[Emerging-updates] Daily Ruleset Update Summary 2020/06/09

Jason Williams jwilliams at emergingthreats.net
Tue Jun 9 13:07:48 HDT 2020


[***]            Summary:            [***]

  8 Open, 35 Pro (8 + 27). BazarLoader, Callstranger, CVE-2020-1214,
Various Mobile, Various Phishing, Suri5 updates.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

 [+++]          Added rules:          [+++]

 Open:

  2030267 - ET TROJAN Observed Malicious DNS Query (BazarLoader/Team9
Backdoor CnC Domain) (trojan.rules)
  2030268 - ET TROJAN Observed Malicious DNS Query (BazarLoader/Team9
Backdoor CnC Domain) (trojan.rules)
  2030269 - ET TROJAN Observed Malicious DNS Query (BazarLoader/Team9
Backdoor CnC Domain) (trojan.rules)
  2030270 - ET TROJAN Observed Malicious DNS Query (BazarLoader/Team9
Backdoor CnC Domain) (trojan.rules)
  2030271 - ET SCAN Observed Suspicious UA (Callstranger Vulnerability
Checker) (scan.rules)
  2030272 - ET SCAN UPnP SUBSCRIBE Inbound - Possible CallStranger Scan
(CVE-2020-12695) (scan.rules)
  2030273 - ET SCAN ELF/Mirai Variant User-Agent (Inbound) (scan.rules)
  2030274 - ET TROJAN ELF/Mirai Variant User-Agent (Outbound) (trojan.rules)

 Pro:

  2842927 - ETPRO MOBILE_MALWARE Android/FakeApp.QL!tr CnC Beacon
(mobile_malware.rules)
  2842928 - ETPRO MOBILE_MALWARE Android/FakeApp.QL!tr CnC Beacon 2
(mobile_malware.rules)
  2842929 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.Resharer.l CnC Beacon
(mobile_malware.rules)
  2842930 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.Resharer.o CnC Beacon
(mobile_malware.rules)
  2842931 - ETPRO MOBILE_MALWARE Android Wyzpy Reporting App List
(mobile_malware.rules)
  2842932 - ETPRO MALWARE Observed KuaiZip User-Agent (malware.rules)
  2842933 - ETPRO TROJAN Observed Malicious SSL Cert (Zloader CnC)
(trojan.rules)
  2842934 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL 2020-06-09)
(trojan.rules)
  2842935 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-06-09 1) (trojan.rules)
  2842936 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-06-09 2) (trojan.rules)
  2842937 - ETPRO EXPLOIT Possible IE UAF Attempt (CVE-2020-1214)
(exploit.rules)
  2842938 - ETPRO EXPLOIT Possible SMBv1 Denial of Service (CVE-2020-1301)
(exploit.rules)
  2842939 - ETPRO TROJAN Win32/Spy.Agent.PRG Variant File Upload
(trojan.rules)
  2842940 - ETPRO TROJAN Win32/Remcos RAT Checkin 452 (trojan.rules)
  2842941 - ETPRO TROJAN Win32/Remcos RAT Checkin 453 (trojan.rules)
  2842942 - ETPRO TROJAN Win32/Remcos RAT Checkin 454 (trojan.rules)
  2842943 - ETPRO TROJAN Win32/Remcos RAT Checkin 455 (trojan.rules)
  2842944 - ETPRO TROJAN Win32/Remcos RAT Checkin 456 (trojan.rules)
  2842945 - ETPRO TROJAN SSL/TLS Certificate Observed
(MSIL/TrojanDownloader.Agent.GCD Variant) (trojan.rules)
  2842946 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)
  2842947 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)
  2842948 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-06-09 (current_events.rules)
  2842949 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish
2020-06-09 (current_events.rules)
  2842950 - ETPRO CURRENT_EVENTS Successful Ebay Phish 2020-06-09
(current_events.rules)
  2842951 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2020-06-09
(current_events.rules)
  2842952 - ETPRO CURRENT_EVENTS Successful HSBC (UK) Phish 2020-06-09
(current_events.rules)
  2842953 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-06-09
(current_events.rules)

 [///]     Modified active rules:     [///]

  2014006 - ET TROJAN Backdoor.Win32.Sykipot Checkin (trojan.rules)
  2014314 - ET CURRENT_EVENTS DRIVEBY Incognito Payload Download /load/*exe
(current_events.rules)
  2014778 - ET TROJAN Bebloh connectivity check (trojan.rules)
  2014869 - ET SCAN Arachni Scanner Web Scan (scan.rules)
  2016067 - ET POLICY Possible BitCoin Miner User-Agent (miner)
(policy.rules)
  2017389 - ET WEB_SERVER WebShell - ASPyder - Auth Creds (web_server.rules)
  2019534 - ET TROJAN Sednit/AZZY Checkin (trojan.rules)
  2022034 - ET TROJAN Silent Miner Changelog Checkin (trojan.rules)
  2022037 - ET TROJAN JS/Nemucod.M.gen requesting EXE payload 2015-11-02
(trojan.rules)
  2022038 - ET TROJAN JS/Nemucod.M.gen requesting PDF payload 2015-11-02
(trojan.rules)
  2022039 - ET CURRENT_EVENTS Possible vBulletin object injection
vulnerability Attempt (current_events.rules)
  2022073 - ET TROJAN Bookworm CnC Beacon (trojan.rules)
  2022074 - ET TROJAN Bookworm CnC Beacon 2 (trojan.rules)
  2022081 - ET MOBILE_MALWARE Android Trojan Cloudsota HTTP Host
(mobile_malware.rules)
  2022105 - ET TROJAN r0 CnC Check (trojan.rules)
  2022106 - ET TROJAN r0 CnC Architecture GET 1 (trojan.rules)
  2022107 - ET TROJAN r0 CnC Architecture GET 2 (trojan.rules)
  2022108 - ET TROJAN r0 CnC Architecture GET 3 (trojan.rules)
  2022109 - ET TROJAN r0 CnC Architecture GET 4 (trojan.rules)
  2022110 - ET TROJAN r0 CnC Report GET (trojan.rules)
  2022111 - ET TROJAN r0 CnC GET (trojan.rules)
  2022119 - ET TROJAN Nymaim.BA CnC M1 (trojan.rules)
  2022120 - ET TROJAN Nymaim.BA CnC M2 (trojan.rules)
  2022126 - ET TROJAN MegalodonHTTP CnC Checkin (trojan.rules)
  2022128 - ET TROJAN MegalodonHTTP CoinMiner Activity (trojan.rules)
  2022135 - ET CURRENT_EVENTS Possible Spartan/Nuclear EK Payload
(current_events.rules)
  2022186 - ET TROJAN Win32/Swrort.A Checkin 3 (trojan.rules)
  2022192 - ET TROJAN VBKlip/ClipBanker.P Status Update (trojan.rules)
  2022207 - ET TROJAN JS/Nemucod requesting EXE payload 2015-12-01
(trojan.rules)
  2022220 - ET INFO possible .jpg download by VBA macro (info.rules)
  2022224 - ET TROJAN Linux/MayhemBruter Inbound Ping From CnC
(trojan.rules)
  2022240 - ET SCAN Possible Scanning for Vulnerable JBoss (scan.rules)
  2806289 - ETPRO POLICY RemoteAdmin Win32.Ammyy.z Checkin (policy.rules)
  2807822 - ETPRO TROJAN Win32/Paramis.A Checkin 2 (trojan.rules)
  2808977 - ETPRO POLICY howtofindmyipaddress.com IP Check (policy.rules)
  2812942 - ETPRO POLICY External IP Address Lookup - ipmonkey.com
(policy.rules)
  2813008 - ETPRO TROJAN Win32/CMSBrute/Pifagor Attempted Bruteforcing
(trojan.rules)
  2814492 - ETPRO CURRENT_EVENTS Nuclear EK Landing Oct 20 2015 M1
(current_events.rules)
  2814493 - ETPRO CURRENT_EVENTS Nuclear EK Landing Oct 20 2015 M2
(current_events.rules)
  2814724 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2015-11-03 M3
(current_events.rules)
  2814725 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2015-11-03 M4
(current_events.rules)
  2814729 - ETPRO TROJAN Bmdoor Variant CnC Beacon 3 (trojan.rules)
  2814731 - ETPRO TROJAN Likely Evil Binary Sent (.pdf.scr) (trojan.rules)
  2814734 - ETPRO TROJAN Win32/Banload.WQI Retrieving File (trojan.rules)
  2814735 - ETPRO TROJAN Win32.Nanobot/Libix Checkin (trojan.rules)
  2814754 - ETPRO TROJAN W32/Nymaim Checkin (trojan.rules)
  2814775 - ETPRO TROJAN Win32.Trojan.Yxjtips.Svrd Config File Download
(trojan.rules)
  2814796 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.BMT Checkin
(mobile_malware.rules)
  2814797 - ETPRO TROJAN Win32.Maica.A Checkin (trojan.rules)
  2814819 - ETPRO TROJAN Ransomware/Poshcoder CnC Checkin (trojan.rules)
  2814846 - ETPRO MOBILE_MALWARE Android/Fobus.X Checkin
(mobile_malware.rules)
  2814850 - ETPRO INFO Data Submitted to Weebly.com - Possible Phishing
(info.rules)
  2814851 - ETPRO CURRENT_EVENTS Weebly Phishing Landing Observed Nov 10
(current_events.rules)
  2814854 - ETPRO TROJAN Win32.PerfectBN.A Checkin (trojan.rules)
  2814855 - ETPRO TROJAN Win32.PerfectBN.A Checkin 2 (trojan.rules)
  2814862 - ETPRO TROJAN Sosinf CnC Beacon (trojan.rules)
  2814882 - ETPRO TROJAN Gippers Connectivity Check (trojan.rules)
  2814884 - ETPRO TROJAN Gippers CnC Beacon 2 (trojan.rules)
  2814901 - ETPRO MOBILE_MALWARE InstaAgent Password Harvester Cred Upload
(mobile_malware.rules)
  2814907 - ETPRO TROJAN Farfli.aaot User-Agent (Xxiaoxu) (trojan.rules)
  2814909 - ETPRO TROJAN CryptoBrazzer Ransomware File Upload (trojan.rules)
  2814914 - ETPRO TROJAN Linux.IptabLes/IptabLex Retreiving Processes to
Kill (trojan.rules)
  2814932 - ETPRO TROJAN CherryPickerPOS HTTP POST Exfiltration
(trojan.rules)
  2814938 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Agent.dm Checkin 2
(mobile_malware.rules)
  2814939 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Agent.dm Checkin 3
(mobile_malware.rules)
  2814942 - ETPRO MOBILE_MALWARE Android.Riskware.SMSSend.AY Checkin 2
(mobile_malware.rules)
  2814951 - ETPRO POLICY Screenleap Download Executable M1 (policy.rules)
  2814952 - ETPRO POLICY Screenleap Application Version Check (policy.rules)
  2814953 - ETPRO POLICY Screenleap Download Executable M2 (policy.rules)
  2814954 - ETPRO POLICY Screenleap Application Downloading CrashSender
(policy.rules)
  2814955 - ETPRO POLICY Screenleap Session Active (policy.rules)
  2814957 - ETPRO POLICY Screenleap Screen Viewing In Progress
(policy.rules)
  2814958 - ETPRO POLICY Screenleap Download Executable M3 (policy.rules)
  2814960 - ETPRO TROJAN Kraken Stresser Pastebin Checkin (trojan.rules)
  2814963 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.BMT Checkin 2
(mobile_malware.rules)
  2814969 - ETPRO CURRENT_EVENTS Google Drive Phishing Landing 2015-11-17
(current_events.rules)
  2814975 - ETPRO TROJAN Unknown CnC Checkin (trojan.rules)
  2815049 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.cu Checkin 2
(mobile_malware.rules)
  2815051 - ETPRO INFO Bitcoin Address QR Download (info.rules)
  2815060 - ETPRO TROJAN Reveton.ScreenLocker Checkin (trojan.rules)
  2815076 - ETPRO TROJAN Project Silent Backdoor Checkin (trojan.rules)
  2815077 - ETPRO TROJAN Project Silent Backdoor Update Check (trojan.rules)
  2815078 - ETPRO TROJAN Cyborg Keylogger v4.0 Reporting via HTTP
(trojan.rules)
  2815088 - ETPRO CURRENT_EVENTS Successful SFR Phishing 2015-11-24
(current_events.rules)
  2815091 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ff Checkin 2
(mobile_malware.rules)
  2815096 - ETPRO TROJAN Limitless Keylogger Reporting Sending Data
(trojan.rules)
  2815097 - ETPRO TROJAN Win32/Pinguin Checkin (trojan.rules)
  2815099 - ETPRO TROJAN Steam Filestealer Extreme Sending Compressed
Credentials (trojan.rules)
  2815100 - ETPRO TROJAN Steam Filestealer Extreme Stolen Password
(trojan.rules)
  2815104 - ETPRO TROJAN Prism HTTP Bot Checkin (trojan.rules)
  2815105 - ETPRO TROJAN Prism HTTP Bot Geo Check (trojan.rules)
  2815106 - ETPRO TROJAN Prism HTTP Bot Downloading Assets (trojan.rules)
  2815126 - ETPRO TROJAN Andromeda CnC (trojan.rules)
  2815127 - ETPRO TROJAN Win32/Denisca.A CnC (clickfraud) (trojan.rules)
  2815131 - ETPRO TROJAN Win32/Spy.Banker Variant Checkin (trojan.rules)
  2815134 - ETPRO USER_AGENTS Zmap User-Agent (zgrab) (user_agents.rules)
  2815141 - ETPRO POLICY UserBenchmark Reporting Computer Details
(policy.rules)
  2815156 - ETPRO TROJAN Bergard.A Checkin (trojan.rules)
  2815170 - ETPRO TROJAN Win32/Kapahyku.A Activity 2 (trojan.rules)
  2815224 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Agent.ef Checkin
(mobile_malware.rules)
  2815226 - ETPRO TROJAN Win32/XSpider Spam Bot CnC Checkin (trojan.rules)
  2815227 - ETPRO TROJAN Win32/XSpider Spam Bot Getting Command
(trojan.rules)
  2815228 - ETPRO TROJAN Win32/XSpider Spam Bot Executing Command
(trojan.rules)
  2815229 - ETPRO TROJAN Win32/TrojanDownloader.Banload Variant Checkin
(trojan.rules)
  2815230 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.Norex.a Checkin
(mobile_malware.rules)
  2815233 - ETPRO TROJAN Trojan/KillProc.l Checkin (trojan.rules)
  2815236 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.CB Checkin
(mobile_malware.rules)
  2815250 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2015-12-05
(current_events.rules)
  2815260 - ETPRO EXPLOIT MS15-134 Media Center Library Parsing RCE
Vulnerability (CVE-2015-6131) MCL File Download (exploit.rules)
  2815283 - ETPRO TROJAN Win32/Downloader.Banload.WTK CnC Checkin
(trojan.rules)
  2815286 - ETPRO TROJAN BKDR_GRABBOT.A Checkin (trojan.rules)
  2815289 - ETPRO TROJAN Backdoor.Cadelspy Checkin 1 (trojan.rules)
  2815293 - ETPRO CURRENT_EVENTS Successful Google Docs Phish 2015-12-09
(current_events.rules)
  2815312 - ETPRO MOBILE_MALWARE Android.Riskware.Cheica.A Checkin
(mobile_malware.rules)
  2815321 - ETPRO TROJAN Meterpreter/Swrort CnC Beacon (trojan.rules)
  2815322 - ETPRO TROJAN Win32/Kivars.B Checkin (trojan.rules)
  2815323 - ETPRO TROJAN Andromeda CnC Beacon (trojan.rules)

 [---]  Disabled and modified rules:  [---]

  2012460 - ET TROJAN Possible JKDDOS download wm.exe (trojan.rules)