[Emerging-updates] Daily Ruleset Update Summary 2020/02/13

James Emery-Callcott jcallcott at emergingthreats.net
Thu Feb 13 14:22:22 HST 2020


[***]            Summary:            [***]

  24 new Open, 49 new Pro (24 + 25).  AZORult, MoleRAT, Remcos, Various Phish, Others.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2029426 - ET TROJAN DNS Query to MINEBRIDGE CnC Domain (123faster .top) (trojan.rules)
  2029427 - ET TROJAN DNS Query to MINEBRIDGE CnC Domain (conversia91 .top) (trojan.rules)
  2029428 - ET TROJAN DNS Query to MINEBRIDGE CnC Domain (fatoftheland .top) (trojan.rules)
  2029429 - ET TROJAN DNS Query to MINEBRIDGE CnC Domain (creatorz123 .top) (trojan.rules)
  2029430 - ET TROJAN DNS Query to MINEBRIDGE CnC Domain (compilator333 .top) (trojan.rules)
  2029431 - ET TROJAN MoleRAT/Pierogi Backdoor Activity (trojan.rules)
  2029432 - ET TROJAN MoleRAT/Pierogi CnC Response (Command) (trojan.rules)
  2029433 - ET TROJAN MoleRAT/Pierogi CnC Response (Download) (trojan.rules)
  2029434 - ET TROJAN MoleRAT/Pierogi CnC Response (Screenshot) (trojan.rules)
  2029435 - ET TROJAN MoleRAT/Pierogi CnC Activity (Upload) (trojan.rules)
  2029436 - ET TROJAN Win32/AZORult V3.2 Client Checkin M4 (trojan.rules)
  2029437 - ET TROJAN Win32/AZORult V3.2 Client Checkin M5 (trojan.rules)
  2029438 - ET TROJAN Win32/AZORult V3.2 Client Checkin M6 (trojan.rules)
  2029439 - ET TROJAN Win32/AZORult V3.3 Client Checkin M4 (trojan.rules)
  2029440 - ET TROJAN Win32/AZORult V3.3 Client Checkin M5 (trojan.rules)
  2029441 - ET TROJAN Win32/AZORult V3.3 Client Checkin M6 (trojan.rules)
  2029442 - ET TROJAN Win32/AZORult V3.2 Client Checkin M7 (trojan.rules)
  2029443 - ET TROJAN Win32/AZORult V3.2 Client Checkin M8 (trojan.rules)
  2029444 - ET TROJAN Win32/AZORult V3.2 Client Checkin M9 (trojan.rules)
  2029445 - ET TROJAN Win32/AZORult V3.3 Client Checkin M7 (trojan.rules)
  2029446 - ET TROJAN Win32/AZORult V3.3 Client Checkin M8 (trojan.rules)
  2029447 - ET TROJAN Win32/AZORult V3.3 Client Checkin M9 (trojan.rules)
  2029448 - ET TROJAN POWERTON CnC Domain in DNS Lookup (trojan.rules)
  2029449 - ET TROJAN Observed Malicious SSL Cert (FIN7/GRIFFON CnC) (trojan.rules)

Pro:

  2839487 - ETPRO HUNTING Observed Office Doc Download From .msi Request (hunting.rules)
  2841019 - ETPRO TROJAN ELF/Unk.Siggen Request for Malicious bash Script (trojan.rules)
  2841020 - ETPRO TROJAN Observed Malicious SSL Cert (Get2) (trojan.rules)
  2841021 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL 2020-02-13) (trojan.rules)
  2841022 - ETPRO TROJAN ELF/Mirai Dropper Style DNS Query CnC Domain (trojan.rules)
  2841023 - ETPRO TROJAN Request for Malicious Packed EXE (trojan.rules)
  2841027 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-12 1) (trojan.rules)
  2841028 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-12 2) (trojan.rules)
  2841029 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2020-02-13 (current_events.rules)
  2841030 - ETPRO CURRENT_EVENTS Successful Apple Phish 2020-02-13 (current_events.rules)
  2841031 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-02-13 (current_events.rules)
  2841032 - ETPRO CURRENT_EVENTS Successful Tesco Bank Phish 2020-02-13 (current_events.rules)
  2841033 - ETPRO CURRENT_EVENTS Successful Telekom/Tmobile Phish 2020-02-13 (current_events.rules)
  2841034 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-02-13 (current_events.rules)
  2841035 - ETPRO TROJAN Win32/Detplock CnC Activity (trojan.rules)
  2841036 - ETPRO TROJAN Win32/Remcos RAT Checkin 335 (trojan.rules)
  2841037 - ETPRO TROJAN Win32/Remcos RAT Checkin 336 (trojan.rules)
  2841038 - ETPRO TROJAN Win32/Remcos RAT Checkin 337 (trojan.rules)
  2841039 - ETPRO TROJAN Win32/Remcos RAT Checkin 338 (trojan.rules)
  2841040 - ETPRO TROJAN Win32/Remcos RAT Checkin 339 (trojan.rules)
  2841041 - ETPRO TROJAN Win32/Remcos RAT Checkin 340 (trojan.rules)
  2841042 - ETPRO TROJAN Win32/Remcos RAT Checkin 341 (trojan.rules)
  2841043 - ETPRO TROJAN Win32/Remcos RAT Checkin 342 (trojan.rules)
  2841044 - ETPRO TROJAN Observed Malicious SSL Cert (IcedID CnC) (trojan.rules)
  2841045 - ETPRO TROJAN Observed Malicious SSL Cert (IcedID CnC) (trojan.rules)

[///]     Modified active rules:     [///]

  2010217 - ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin (trojan.rules)
  2022990 - ET CURRENT_EVENTS Evil Redirect Leading to EK Jul 28 2016 (current_events.rules)
  2025001 - ET CURRENT_EVENTS Possible Successful Websocket Credential Phish Sep 15 2017 (current_events.rules)
  2029022 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029034 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2029338 - ET CURRENT_EVENTS Successful Generic Phish 2020-01-29 (set) (current_events.rules)
  2800850 - ETPRO WEB_SERVER Microsoft ASP.NET PKCS Padding Information Disclosure via 500 normal oracle response (web_server.rules)
  2800851 - ETPRO WEB_SERVER Microsoft ASP.NET PKCS Padding Information Disclosure via 500 abnormal oracle response (web_server.rules)
  2805967 - ETPRO TROJAN Trojan.Larhife.A reporting via ICQ WWW script (trojan.rules)
  2808718 - ETPRO TROJAN Backdoor.Win32/Turla.A Checkin (trojan.rules)
  2808719 - ETPRO TROJAN Win32.Virut.ua Dropping Files (trojan.rules)
  2808958 - ETPRO TROJAN Backdoor.Cakwerd Dropping Files (trojan.rules)
  2811966 - ETPRO TROJAN Win32/Zlader.J Checkin (trojan.rules)
  2811970 - ETPRO MALWARE Adware.Gigaclicks.3 Checkin (malware.rules)
  2811984 - ETPRO TROJAN Win32/Plugx.L Variant Checkin (trojan.rules)
  2812015 - ETPRO TROJAN Python/FBook.B CnC Beacon 2 (trojan.rules)
  2812414 - ETPRO TROJAN Win32.Diztakun.zsg Infostealer M1 (trojan.rules)
  2816768 - ETPRO TROJAN Possible Dridex Executable Download Request (set) (trojan.rules)
  2816788 - ETPRO TROJAN Ransomware.Hidden-Tear Variant CnC Checkin (trojan.rules)
  2816810 - ETPRO TROJAN Godzilla Loader Set Cookie from Server (trojan.rules)
  2819826 - ETPRO TROJAN MSIL/BrLock Screenlocker Activity (trojan.rules)
  2819842 - ETPRO TROJAN Possible APT Win32/Chinema HTTP CnC Beacon 1 (trojan.rules)
  2819858 - ETPRO TROJAN OfficeDownloader Requesting Payload (trojan.rules)
  2819955 - ETPRO MOBILE_MALWARE PUP Android/NagaProtect.A Checkin (mobile_malware.rules)
  2819959 - ETPRO TROJAN Vawtrak Dropper Checkin (trojan.rules)
  2820008 - ETPRO TROJAN Emissary CnC Beacon Response 2 (trojan.rules)
  2820023 - ETPRO TROJAN W32/Infy Config Download (trojan.rules)
  2820025 - ETPRO MALWARE Kuping Config Download (malware.rules)
  2820035 - ETPRO MALWARE Win32.Adware.FlyStudio.O Checkin (malware.rules)
  2820681 - ETPRO TROJAN W32/XPCSpyPro/RemoteManipulator RAT Checkin (trojan.rules)
  2820775 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro Jun 21 2016 T1 (current_events.rules)
  2820803 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Jun 22 (current_events.rules)
  2821475 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Hiddapp.l Checkin (mobile_malware.rules)
  2821476 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Hiddapp.l Checkin 2 (mobile_malware.rules)
  2821753 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Aug 16 2016 (current_events.rules)
  2823488 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Nov 28 2016 (current_events.rules)
  2823577 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish M1 Dec 02 2016 (current_events.rules)
  2823578 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish M2 Dec 02 2016 (current_events.rules)
  2824472 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Jan 17 2017 (current_events.rules)
  2826551 - ETPRO CURRENT_EVENTS Successful Banking Phish M1 May 31 2017 (current_events.rules)
  2829738 - ETPRO MOBILE_MALWARE Android/Coinminer.V Checkin (mobile_malware.rules)
  2829823 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.DroidSpy.a Checkin (mobile_malware.rules)
  2829906 - ETPRO TROJAN Win32/Onliner Spam Bot Requesting Additional Modules (trojan.rules)
  2830520 - ETPRO TROJAN MSIL/TBR Screenshot Upload (trojan.rules)
  2830685 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.ZooPark CnC Beacon 2 (mobile_malware.rules)
  2838139 - ETPRO TROJAN Unusual Header Contents - Likely Downloader (trojan.rules)
  2838303 - ETPRO EXPLOIT Cisco UCS Director - Attempted Authenticated Command Injection (CVE-2019-1936) (exploit.rules)
  2838342 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2019-09-06 (current_events.rules)
  2839211 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-11-04 (current_events.rules)
  2839649 - ETPRO TROJAN Win32/Chapak Downloader Activity (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2022904 - ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 15 2016 (current_events.rules)
  2810899 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK/Malware (current_events.rules)
  2819880 - ETPRO CURRENT_EVENTS Nuclear EK Flash Version IE PostBack M1 Apr 20 2016 (current_events.rules)
  2819881 - ETPRO CURRENT_EVENTS Possible Nuclear EK IE PostBack M1 Apr 20 2016 (fb set) (current_events.rules)
  2819882 - ETPRO CURRENT_EVENTS Possible Nuclear EK IE PostBack Response M1 Apr 20 2016 (current_events.rules)
  2820404 - ETPRO CURRENT_EVENTS Possible KaiXin EK Common Flash Exploit URI Constructn May 31 2016 (current_events.rules)
  2820776 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro Jun 21 2016 T2 (current_events.rules)
  2820975 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro Jul 05 2016 T1 (current_events.rules)
  2821342 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro Jul 25 2016 T1 (current_events.rules)
  2821385 - ETPRO WEB_SPECIFIC_APPS Centreon 2.5.3 Web Useralias RCE (web_specific_apps.rules)
  2821389 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro Aug 1 2016 T1 (current_events.rules)
  2821641 - ETPRO TROJAN Win32.Shakti HTTP Pattern (trojan.rules)
  2821644 - ETPRO TROJAN Win32.Shakti Uploading Files (trojan.rules)
  2826553 - ETPRO CURRENT_EVENTS Successful Bank of America Phish M2 May 31 2017 (current_events.rules)

[---]         Disabled rules:        [---]

  2800389 - ETPRO MALWARE Trojan Downloader Exchanger.Gen2 (malware.rules)
  2808734 - ETPRO MALWARE PUA.DNWRandomHack Checkin (malware.rules)
  2810713 - ETPRO TROJAN Bedep CnC Beacon Response (trojan.rules)
  2811867 - ETPRO TROJAN Win32/Unknown Checkin (trojan.rules)
  2811973 - ETPRO TROJAN Win32/Korplug.FO Checkin (trojan.rules)
  2821774 - ETPRO TROJAN Alma Locker CnC Beacon (trojan.rules)

[---]         Removed rules:         [---]

  2839362 - ETPRO HUNTING Inbound Doc Containing WScript Shell (hunting.rules)
  2839363 - ETPRO HUNTING Inbound Doc Containing WScript Network (hunting.rules)
  2839365 - ETPRO HUNTING Inbound Doc Containing OS Shutdown Functionality (hunting.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team