[Emerging-updates] Daily Ruleset Update Summary 2020/04/09

Jason Williams jwilliams at emergingthreats.net
Thu Apr 9 13:52:55 HDT 2020


[***]            Summary:            [***]

  16 Open, 38 Pro (16 + 22). RocketX Stealer, Lemon Duck, Agent.TRM,
Various Phish.

  Tks: @James_inthe_box, @w3ndige

  Suricata 2/3 Support from Emerging Threats will become End-Of-Life on
April 15th, 2020.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

 [+++]          Added rules:          [+++]

 Open:

  2029840 - ET INFO Request for EXE via WinHTTP M1 (info.rules)
  2029841 - ET INFO Request for EXE via WinHTTP M2 (info.rules)
  2029842 - ET INFO Request for EXE via WinHTTP M3 (info.rules)
  2029843 - ET INFO Suspicious Zipped Filename in Outbound POST Request
(Hardware.txt) (info.rules)
  2029844 - ET INFO Suspicious Zipped Filename in Outbound POST Request
(Prgrm.txt) (info.rules)
  2029845 - ET INFO Suspicious Zipped Filename in Outbound POST Request
(CookiesList.txt) (info.rules)
  2029846 - ET TROJAN Suspicious Zipped Filename in Outbound POST Request
(Passwords.txt) (trojan.rules)
  2029847 - ET TROJAN Win32/RocketX Stealer CnC Exfil (trojan.rules)
  2029848 - ET TROJAN Lemon_Duck Powershell CnC Checkin M2 (trojan.rules)
  2029849 - ET CURRENT_EVENTS GOV UK Possible COVID-19 Phish 2020-04-06
(current_events.rules)
  2029850 - ET CURRENT_EVENTS GOV UK Possible COVID-19 Phish 2020-04-06
(current_events.rules)
  2029851 - ET TROJAN Possible Kimsuky APT Connectivity Check via Document
(trojan.rules)
  2029852 - ET TROJAN Observed Malicious SSL Cert (MSIL/Agent.TRM CnC)
(trojan.rules)
  2029853 - ET TROJAN MSIL/Agent.TRM Checkin Response (trojan.rules)
  2029854 - ET TROJAN MSIL/Agent.TRM Task Command (trojan.rules)
  2029855 - ET TROJAN MSIL/Agent.TRM Data Exfil (sysinfo) (trojan.rules)

 Pro:

  2841954 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-04-09 (current_events.rules)
  2841955 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-04-09 (current_events.rules)
  2841956 - ETPRO CURRENT_EVENTS Successful USAA Phish 2020-04-09
(current_events.rules)
  2841957 - ETPRO CURRENT_EVENTS Successful Ziraat Bankasi Phish 2020-04-09
(current_events.rules)
  2841958 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-09 1) (trojan.rules)
  2841959 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-09 2) (trojan.rules)
  2841960 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-04-09 (current_events.rules)
  2841961 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-04-09
(current_events.rules)
  2841962 - ETPRO CURRENT_EVENTS Successful Offerup Phish 2020-04-09
(current_events.rules)
  2841963 - ETPRO CURRENT_EVENTS Successful Runescape Phish 2020-04-09
(current_events.rules)
  2841964 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-04-09 (current_events.rules)
  2841965 - ETPRO CURRENT_EVENTS Successful Blockchain Phish 2020-04-09
(current_events.rules)
  2841966 - ETPRO CURRENT_EVENTS Successful ANZ Bank Phish 2020-04-09
(current_events.rules)
  2841967 - ETPRO CURRENT_EVENTS Successful ANZ Bank Phish 2020-04-09
(current_events.rules)
  2841968 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-04-09
(current_events.rules)
  2841969 - ETPRO TROJAN Win32/Remcos RAT Checkin 384 (trojan.rules)
  2841970 - ETPRO TROJAN Win32/Remcos RAT Checkin 385 (trojan.rules)
  2841971 - ETPRO TROJAN Win32/Remcos RAT Checkin 386 (trojan.rules)
  2841972 - ETPRO TROJAN Win32/Remcos RAT Checkin 387 (trojan.rules)
  2841973 - ETPRO TROJAN Win32/Remcos RAT Checkin 388 (trojan.rules)
  2841974 - ETPRO TROJAN Win32/Agent.UAW CnC Activity (trojan.rules)
  2841975 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)

 [///]     Modified active rules:     [///]

  2026420 - ET INFO Generic 000webhostapp.com POST 2018-09-27 (set)
(info.rules)
  2029013 - ET TROJAN Lemon_Duck Powershell - Install Tracking
(trojan.rules)
  2833021 - ETPRO CURRENT_EVENTS Possible Malicious Second Stage Download
with Terse Headers (set) (current_events.rules)
  2833022 - ETPRO CURRENT_EVENTS Possible Malicious Second Stage Download
with Terse Headers (current_events.rules)

 [---]         Removed rules:         [---]

  2841894 - ETPRO CURRENT_EVENTS GOV UK Possible COVID-19 Phish 2020-04-06
(current_events.rules)
  2841895 - ETPRO CURRENT_EVENTS GOV UK Possible COVID-19 Phish 2020-04-06
(current_events.rules)