[Emerging-updates] Daily Ruleset Update Summary 2020/04/06

Jason Williams jwilliams at emergingthreats.net
Mon Apr 6 14:17:30 HDT 2020


[***]            Summary:            [***]

  12 Open, 42 Pro (12 + 30). Sarwent, Parallax, Ave Maria, Nemty
Ransomware, Various Phish.

  Suricata 2/3 Support from Emerging Threats will become End-Of-Life on
April 15th, 2020.

  Tks: @James_inthe_box @sysopfb @VK_Intel @VirtualAlloc

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

 Open:

  2029813 - ET TROJAN Win32/MOOZ.THCCABO CoinMiner CnC Checkin
(trojan.rules)
  2029814 - ET TROJAN Parallax CnC Activity M8 (set) (trojan.rules)
  2029815 - ET TROJAN Parallax CnC Response Activity M8 (trojan.rules)
  2029816 - ET TROJAN Sarwent CnC Response (cmd_exec) (trojan.rules)
  2029817 - ET TROJAN Sarwent CnC Response (powershell_exec) (trojan.rules)
  2029818 - ET TROJAN Sarwent CnC Response (rdp_exec) (trojan.rules)
  2029819 - ET TROJAN Sarwent CnC Response (update_exec) (trojan.rules)
  2029820 - ET TROJAN Sarwent CnC Response (download_exec) (trojan.rules)
  2029821 - ET TROJAN Sarwent CnC Command (update) (trojan.rules)
  2029822 - ET TROJAN Sarwent CnC Command (download) (trojan.rules)
  2029823 - ET TROJAN Sarwent CnC Command (powershell) (trojan.rules)
  2029824 - ET TROJAN Sarwent CnC Command (rdp) (trojan.rules)

 Pro:

  2841878 - ETPRO TROJAN Observed Office Doc with Reversed Strings Inbound
(trojan.rules)
  2841879 - ETPRO TROJAN MalDoc Reporting Infection (trojan.rules)
  2841880 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-04 1) (trojan.rules)
  2841881 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-06 1) (trojan.rules)
  2841882 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-06 2) (trojan.rules)
  2841883 - ETPRO CURRENT_EVENTS Successful Telstra Phish 2020-04-06
(current_events.rules)
  2841884 - ETPRO CURRENT_EVENTS Successful Bank of Ireland Phish
2020-04-06 (current_events.rules)
  2841885 - ETPRO CURRENT_EVENTS Successful AOL Phish 2020-04-06
(current_events.rules)
  2841886 - ETPRO CURRENT_EVENTS Successful AOL Phish 2020-04-06
(current_events.rules)
  2841887 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-04-06 (current_events.rules)
  2841888 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-04-06 (current_events.rules)
  2841889 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-04-06 (current_events.rules)
  2841890 - ETPRO CURRENT_EVENTS Successful SF Express Phish 2020-04-06
(current_events.rules)
  2841891 - ETPRO CURRENT_EVENTS Successful Interbank Phish 2020-04-06
(current_events.rules)
  2841892 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-04-06 (current_events.rules)
  2841893 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-04-06
(current_events.rules)
  2841894 - ETPRO CURRENT_EVENTS GOV UK Possible COVID-19 Phish 2020-04-06
(current_events.rules)
  2841895 - ETPRO CURRENT_EVENTS GOV UK Possible COVID-19 Phish 2020-04-06
(current_events.rules)
  2841896 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish
2020-04-06 (current_events.rules)
  2841897 - ETPRO CURRENT_EVENTS Successful Swiss Bankers Prepaid Services
Phish 2020-04-06 (current_events.rules)
  2841898 - ETPRO CURRENT_EVENTS Successful Yahoo Small Business Phish
2020-04-06 (current_events.rules)
  2841899 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish
2020-04-06 (current_events.rules)
  2841900 - ETPRO CURRENT_EVENTS Successful Co-operative Bank Phish
2020-04-06 (current_events.rules)
  2841901 - ETPRO CURRENT_EVENTS Successful Comcast/Xfinity Phish
2020-04-06 (current_events.rules)
  2841902 - ETPRO CURRENT_EVENTS Successful Generic Bank Account
Information Phish 2020-04-06 (current_events.rules)
  2841903 - ETPRO TROJAN Ave Maria RAT Encrypted CnC Checkin (Inbound)
(trojan.rules)
  2841904 - ETPRO TROJAN Ransomware Checkin via IPLogger (trojan.rules)
  2841905 - ETPRO TROJAN Nemty Ransomware CnC Checkin (trojan.rules)
  2841906 - ETPRO TROJAN Win32/Remcos RAT Checkin 383 (trojan.rules)
  2841907 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)

 [///]     Modified active rules:     [///]

  2015483 - ET INFO Java .jar request to dotted-quad domain (info.rules)
  2018421 - ET TROJAN Zbot downloader Installing Zeus (trojan.rules)
  2808018 - ETPRO TROJAN Win32.LockScreen.BHI checkin (trojan.rules)
  2815364 - ETPRO TROJAN Win32/Qbot/Quakbot Checkin via HTTP GET
(trojan.rules)
  2815431 - ETPRO TROJAN Emissary CnC Beacon M1 (trojan.rules)
  2815434 - ETPRO TROJAN Emissary CnC Beacon Response (trojan.rules)
  2815474 - ETPRO TROJAN Worm.Linux.Mworm Checkin (trojan.rules)
  2815478 - ETPRO CURRENT_EVENTS Possible Nuclear EK Landing URI struct Dec
27 2015 M4 (current_events.rules)
  2815534 - ETPRO CURRENT_EVENTS Possible Nuclear EK Payload Dec 30 2015 M2
(fb set) (current_events.rules)
  2815548 - ETPRO CURRENT_EVENTS Possible CryptoWall JS Dropper GET Request
(current_events.rules)
  2815600 - ETPRO CURRENT_EVENTS DHL/Adobe/Excel Phishing Landing Jan 05
2016 (current_events.rules)
  2815818 - ETPRO CURRENT_EVENTS Possible Nuclear EK Flash URI Struct Jan
14 M2 (current_events.rules)
  2815926 - ETPRO CURRENT_EVENTS Successful IRS Phish Jan 22 2016
(current_events.rules)
  2816087 - ETPRO TROJAN Win32/Uloz Botnet Filename Generator (trojan.rules)
  2816110 - ETPRO TROJAN Sylavriu.A/TorCT RAT CnC Checkin (trojan.rules)
  2816144 - ETPRO TROJAN Win32/VertexNet CnC Checkin (trojan.rules)
  2816152 - ETPRO TROJAN Backdoor.Mizzmo CnC Beacon 2 (trojan.rules)
  2816180 - ETPRO TROJAN Backdoor.Mizzmo CnC Beacon 3 (trojan.rules)
  2816181 - ETPRO TROJAN Backdoor.Mizzmo Service-Proxied CnC Beacon
(trojan.rules)
  2816286 - ETPRO TROJAN Tendrit CnC Beacon 3 (trojan.rules)
  2816329 - ETPRO CURRENT_EVENTS Possible Magnitude EK Flash Exploit URI
Struct Feb 19 2016 (current_events.rules)
  2816433 - ETPRO MOBILE_MALWARE Trojan.Android.AndroRAT.D Checkin
(mobile_malware.rules)
  2816441 - ETPRO TROJAN MSIL/Datsup.A Activity (trojan.rules)
  2816506 - ETPRO TROJAN Possible Cerber Ransomware IP Check (trojan.rules)
  2820263 - ETPRO TROJAN Gozi ISFB CnC Checkin (trojan.rules)
  2820364 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish
2016-05-26 (current_events.rules)
  2820703 - ETPRO MOBILE_MALWARE Android Unknown Trojan Checkin
(mobile_malware.rules)
  2820705 - ETPRO TROJAN W32/Bayrob Attempted Checkin 3 (trojan.rules)
  2821424 - ETPRO TROJAN Win32/Daserf CnC Beacon 1 (trojan.rules)
  2822231 - ETPRO TROJAN ORK/ARIK Keylogger Download Request - Obsevered
Dropped from Macro (trojan.rules)
  2822387 - ETPRO CURRENT_EVENTS Possible Evil Redirector Leading to EK Oct
04 2016 (BossTDS) M3 (current_events.rules)
  2822393 - ETPRO TROJAN MSIL/Pony Stealer Variant CnC Checkin
(trojan.rules)
  2822394 - ETPRO TROJAN MSIL/UBN CP Downloader Requesting Payload
(trojan.rules)
  2822697 - ETPRO CURRENT_EVENTS MalDoc Downloader Retrieving Payload Oct
14 (current_events.rules)
  2831008 - ETPRO TROJAN Unix/VPNFilter HTTP Request Structure 1
(trojan.rules)
  2831009 - ETPRO TROJAN Unix/VPNFilter HTTP Request Structure 2
(trojan.rules)
  2831049 - ETPRO TROJAN PS/QuadAgent Communicating with CnC (trojan.rules)
  2832325 - ETPRO TROJAN NewcoreRAT HTTP CnC Pattern (trojan.rules)
  2833580 - ETPRO TROJAN ExtremeDownloader CnC Checkin (trojan.rules)
  2841814 - ETPRO TROJAN W32/TrojanDownloader.Agent.FBF Variant CnC Host
Checkin (trojan.rules)

 [---]  Disabled and modified rules:  [---]

  2815867 - ETPRO TROJAN MSIL/Gurim.A Downloader Request (trojan.rules)
  2816183 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.hf Checkin
(mobile_malware.rules)
  2816720 - ETPRO MOBILE_MALWARE Android/AdDisplay.Kuguo.V Checkin
(mobile_malware.rules)
  2816742 - ETPRO TROJAN Rexpot Receiving Payload M2 (trojan.rules)
  2820889 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Cloudatlas.a Checkin
(mobile_malware.rules)
  2822526 - ETPRO TROJAN Quant Loader Download Request 2 (trojan.rules)
  2822683 - ETPRO TROJAN MSIL/Exotic Ransomware Image Request (trojan.rules)
  2831322 - ETPRO TROJAN Observed Malicious SSL Certificate (IcedID)
(trojan.rules)

 [---]         Disabled rules:        [---]

  2815338 - ETPRO TROJAN Unknown CnC Checkin (trojan.rules)
  2815942 - ETPRO TROJAN W32/Nymaim Checkin 3 (trojan.rules)
  2816097 - ETPRO TROJAN Win32/Rogue Browser Extension Installer Checkin
(trojan.rules)
  2816440 - ETPRO TROJAN Unknown Bot CnC Checkin (trojan.rules)
  2820396 - ETPRO TROJAN Helminth Checkin (trojan.rules)
  2821156 - ETPRO CURRENT_EVENTS Likely Magnitude EK Flash Exploit Struct
Jul 13 2016 T1 (current_events.rules)
  2821903 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.kz CnC Beacon
(mobile_malware.rules)
  2822695 - ETPRO TROJAN MSIL/ApolloHTTP Bot CnC Checkin (trojan.rules)
  2822696 - ETPRO TROJAN MSIL/ApolloHTTP Bot CnC Keep-Alive (trojan.rules)
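A practitioner reading these summaries usually wants two things from them: the added SIDs per feed (the header's "12 Open, 42 Pro (12 + 30)" means the Pro feed carries the 12 Open rules plus 30 Pro-only rules) and the list of SIDs ET disabled, so that any copy still pinned active in a local deployment can be reviewed before the next reload. The parser below is an added example, not code from the Emerging Threats mailing list or from ET's own tooling; its SAMPLE is a constructed excerpt in the same layout as the post above, and its LOCAL_RULES lines are constructed placeholders (msg/sid/rev only, invented rev numbers), not the real ET rule bodies.

```python
"""Parse an Emerging Threats daily update summary and check it against a local
rules file.  Added example; SAMPLE and LOCAL_RULES are constructed texts."""
import re

# Constructed excerpt in the summary post's layout: two-space indented
# "SID - msg (file.rules)" entries, with mail-wrapped continuation lines.
SAMPLE = """\
[+++]          Added rules:          [+++]

 Open:

  2029816 - ET TROJAN Sarwent CnC Response (cmd_exec) (trojan.rules)
  2029817 - ET TROJAN Sarwent CnC Response (powershell_exec) (trojan.rules)

 Pro:

  2841905 - ETPRO TROJAN Nemty Ransomware CnC Checkin (trojan.rules)
  2841903 - ETPRO TROJAN Ave Maria RAT Encrypted CnC Checkin (Inbound)
(trojan.rules)

 [///]     Modified active rules:     [///]

  2015483 - ET INFO Java .jar request to dotted-quad domain (info.rules)

 [---]         Disabled rules:        [---]

  2815338 - ETPRO TROJAN Unknown CnC Checkin (trojan.rules)
  2822696 - ETPRO TROJAN MSIL/ApolloHTTP Bot CnC Keep-Alive (trojan.rules)
"""

# Constructed stand-in for a deployed rules file (msg/sid/rev only; the real
# ET rule bodies are not reproduced here).
LOCAL_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Unknown CnC Checkin"; sid:2815338; rev:4;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN MSIL/ApolloHTTP Bot CnC Keep-Alive"; sid:2822696; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Java .jar request to dotted-quad domain"; sid:2015483; rev:9;)
"""

SECTION_RE = re.compile(r"^\s*\[[+/\-]{3}\]\s+(.+?):\s+\[[+/\-]{3}\]\s*$")
SUBSECTION_RE = re.compile(r"^\s*(Open|Pro):\s*$")
RULE_RE = re.compile(r"^\s+(\d+) - (.+)$")
FILE_RE = re.compile(r"\(([\w.-]+\.rules)\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_summary(text):
    """Return {section: [(sid, msg, rules_file), ...]}; the Added section is
    split into "Added rules/Open" and "Added rules/Pro".  A non-blank line
    without a SID prefix is a mail-wrapped tail of the previous entry, glued
    on only while that entry still lacks its "(x.rules)" suffix, so
    list-server footers after the last entry are ignored."""
    raw, entries, current = {}, None, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = m.group(1)
            entries = raw.setdefault(current, [])
        elif (m := SUBSECTION_RE.match(line)) and current:
            entries = raw.setdefault(f"{current}/{m.group(1)}", [])
        elif (m := RULE_RE.match(line)) and entries is not None:
            entries.append([int(m.group(1)), m.group(2).strip()])
        elif line.strip() and entries and not FILE_RE.search(entries[-1][1]):
            entries[-1][1] += " " + line.strip()
    out = {}
    for name, items in raw.items():
        for sid, msg in items:
            fm = FILE_RE.search(msg)
            if fm:
                msg = msg[:fm.start()].rstrip()
            out.setdefault(name, []).append((sid, msg, fm.group(1) if fm else None))
    return out


def added_counts(sections):
    """(open, pro) in the header's "N Open, M Pro (N + K)" convention: the Pro
    feed carries the Open rules as well, so its total is open + pro-only."""
    open_n = len(sections.get("Added rules/Open", []))
    return open_n, open_n + len(sections.get("Added rules/Pro", []))


def still_enabled_locally(sections, local_rules_text):
    """SIDs that ET disabled in this update but that are still uncommented in
    a local rules file (e.g. pinned via an enable list); review before reload."""
    disabled = {sid for name, items in sections.items()
                if name.startswith("Disabled") for sid, _, _ in items}
    active = set()
    for line in local_rules_text.splitlines():
        s = line.lstrip()
        if s and not s.startswith("#") and (m := SID_RE.search(s)):
            active.add(int(m.group(1)))
    return sorted(disabled & active)


if __name__ == "__main__":
    secs = parse_summary(SAMPLE)
    print("added (open, pro):", added_counts(secs))
    print("disabled upstream, still active locally:",
          still_enabled_locally(secs, LOCAL_RULES))
```

Feed the whole mail body instead of SAMPLE and the same functions work on the real post: the "Disabled and modified rules" section is picked up by the same "Disabled" prefix, and the 12 + 30 entries under Added rules reproduce the header's (12, 42). The glue rule for wrapped lines relies on every entry ending in "(file.rules)", which is the convention the summaries follow.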