[Emerging-updates] Daily Ruleset Update Summary 2020/02/12

James Emery-Callcott jcallcott at emergingthreats.net
Wed Feb 12 13:50:57 HST 2020


[***]            Summary:            [***]

  5 new Open, 35 new Pro (5 + 30).  NewMoonlight, ABBCCoin, CobaltStrike,
Various Phish, Others.

  Thanks @401TRG and @james_inthe_box.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2029421 - ET INFO Suspicious EXE requested with Java UA (info.rules)
  2029422 - ET POLICY ABBCCoin Checkin (policy.rules)
  2029423 - ET USER_AGENTS ABBCCoin Activity Observed (user_agents.rules)
  2029424 - ET INFO [TGI] Entrust Entelligence Security Provider (Flowbits Set) (info.rules)
  2029425 - ET INFO [TGI] Possible Cobalt Strike Extra Whitespace HTTP Response (info.rules)

Pro:

  2840989 - ETPRO TROJAN MalDoc Request for Malicious Packed EXE (trojan.rules)
  2840990 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-12 1) (trojan.rules)
  2840991 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-12 2) (trojan.rules)
  2840992 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-12 3) (trojan.rules)
  2840993 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-12 4) (trojan.rules)
  2840994 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-12 5) (trojan.rules)
  2840995 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-12 6) (trojan.rules)
  2840996 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-12 7) (trojan.rules)
  2840997 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-12 8) (trojan.rules)
  2840998 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-12 9) (trojan.rules)
  2840999 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-12 10) (trojan.rules)
  2841000 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-12 11) (trojan.rules)
  2841001 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-12 12) (trojan.rules)
  2841002 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-02-12 (current_events.rules)
  2841003 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2020-02-12 (current_events.rules)
  2841004 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-02-12 (current_events.rules)
  2841005 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-02-12 (current_events.rules)
  2841006 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-02-12 (current_events.rules)
  2841007 - ETPRO CURRENT_EVENTS Successful Google Drive Phish 2020-02-12 (current_events.rules)
  2841008 - ETPRO CURRENT_EVENTS Successful Nedbank Phish 2020-02-12 (current_events.rules)
  2841009 - ETPRO CURRENT_EVENTS Successful My3 Phish 2020-02-12 (current_events.rules)
  2841010 - ETPRO CURRENT_EVENTS Successful Citi Phish 2020-02-12 (current_events.rules)
  2841011 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-02-12 (current_events.rules)
  2841012 - ETPRO CURRENT_EVENTS Successful Visa Phish 2020-02-12 (current_events.rules)
  2841013 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
  2841014 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2841015 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
  2841016 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  2841017 - ETPRO TROJAN Win32/Spy.Pavica.FD Variant Checkin (trojan.rules)
  2841018 - ETPRO TROJAN Win32/NewMoonlight Malicious Email Spam - Template 1 Active (Outbound) (trojan.rules)

[///]     Modified active rules:     [///]

  2814937 - ETPRO TROJAN Trojan/Win32.Scar Conn Check (trojan.rules)
  2814996 - ETPRO TROJAN Win32/Spy.VB.OBX Checkin (trojan.rules)
  2815039 - ETPRO TROJAN NewCT2 CnC Beacon (trojan.rules)
  2815180 - ETPRO CURRENT_EVENTS Nuclear EK Landing URI struct Dec 03 2015 M1 (current_events.rules)
  2815198 - ETPRO CURRENT_EVENTS Possible Evil Redirector Leading to EK Dec 03 2015 M2 (current_events.rules)
  2822458 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phishing Oct 06 2016 (current_events.rules)
  2822459 - ETPRO CURRENT_EVENTS Successful Dynamic Folder FreeMobile (FR) Phishing Oct 07 2016 (current_events.rules)
  2822485 - ETPRO TROJAN Automated Tor EXE Download Possibly Raum Trojan (trojan.rules)
  2822522 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Oct 10 2016 (current_events.rules)
  2822523 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Oct 10 2016 (current_events.rules)
  2822647 - ETPRO CURRENT_EVENTS Successful Bank of America Phish Oct 14 2016 (current_events.rules)
  2825129 - ETPRO TROJAN Carbanak VBS/GGLDR v2 Checkin (trojan.rules)
  2825196 - ETPRO TROJAN Win64/Agent.GR CnC Beacon (trojan.rules)
  2826000 - ETPRO MOBILE_MALWARE Android/HiddenApp.BF CnC Beacon (mobile_malware.rules)
  2826043 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Apr 20 2017 (current_events.rules)
  2826123 - ETPRO TROJAN MSIL/Unk.CoinMiner CnC Install Activity (trojan.rules)
  2826148 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.o Contact Exfil (mobile_malware.rules)
  2830308 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.dm Checkin 3 (mobile_malware.rules)
  2830765 - ETPRO MOBILE_MALWARE Android/Clicker.JV CnC Beacon (mobile_malware.rules)
  2833623 - ETPRO TROJAN W32.HTTP.Stager Checkin M1 (trojan.rules)
  2834335 - ETPRO TROJAN AZORult CnC Beacon M3 (trojan.rules)
  2835751 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.ms Checkin (mobile_malware.rules)
  2837686 - ETPRO MALWARE Win32/Adware.Zzinfor.U Retrieving Payload Details (malware.rules)
  2837751 - ETPRO MALWARE Win32/Adposhel Adware Activity (malware.rules)
  2837832 - ETPRO CURRENT_EVENTS Successful Geneneric Credit Card Information Phish 2019-08-02 (current_events.rules)
  2837863 - ETPRO CURRENT_EVENTS Successful TalkTalk Phish 2019-08-05 (current_events.rules)
  2838096 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-08-20 (current_events.rules)
  2838314 - ETPRO TROJAN Trickbot CnC Activity - Account (trojan.rules)
  2838315 - ETPRO TROJAN Trickbot CnC Activity - Executable Path (trojan.rules)
  2838316 - ETPRO TROJAN Trickbot CnC Activity - NAT Status (trojan.rules)
  2839701 - ETPRO MOBILE_MALWARE Android/TrojanSMS.FakeInst.RA Checkin (mobile_malware.rules)
  2840014 - ETPRO CURRENT_EVENTS Successful Chase Phish 2019-12-19 (current_events.rules)
  2840072 - ETPRO TROJAN Docxer CnC Initial Checkin (trojan.rules)
  2840073 - ETPRO TROJAN Docxer CnC Heartbeat (trojan.rules)
  2840081 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BAK Checkin (mobile_malware.rules)
  2840082 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BAK Contact Exfil (mobile_malware.rules)
  2840212 - ETPRO CURRENT_EVENTS Successful TD Bank Phish 2020-01-02 (current_events.rules)
  2840608 - ETPRO CURRENT_EVENTS Successful Indeed Phish 2020-01-23 (current_events.rules)
  2840986 - ETPRO TROJAN Win32/BroomFury Malicious Email Spam - Template 1 Active M1 (Outbound) (trojan.rules)
  2840987 - ETPRO TROJAN Win32/BroomFury Malicious Email Spam - Template 1 Active M2 (Outbound) (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2814766 - ETPRO CURRENT_EVENTS Possible Nuclear EK Flash Exploit M3 (current_events.rules)
  2814767 - ETPRO CURRENT_EVENTS Possible Nuclear EK Flash Exploit M4 (current_events.rules)
  2815122 - ETPRO CURRENT_EVENTS Malicious Redirect Leading to EK Nov 28 2015 (current_events.rules)
  2815178 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Pyrof.a Checkin (mobile_malware.rules)
  2815214 - ETPRO CURRENT_EVENTS Possible Nuclear EK Payload Dec 06 2015 (current_events.rules)
  2822643 - ETPRO CURRENT_EVENTS Successful Outlook Phish Oct 14 2016 (current_events.rules)
  2825295 - ETPRO TROJAN MSIL/Neptune Reporting System Information (trojan.rules)

[---]         Disabled rules:        [---]

  2814970 - ETPRO TROJAN Variant.Barys.5471 (B) Checkin (trojan.rules)
  2815216 - ETPRO TROJAN Unknown CnC Checkin (trojan.rules)
  2815282 - ETPRO MALWARE W32/Unk Reporting PUP Installs (malware.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team