[Emerging-updates] Daily Ruleset Update Summary 2020/07/07

James Emery-Callcott jcallcott at emergingthreats.net
Tue Jul 7 14:15:02 HDT 2020


[***]            Summary:            [***]

        8 new OPEN, 46 new PRO (8 + 38).  DCRat, MageCart, ArcaneStealer,
Various Others.

        Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

        2030475 - ET TROJAN Observed Malicious SSL Cert (Zeromax Stealer CnC) (trojan.rules)
        2030476 - ET TROJAN Observed Malicious SSL Cert (TaurusStealer CnC) (trojan.rules)
        2030477 - ET TROJAN Observed TaurusStealer CnC Domain in TLS SNI (trojan.rules)
        2030478 - ET TROJAN SuperKillerX Checkin Activity (trojan.rules)
        2030479 - ET TROJAN SuperKillerX CnC Activity (trojan.rules)
        2030480 - ET TROJAN Magecart/Skimmer Domain in DNS Lookup (cddn .site) (trojan.rules)
        2030481 - ET TROJAN Magecart/Skimmer Domain in DNS Lookup (cxizi .net) (trojan.rules)
        2030482 - ET TROJAN Magecart/Skimmer Domain in DNS Lookup (yzxi .net) (trojan.rules)

Pro:

        2843350 - ETPRO TROJAN Win32/ArcaneStealer CnC Exfil (trojan.rules)
        2843351 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (cookieDomains.log) (trojan.rules)
        2843352 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Cookies_Mozilla.txt) (trojan.rules)
        2843353 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Default_Google_Chrome_Credit_Cards.log) (trojan.rules)
        2843354 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Default_Google_Chrome_Autofill.log) (trojan.rules)
        2843355 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Default_Google_Chrome_Cookies.txt) (trojan.rules)
        2843356 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST Request (Google_Password.txt) (trojan.rules)
        2843357 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (BSSID.txt) (info.rules)
        2843358 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request (System_Info.txt) (info.rules)
        2843359 - ETPRO CURRENT_EVENTS Successful BNP Paribas Phish 2020-07-06 (current_events.rules)
        2843360 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-07-07 1) (trojan.rules)
        2843361 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-07-07 2) (trojan.rules)
        2843362 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-07-07 3) (trojan.rules)
        2843363 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-07-07 4) (trojan.rules)
        2843364 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-07-07 (current_events.rules)
        2843365 - ETPRO CURRENT_EVENTS Successful HSBC Phish 2020-07-07 (current_events.rules)
        2843366 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-07-07 (current_events.rules)
        2843367 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish 2020-07-07 (current_events.rules)
        2843368 - ETPRO CURRENT_EVENTS Successful OneDrive Phish 2020-07-07 (current_events.rules)
        2843369 - ETPRO CURRENT_EVENTS Successful IONOS Webmail Phish 2020-07-07 (current_events.rules)
        2843370 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-07-07 (current_events.rules)
        2843371 - ETPRO CURRENT_EVENTS Successful Visa OTP Phish 2020-07-07 (current_events.rules)
        2843372 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-07-07 (current_events.rules)
        2843373 - ETPRO CURRENT_EVENTS Successful Banco Caja Phish 2020-07-07 (current_events.rules)
        2843374 - ETPRO CURRENT_EVENTS Successful Verified by Visa Phish 2020-07-07 (current_events.rules)
        2843375 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-07-07 (current_events.rules)
        2843376 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-07-07 (current_events.rules)
        2843377 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish 2020-07-07 (current_events.rules)
        2843378 - ETPRO TROJAN Win32/Presenoker CnC Checkin (trojan.rules)
        2843379 - ETPRO TROJAN DCRat CnC Activity M2 (trojan.rules)
        2843380 - ETPRO TROJAN DCRat CnC Activity M3 (trojan.rules)
        2843381 - ETPRO TROJAN DCRat CnC Activity M4 (trojan.rules)
        2843382 - ETPRO TROJAN DCRat CnC Activity M5 (trojan.rules)
        2843383 - ETPRO TROJAN DCRat CnC Activity M6 (trojan.rules)
        2843384 - ETPRO TROJAN DCRat CnC Activity M7 (trojan.rules)
        2843385 - ETPRO TROJAN DCRat CnC Activity M8 (trojan.rules)
        2843386 - ETPRO TROJAN DCRat CnC Activity M9 (trojan.rules)
        2843387 - ETPRO TROJAN DCRat CnC Activity M10 (trojan.rules)

[///]     Modified active rules:     [///]

        2018132 - ET WORM TheMoon.linksys.router 2 (worm.rules)
        2018155 - ET WORM TheMoon.linksys.router 3 (worm.rules)
        2022505 - ET TROJAN W32/Gaudox Checkin (trojan.rules)
        2022756 - ET TROJAN APT.Fwits CnC Beacon M1 (trojan.rules)
        2022757 - ET TROJAN APT.Fwits CnC Beacon M2 (trojan.rules)
        2022759 - ET TROJAN Blackmoon/Banbra Configuration Request (trojan.rules)
        2022760 - ET DOS Linux/Tsunami DOS User-Agent (x00_-gawa.sa.pilipinas.2015) INBOUND (dos.rules)
        2022775 - ET USER_AGENTS BLEXBot User-Agent (user_agents.rules)
        2022776 - ET WEB_SPECIFIC_APPS Magento Shoplift Exploit Inbound (web_specific_apps.rules)
        2022788 - ET TROJAN Backdoor.Darpapox/Jaku Initial C2 Checkin (trojan.rules)
        2029881 - ET TROJAN DCRat Initial CnC Activity (trojan.rules)
        2029897 - ET TROJAN DCRat CnC Activity (trojan.rules)
        2814810 - ETPRO TROJAN TinyDownloader Retrieving PE (trojan.rules)
        2816861 - ETPRO TROJAN Rockloader Checkin (trojan.rules)
        2819884 - ETPRO POLICY IP Check smart-ip.net HTTP (policy.rules)
        2819887 - ETPRO CURRENT_EVENTS Possible Nuclear EK Payload VarLen XOR (Nulls) M2 Apr 20 2016 (current_events.rules)
        2819924 - ETPRO CURRENT_EVENTS Adobe Online Document Phishing Landing Apr 25 M1 (current_events.rules)
        2819925 - ETPRO CURRENT_EVENTS Adobe Online Document Phishing Landing Apr 25 M2 (current_events.rules)
        2819926 - ETPRO CURRENT_EVENTS Successful Adobe Online Document Phish Apr 25 (current_events.rules)
        2819962 - ETPRO EXPLOIT Belkin n150 Directory Path Traversal Attempt (exploit.rules)
        2819964 - ETPRO EXPLOIT Belkin g_plus Information Disclosure Attempt (exploit.rules)
        2819965 - ETPRO EXPLOIT Cisco ucs_manager Remote Code Execution (exploit.rules)
        2819968 - ETPRO EXPLOIT Asmax ar_804_gu Remote Code Execution (exploit.rules)
        2819969 - ETPRO EXPLOIT Dlink dwr_932 Information Disclosure Attempt (exploit.rules)
        2819970 - ETPRO EXPLOIT Dlink dsl_2750b Information Disclosure Attempt (exploit.rules)
        2819972 - ETPRO EXPLOIT Dlink dns_320l_327l Remote Code Execution Attempt (exploit.rules)
        2819974 - ETPRO EXPLOIT Dlink dir_300_600_615 Information Disclosure Attempt (exploit.rules)
        2819975 - ETPRO EXPLOIT Dlink dir_300_320_615 Auth Bypass Attempt (exploit.rules)
        2819976 - ETPRO CURRENT_EVENTS Successful Craigslist Phish 2016-04-25 (current_events.rules)
        2819983 - ETPRO EXPLOIT Netgear Multi Remote Code Execution Attempt (exploit.rules)
        2819985 - ETPRO EXPLOIT Technicolor tc7200 Password Disclosure Attempt (exploit.rules)
        2819986 - ETPRO TROJAN Possible APT.Inif Downloader Retrieving Payload (trojan.rules)
        2819989 - ETPRO TROJAN APT.Rexpot Stage1 Variant CnC Beacon 2 (trojan.rules)
        2819991 - ETPRO TROJAN Downloader Requesting Likely APT.Rexpot Variant (trojan.rules)
        2819993 - ETPRO TROJAN Win32/Spy.KeyLogger.NHM Retrieving Secondary CnC (trojan.rules)
        2820002 - ETPRO TROJAN Win32/Strumapine.A Requesting Modules (set) (trojan.rules)
        2820003 - ETPRO TROJAN Win32/Strumapine.A Module Download (trojan.rules)
        2820005 - ETPRO TROJAN Emissary External IP Check 2 (trojan.rules)
        2820022 - ETPRO TROJAN Ransomware MM Locker CnC Activity M2 (trojan.rules)
        2820044 - ETPRO TROJAN APT.MADMAX CnC Beacon 3 (trojan.rules)
        2820054 - ETPRO TROJAN Pirpi Variant CnC Beacon (trojan.rules)
        2820055 - ETPRO TROJAN DeputyDog Variant CnC Beacon (trojan.rules)
        2820057 - ETPRO TROJAN APT.HILIGHT CnC Beacon (trojan.rules)
        2820058 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Tiny.az Checkin (mobile_malware.rules)
        2820072 - ETPRO TROJAN Trojan-PSW.Win32.KeyLogger.j CnC Beacon (trojan.rules)
        2820075 - ETPRO TROJAN Win32/Spy.Agent.OQX CnC Beacon (trojan.rules)
        2820078 - ETPRO TROJAN APT.Rexpot Variant CnC Beacon 5 (trojan.rules)
        2820080 - ETPRO TROJAN Possible APT.Rexpot Variant User-Agent (trojan.rules)
        2820095 - ETPRO TROJAN H1N1 Loader CnC Beacon M3 (trojan.rules)
        2820096 - ETPRO TROJAN H1N1 Loader CnC Beacon HTTP Header (trojan.rules)
        2820108 - ETPRO MOBILE_MALWARE Android/TrojanSMS.FakeInst.FP Checkin (mobile_malware.rules)
        2833194 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2018-10-18 (current_events.rules)
        2834712 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-02-04 (current_events.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
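
Added example, not part of the original announcement and not Emerging Threats' rule logic: the eight "Suspicious Zipped Filename in Outbound POST Request" signatures above (2843351 through 2843358) are named after the member filenames a browser-credential stealer typically packs into its exfil archive. The script below shows what such a detection has to do at the byte level: find ZIP local-file and central-directory headers anywhere in a POST body (the archive usually sits inside a multipart part, not at offset 0), read the member names out of them, and match the basenames against a watchlist built from the rule titles. The multipart request shape, the hypothetical upload path /upload.php, the RFC 5737 documentation address and the sample archives are all constructed here for the demonstration; the ZIP header offsets are from the PKWARE APPNOTE.

```python
"""Added illustration: flag an outbound HTTP POST whose body carries a ZIP
archive with infostealer-loot member names.  Not an ET rule; the request
shape, path, host and sample archives below are constructed for the demo."""
from __future__ import annotations

import io
import struct
import zipfile

# Member filenames taken from the titles of ETPRO 2843351-2843358 above.
LOOT_FILENAMES = {
    "cookieDomains.log",
    "Cookies_Mozilla.txt",
    "Default_Google_Chrome_Credit_Cards.log",
    "Default_Google_Chrome_Autofill.log",
    "Default_Google_Chrome_Cookies.txt",
    "Google_Password.txt",
    "BSSID.txt",
    "System_Info.txt",
}

# ZIP record signatures and the fixed offsets of the name-length field and the
# start of the name within each record (PKWARE APPNOTE sections 4.3.7 / 4.3.12).
LOCAL_HDR = (b"PK\x03\x04", 26, 30)    # local file header
CENTRAL_HDR = (b"PK\x01\x02", 28, 46)  # central directory file header


def zip_member_names(blob: bytes) -> list[str]:
    """Return the distinct member basenames named by every ZIP header found in
    blob, scanning from any offset so an archive embedded in a multipart body
    is still seen.  Stray signature bytes inside compressed data can yield a
    garbage name; that is harmless because callers match against a watchlist."""
    names: list[str] = []
    seen: set[str] = set()
    for sig, len_off, name_off in (LOCAL_HDR, CENTRAL_HDR):
        pos = blob.find(sig)
        while pos != -1:
            if pos + name_off <= len(blob):
                (name_len,) = struct.unpack_from("<H", blob, pos + len_off)
                raw = blob[pos + name_off : pos + name_off + name_len]
                # Members may be stored with a path; the rule titles name bare files.
                base = raw.decode("utf-8", errors="replace").rsplit("/", 1)[-1]
                if base and base not in seen:
                    seen.add(base)
                    names.append(base)
            pos = blob.find(sig, pos + len(sig))
    return names


def suspicious_zip_in_post(request: bytes) -> list[str]:
    """Loot-like member names carried in the body of an HTTP POST; [] when the
    request is not a POST, has no body, or the archive holds only other names.
    A sensor would take the method and body from its HTTP parser instead."""
    if not request.startswith(b"POST "):
        return []
    _head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        return []
    return [n for n in zip_member_names(body) if n in LOOT_FILENAMES]


def build_post(members: dict[str, bytes], host: str = "203.0.113.10") -> bytes:
    """Constructed sample traffic: a multipart/form-data POST uploading a ZIP
    built from `members`.  The default host is an RFC 5737 documentation
    address, not a real C2; /upload.php is a made-up path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    boundary = b"----FormBoundaryExample"
    body = (
        b"--" + boundary + b"\r\n"
        b'Content-Disposition: form-data; name="file"; filename="report.zip"\r\n'
        b"Content-Type: application/zip\r\n\r\n" + buf.getvalue() + b"\r\n"
        b"--" + boundary + b"--\r\n"
    )
    return (
        b"POST /upload.php HTTP/1.1\r\nHost: " + host.encode() + b"\r\n"
        b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body
    )


# Constructed samples: one stealer-style archive (with a nested path to show
# basename matching) and one benign upload that must not alert.
STEALER_POST = build_post({
    "Cookies_Mozilla.txt": b"example.com\tTRUE\t/\tFALSE\t0\tsid\tabc\n",
    "Browsers/Default_Google_Chrome_Cookies.txt": b"host\tname\tvalue\n",
    "System_Info.txt": b"OS: Windows 10\nUser: demo\n",
})
BENIGN_POST = build_post({"invoice-2020-07.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    print(suspicious_zip_in_post(STEALER_POST))
    # ['Cookies_Mozilla.txt', 'Default_Google_Chrome_Cookies.txt', 'System_Info.txt']
    print(suspicious_zip_in_post(BENIGN_POST))  # []
```

Two points worth keeping in mind when turning this into a real signature: the match is on the filename inside the archive, not on the HTTP filename= parameter, so renaming the upload to report.zip does not evade it; and the check is only as good as the watchlist, which is why the INFO-class rules for BSSID.txt and System_Info.txt are separated from the TROJAN-class ones above, since those two names are far more likely to appear in legitimate diagnostics bundles.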