[Emerging-updates] Daily Ruleset Update Summary 2020/03/13

James Emery-Callcott jcallcott at emergingthreats.net
Fri Mar 13 13:34:39 HDT 2020


[***]            Summary:            [***]

  14 new Open, 26 new Pro (14 + 12).  Vicious Panda, CVE-2020-8518, Various
Phish, Others.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2029623 - ET TROJAN VBS/Unk.TrojanDownloader.Agent.SEB Checkin
(trojan.rules)
  2029624 - ET TROJAN VBS/Unk.TrojanDownloader.Agent.SEB Keep-Alive
(trojan.rules)
  2029625 - ET TROJAN VBS/Unk.TrojanDownloader.Agent.SEB Reporting Network
Info (trojan.rules)
  2029626 - ET TROJAN Observed DNS Query to Vicious Panda CnC Domain
(trojan.rules)
  2029627 - ET TROJAN Observed DNS Query to Vicious Panda CnC Domain
(trojan.rules)
  2029628 - ET TROJAN Observed DNS Query to Vicious Panda CnC Domain
(trojan.rules)
  2029629 - ET TROJAN Observed DNS Query to Vicious Panda CnC Domain
(trojan.rules)
  2029630 - ET TROJAN Observed DNS Query to Vicious Panda CnC Domain
(trojan.rules)
  2029631 - ET TROJAN Observed DNS Query to Vicious Panda CnC Domain
(trojan.rules)
  2029632 - ET POLICY QQ Browser WUP Request - qbpcstatf.stat (policy.rules)
  2029633 - ET POLICY QQ Browser WUP Request - qbkpireportbakf.stat
(policy.rules)
  2029634 - ET TROJAN Suspected Malicious Telegram Communication (POST)
(trojan.rules)
  2029635 - ET MOBILE_MALWARE Suspected Android Youzicheng Proxy Activity
(mobile_malware.rules)
  2029636 - ET WEB_SPECIFIC_APPS Possible CVE-2020-8518 (Horde Groupware
RCE) (web_specific_apps.rules)


Pro:

  2841500 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-03-13 1) (trojan.rules)
  2841501 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-03-13 2) (trojan.rules)
  2841502 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-03-13 3) (trojan.rules)
  2841503 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-03-13
(current_events.rules)
  2841504 - ETPRO CURRENT_EVENTS Successful UPS Phish 2020-03-13
(current_events.rules)
  2841505 - ETPRO CURRENT_EVENTS Successful Banque et Assurances Phish
2020-03-13 (current_events.rules)
  2841506 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-13
(current_events.rules)
  2841507 - ETPRO CURRENT_EVENTS Successful Blockchain Phish 2020-03-13
(current_events.rules)
  2841508 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2020-03-13
(current_events.rules)
  2841509 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-03-13 (current_events.rules)
  2841510 - ETPRO TROJAN Win32/Bancos.AEU CnC Host Checkin (trojan.rules)
  2841511 - ETPRO TROJAN MSIL/Small.AEC!tr.dldr Screenshot upload via FTP
(trojan.rules)

[///]     Modified active rules:     [///]

  2010133 - ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable INSERT
INTO SQL Injection Attempt (web_specific_apps.rules)
  2010134 - ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable DELETE
FROM SQL Injection Attempt (web_specific_apps.rules)
  2010457 - ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web
VPN FTP or CIFS Authentication Form Phishing Attempt (web_server.rules)
  2010669 - ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring
Application INTO OUTFILE SQL Injection Attempt (web_specific_apps.rules)
  2010670 - ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring
Application SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
  2010672 - ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring
Application INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
  2010673 - ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring
Application UNTION SELECT SQL Injection Attempt (web_specific_apps.rules)
  2010704 - ET WEB_SERVER Possible HP OpenView Network Node Manager
ovalarm.exe CGI Buffer Overflow Attempt (web_server.rules)
  2010728 - ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module
Configuration Security Bypass Attempt (web_specific_apps.rules)
  2010863 - ET WEB_SERVER LANDesk Command Injection Attempt
(web_server.rules)
  2010964 - ET WEB_SERVER SHOW CHARACTER SET SQL Injection Attempt in URI
(web_server.rules)
  2022298 - ET TROJAN Ironhalo CnC Beacon (trojan.rules)
  2023082 - ET TROJAN Curso Banker Downloading Modules (trojan.rules)
  2023927 - ET TROJAN MiniDuke CnC Beacon (string2_slide_2_2) (trojan.rules)
  2023928 - ET TROJAN MiniDuke CnC Beacon (string2_slide_3_1) (trojan.rules)
  2804421 - ETPRO TROJAN Win32/Dofoil.A Checkin (trojan.rules)
  2804967 - ETPRO TROJAN Win32/Bancos.AEW Checkin (trojan.rules)
  2805030 - ETPRO TROJAN PWS.Win32/Sinowal.gen!Y/Torpig Checkin
(trojan.rules)
  2805617 - ETPRO TROJAN Trojan-Downloader.Win32.Agent.qsl Checkin
(trojan.rules)
  2806091 - ETPRO POLICY IP geo location service ipinfodb.com request
(policy.rules)
  2806713 - ETPRO TROJAN Backdoor.Win32.Androm.aatu Checkin (trojan.rules)
  2816161 - ETPRO TROJAN Possible Ironhalo Receiving Encoded Payload M1
(trojan.rules)
  2816162 - ETPRO TROJAN Possible Ironhalo Receiving Encoded Payload M2
(trojan.rules)
  2816163 - ETPRO TROJAN Possible Ironhalo Receiving Encoded Payload M3
(trojan.rules)
  2820970 - ETPRO TROJAN APT.Scarcruft CnC Beacon (pCloud) (trojan.rules)
  2826884 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin 12
(mobile_malware.rules)
  2826932 - ETPRO MOBILE_MALWARE Android/Fobus.BD Checkin
(mobile_malware.rules)
  2826933 - ETPRO MOBILE_MALWARE Android/Fobus.BD Retrieving IP
(mobile_malware.rules)
  2841255 - ETPRO TROJAN STATUSCREW Downloader Activity (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2805919 - ETPRO TROJAN CryptoWall Check-in M3 (trojan.rules)

[---]         Disabled rules:        [---]

  2805918 - ETPRO TROJAN Unknown Ransomware Checkin 1 (trojan.rules)
  2807876 - ETPRO TROJAN Backdoor.Win32/Tofsee.F Checkin (trojan.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
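The sections above follow a fixed layout (a bracketed section header, optional "Open:"/"Pro:" tier lines, then one entry per SID that may wrap onto a second line and ends with the rule file in parentheses), which is what a consumer needs in order to turn a daily summary into a list of SIDs to enable, review or disable locally. The parser below is an added example written for this page; it is not Emerging Threats code and the layout assumptions (a 7-digit SID followed by " - ", a trailing "(name.rules)", wrapped continuation lines) are taken from this mail alone. SAMPLE is an excerpt of entries copied from the summary above.

```python
import re
from dataclasses import dataclass

# Assumed layout, derived from this mail's text (not an official format spec):
#   "[+++]          Added rules:          [+++]"   -> section header
#   "Open:" / "Pro:"                                -> tier line (Added section only)
#   "  2029623 - ET TROJAN ... Checkin"             -> entry start; may wrap
#   "(trojan.rules)"                                -> continuation / rule file
SECTION_RE = re.compile(r"^\[(?:\*{3}|\+{3}|/{3}|-{3})\]\s+(.+?):\s+\[")
ENTRY_RE = re.compile(r"^\s*(\d{7}) - (.+)$")
RULEFILE_RE = re.compile(r"\s*\((\S+\.rules)\)\s*$")


@dataclass
class RuleEntry:
    sid: int
    msg: str
    rulefile: str
    tier: str  # "Open", "Pro", or "" where the section has no tier lines


def parse_update_summary(text):
    """Return {section name: [RuleEntry, ...]} for an ET daily update mail."""
    sections = {}
    current = None
    tier = ""
    pending = None  # (sid, accumulated text) for an entry that may still wrap

    def flush():
        nonlocal pending
        if pending is None:
            return
        sid, body = pending
        m = RULEFILE_RE.search(body)
        rulefile = m.group(1) if m else ""
        msg = RULEFILE_RE.sub("", body).strip() if m else body.strip()
        sections.setdefault(current, []).append(RuleEntry(int(sid), msg, rulefile, tier))
        pending = None

    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            flush()
            current = m.group(1)
            tier = ""
            continue
        if line.strip() in ("Open:", "Pro:"):
            flush()
            tier = line.strip()[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            flush()
            pending = (m.group(1), m.group(2))
            continue
        if pending is not None and line.strip():
            # Wrapped entry: the mail client folded the rule name onto a new line.
            pending = (pending[0], pending[1] + " " + line.strip())
        elif not line.strip():
            flush()
    flush()
    return sections


def sids_by_action(sections):
    """Map the mail's sections onto the action a local ruleset consumer takes."""
    out = {"enable": set(), "review": set(), "disable": set()}
    for name, entries in sections.items():
        sids = {e.sid for e in entries}
        if name == "Added rules":
            out["enable"] |= sids
        elif name == "Modified active rules":
            out["review"] |= sids
        elif name.startswith("Disabled"):
            out["disable"] |= sids
    return out


# Constructed sample: a short excerpt of entries from the mail above, including wrapped lines.
SAMPLE = """\
[+++]          Added rules:          [+++]

Open:

  2029623 - ET TROJAN VBS/Unk.TrojanDownloader.Agent.SEB Checkin
(trojan.rules)
  2029636 - ET WEB_SPECIFIC_APPS Possible CVE-2020-8518 (Horde Groupware
RCE) (web_specific_apps.rules)


Pro:

  2841503 - ETPRO CURRENT_EVENTS Successful Chase Phish 2020-03-13
(current_events.rules)

[///]     Modified active rules:     [///]

  2022298 - ET TROJAN Ironhalo CnC Beacon (trojan.rules)

[---]  Disabled and modified rules:  [---]

  2805919 - ETPRO TROJAN CryptoWall Check-in M3 (trojan.rules)

[---]         Disabled rules:        [---]

  2805918 - ETPRO TROJAN Unknown Ransomware Checkin 1 (trojan.rules)
  2807876 - ETPRO TROJAN Backdoor.Win32/Tofsee.F Checkin (trojan.rules)
"""

if __name__ == "__main__":
    parsed = parse_update_summary(SAMPLE)
    for name, entries in parsed.items():
        print(f"{name}: {len(entries)} rule(s)")
        for e in entries:
            print(f"  {e.sid} [{e.tier or '-'}] {e.rulefile}: {e.msg}")
    print(sids_by_action(parsed))
```

The "disable" set from sids_by_action is what you would feed to your rule manager's disable list so that SIDs ET has retired do not linger in a locally pinned copy of the ruleset; the "review" set flags modified rules whose local tuning (thresholds, suppressions) should be rechecked after the update.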