[Emerging-updates] Daily Ruleset Update Summary 2020/02/20

Jason Williams jwilliams at emergingthreats.net
Thu Feb 20 14:17:38 HST 2020


[***]            Summary:            [***]

  24 new Open, 40 new Pro (24 + 16). Magecart, PHPs Labyrinth,
SeptemberRAT, OrcusRAT, Various Phishing.

  Thanks @dadamitis @prevailion

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

 [+++]          Added rules:          [+++]

 Open:

  2029501 - ET TROJAN Observed Malicious SSL Cert (MageCart CnC)
(trojan.rules)
  2029502 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)
(trojan.rules)
  2029503 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)
(trojan.rules)
  2029504 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)
(trojan.rules)
  2029505 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)
(trojan.rules)
  2029506 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)
(trojan.rules)
  2029507 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)
(trojan.rules)
  2029508 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)
(trojan.rules)
  2029509 - ET POLICY Observed DNS Query for Suspicious TLD (.management)
(policy.rules)
  2029510 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
(trojan.rules)
  2029511 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
(trojan.rules)
  2029512 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
(trojan.rules)
  2029513 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
(trojan.rules)
  2029514 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
(trojan.rules)
  2029515 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
(trojan.rules)
  2029516 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
(trojan.rules)
  2029517 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
(trojan.rules)
  2029518 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
(trojan.rules)
  2029519 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
(trojan.rules)
  2029520 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
(trojan.rules)
  2029521 - ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
(trojan.rules)
  2029522 - ET TROJAN Observed Malicious SSL Cert (PHPs Labyrinth Stage1
CnC) (trojan.rules)
  2029523 - ET MALWARE Fake ProtonVPN/AZORult CnC Domain Query
(malware.rules)
  2029524 - ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)
(trojan.rules)

 Pro:

  2841121 - ETPRO TROJAN MSIL/SeptemberRAT CnC Checkin (trojan.rules)
  2841122 - ETPRO TROJAN Observed Orcus RAT Server Name in TLS SNI
(trojan.rules)
  2841123 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-02-19 1) (trojan.rules)
  2841124 - ETPRO WEB_SPECIFIC_APPS Possible OWA Remote Privilege
Escalation Attempt (CVE-2020-0692) (web_specific_apps.rules)
  2841125 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-02-20 (current_events.rules)
  2841126 - ETPRO CURRENT_EVENTS Successful Vancity Online Banking Phish
2020-02-20 (current_events.rules)
  2841127 - ETPRO CURRENT_EVENTS Successful Credit Agricole Phish
2020-02-20 (current_events.rules)
  2841128 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish
2020-02-20 (current_events.rules)
  2841129 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2020-02-20
(current_events.rules)
  2841130 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-02-20 (current_events.rules)
  2841131 - ETPRO CURRENT_EVENTS Successful Sharefile Phish 2020-02-20
(current_events.rules)
  2841132 - ETPRO TROJAN Win32/Brontok Outbound Malicious Email Spam -
Template 1 Active (Outbound) (trojan.rules)
  2841133 - ETPRO TROJAN Observed Malicious AHK Downloader Activity
(trojan.rules)
  2841134 - ETPRO TROJAN Win32/Remcos RAT Checkin 348 (trojan.rules)
  2841135 - ETPRO TROJAN Win32/Remcos RAT Checkin 349 (trojan.rules)
  2841136 - ETPRO TROJAN Win32/Remcos RAT Checkin 350 (trojan.rules)

 [///]     Modified active rules:     [///]

  2001202 - ET WEB_SPECIFIC_APPS PHPNuke general SQL injection attempt
(web_specific_apps.rules)
  2001677 - ET MALWARE Webhancer Data Post (malware.rules)
  2001992 - ET MALWARE SurfSidekick Download (malware.rules)
  2002001 - ET MALWARE 180solutions Spyware Keywords Download
(malware.rules)
  2002402 - ET MALWARE Spyware Related User-Agent (UtilMind HTTPGet)
(malware.rules)
  2029453 - ET TROJAN Kimsuky Related CnC (trojan.rules)
  2810115 - ETPRO TROJAN TrojanDownloader.Banload.VGH checkin (trojan.rules)
  2810148 - ETPRO MALWARE Win32/Autoit.HZ Checkin (malware.rules)
  2810326 - ETPRO TROJAN PlugX Related Checkin (trojan.rules)
  2810454 - ETPRO TROJAN Mal/Banker-AA Conf Download (trojan.rules)
  2810615 - ETPRO WEB_SERVER Possible Information Leak Vuln CVE-2015-1648
(web_server.rules)
  2810686 - ETPRO TROJAN Win32/Dupzom Retrieving Payload (trojan.rules)
  2810703 - ETPRO TROJAN MSIL/Golroted.B or HawkEye External IP Check with
minimal headers (trojan.rules)
  2810936 - ETPRO MOBILE_MALWARE Android.Adware.Wapsx.A Checkin 5
(mobile_malware.rules)
  2810982 - ETPRO MALWARE Win32.AdLoad CnC Beacon (malware.rules)
  2811002 - ETPRO MALWARE Win32/BomJogo.A Checkin (malware.rules)
  2811014 - ETPRO CURRENT_EVENTS Fiesta Java Exploit/Payload
(current_events.rules)
  2811221 - ETPRO TROJAN ReactorBot CnC Observed (trojan.rules)
  2811238 - ETPRO WEB_SPECIFIC_APPS WP Landing Pages Plugin 1.8.4 SQLi
Attempt (web_specific_apps.rules)
  2811243 - ETPRO EXPLOIT DLink DNS/DNR 320 check_login Authentication
Bypass HTTP Request (exploit.rules)
  2811402 - ETPRO TROJAN Emotet CnC Beacon (trojan.rules)
  2811433 - ETPRO TROJAN Win32/Dishigy CnC Beacon (trojan.rules)
  2811631 - ETPRO TROJAN BACKDOOR.EMDIVI Checkin 3 (trojan.rules)
  2812052 - ETPRO MALWARE PUA.Spyware.XPCSpyPro GeoLocate Request
(malware.rules)
  2825926 - ETPRO TROJAN Callisto RCS CnC Beacon 1 (trojan.rules)
  2825927 - ETPRO TROJAN RCS Variant CnC Beacon (trojan.rules)
  2826404 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Hqwar.jck Checkin
(mobile_malware.rules)
  2826433 - ETPRO TROJAN GhostAdmin/KeyTrap/BlakStar Requesting Config M1
(trojan.rules)
  2826434 - ETPRO TROJAN GhostAdmin/KeyTrap/BlakStar Requesting Config M2
(trojan.rules)
  2828111 - ETPRO MOBILE_MALWARE Android Unknown Trojan Checkin
(mobile_malware.rules)
  2828331 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Oct 17
2017 (current_events.rules)
  2829719 - ETPRO CURRENT_EVENTS Successful Apple Phish 2018-02-19
(current_events.rules)
  2830153 - ETPRO CURRENT_EVENTS Successful Blackboard Phish 2018-03-27
(current_events.rules)
  2830252 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.dm Checkin
(mobile_malware.rules)
  2830267 - ETPRO TROJAN W32/PinoRAT C2 HTTP Pattern (trojan.rules)
  2830311 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 17
(mobile_malware.rules)
  2830512 - ETPRO MOBILE_MALWARE Android Trojan-Spy EmSeven File Exfil
(mobile_malware.rules)
  2831055 - ETPRO MOBILE_MALWARE Trojan-Downloader.AndroidOS.Agent.bf
Checkin (mobile_malware.rules)
  2831093 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC Domain)
(trojan.rules)
  2831335 - ETPRO TROJAN W32.1ms0rry Variant Generic Checkin (trojan.rules)
  2831491 - ETPRO TROJAN Win32/Agent.QGZR CnC Checkin (trojan.rules)
  2831817 - ETPRO CURRENT_EVENTS Likely Malicious JS Inbound
(current_events.rules)
  2831896 - ETPRO TROJAN Trojan.Redaman CnC Beacon (trojan.rules)
  2831948 - ETPRO CURRENT_EVENTS MalDoc Requesting Ursnif Payload M1
2018-07-23 (current_events.rules)
  2831950 - ETPRO CURRENT_EVENTS MalDoc Requesting Ursnif Payload M2
2018-07-23 (current_events.rules)
  2832122 - ETPRO TROJAN Win32.Pavica Checkin (trojan.rules)
  2832154 - ETPRO TROJAN MSIL/Haunted Miner CnC Checkin (trojan.rules)
  2835109 - ETPRO TROJAN Observed Malicious JScript Downloader Inbound
(trojan.rules)
  2835275 - ETPRO CURRENT_EVENTS Successful Apple Phish 2019-03-11
(current_events.rules)
  2836198 - ETPRO TROJAN Segrev Stealer FakeZip Conn Check (trojan.rules)
  2836976 - ETPRO CURRENT_EVENTS Known Evil Inject on Compromised Revive
AdServer (2019-06-20) (current_events.rules)
  2841054 - ETPRO TROJAN Win32/IcedID CnC Activity (trojan.rules)
  2841098 - ETPRO CURRENT_EVENTS Fallout EK Redirector Domain TLS SNI
(current_events.rules)
  2841099 - ETPRO CURRENT_EVENTS Fallout EK Redirector Domain Malicious SSL
Cert (current_events.rules)

 [---]  Disabled and modified rules:  [---]

  2026434 - ET TROJAN VBScript Redirect Style Exe File Download
(trojan.rules)
  2811492 - ETPRO CURRENT_EVENTS Possible HanJuan EK Secondary Flash File
June 15 2015 (current_events.rules)
  2827052 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK (Known Evil
Keitaro TDS) Jul 07 2017 (current_events.rules)