[Emerging-updates] Daily Ruleset Update Summary 2020/04/27

Jack Mott jmott at emergingthreats.net
Mon Apr 27 14:14:45 HDT 2020


[***]            Summary:            [***]

 8 new Open, 36 new Pro (8 + 28). ASNAROK, APT-C-37/MoonLight,
Win32/Remcos, Ursnif SSL Certs, VARIOUS Phishing.

 Please be aware that after the deprecation of our Suricata 2/3 support
(April 15th 2020), the path for downloading the last pushed production
Suricata 2/3 rulesets has changed.  Deprecated rulesets are available at
https://rules.emergingthreatspro.com/OINK/old for ETPro and
https://rules.emergingthreatspro.com/open/old/ for ETOpen.  All requests
for the Suricata 2/3 rulesets at their previous locations will now lead to
the Suricata 4.0 production rules for ETPro and the rule download
instructions for ETOpen.

 Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030027 - ET TROJAN Parallax CnC Activity M9 (set) (trojan.rules)
  2030028 - ET TROJAN Observed Malicious SSL Cert (Gozi ISFB) (trojan.rules)
  2030029 - ET TROJAN Observed Malicious SSL Cert (Gozi ISFB) (trojan.rules)
  2030030 - ET TROJAN Observed Malicious SSL Cert (Gozi ISFB) (trojan.rules)
  2030031 - ET TROJAN ASNAROK Related Domain in DNS Lookup (trojan.rules)
  2030032 - ET TROJAN ASNAROK Related Domain in TLS SNI (trojan.rules)
  2030033 - ET TROJAN ASNAROK CnC Domain in DNS Lookup (trojan.rules)
  2030034 - ET TROJAN ASNAROK Domain in TLS SNI (trojan.rules)

Pro:

  2842199 - ETPRO POLICY Observed EICAR Test File String Inbound
(policy.rules)
  2842200 - ETPRO TROJAN Win32/Unk.Stealer Exfil via HTTP POST
(trojan.rules)
  2842201 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-25 1) (trojan.rules)
  2842202 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-25 2) (trojan.rules)
  2842203 - ETPRO CURRENT_EVENTS Successful EMS Phish 2020-04-27
(current_events.rules)
  2842204 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish
2020-04-27 (current_events.rules)
  2842205 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-04-27
(current_events.rules)
  2842206 - ETPRO CURRENT_EVENTS Successful Sparkasse Bank Phish 2020-04-27
(current_events.rules)
  2842207 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-04-27
(current_events.rules)
  2842208 - ETPRO CURRENT_EVENTS Successful Bankia Phish 2020-04-27
(current_events.rules)
  2842209 - ETPRO CURRENT_EVENTS Successful Alibaba Phish 2020-04-27
(current_events.rules)
  2842210 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-04-27
(current_events.rules)
  2842211 - ETPRO CURRENT_EVENTS Successful American Express Phish
2020-04-27 (current_events.rules)
  2842212 - ETPRO CURRENT_EVENTS Successful Orange Phish 2020-04-27
(current_events.rules)
  2842213 - ETPRO CURRENT_EVENTS Successful SMBC Phish 2020-04-27
(current_events.rules)
  2842214 - ETPRO CURRENT_EVENTS Successful Sparkasse Bank Phish 2020-04-27
(current_events.rules)
  2842215 - ETPRO CURRENT_EVENTS Successful Societe Generale Phish
2020-04-27 (current_events.rules)
  2842216 - ETPRO CURRENT_EVENTS Successful Citibank Phish 2020-04-27
(current_events.rules)
  2842217 - ETPRO TROJAN Win32/Downloader.Agent.EZV Batch Script Inbound
(trojan.rules)
  2842218 - ETPRO TROJAN APT-C-37/MoonLight VBS Stage 1 Inbound
(trojan.rules)
  2842219 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)
  2842220 - ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC)
(trojan.rules)
  2842221 - ETPRO TROJAN Parallax CnC Response Activity M9 (trojan.rules)
  2842225 - ETPRO TROJAN Win32/Remcos RAT Checkin 409 (trojan.rules)
  2842226 - ETPRO TROJAN Win32/Remcos RAT Checkin 410 (trojan.rules)
  2842227 - ETPRO TROJAN Win32/Remcos RAT Checkin 411 (trojan.rules)
  2842228 - ETPRO TROJAN Win32/Remcos RAT Checkin 412 (trojan.rules)
  2842229 - ETPRO TROJAN Win32/Remcos RAT Checkin 413 (trojan.rules)

[///]     Modified active rules:     [///]

  2002677 - ET SCAN Nikto Web App Scan in Progress (scan.rules)
  2002801 - ET POLICY Google Desktop User-Agent Detected (policy.rules)
  2002823 - ET POLICY Possible Web Crawl using Wget (policy.rules)
  2008350 - ET POLICY Autoit Windows Automation tool User-Agent in HTTP
Request - Possibly Hostile (policy.rules)
  2008416 - ET SCAN Httprint Web Server Fingerprint Scan (scan.rules)
  2010071 - ET TROJAN Hiloti/Mufanom Downloader Checkin (trojan.rules)
  2010241 - ET TROJAN WindowsEnterpriseSuite FakeAV check-in GET
(trojan.rules)
  2011464 - ET WEB_SERVER /bin/csh In URI Possible Shell Command Execution
Attempt (web_server.rules)
  2011466 - ET WEB_SERVER /bin/tsh In URI Possible Shell Command Execution
Attempt (web_server.rules)
  2011467 - ET WEB_SERVER /bin/ksh In URI Possible Shell Command Execution
Attempt (web_server.rules)
  2011827 - ET TROJAN Xilcter/Zeus related malware dropper reporting in
(trojan.rules)
  2011852 - ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Cross Site
Scripting Attempt (web_specific_apps.rules)
  2011857 - ET TROJAN SpyEye C&C Check-in URI (trojan.rules)
  2012619 - ET USER_AGENTS Suspicious User-Agent Mozilla/3.0
(user_agents.rules)
  2012620 - ET TROJAN Win32.FakeAV.chhq Checkin (trojan.rules)
  2012761 - ET USER_AGENTS Suspicious user agent (mdms) (user_agents.rules)
  2012805 - ET WEB_SPECIFIC_APPS Automne upload-controler.php Arbitrary
File Upload Vulnerability (web_specific_apps.rules)
  2013533 - ET TROJAN Backdoor.Win32.Fynloski.A Command Response
(trojan.rules)
  2013534 - ET TROJAN VirTool.Win32/VBInject.gen!DM Checkin (trojan.rules)
  2013556 - ET MALWARE UBar Trojan/Adware Checkin 1 (malware.rules)
  2014297 - ET POLICY Vulnerable Java Version 1.7.x Detected (policy.rules)
  2014651 - ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry
Method Access Potential Buffer Overflow 2 (activex.rules)
  2014652 - ET ACTIVEX Quest Explain Plan Display ActiveX Control
SaveToFile Insecure Method Access (activex.rules)
  2014653 - ET ACTIVEX Quest Explain Plan Display ActiveX Control
SaveToFile Insecure Method Access 2 (activex.rules)
  2014654 - ET WEB_SPECIFIC_APPS Joomla com_videogallery controller
parameter Local File Inclusion Attempt (web_specific_apps.rules)
  2014726 - ET POLICY Outdated Flash Version M1 (policy.rules)
  2015040 - ET WEB_SPECIFIC_APPS Joomla com_rssreader controller parameter
Local File Inclusion Attempt (web_specific_apps.rules)
  2015041 - ET WEB_SPECIFIC_APPS WordPress Custom Contact Forms
options-general.php Cross-Site Scripting Attempt (web_specific_apps.rules)
  2015045 - ET INFO Potential Common Malicious JavaScript Loop (info.rules)
  2015723 - ET TROJAN ZeroAccess Checkin (trojan.rules)
  2015786 - ET TROJAN Ransom.Win32.Birele.gsg Checkin (trojan.rules)
  2016742 - ET TROJAN Possible W32/Citadel Download From CnC Server Self
Referenced /files/ attachment (trojan.rules)
  2016803 - ET TROJAN Known Sinkhole Response Header (trojan.rules)
  2016806 - ET INFO Tor2Web .onion Proxy Service SSL Cert (1) (info.rules)
  2016810 - ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (2)
(current_events.rules)
  2016902 - ET TROJAN Trojan.BlackRev Download Executable (trojan.rules)
  2016922 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (trojan.rules)
  2016988 - ET TROJAN KeyBoy Backdoor File Manager Response Header
(trojan.rules)
  2016989 - ET TROJAN KeyBoy Backdoor File Download Response Header
(trojan.rules)
  2016990 - ET TROJAN KeyBoy Backdoor File Upload Response Header
(trojan.rules)
  2016991 - ET TROJAN Alina Server Response Code (trojan.rules)
  2016992 - ET WEB_SERVER WebShell Generic - *.tar.gz in POST body
(web_server.rules)
  2017006 - ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit
plugin-detect script access (exploit.rules)
  2017007 - ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit
plugin-detect script access (exploit.rules)
  2017008 - ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit Specific
(exploit.rules)
  2017166 - ET CURRENT_EVENTS Sibhost Zip as Applet Archive July 08 2013
(current_events.rules)
  2017308 - ET TROJAN W32/DirCrypt.Ransomware CnC Checkin (trojan.rules)
  2017399 - ET WEB_SERVER WebShell Generic eval of base64_decode
(web_server.rules)
  2017400 - ET WEB_SERVER WebShell Generic eval of gzinflate
(web_server.rules)
  2017401 - ET WEB_SERVER WebShell Generic eval of str_rot13
(web_server.rules)
  2017402 - ET WEB_SERVER WebShell Generic eval of gzuncompress
(web_server.rules)
  2017403 - ET WEB_SERVER WebShell Generic eval of convert_uudecode
(web_server.rules)
  2017404 - ET WORM W32/Njw0rm CnC Beacon (worm.rules)
  2017464 - ET TROJAN W32/Hesperus.Banker Tr-mail Variant Sending Data To
CnC (trojan.rules)
  2017466 - ET MOBILE_MALWARE Android/FakeAhnAV.A CnC Beacon
(mobile_malware.rules)
  2017489 - ET TROJAN W32/Zzinfor.A Retrieving Instructions From CnC Server
(trojan.rules)
  2017490 - ET TROJAN W32/Downloader.Mevade.FBV CnC Beacon (trojan.rules)
  2017504 - ET INFO DRIVEBY Generic - *.com.exe HTTP Attachment (info.rules)
  2017511 - ET TROJAN APT.Agtid callback (trojan.rules)
  2017512 - ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Statistic.js
(current_events.rules)
  2017517 - ET TROJAN Worm.VBS.ayr Checkin 2 (trojan.rules)
  2017558 - ET TROJAN Mevade Checkin (trojan.rules)
  2017560 - ET WEB_SPECIFIC_APPS Possible WHMCS SQLi AES_ENCRYPT at start
of value (web_specific_apps.rules)
  2017583 - ET TROJAN CryptoLocker EXE Download (trojan.rules)
  2017586 - ET TROJAN Possible W32/KanKan Update officeaddinupdate.xml
Request (trojan.rules)
  2017615 - ET SCAN NETWORK Outgoing Masscan detected (scan.rules)
  2017616 - ET SCAN NETWORK Incoming Masscan detected (scan.rules)
  2017620 - ET TROJAN Kuluoz Activity (trojan.rules)
  2017622 - ET WEB_SPECIFIC_APPS WHMCS lt 5.2.8 SQL Injection
(web_specific_apps.rules)
  2017637 - ET INFO Java File Sent With X-Powered By HTTP Header - Common
In Exploit Kits (info.rules)
  2017641 - ET WEB_SERVER Possible Encrypted Webshell in POST
(web_server.rules)
  2017643 - ET TROJAN Linux/Ssemgrvd sshd Backdoor HTTP CNC 2 (trojan.rules)
  2017646 - ET TROJAN Possible TRAT proxy component user agent detected
(trojan.rules)
  2017655 - ET TROJAN W32/Badur.Spy User Agent lawl (trojan.rules)
  2017684 - ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi Name Parameter
Buffer Overflow Attempt CVE-2013-3621 (web_server.rules)
  2017685 - ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi PWD Parameter
Buffer Overflow Attempt CVE-2013-3621 (web_server.rules)
  2017686 - ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi
sess_sid Parameter Buffer Overflow Attempt CVE-2013-3623 (web_server.rules)
  2017687 - ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi ACT
Parameter Buffer Overflow Attempt CVE-2013-3623 (web_server.rules)
  2017688 - ET WEB_SERVER Possible SUPERMICRO IPMI url_redirect.cgi
Directory Traversal Attempt (web_server.rules)
  2017689 - ET TROJAN Possible Schneebly Posting ScreenShot (trojan.rules)
  2017690 - ET TROJAN W32/Citadel.Arx Variant CnC Beacon 1 (trojan.rules)
  2017691 - ET TROJAN W32/Citadel.Arx Varient CnC Beacon 2 (trojan.rules)
  2017694 - ET CURRENT_EVENTS Possible Magnitude IE EK Payload Nov 8 2013
(current_events.rules)
  2017697 - ET TROJAN FaceBook IM & Web Driven Facebook Trojan Posting Data
(trojan.rules)
  2017702 - ET TROJAN Possible Trojan.APT.9002 POST (trojan.rules)
  2017710 - ET TROJAN Bamital checkin (trojan.rules)
  2017721 - ET TROJAN Trojan.BlackRev V1.Botnet HTTP Login POST Flood
Traffic Outbound (trojan.rules)
  2017722 - ET DOS Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic
Inbound (dos.rules)
  2017725 - ET TROJAN Sisproc update (trojan.rules)
  2017730 - ET EXPLOIT JavaX Toolkit Posting Plugin-Detect Data
(exploit.rules)
  2017746 - ET TROJAN Trojan-Downloader Win32.Genome.AV (trojan.rules)
  2017798 - ET EXPLOIT Zollard PHP Exploit UA (exploit.rules)
  2017802 - ET WEB_SPECIFIC_APPS SAP Possible CTC Auth/HTTP Verb Bypass
Attempt (web_specific_apps.rules)
  2017803 - ET WEB_SERVER Possible WebLogic Admin Login With Default Creds
(web_server.rules)
  2017804 - ET WEB_SERVER Possible WebLogic Admin Login With Default Creds
(web_server.rules)
  2017805 - ET WEB_SERVER Possible WebLogic Monitor Login With Default
Creds (web_server.rules)
  2017806 - ET WEB_SERVER Possible WebLogic Operator Login With Default
Creds (web_server.rules)
  2017807 - ET WEB_SERVER Possible MySQL SQLi User-Dump Attempt
(web_server.rules)
  2017808 - ET WEB_SERVER Possible MySQL SQLi Attempt Information Schema
Access (web_server.rules)
  2017814 - ET CURRENT_EVENTS Safe/CritX/FlashPack URI Struct .php?id=Hex
(current_events.rules)
  2017818 - ET TROJAN Common Zbot EXE filename Dec 09 2013 (trojan.rules)
  2017838 - ET TROJAN HTTP Connection To Known Sinkhole Domain sinkdns.org
(trojan.rules)
  2017839 - ET TROJAN Vawtrak/NeverQuest Checkin (trojan.rules)
  2017853 - ET WEB_SPECIFIC_APPS Wordpress OptimizePress Arbitratry File
Upload (web_specific_apps.rules)
  2017855 - ET TROJAN W32/Ke3chang.MovieStar.APT Campaign CnC Beacon
(trojan.rules)
  2017856 - ET TROJAN W32/Ke3chang.Snake.APT Campaign CnC Beacon
(trojan.rules)
  2017857 - ET TROJAN W32/Ke3chang.MyWeb.APT Campaign CnC Beacon
(trojan.rules)
  2017859 - ET TROJAN W32/Ke3chang.Dream.APT Campaign CnC Beacon 2
(trojan.rules)
  2017860 - ET TROJAN W32/Ke3chang.MyWeb.APT Eourdegh Campaign CnC Beacon
(trojan.rules)
  2017867 - ET TROJAN W32/Liftoh.Downloader Feed404 CnC Beacon
(trojan.rules)
  2017868 - ET TROJAN W32/Liftoh.Downloader Images CnC Beacon (trojan.rules)
  2017870 - ET TROJAN W32/Liftoh.Downloader Get Final Payload Request
(trojan.rules)
  2017896 - ET EXPLOIT Metasploit Plugin-Detect Posting Data 1
(exploit.rules)
  2017897 - ET EXPLOIT Metasploit Plugin-Detect Posting Data 2
(exploit.rules)
  2017898 - ET EXPLOIT Metasploit Plugin-Detect Posting Data 3
(exploit.rules)
  2017917 - ET TROJAN W32/Ferret DDOS Bot CnC Beacon 2 (trojan.rules)
  2017949 - ET USER_AGENTS FOCA User-Agent (user_agents.rules)
  2017952 - ET WEB_SERVER ATTACKER WebShell - PHP Offender - POST Command
(web_server.rules)
  2017959 - ET TROJAN W32/Mevade.Variant CnC POST (trojan.rules)
  2017960 - ET POLICY Bitcoin Mining Server Stratum Protocol HTTP Header
(policy.rules)
  2017964 - ET TROJAN Kishop.A checkin (trojan.rules)
  2017970 - ET TROJAN PWS.Win32/Daceluw.A Checkin (trojan.rules)
  2018000 - ET MOBILE_MALWARE Android/HeHe.Spy RegisterRequest CnC Beacon
(mobile_malware.rules)
  2018001 - ET MOBILE_MALWARE Android/HeHe.Spy LoginRequest CnC Beacon
(mobile_malware.rules)
  2018002 - ET MOBILE_MALWARE Android/HeHe.Spy ReportRequest CnC Beacon
(mobile_malware.rules)
  2018003 - ET MOBILE_MALWARE Android/HeHe.Spy GetTaskRequest CnC Beacon
(mobile_malware.rules)
  2018004 - ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC
Beacon (mobile_malware.rules)
  2018012 - ET P2P Vagaa peer-to-peer (Transfer) (p2p.rules)
  2018030 - ET TROJAN Limitless Logger RAT HTTP Activity (trojan.rules)
  2018038 - ET TROJAN SolarBot Plugin Download MessageBox (trojan.rules)
  2018039 - ET TROJAN SolarBot Plugin Download ComputerInfo (trojan.rules)
  2018040 - ET TROJAN SolarBot Plugin Download WalletSteal (trojan.rules)
  2018047 - ET TROJAN W32/Neverquest.InfoStealer Configuration Request CnC
Beacon (trojan.rules)
  2018071 - ET MOBILE_MALWARE Android/DwnlAPK-A Configuration File Request
(mobile_malware.rules)
  2018079 - ET TROJAN W32.Blackshades/Shadesrat Backdoor CnC Beacon
(trojan.rules)
  2018092 - ET WEB_SERVER Possible Oracle Reports Forms RCE CVE-2012-3152
(web_server.rules)
  2018094 - ET TROJAN DirtJumper Activity (trojan.rules)
  2018097 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement
(trojan.rules)
  2018100 - ET TROJAN W32/Rshot.Backdoor File Upload CnC Beacon
(trojan.rules)
  2018102 - ET TROJAN W32/Woai.Dropper Config Request (trojan.rules)
  2018105 - ET TROJAN Possible Mask C2 Traffic (trojan.rules)
  2018106 - ET INFO Suspicious Jar name JavaUpdate.jar (info.rules)
  2018108 - ET TROJAN Infostealer.Jackpos Checkin (trojan.rules)
  2018112 - ET TROJAN Trojan/Win32.FraudPack User-Agent (Downloader MLR
1.0.0) (trojan.rules)
  2018118 - ET WEB_SERVER Recon-ng User-Agent (web_server.rules)
  2018120 - ET TROJAN Blackbeard Check-in (trojan.rules)
  2018122 - ET TROJAN Linkup Ransomware check-in (trojan.rules)
  2018137 - ET TROJAN Android/FakeKakao checkin (trojan.rules)
  2018138 - ET MOBILE_MALWARE Android/FakeKakao checkin 1
(mobile_malware.rules)
  2018139 - ET MOBILE_MALWARE Android/FakeKakao checkin 2
(mobile_malware.rules)
  2018140 - ET MOBILE_MALWARE Android/FakeKakao checkin 3
(mobile_malware.rules)
  2018142 - ET TROJAN MSIL.Zapchast Checkin (trojan.rules)
  2018150 - ET TROJAN W32/Dadobra.Downloader/DNSChanger Dnsmake CnC Beacon
(trojan.rules)
  2019401 - ET POLICY Vulnerable Java Version 1.8.x Detected (policy.rules)
  2020683 - ET TROJAN Gamarue/Andromeda Downloading Payload (trojan.rules)
  2020872 - ET EXPLOIT TP-LINK Known Malicious Router DNS Change GET
Request (exploit.rules)
  2020873 - ET EXPLOIT D-link DI604 Known Malicious Router DNS Change GET
Request (exploit.rules)
  2020874 - ET EXPLOIT Netgear DGN1000B Router DNS Change GET Request
(exploit.rules)
  2020875 - ET EXPLOIT Belkin G F5D7230-4 Router DNS Change GET Request
(exploit.rules)
  2020876 - ET EXPLOIT Tenda ADSL2/2+ Router DNS Change GET Request
(exploit.rules)
  2020877 - ET EXPLOIT Known Malicious Router DNS Change GET Request
(exploit.rules)
  2020878 - ET EXPLOIT TP-LINK TL-WR841N Router DNS Change GET Request
(exploit.rules)
  2020879 - ET EXPLOIT Linksys WRT54GL DNS Change GET Request
(exploit.rules)
  2020880 - ET EXPLOIT TP-LINK TL-WR750N DNS Change GET Request
(exploit.rules)
  2020881 - ET MALWARE PUP Win32/AdWare.Sendori User-Agent (malware.rules)
  2022895 - ET CURRENT_EVENTS Xbagger Macro Encrypted DL Jun 13 2016
(current_events.rules)
  2024379 - ET POLICY Outdated Flash Version M2 (policy.rules)
  2024579 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jun
08 2017 (current_events.rules)
  2027367 - ET DNS Query for Suspicious shell .now .sh Domain (dns.rules)
  2027621 - ET INFO SSL/TLS Certificate Observed (Lucy Phishing Awareness
Default Certificate) (info.rules)
  2027683 - ET TROJAN MuddyWater Payload Registering with CnC (trojan.rules)
  2027684 - ET TROJAN MuddyWater Payload Requesting Command from CnC
(trojan.rules)
  2027685 - ET TROJAN MuddyWater Payload CnC Checkin (trojan.rules)
  2028867 - ET POLICY Vulnerable Java Version 11.0.x Detected (policy.rules)
  2800816 - ETPRO TROJAN Backdoor.Win32.Remosh.A Checkin (trojan.rules)
  2802020 - ETPRO WEB_CLIENT Excel File Containing Integer Overrun
Vulnerability BIFF v6 Record ToolBarDef (web_client.rules)
  2802021 - ETPRO WEB_CLIENT Excel File Containing Integer Overrun
Vulnerability BIFF v5 Record ToolBarDef (web_client.rules)
  2802191 - ETPRO USER_AGENTS Suspicious User-Agent SameAgent
(user_agents.rules)
  2802192 - ETPRO USER_AGENTS Suspicious User-Agent UserLM
(user_agents.rules)
  2802193 - ETPRO TROJAN Win32.Adload.BZ Checkin (trojan.rules)
  2803829 - ETPRO POLICY Bitcoin Cash Guild Bot Work Request (policy.rules)
  2804347 - ETPRO INFO DYNAMIC_DNS HTTP Request to a *.dynamicDNS.biz
Domain (info.rules)
  2804466 - ETPRO POLICY Direct Support for Applications Remote control
session (policy.rules)
  2804471 - ETPRO TROJAN Win32/TrojanDownloader.Banload.QNW Checkin
(trojan.rules)
  2804926 - ETPRO TROJAN Win32/Autorun.GN Checkin (trojan.rules)
  2805555 - ETPRO POLICY OpenInstall Adware User-Agent (policy.rules)
  2806250 - ETPRO MOBILE_MALWARE Android/Phonerecon.A Checkin
(mobile_malware.rules)
  2806275 - ETPRO EXPLOIT DLink DIR-645 / DIR-815 diagnostic.php Command
Execution (exploit.rules)
  2806321 - ETPRO TROJAN Win32.Bicololo Checkin 2 (trojan.rules)
  2806482 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free
(web_client.rules)
  2806483 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free
(web_client.rules)
  2806484 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free
(web_client.rules)
  2806485 - ETPRO WEB_CLIENT Internet Explorer Double Free CVE-2013-3118
(web_client.rules)
  2806486 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free
(web_client.rules)
  2806488 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free
(web_client.rules)
  2806489 - ETPRO WEB_CLIENT Internet Explorer onscroll CVE-2013-3123
(web_client.rules)
  2806492 - ETPRO TROJAN Win32/TrojanDownloader.Banload.RVP Checkin 1
(trojan.rules)
  2806493 - ETPRO TROJAN Win32/TrojanDownloader.Banload.RVP Checkin 2
(trojan.rules)
  2806546 - ETPRO TROJAN W32/Zbot.AOV!tr Checkin (trojan.rules)
  2806612 - ETPRO TROJAN Trojan.Win32.Pincav.cngr Checkin (trojan.rules)
  2806676 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Antammi.a Checkin 2
(mobile_malware.rules)
  2806677 - ETPRO MOBILE_MALWARE Android/Helos.A Checkin 2
(mobile_malware.rules)
  2806678 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.a Checkin 6
(mobile_malware.rules)
  2806680 - ETPRO MOBILE_MALWARE Android-PUP/Wooboo Checkin
(mobile_malware.rules)
  2806681 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iconosys.a Checkin 3
(mobile_malware.rules)
  2806682 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Sberik.a Checkin
(mobile_malware.rules)
  2806683 - ETPRO TROJAN Email-Worm.Win32.Wangy Checkin (trojan.rules)
  2806684 - ETPRO TROJAN Rogue.Win32/Winwebsec Install 6 (trojan.rules)
  2806685 - ETPRO TROJAN Netdevil.1_5 reporting via ICQ WWW script
(trojan.rules)
  2806926 - ETPRO TROJAN Muldrop Receiving Data (trojan.rules)
  2807032 - ETPRO TROJAN Win32.Mudrop.rsj (trojan.rules)
  2807036 - ETPRO TROJAN Win32.Clicker.AFKJ (trojan.rules)
  2807051 - ETPRO TROJAN DoS DirtJumper bot DDOS attack (trojan.rules)
  2807053 - ETPRO TROJAN Win32/Spy.Banker.ZWK Checkin (trojan.rules)
  2807076 - ETPRO TROJAN Generic.Banker.Delf.0DD62421 Checkin
(trojan.rules)
  2807077 - ETPRO TROJAN Win32.Zbot.f Checkin (trojan.rules)
  2807084 - ETPRO CURRENT_EVENTS Latest Internet Explorer 0day used against
Taiwan targets exe download (current_events.rules)
  2807091 - ETPRO TROJAN Trojan.Win32.Swisyn.ujq Checkin (trojan.rules)
  2807107 - ETPRO WEB_SERVER Microsoft SharePoint XSS attempt CVE-2013-3895
(web_server.rules)
  2807131 - ETPRO TROJAN Trojan.Win32.Bublik.aexq/Khan executing DDoS
(OUTBOUND) (trojan.rules)
  2807132 - ETPRO TROJAN Trojan.Win32.Bublik.aexq/Khan executing DDoS
(INBOUND) (trojan.rules)
  2807142 - ETPRO TROJAN Variant.Kazy.236558 Checkin (trojan.rules)
  2807144 - ETPRO POLICY PUP DomainIQ (policy.rules)
  2807154 - ETPRO TROJAN Win32/Gapz CnC (trojan.rules)
  2807168 - ETPRO TROJAN Win32/SystemHijack.gen Checkin 3 (trojan.rules)
  2807169 - ETPRO TROJAN Win32/SystemHijack.gen Checkin 2 (trojan.rules)
  2807176 - ETPRO TROJAN Variant.Kazy.253692 Checkin (trojan.rules)
  2807187 - ETPRO TROJAN User-Agent (explwer) (trojan.rules)
  2807190 - ETPRO TROJAN Trojan-Spy.Win32.Zbot.pnhr Checkin (trojan.rules)
  2807214 - ETPRO TROJAN Orbit downloader checkin 1 (trojan.rules)
  2807222 - ETPRO TROJAN Trojan-Downloader.Win32.Agent.duzx Checkin
(trojan.rules)
  2807225 - ETPRO TROJAN Trojan.Win32.Generic!SB.0 Checkin 2 (trojan.rules)
  2807246 - ETPRO TROJAN Variant.Zusy.71154 Checkin 2 (trojan.rules)
  2807264 - ETPRO TROJAN Trojan-Ransom.Win32.Blocker.cjfp Checkin
(trojan.rules)
  2807270 - ETPRO TROJAN Spider-network related CnC Checkin (trojan.rules)
  2807283 - ETPRO TROJAN PSW.Win32.Plagiator.a Checkin (trojan.rules)
  2807288 - ETPRO TROJAN Win32/Spy.Banker.AAIW Checkin (trojan.rules)
  2807290 - ETPRO TROJAN Win32/Swrort.A Checkin (trojan.rules)
  2807295 - ETPRO TROJAN Trojan-PSW.Win32.Tepfer.sqyx POST (trojan.rules)
  2807296 - ETPRO TROJAN Viknok (trojan.rules)
  2807297 - ETPRO TROJAN Viknok response (trojan.rules)
  2807312 - ETPRO TROJAN Trojan-Ransom.Win32.Blocker.cjon Checkin
(trojan.rules)
  2807327 - ETPRO TROJAN Dexter Variant (trojan.rules)
  2807330 - ETPRO TROJAN Trojan.MSIL.PGen (trojan.rules)
  2807344 - ETPRO TROJAN Win32/Uosproy.A Checkin 2 (trojan.rules)
  2807345 - ETPRO TROJAN Win32/Uosproy.A Checkin 3 (trojan.rules)
  2807347 - ETPRO TROJAN W32/Injector_Autoit.BE!tr Checkin (trojan.rules)
  2807348 - ETPRO TROJAN Trojan.Vobfus variant XP checkin (trojan.rules)
  2807350 - ETPRO USER_AGENTS Suspicious User Agent D3DL0 G00D N1C3
(user_agents.rules)
  2807361 - ETPRO EXPLOIT Cisco DCNM Arbitrary File Upload (exploit.rules)
  2807367 - ETPRO TROJAN TROJ_PIDIEF.SMKX PDF Checkin (trojan.rules)
  2807368 - ETPRO TROJAN Win32/Bedobot.B Checkin (trojan.rules)
  2807382 - ETPRO TROJAN Trojan/Win32.Zbot Variant 1 (trojan.rules)
  2807387 - ETPRO TROJAN Worm/Qvod.ey Checkin (trojan.rules)
  2807388 - ETPRO TROJAN Downloader.Win32.Genome.fcph (trojan.rules)
  2807408 - ETPRO TROJAN NSIS.StartPage.do Checkin (trojan.rules)
  2807409 - ETPRO TROJAN W32/Loosky.gen at MM Checkin (trojan.rules)
  2807426 - ETPRO TROJAN Trojan.Win32.Badur.gboh Download (trojan.rules)
  2807435 - ETPRO EXPLOIT Synology DSM SLICEUPLOAD RCE (exploit.rules)
  2807438 - ETPRO TROJAN Win.Trojan.Magania-4120 Checkin (trojan.rules)
  2807439 - ETPRO TROJAN Suspicious User-Agent (Opera/8.xx) Likely
Win32/Ranbyus (trojan.rules)
  2807442 - ETPRO TROJAN Win32/Tiop.A Checkin (trojan.rules)
  2807444 - ETPRO TROJAN Backdoor.Peeper.15.C Checkin (trojan.rules)
  2807449 - ETPRO TROJAN Trojan-Dropper.Win32.Kromeser.a Checkin 2
(trojan.rules)
  2807458 - ETPRO TROJAN Trojan/Downloader.Agent.gxth Checkin (trojan.rules)
  2807467 - ETPRO TROJAN TrojanDownloader.Win32/Unruy.C checkin - SET 2
(trojan.rules)
  2807469 - ETPRO TROJAN Win32.Hupigon.AIPM checkin (trojan.rules)
  2807471 - ETPRO TROJAN Worm.Win32.Luder.bebt Download (trojan.rules)
  2807473 - ETPRO TROJAN Trojan.Win32.Remko.m Checkin (trojan.rules)
  2807482 - ETPRO TROJAN Win32/Startpage.JT Checkin (trojan.rules)
  2807485 - ETPRO TROJAN Win32/Bervod.A 2 (trojan.rules)
  2807489 - ETPRO TROJAN Win32/Layrui.A Checkin (trojan.rules)
  2807495 - ETPRO TROJAN Trojan.Win32.Autoit.zk Checkin (trojan.rules)
  2807514 - ETPRO TROJAN win32.Kaliox.A (trojan.rules)
  2807516 - ETPRO TROJAN Ponmocup (newinstall.ru) (trojan.rules)
  2807521 - ETPRO TROJAN Win32/Qhost.Banker.MU Checkin (trojan.rules)
  2807523 - ETPRO TROJAN Win32.Genome.srs Downloader (trojan.rules)
  2807527 - ETPRO TROJAN Trojan-Downloader.Win32.Dapato.qio Download
(trojan.rules)
  2807529 - ETPRO TROJAN Banker.Win32.Banbra.axea Checkin (trojan.rules)
  2807535 - ETPRO TROJAN Win32/Zawat.A User-Agent (trojan.rules)
  2807543 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Pincer.a Checkin
(mobile_malware.rules)
  2807544 - ETPRO MOBILE_MALWARE Android.Fakebank.B Checkin
(mobile_malware.rules)
  2807563 - ETPRO TROJAN Win32/Hanove.E (trojan.rules)
  2807566 - ETPRO TROJAN Win32.Filezilla.Stealer Checkin (trojan.rules)
  2807577 - ETPRO TROJAN BackDoor.DOQ.gen.y Checkin 3 (trojan.rules)
  2807594 - ETPRO EXPLOIT D-Link DIR-100 admin password disclosure attempt
(exploit.rules)
  2807596 - ETPRO EXPLOIT D-Link DIR-100 information disclosure attempt
(exploit.rules)
  2807617 - ETPRO TROJAN Trojan.Win32.VBKrypt.ulrm Checkin (trojan.rules)
  2807619 - ETPRO TROJAN Trojan.Win32.Fsysna.jnb Checkin (trojan.rules)
  2807620 - ETPRO TROJAN Win32/Meredrop (trojan.rules)
  2807630 - ETPRO TROJAN TrojanDropper.Agent.cgsc Checkin (trojan.rules)
  2807637 - ETPRO TROJAN Win32.Androm.atfw Checkin (trojan.rules)
  2807639 - ETPRO TROJAN TrojanClicker.Win32.Hatigh.C (trojan.rules)
  2807667 - ETPRO TROJAN Virus.Win32.Virut.ce Checkin 6 (trojan.rules)
  2807672 - ETPRO TROJAN Alman Dropper Checkin 2 (trojan.rules)
  2807675 - ETPRO MOBILE_MALWARE Android/MobileTX.A (mobile_malware.rules)
  2807676 - ETPRO TROJAN Win32.MSIL/Injector (trojan.rules)
  2807677 - ETPRO TROJAN Win32/Miuref.A Checkin (trojan.rules)
  2807688 - ETPRO TROJAN Win32/Stitur.A Checkin (trojan.rules)
  2807694 - ETPRO TROJAN Win32/Delf.gen!A Checkin (trojan.rules)
  2808649 - ETPRO TROJAN Backdoor.Win32.Stantinko.A Checkin 3 (trojan.rules)
  2816506 - ETPRO TROJAN Possible Cerber Ransomware IP Check (trojan.rules)
  2823311 - ETPRO CURRENT_EVENTS Successful Linkedin Phish Nov 16 2016
(current_events.rules)
  2827188 - ETPRO POLICY External IP Address Lookup (utrace .de)
(policy.rules)
  2827189 - ETPRO TROJAN MSIL/TeslaWare Ransomware Requesting Image
(trojan.rules)
  2827566 - ETPRO CURRENT_EVENTS Successful Yapikredi Bank (TR) Phish M1
Aug 17 2017 (current_events.rules)
  2832047 - ETPRO TROJAN Observed Malicious SSL Cert (Hawkeye Keylogger
CnC) (trojan.rules)
  2835485 - ETPRO TROJAN Observed Malicious SSL Cert (BrushaLoader CnC)
(trojan.rules)
  2837249 - ETPRO TROJAN Win32/Remcos RAT Checkin 110 (trojan.rules)
  2838553 - ETPRO TROJAN Gh0stCringe CnC Activity M5 (trojan.rules)
  2839680 - ETPRO TROJAN Observed Malicious SSL Cert (ServHelper CnC)
(trojan.rules)
  2840223 - ETPRO TROJAN Win32/IcedID CnC Activity (trojan.rules)
  2841054 - ETPRO TROJAN Win32/IcedID CnC Activity (trojan.rules)
  2841480 - ETPRO TROJAN Win32/Valak PluginHost Request (trojan.rules)
  2841552 - ETPRO TROJAN MSIL/Poulight Stealer - Data Exfil (trojan.rules)
  2841553 - ETPRO TROJAN MSIL/Poulight Stealer CnC Activity (trojan.rules)
  2841554 - ETPRO TROJAN MSIL/Poulight Stealer Domain in DNS Lookup
(trojan.rules)
  2841589 - ETPRO TROJAN Win32/IcedID Requesting Encoded Binary M3
(trojan.rules)
  2841821 - ETPRO TROJAN Win32/PSW.Agent.OIN CnC Activity (trojan.rules)
  2841977 - ETPRO TROJAN Lemon_Duck Powershell Requesting Payload M1
(trojan.rules)
  2842061 - ETPRO TROJAN MalDoc Retrieving Lemon_Duck Payload 2020-04-16
(trojan.rules)