[Emerging-updates] Daily Ruleset Update Summary 2020/04/17

James Emery-Callcott jcallcott at emergingthreats.net
Fri Apr 17 13:50:30 HDT 2020


[***]            Summary:            [***]

  3 new Open, 25 new Pro (3 + 22).  Remcos, VBS/Agent.OHV, Various Phish,
Others.

  Thanks @401TRG.

  Please be aware that after the deprecation of our Suricata 2/3 support
(April 15th 2020), the path for downloading the last pushed production
Suricata 2/3 rulesets has changed.  Deprecated rulesets are available at
https://rules.emergingthreatspro.com/OINK/old for ETPro and
https://rules.emergingthreatspro.com/open/old/ for ETOpen.  All requests
for the Suricata 2/3 rulesets at their previous locations will now lead to the
Suricata 4.0 production rules for ETPro and the rule download instructions
for ETOpen.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2029929 - ET SCAN ELF/Mirai Variant User-Agent (Inbound) (scan.rules)
  2029930 - ET TROJAN ELF/Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029931 - ET TROJAN 401TRG SMB Create AndX Request For Emotet Spreader (trojan.rules)

Pro:

  2842070 - ETPRO MOBILE_MALWARE Android/Agent.BLA Checkin (mobile_malware.rules)
  2842071 - ETPRO MOBILE_MALWARE Android/Tchurnay Reporting System Details (mobile_malware.rules)
  2842072 - ETPRO USER_AGENTS Observed Suspicious UA (user_agent) (user_agents.rules)
  2842073 - ETPRO TROJAN Win64/GenKryptik.EIPF Variant CnC (Checkin) (trojan.rules)
  2842074 - ETPRO TROJAN Win32/Gidro CnC Activity (trojan.rules)
  2842075 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish 2020-04-17 (current_events.rules)
  2842076 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-04-17 (current_events.rules)
  2842077 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-04-17 (current_events.rules)
  2842078 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-04-17 (current_events.rules)
  2842079 - ETPRO CURRENT_EVENTS Successful Telekom/Tmobile Phish 2020-04-17 (current_events.rules)
  2842080 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-17 1) (trojan.rules)
  2842081 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-17 2) (trojan.rules)
  2842082 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-04-17 3) (trojan.rules)
  2842083 - ETPRO TROJAN Possible Malicious Macro Host Checkin (trojan.rules)
  2842084 - ETPRO CURRENT_EVENTS Successful WhatsApp Phish 2020-04-17 (current_events.rules)
  2842085 - ETPRO TROJAN Win32/WonderShare CnC Checkin (trojan.rules)
  2842086 - ETPRO TROJAN Observed Malicious SSL Cert (Possible CyberPay Phish) (trojan.rules)
  2842087 - ETPRO TROJAN Win32/Remcos RAT Checkin 397 (trojan.rules)
  2842088 - ETPRO TROJAN Win32/Remcos RAT Checkin 398 (trojan.rules)
  2842089 - ETPRO TROJAN Win32/Remcos RAT Checkin 399 (trojan.rules)
  2842090 - ETPRO TROJAN Win64/GenKryptik.EIPF Variant CnC (Download Request) (trojan.rules)
  2842091 - ETPRO TROJAN VBS/Agent.OHV Downloader Activity (trojan.rules)

[///]     Modified active rules:     [///]

  2004158 - ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID SELECT (web_specific_apps.rules)
  2004159 - ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UNION SELECT (web_specific_apps.rules)
  2004160 - ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID INSERT (web_specific_apps.rules)
  2004161 - ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID DELETE (web_specific_apps.rules)
  2004162 - ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID ASCII (web_specific_apps.rules)
  2004163 - ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UPDATE (web_specific_apps.rules)
  2004936 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname SELECT (web_specific_apps.rules)
  2004937 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UNION SELECT (web_specific_apps.rules)
  2004938 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname INSERT (web_specific_apps.rules)
  2004939 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname DELETE (web_specific_apps.rules)
  2004940 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname ASCII (web_specific_apps.rules)
  2004941 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UPDATE (web_specific_apps.rules)
  2004942 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail SELECT (web_specific_apps.rules)
  2004943 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UNION SELECT (web_specific_apps.rules)
  2004945 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail INSERT (web_specific_apps.rules)
  2004946 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail DELETE (web_specific_apps.rules)
  2004947 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail ASCII (web_specific_apps.rules)
  2004948 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UPDATE (web_specific_apps.rules)
  2004949 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite SELECT (web_specific_apps.rules)
  2004950 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UNION SELECT (web_specific_apps.rules)
  2004951 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite INSERT (web_specific_apps.rules)
  2004952 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite DELETE (web_specific_apps.rules)
  2004953 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite ASCII (web_specific_apps.rules)
  2004954 - ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UPDATE (web_specific_apps.rules)
  2006547 - ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id SELECT (web_specific_apps.rules)
  2006548 - ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UNION SELECT (web_specific_apps.rules)
  2006549 - ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id INSERT (web_specific_apps.rules)
  2006550 - ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id DELETE (web_specific_apps.rules)
  2006551 - ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id ASCII (web_specific_apps.rules)
  2006552 - ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UPDATE (web_specific_apps.rules)
  2009375 - ET CHAT General MSN Chat Activity (chat.rules)
  2017081 - ET INFO HTTP URI contains pasa= (info.rules)
  2017082 - ET INFO HTTP POST contains pasa form (info.rules)
  2800837 - ETPRO WEB_CLIENT Adobe Shockwave Director tSAC Chunk Parsing Memory Corruption (web_client.rules)
  2801349 - ETPRO MALWARE Trojan-Downloader.Win32.FraudLoad.yevp Related UA (malware.rules)
  2801398 - ETPRO WEB_SPECIFIC_APPS Check Point Endpoint Security Server Information Disclosure Attempt (web_specific_apps.rules)
  2804234 - ETPRO POLICY HTTP Request to free file hosting site fileden.com (policy.rules)
  2808516 - ETPRO MOBILE_MALWARE SMSPay.D Checkin (mobile_malware.rules)
  2829507 - ETPRO TROJAN MSIL/Vermin RAT Checkin via SOAP (trojan.rules)
  2841816 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish 2020-04-01 (current_events.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team