[Emerging-updates] Daily Ruleset Update Summary 2020/02/14

James Emery-Callcott jcallcott at emergingthreats.net
Fri Feb 14 15:24:56 HST 2020


[***]            Summary:            [***]

  24 new Open, 36 new Pro (21 + 15).  AZORult, Parallax, Kimsuky, Various SSL/TLS, Various Phish, Others.

  Thanks 0xCARNAGE.

  Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2029450 - ET TROJAN Kimsuky Related CnC (trojan.rules)
  2029451 - ET TROJAN Possible Kimsuky Related Exfil (trojan.rules)
  2029452 - ET TROJAN Possible Kimsuky Related Download (trojan.rules)
  2029453 - ET TROJAN Kimsuky Related CnC (trojan.rules)
  2029454 - ET TROJAN Parallax RAT CnC Domain Observed in DNS Query (trojan.rules)
  2029455 - ET TROJAN Parallax CnC Activity M7 (set) (trojan.rules)
  2029456 - ET TROJAN Parallax CnC Response Activity M7 (trojan.rules)
  2029457 - ET TROJAN Win32/AZORult V3.2 Client Checkin M10 (trojan.rules)
  2029458 - ET TROJAN Win32/AZORult V3.2 Client Checkin M11 (trojan.rules)
  2029459 - ET TROJAN Win32/AZORult V3.2 Client Checkin M12 (trojan.rules)
  2029460 - ET TROJAN Win32/AZORult V3.3 Client Checkin M10 (trojan.rules)
  2029461 - ET TROJAN Win32/AZORult V3.3 Client Checkin M11 (trojan.rules)
  2029462 - ET TROJAN Win32/AZORult V3.3 Client Checkin M12 (trojan.rules)
  2029463 - ET TROJAN Win32/AZORult V3.2 Client Checkin M13 (trojan.rules)
  2029464 - ET TROJAN Win32/AZORult V3.2 Client Checkin M14 (trojan.rules)
  2029465 - ET TROJAN Win32/AZORult V3.2 Client Checkin M15 (trojan.rules)
  2029466 - ET TROJAN Win32/AZORult V3.3 Client Checkin M13 (trojan.rules)
  2029467 - ET TROJAN Win32/AZORult V3.3 Client Checkin M14 (trojan.rules)
  2029468 - ET TROJAN Win32/AZORult V3.3 Client Checkin M15 (trojan.rules)
  2029469 - ET TROJAN Observed Malicious SSL Cert (AgentTesla CnC) (trojan.rules)
  2029470 - ET MALWARE Win32/YTDDownloader.F Activity (malware.rules)

Pro:

  2839487 - ETPRO INFO Observed Office Doc Download From .msi Request (info.rules)
  2841046 - ETPRO TROJAN Observed Malicious User-Agent (trojan.rules)
  2841047 - ETPRO TROJAN Observed Malicious SSL Cert (Get2) (trojan.rules)
  2841048 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-14 1) (trojan.rules)
  2841049 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-14 2) (trojan.rules)
  2841050 - ETPRO TROJAN MSIL/Pterodo.K Variant Host Checkin (trojan.rules)
  2841051 - ETPRO CURRENT_EVENTS Successful Vodafone Phish 2020-02-14 (current_events.rules)
  2841052 - ETPRO CURRENT_EVENTS Successful Santander Phish 2020-02-14 (current_events.rules)
  2841053 - ETPRO CURRENT_EVENTS Successful Linkedin Phish 2020-02-14 (current_events.rules)
  2841054 - ETPRO TROJAN Win32/IcedID CnC Activity (trojan.rules)
  2841055 - ETPRO TROJAN Cryptbot AHK Downloader (trojan.rules)
  2841056 - ETPRO TROJAN Win32/Remcos RAT Checkin 343 (trojan.rules)
  2841057 - ETPRO TROJAN Win32/Remcos RAT Checkin 344 (trojan.rules)
  2841058 - ETPRO TROJAN Win32/Remcos RAT Checkin 345 (trojan.rules)
  2841059 - ETPRO TROJAN Win32/Remcos RAT Checkin 346 (trojan.rules)

[///]     Modified active rules:     [///]

  2023764 - ET TROJAN X2000M.Agent Checkin Jan 24 2017 (trojan.rules)
  2028616 - ET CURRENT_EVENTS Facebook Phishing Domain in DNS Lookup (current_events.rules)
  2029200 - ET TROJAN Observed Malicious SSL Cert (jssLoader CnC) (trojan.rules)
  2029245 - ET TROJAN Observed Malicious SSL Cert (ServHelper CnC) (trojan.rules)
  2029380 - ET TROJAN Win32/Emotet CnC Activity (POST) M8 (trojan.rules)
  2029394 - ET TROJAN Malicious SSL Certificate detected (Patchwork CnC) (trojan.rules)
  2029400 - ET TROJAN Observed Malicious SSL Cert (TinyNuke Variant CnC) 2020-02-09 (trojan.rules)
  2816614 - ETPRO TROJAN OnionDog/TrosmAgent CnC Beacon (trojan.rules)
  2820288 - ETPRO TROJAN Bolek/Kbot CnC Checkin (trojan.rules)
  2820973 - ETPRO EXPLOIT Possible Wget Arbitrary File Write Exploit Attempt (CVE-2016-4971) (exploit.rules)
  2821167 - ETPRO TROJAN W32/Unknown Dropper Downloading Cobalt Strike Beacon (trojan.rules)
  2821343 - ETPRO TROJAN Win32.Swizzor Checkin (trojan.rules)
  2821344 - ETPRO TROJAN Cerber Ransomware Macro EXE Download (trojan.rules)
  2821827 - ETPRO WEB_SPECIFIC_APPS Navis WebAccess SQLi Attempt (web_specific_apps.rules)
  2821839 - ETPRO TROJAN Panda Banker CnC (trojan.rules)
  2822055 - ETPRO TROJAN Likely APT29 Retrieving Payload Embedded In PNG 2 (trojan.rules)
  2822080 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phishing Sept 12 2016 (current_events.rules)
  2822181 - ETPRO TROJAN Bolek HTTP Checkin (trojan.rules)
  2822235 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phishing M1 Sept 26 2016 (current_events.rules)
  2822236 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phishing M2 Sept 26 2016 (current_events.rules)
  2822240 - ETPRO CURRENT_EVENTS MalDoc Retrieving Payload Sep 26 2016 (current_events.rules)
  2822241 - ETPRO TROJAN Sharik/Smoke Loader Connectivity Check M3 (trojan.rules)
  2822242 - ETPRO TROJAN MSIL.ShopBot.avf Downloader Checkin (trojan.rules)
  2822246 - ETPRO TROJAN MSIL.ShopBot.avf Downloader Execute Command Request (trojan.rules)
  2822250 - ETPRO MALWARE Win32/ZonaInstaller PUP Install Beacon (malware.rules)
  2822482 - ETPRO CURRENT_EVENTS SunDown/Xer Payload (URL Primer) (current_events.rules)
  2822483 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Oct 07 2016 (current_events.rules)
  2823197 - ETPRO TROJAN Possible APT29 Compressed Payload Download Request (trojan.rules)
  2823671 - ETPRO TROJAN LatentBot HTTP POST Checkin 2 (trojan.rules)
  2823965 - ETPRO CURRENT_EVENTS Successful Paypal (DE) Phish Dec 19 2016 (current_events.rules)
  2824209 - ETPRO TROJAN MSIL/Downloader.Agent.CUL Checkin (trojan.rules)
  2824764 - ETPRO CURRENT_EVENTS RedKit EK Landing Feb 02 2017 M1 (current_events.rules)
  2824765 - ETPRO CURRENT_EVENTS RedKit EK Landing Feb 02 2017 M2 (current_events.rules)
  2824777 - ETPRO CURRENT_EVENTS EITest SocEng Chrome Fonts DL Feb 06 M1 (current_events.rules)
  2824807 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Feb 07 2017 (current_events.rules)
  2824916 - ETPRO MOBILE_MALWARE PUA Android/Odpa.A Checkin (mobile_malware.rules)
  2824975 - ETPRO TROJAN JS/Nemucod Retrieving Payload (trojan.rules)
  2825236 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Mar 03 2017 (current_events.rules)
  2825585 - ETPRO TROJAN Misdat/Poldat Variant CnC Beacon (trojan.rules)
  2825659 - ETPRO TROJAN Crypteando KeyLogger CnC Checkin (trojan.rules)
  2826028 - ETPRO TROJAN Malicious SSL Certificate Observed (Win32/Kryptik.FRIW Banker Injects) (trojan.rules)
  2827624 - ETPRO TROJAN Possible APT.9002 Fileless Variant CnC Beacon 1 (trojan.rules)
  2828540 - ETPRO CURRENT_EVENTS MalDoc Retrieving Payload Nov 6 2017 (current_events.rules)
  2828955 - ETPRO TROJAN W32/Nymaim Checkin 8 (trojan.rules)
  2829235 - ETPRO CURRENT_EVENTS Successful Secure Cloud Files Phish 2018-01-10 M2 (current_events.rules)
  2829339 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Skygofree.a Checkin 2 (mobile_malware.rules)
  2829396 - ETPRO MOBILE_MALWARE Android/Agent.AKX / Trojan-Spy.AndroidOS.Agent.oe Checkin 3 (mobile_malware.rules)
  2829434 - ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.O CnC Beacon (mobile_malware.rules)
  2829563 - ETPRO CURRENT_EVENTS Successful Ebay Phish 2018-02-06 (DE) (current_events.rules)
  2829757 - ETPRO MOBILE_MALWARE Android/Agent.ATW Checkin (mobile_malware.rules)
  2830046 - ETPRO MOBILE_MALWARE Android/LockScreen.Jisut.AP Checkin (mobile_malware.rules)
  2830049 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Shedun.V Checkin 4 (mobile_malware.rules)
  2830111 - ETPRO MOBILE_MALWARE Android/Spy.Agent.ALE / ArmedRocket Checkin (mobile_malware.rules)
  2830123 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Mwiam.e Checkin (mobile_malware.rules)
  2830125 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.bh Checkin 3 (mobile_malware.rules)
  2830309 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 16 (mobile_malware.rules)
  2830813 - ETPRO CURRENT_EVENTS Evil Redirector Leading to TechSupport Scam (current_events.rules)
  2830914 - ETPRO CURRENT_EVENTS Malicious Redirect Leading to SocEng May 18 2018 (current_events.rules)
  2830924 - ETPRO WEB_CLIENT Tech Support Phone Scam - Redirection to Landing Inbound (web_client.rules)
  2841023 - ETPRO TROJAN Request for Malicious Packed EXE (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2805813 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.GingerMaster.a Checkin 4 (mobile_malware.rules)
  2822002 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro Sep 6 2016 T1 (current_events.rules)
  2822142 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro Sep 16 2016 (current_events.rules)
  2822451 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro Oct 02 2016 (current_events.rules)
  2822452 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro Oct 06 2016 (current_events.rules)
  2823059 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro TDS Nov 01 2016 (current_events.rules)
  2823173 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro TDS Nov 01 2016 (current_events.rules)
  2823247 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro TDS Nov 14 2016 (current_events.rules)
  2824806 - ETPRO TROJAN Unknown Backdoor SSL Cert (legitimate compromised site) (trojan.rules)
  2825526 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro TDS Mar 17 2017 (current_events.rules)
  2826393 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro TDS May 15 2017 (current_events.rules)
  2827154 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro TDS July 16 2017 (current_events.rules)

[---]         Disabled rules:        [---]

  2821333 - ETPRO TROJAN W32/Pislik Checkin (trojan.rules)
  2823603 - ETPRO TROJAN MSIL.Unknown Checkin (trojan.rules)

[---]         Removed rules:         [---]

  2824463 - ETPRO TROJAN Observed Malicious Domain SSL Cert in SNI (Unknown) (trojan.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team