[Emerging-updates] Daily Ruleset Update Summary 2020/04/08

Jason Williams jwilliams at emergingthreats.net
Wed Apr 8 13:36:32 HDT 2020


[***]            Summary:            [***]

  11 Open, 32 Pro (11 + 21). KPOT, Sorano Stealer, SmsThief, Flowbit
Cleanup/Optimization, Various Phish.

  Suricata 2/3 Support from Emerging Threats will become End-Of-Life on
April 15th, 2020.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

 [+++]          Added rules:          [+++]

 Open:

  2029829 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish
Domain (current_events.rules)
  2029830 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish
Domain (current_events.rules)
  2029831 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish
Domain (current_events.rules)
  2029832 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish
Domain (current_events.rules)
  2029833 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish
Domain (current_events.rules)
  2029834 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish
Domain (current_events.rules)
  2029835 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish
Domain (current_events.rules)
  2029836 - ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish
Domain (current_events.rules)
  2029837 - ET TROJAN KPOT Stealer Initial CnC Activity M4 (trojan.rules)
  2029838 - ET TROJAN Sorano Stealer CnC Checkin (trojan.rules)
  2029839 - ET TROJAN ELF Linux/Dnsamp.AB Variant CnC (trojan.rules)

 Pro:

  2841916 - ETPRO TROJAN Burp Collector Reporting Group Information
(trojan.rules)
  2841934 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.oi TLS SNI
(mobile_malware.rules)
  2841935 - ETPRO TROJAN Unk.MalDoc Reporting System Information
(trojan.rules)
  2841936 - ETPRO USER_AGENTS Observed Suspicious UA (Microsoft Windows
Network Diagnostics) (user_agents.rules)
  2841937 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-08 1) (trojan.rules)
  2841938 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-08 2) (trojan.rules)
  2841939 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-04-08
(current_events.rules)
  2841940 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-04-08 (current_events.rules)
  2841941 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish
2020-04-08 (current_events.rules)
  2841942 - ETPRO CURRENT_EVENTS Successful Galicia Bank Phish 2020-04-08
(current_events.rules)
  2841943 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish
2020-04-08 (current_events.rules)
  2841944 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-04-08
(current_events.rules)
  2841945 - ETPRO CURRENT_EVENTS Successful Alibaba Phish 2020-04-08
(current_events.rules)
  2841946 - ETPRO CURRENT_EVENTS Successful Generic Personalized Phish
2020-04-08 (current_events.rules)
  2841947 - ETPRO TROJAN MSIL/Spy.Agent.BXY Variant CnC Checkin
 (trojan.rules)
  2841948 - ETPRO TROJAN TrojanDropper.Binder.FR CnC Activity M1
(trojan.rules)
  2841949 - ETPRO TROJAN TrojanDropper.Binder.FR CnC Activity M2
(trojan.rules)
  2841950 - ETPRO TROJAN TrojanDropper.Binder.FR CnC Activity M3
(trojan.rules)
  2841951 - ETPRO TROJAN TrojanDropper.Binder.FR CnC Activity M4
(trojan.rules)
  2841952 - ETPRO TROJAN TrojanDropper.Binder.FR CnC Activity M5
(trojan.rules)
  2841953 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)

 [///]     Modified active rules:     [///]

  2024513 - ET TROJAN [PTsecurity] Win32/TinyNuke Payload ACF40 Inbound
(trojan.rules)
  2024991 - ET TROJAN Win32/TinyNuke CnC Checkin (trojan.rules)
  2027250 - ET INFO Dotted Quad Host DLL Request (info.rules)
  2027251 - ET INFO Dotted Quad Host DOC Request (info.rules)
  2027252 - ET INFO Dotted Quad Host DOCX Request (info.rules)
  2027253 - ET INFO Dotted Quad Host XLS Request (info.rules)
  2027254 - ET INFO Dotted Quad Host XLSX Request (info.rules)
  2027255 - ET INFO Dotted Quad Host PPT Request (info.rules)
  2027256 - ET INFO Dotted Quad Host PPTX Request (info.rules)
  2027257 - ET INFO Dotted Quad Host RTF Request (info.rules)
  2027258 - ET INFO Dotted Quad Host PS Request (info.rules)
  2027259 - ET INFO Dotted Quad Host PS1 Request (info.rules)
  2027260 - ET INFO Dotted Quad Host VBS Request (info.rules)
  2027261 - ET INFO Dotted Quad Host HTA Request (info.rules)
  2027262 - ET INFO Dotted Quad Host ZIP Request (info.rules)
  2027263 - ET INFO Dotted Quad Host GZ Request (info.rules)
  2027264 - ET INFO Dotted Quad Host TGZ Request (info.rules)
  2027265 - ET INFO Dotted Quad Host PDF Request (info.rules)
  2027266 - ET INFO Dotted Quad Host RAR Request (info.rules)
  2800869 - ETPRO EXPLOIT Microsoft Office PowerPoint Download Verification
(exploit.rules)
  2802013 - ETPRO TROJAN Trojan.Win32.Banker.qmd Activity - SET
(trojan.rules)
  2832577 - ETPRO TROJAN Win32/TinyNuke CnC Checkin (trojan.rules)
  2833514 - ETPRO TROJAN Win32/TinyNuke CnC Checkin M2 (trojan.rules)

 [///]    Modified inactive rules:    [///]

  2805142 - ETPRO CURRENT_EVENTS Possible WORM W32.Printlove spreading via
cve 2010-2729 (SPOOLSS StartDocPrinter request SET) (current_events.rules)

 [---]  Disabled and modified rules:  [---]

  2009128 - ET TROJAN Bifrose Connect to Controller (PING PONG)
(trojan.rules)
  2011502 - ET EXPLOIT Possible Etrust Secure Transaction Platform
Identification and Entitlements Server File Disclosure Attempt
(exploit.rules)
  2014264 - ET POLICY IP Geo Location Request (policy.rules)
  2014645 - ET INFO RuggedCom Banner with MAC (info.rules)
  2014758 - ET TROJAN Trojan.BAT.Qhost - SET (trojan.rules)
  2014922 - ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Requested
.php?showtopic=6digit (current_events.rules)
  2018360 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF Struct
(current_events.rules)
  2018361 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF Struct
(current_events.rules)
  2019209 - ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF Struct (no alert)
(current_events.rules)
  2019358 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Oct 5 2014 (no
alert) (current_events.rules)
  2019844 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Exploit Struct
(current_events.rules)
  2019872 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Payload (flowbits set)
(current_events.rules)
  2020837 - ET CURRENT_EVENTS Malicious Doc Download EXE Primer (flowbits
set) (current_events.rules)
  2020993 - ET CURRENT_EVENTS IonCube Encoded Page (no alert)
(current_events.rules)
  2022572 - ET TROJAN Andromeda Download (set) (trojan.rules)
  2022770 - ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 27 2016
(fbset) (current_events.rules)
  2025038 - ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 24 2016
(Evil Keitaro FB Set) (current_events.rules)
  2025039 - ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 29 2016
(Evil Keitaro FB Set) (current_events.rules)
  2029424 - ET INFO [TGI] Entrust Entelligence Security Provider (Flowbits
Set) (info.rules)
  2800638 - ETPRO EXPLOIT Cisco IOS Show Memory URI Connection
(exploit.rules)
  2800843 - ETPRO WEB_CLIENT RealNetworks RealPlayer CDDA Access
(web_client.rules)
  2800844 - ETPRO WEB_CLIENT RealNetworks RealPlayer CDDA Access 2
(web_client.rules)
  2800854 - ETPRO EXPLOIT Oracle Java Runtime CMM readMabCurveData Buffer
Overflow ICC DL (exploit.rules)
  2800855 - ETPRO EXPLOIT Oracle Java Runtime CMM readMabCurveData Buffer
Overflow ICM DL (exploit.rules)
  2800879 - ETPRO EXPLOIT Adobe Shockwave Player Lnam Chunk Processing
Buffer Overflow Big Endian Header (exploit.rules)
  2800881 - ETPRO EXPLOIT Adobe Shockwave Player Lnam Chunk Processing
Buffer Overflow Little Endian Header (exploit.rules)
  2800954 - ETPRO TROJAN Backdoor.Win32.Ripinip Requesting Config
(trojan.rules)
  2801290 - ETPRO WORM Worm.Win32.Slenfbot.G Checkin 2 (worm.rules)
  2801304 - ETPRO POP3 Inetserv 3.23 POP3 DoS (pop3.rules)
  2801383 - ETPRO WORM Worm.Win32.Imamihong.A flowbits set 1 (worm.rules)
  2801385 - ETPRO WORM Worm.Win32.Imamihong.A flowbits set 1 (worm.rules)
  2801404 - ETPRO TROJAN Unknown RBN Based BiFrost Botnet Query
(trojan.rules)
  2802835 - ETPRO SMTP Postfix SASL AUTH Handle Reuse Memory
Corruption(Published Exploit) 2 (smtp.rules)
  2815138 - ETPRO CURRENT_EVENTS Possible Nuclear EK Payload Nov 30 2015
(fb set) (current_events.rules)
  2815534 - ETPRO CURRENT_EVENTS Possible Nuclear EK Payload Dec 30 2015 M2
(fb set) (current_events.rules)
  2815955 - ETPRO CURRENT_EVENTS Phishing Landing via Sitey.me Jan 25 M2
(current_events.rules)

 [---]         Disabled rules:        [---]

  2006398 - ET TROJAN Socks666 Checkin Packet (trojan.rules)
  2007751 - ET TROJAN Saturn Proxy Initial Outbound Checkin (404.txt)
(trojan.rules)
  2009238 - ET TROJAN PcClient Backdoor Checkin Packet 1 (trojan.rules)
  2010695 - ET TROJAN Aurora Backdoor (C&C) client connection to CnC
(trojan.rules)
  2012960 - ET TROJAN Trojan.Vaklik.kku Checkin Request (trojan.rules)
  2013135 - ET TROJAN FakeAV FakeAlert.Rena.n Checkin Flowbit set
(trojan.rules)
  2013419 - ET TROJAN FakeAV FakeAlert.Rena or similar Checkin Flowbit Set
2 (trojan.rules)
  2025985 - ET INFO Adobe PDX in HTTP Flowbit Set (info.rules)
  2027956 - ET CURRENT_EVENTS Successful Gmail Phish (set) 2016-09-12
(current_events.rules)
  2800808 - ETPRO TROJAN Backdoor.Win32.VBKrypt.dxe Checkin (trojan.rules)
  2800950 - ETPRO TROJAN Backdoor.Win32.Loopas Initial checkin
(trojan.rules)
  2801347 - ETPRO TROJAN Mariposa or Palevo Bot Checkin to Server
(trojan.rules)
  2801420 - ETPRO MALWARE RogueSoftware.Win32.AVGAntivirus2011 Checkin 3
(malware.rules)
  2801914 - ETPRO TROJAN NCom Linux Rootkit Checkin (trojan.rules)
  2802002 - ETPRO TROJAN Backdoor.Win32.Refpron.I Checkin flowbit set
(trojan.rules)
  2802159 - ETPRO TROJAN Delf/Hupigon/PWS.Banker.54377 Checkin Response
from CnC (trojan.rules)
  2802197 - ETPRO TROJAN Trojan.Win32.Banker.bkvd Checkin flowbit set
(trojan.rules)
  2803059 - ETPRO TROJAN Win32.Coinbit.A Checkin Flowbit Set (trojan.rules)
  2815667 - ETPRO WEB_CLIENT Ezweb123 Phishing (set) Jan 8
(web_client.rules)
  2815892 - ETPRO CURRENT_EVENTS Phishing Landing via Stinge.com (set) Jan
22 (current_events.rules)
  2815896 - ETPRO CURRENT_EVENTS Phishing Landing via Jimdo.com (set) Jan
22 (current_events.rules)
  2816290 - ETPRO WEB_CLIENT Igg.biz Phishing Redirector (set) Feb 17
(web_client.rules)
  2824151 - ETPRO CURRENT_EVENTS Successful Santander Phish (set) M1 Dec 30
2016 (current_events.rules)
  2827610 - ETPRO CURRENT_EVENTS Evil Redirector iFrame Observed Aug 18
2017 (current_events.rules)
  2829091 - ETPRO CURRENT_EVENTS Magnitude EK Payload URI Struct 2017-12-27
(current_events.rules)
  2830648 - ETPRO MALWARE Win32/InstallCore set bit (malware.rules)

 [---]         Removed rules:         [---]

  2836370 - ETPRO TROJAN MSIL/Spy.Agent.BXY Variant CnC Checkin
(trojan.rules)
  2841916 - ETPRO MALWARE Burp Collector Reporting Group Information
(malware.rules)