remcos, Various SSL, Various Phishing.

Suricata 2/3 Support from Emerging Threats will become End-Of-Life on April
15th, 2020.

Suricata 2/3 EOL information:
https://lists.emergingthreats.net/pipermail/emerging-updates/2019-October/004655.html


[+++]          Added rules:          [+++]

Open:

  2029788 - ET CURRENT_EVENTS Canada Revenue Agency COVID-19 Assistance Eligibility Phishing Landing 2020-04-01 (current_events.rules)
  2029789 - ET CURRENT_EVENTS Canada Revenue Agency COVID-19 Assistance Eligibility Phishing Landing 2020-04-01 (current_events.rules)
  2029790 - ET SCAN ELF/Mirai Variant User-Agent (Inbound) (scan.rules)
  2029791 - ET TROJAN ELF/Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029792 - ET SCAN ELF/Mirai Variant User-Agent (Inbound) (scan.rules)
  2029793 - ET TROJAN ELF/Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029794 - ET TROJAN Suspected Stitch Variant Backdoor CnC (trojan.rules)
  2029795 - ET TROJAN Suspected CHAOS CnC Inbound (download command) (trojan.rules)
  2029796 - ET TROJAN Suspected CHAOS CnC Inbound (upload command) (trojan.rules)
  2029797 - ET TROJAN Suspected CHAOS CnC Inbound (screenshot command) (trojan.rules)
  2029798 - ET TROJAN Suspected CHAOS CnC Inbound (keylogger start) (trojan.rules)
  2029799 - ET TROJAN Suspected CHAOS CnC Inbound (persistence enable) (trojan.rules)
  2029800 - ET TROJAN Suspected CHAOS CnC Inbound (getos) (trojan.rules)
  2029801 - ET TROJAN Suspected CHAOS CnC Inbound (openurl) (trojan.rules)

Pro:

  2841827 - ETPRO TROJAN Observed Malicious SSL Cert (StrongPity CnC) (trojan.rules)
  2841828 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
  2841829 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL 2020-04-02) (trojan.rules)
  2841830 - ETPRO CURRENT_EVENTS Successful Apple Phish 2020-04-01 (current_events.rules)
  2841831 - ETPRO CURRENT_EVENTS Successful Apple Phish 2020-04-01 (current_events.rules)
  2841832 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-04-01 (current_events.rules)
  2841833 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-04-01 (current_events.rules)
  2841834 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-04-01 (current_events.rules)
  2841835 - ETPRO CURRENT_EVENTS Likely Successful Facebook Phish on 000webhostapp.com 2020-04-01 (current_events.rules)
  2841836 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-02 1) (trojan.rules)
  2841837 - ETPRO TROJAN W32/Unknown Possible BR Downloader (trojan.rules)
  2841838 - ETPRO CURRENT_EVENTS Successful Gov UK Tax Refund Phish 2020-04-02 (current_events.rules)
  2841839 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-04-02 (current_events.rules)
  2841840 - ETPRO CURRENT_EVENTS Successful Scotiabank Phish 2020-04-02 (current_events.rules)
  2841841 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-04-02 (current_events.rules)
  2841842 - ETPRO CURRENT_EVENTS Successful Verizon Phish 2020-04-02 (current_events.rules)
  2841843 - ETPRO CURRENT_EVENTS Successful Genric Credit Card Information Phish 2020-04-02 (current_events.rules)
  2841844 - ETPRO CURRENT_EVENTS Successful BBVA Phish 2020-04-02 (current_events.rules)
  2841845 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-04-02 (current_events.rules)
  2841846 - ETPRO CURRENT_EVENTS Successful TikTok Phish 2020-04-02 (current_events.rules)
  2841847 - ETPRO CURRENT_EVENTS Successful Blizzard Phish 2020-04-02 (current_events.rules)
  2841848 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-04-02 (current_events.rules)
  2841849 - ETPRO CURRENT_EVENTS Successful Scotiabank Phish 2020-04-02 (current_events.rules)
  2841850 - ETPRO TROJAN Win32/Packed.FlyStudio.AA CnC Checkin M3 (trojan.rules)
  2841851 - ETPRO TROJAN Win32/Remcos RAT Checkin 382 (trojan.rules)
  2841852 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)

[///]     Modified active rules:     [///]

  2029705 - ET INFO Possible COVID-19 Domain in SSL Certificate M1 (info.rules)
  2029706 - ET INFO Possible COVID-19 Domain in SSL Certificate M2 (info.rules)
  2029707 - ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain M1 (info.rules)
  2029708 - ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain M2 (info.rules)
  2029711 - ET INFO Suspicious GET Request with Possible COVID-19 Domain M1 (info.rules)
  2029712 - ET INFO Suspicious GET Request with Possible COVID-19 Domain M2 (info.rules)
  2029713 - ET INFO Suspicious POST Request with Possible COVID-19 Domain M1 (info.rules)
  2029714 - ET INFO Suspicious POST Request with Possible COVID-19 Domain M2 (info.rules)
  2029753 - ET INFO Suspicious GET Request with Possible COVID-19 URI M1 (info.rules)
  2029754 - ET INFO Suspicious GET Request with Possible COVID-19 URI M2 (info.rules)
  2029755 - ET INFO Suspicious POST Request with Possible COVID-19 URI M1 (info.rules)
  2029756 - ET INFO Suspicious POST Request with Possible COVID-19 URI M2 (info.rules)
  2822801 - ETPRO TROJAN DiamondFox HTTP POST CnC Checkin M1 (trojan.rules)
  2822967 - ETPRO TROJAN PlugX Variant CnC Beacon (trojan.rules)
  2823169 - ETPRO TROJAN Mocker Retrieving Payload (trojan.rules)
  2823365 - ETPRO TROJAN Godzilla Loader Retrieving Payload (trojan.rules)
  2823420 - ETPRO POLICY External IP Address Lookup - myip.ch (policy.rules)
  2823534 - ETPRO CURRENT_EVENTS Likely Magnitude EK Flash Exploit Struct Nov 30 2016 (current_events.rules)
  2823676 - ETPRO TROJAN W32/Quasar 1.3 RAT Connectivity Check (trojan.rules)
  2826697 - ETPRO TROJAN Possible Win32/Jeefo.B Config DL (trojan.rules)
  2841290 - ETPRO TROJAN XAE Rat CnC Requesting Command (trojan.rules)

[---]         Disabled rules:        [---]

  2019235 - ET TROJAN Pushdo v3 Checkin (trojan.rules)