[Emerging-updates] Daily Ruleset Update Summary 2020/03/23

Brandon Murphy bmurphy at emergingthreats.net
Mon Mar 23 15:17:09 HDT 2020


[***]            Summary:            [***]

34 new Open, 65 new Pro (34 + 31). MSIL/Modi RAT, CoreDDRAT, Sekhmet
Ransomware, Various COVID-19 "INFO" rules, Various Phishing.

Thanks @pmelson and @fbgwls248


[+++]          Added rules:          [+++]

Open:

  2029696 - ET TROJAN MSIL/Modi RAT CnC Command Inbound (info)
(trojan.rules)
  2029697 - ET TROJAN MSIL/Modi RAT CnC Command Inbound (aw) (trojan.rules)
  2029698 - ET TROJAN MSIL/Modi RAT CnC Checkin (DesktopPreview)
(trojan.rules)
  2029699 - ET TROJAN MSIL/Modi RAT CnC Command Inbound (plugin)
(trojan.rules)
  2029700 - ET CURRENT_EVENTS Successful World Health Organization COVID-19
Phish 2020-03-23 (current_events.rules)
  2029701 - ET CURRENT_EVENTS Successful NHS Webmail Phish 2020-03-23
(current_events.rules)
  2029702 - ET CURRENT_EVENTS UK GOV Identity Verification Phishing Landing
(current_events.rules)
  2029703 - ET INFO Observed Lets Encrypt Certificate - Possible COVID-19
Related M1 (info.rules)
  2029704 - ET INFO Observed Lets Encrypt Certificate - Possible COVID-19
Related M2 (info.rules)
  2029705 - ET INFO Possible COVID-19 Domain in SSL Certificate M1
(info.rules)
  2029706 - ET INFO Possible COVID-19 Domain in SSL Certificate M2
(info.rules)
  2029707 - ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain
M1 (info.rules)
  2029708 - ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain
M2 (info.rules)
  2029709 - ET INFO Suspicious Domain Request for Possible COVID-19 Domain
M1 (info.rules)
  2029710 - ET INFO Suspicious Domain Request for Possible COVID-19 Domain
M2 (info.rules)
  2029711 - ET INFO Suspicious GET Request with Possible COVID-19 Domain M1
(info.rules)
  2029712 - ET INFO Suspicious GET Request with Possible COVID-19 Domain M2
(info.rules)
  2029713 - ET INFO Suspicious POST Request with Possible COVID-19 Domain
M1 (info.rules)
  2029714 - ET INFO Suspicious POST Request with Possible COVID-19 Domain
M2 (info.rules)
  2029715 - ET TROJAN Possible APT28 Phishing Domain in DNS Query
(trojan.rules)
  2029716 - ET TROJAN Possible APT28 Phishing Domain in DNS Query
(trojan.rules)
  2029717 - ET TROJAN Possible APT28 Phishing Domain in DNS Query
(trojan.rules)
  2029718 - ET TROJAN Possible APT28 Phishing Domain in DNS Query
(trojan.rules)
  2029719 - ET TROJAN Possible APT28 Phishing Domain in DNS Query
(trojan.rules)
  2029720 - ET TROJAN Possible APT28 Phishing Domain in DNS Query
(trojan.rules)
  2029721 - ET TROJAN Possible APT28 Phishing Domain in DNS Query
(trojan.rules)
  2029722 - ET TROJAN Possible APT28 Phishing Domain in DNS Query
(trojan.rules)
  2029723 - ET TROJAN Possible APT28 Phishing Domain in DNS Query
(trojan.rules)
  2029724 - ET TROJAN CoreDDRAT Initial Checkin (trojan.rules)
  2029725 - ET TROJAN CoreDDRAT CnC Activity (trojan.rules)
  2029726 - ET TROJAN CoreDDRAT KeepAlive Message (trojan.rules)
  2029727 - ET TROJAN CoreDDRAT Screenshot Exfil (trojan.rules)
  2029728 - ET TROJAN Sekhmet Ransomware CnC Activity (trojan.rules)
  2029729 - ET TROJAN Observed Buer Loader CnC Domain (kkjjhhdff .site in
TLS SNI) (trojan.rules)

Pro:

  2835225 - ETPRO SCAN ELF/Mirai Solstice Variant User-Agent (scan.rules)
  2841646 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-03-21 1) (trojan.rules)
  2841647 - ETPRO CURRENT_EVENTS Successful British Gas Phish 2020-03-23
(current_events.rules)
  2841648 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2020-03-23
(current_events.rules)
  2841649 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2020-03-23
(current_events.rules)
  2841650 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2020-03-23
(current_events.rules)
  2841651 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-03-23 (current_events.rules)
  2841652 - ETPRO CURRENT_EVENTS Successful Outlook Web App Phish
2020-03-23 (current_events.rules)
  2841653 - ETPRO CURRENT_EVENTS Successful EE Phish 2020-03-23
(current_events.rules)
  2841654 - ETPRO CURRENT_EVENTS Successful AU ID Phish 2020-03-23
(current_events.rules)
  2841655 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-03-23 (current_events.rules)
  2841656 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2020-03-23
(current_events.rules)
  2841657 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-03-23 (current_events.rules)
  2841658 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-03-23 (current_events.rules)
  2841659 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-03-23 (current_events.rules)
  2841660 - ETPRO TROJAN ELF/Mirai Variant User-Agent (Outbound)
(trojan.rules)
  2841661 - ETPRO TROJAN Backdoor.Wemosis CnC Activity (trojan.rules)
  2841662 - ETPRO CURRENT_EVENTS Successful Banque et Assurances Phish
2020-03-23 (current_events.rules)
  2841663 - ETPRO CURRENT_EVENTS Successful BMO Phish 2020-03-23
(current_events.rules)
  2841664 - ETPRO CURRENT_EVENTS Successful BMO Phish 2020-03-23
(current_events.rules)
  2841665 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-03-23 (current_events.rules)
  2841666 - ETPRO TROJAN Win32/Remcos RAT Checkin 370 (trojan.rules)
  2841667 - ETPRO TROJAN Win32/Remcos RAT Checkin 371 (trojan.rules)
  2841668 - ETPRO TROJAN Win32/Remcos RAT Checkin 372 (trojan.rules)
  2841669 - ETPRO TROJAN Win32/Remcos RAT Checkin 373 (trojan.rules)
  2841670 - ETPRO TROJAN Win32/Remcos RAT Checkin 374 (trojan.rules)
  2841671 - ETPRO TROJAN Observed Malicious SSL Cert (IcedID CnC)
(trojan.rules)
  2841672 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2841673 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2841674 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2841675 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)


[///]     Modified active rules:     [///]

  2014643 - ET TROJAN ConstructorWin32/Agent.V (trojan.rules)
  2025114 - ET CURRENT_EVENTS Successful EDU Phish 2017-12-04
(current_events.rules)
  2025163 - ET TROJAN W32/Patchwork.Backdoor Communicating with CnC
(trojan.rules)
  2025164 - ET TROJAN W32/Patchwork.Backdoor CnC Check-in M2 (trojan.rules)
  2027439 - ET TROJAN HAWKBALL CnC Initial Request (trojan.rules)
  2027440 - ET TROJAN HAWKBALL CnC Activity (trojan.rules)
  2028865 - ET CURRENT_EVENTS Spelevo VBS Payload Downloaded
(current_events.rules)
  2029025 - ET SCAN Mirai Variant User-Agent (Inbound) (scan.rules)
  2029037 - ET TROJAN Mirai Variant User-Agent (Outbound) (trojan.rules)
  2811002 - ETPRO MALWARE Win32/BomJogo.A Checkin (malware.rules)
  2815440 - ETPRO TROJAN Elmer Checkin (trojan.rules)
  2819677 - ETPRO MOBILE_MALWARE Trojan-Downloader.AndroidOS.Leech.f
Checkin (mobile_malware.rules)
  2819789 - ETPRO TROJAN APT.Hedas CnC Beacon 2 (trojan.rules)
  2819822 - ETPRO TROJAN Trojan/Win32.Miuref Posting Screenshot M1
(trojan.rules)
  2819966 - ETPRO EXPLOIT Linksys wap54gv3 Remote Code Execution
(exploit.rules)
  2820007 - ETPRO TROJAN Emissary CnC Beacon 3 (trojan.rules)
  2820009 - ETPRO TROJAN Emissary CnC Beacon 4 (trojan.rules)
  2820041 - ETPRO TROJAN APT.MADMAX CnC Beacon 1 M1 (trojan.rules)
  2820056 - ETPRO TROJAN APT.ZoxPNG CnC Beacon (trojan.rules)
  2820537 - ETPRO TROJAN Win32/Neutrino HTTP Structure (trojan.rules)
  2826326 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot CnC Beacon
(mobile_malware.rules)
  2826511 - ETPRO MOBILE_MALWARE Unknown Android Loader CnC Beacon
(mobile_malware.rules)
  2826786 - ETPRO MOBILE_MALWARE Trojan-PSW.AndroidOS.Inazun.h CnC Beacon 2
(mobile_malware.rules)
  2826933 - ETPRO MOBILE_MALWARE Android/Fobus.BD Retrieving IP
(mobile_malware.rules)
  2828575 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.BLR Checkin
(mobile_malware.rules)
  2828578 - ETPRO MOBILE_MALWARE Android Bankbot CnC Beacon
(mobile_malware.rules)
  2828621 - ETPRO CURRENT_EVENTS MalDoc Retrieving Payload Nov 13 2017
(current_events.rules)
  2828747 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Guerrilla.l Checkin
(mobile_malware.rules)
  2828803 - ETPRO TROJAN StorageCrypt Downloading SambaCry (trojan.rules)
  2828875 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin
2 (mobile_malware.rules)
  2831402 - ETPRO TROJAN Win32/Predator The Thief CnC Checkin (trojan.rules)
  2831998 - ETPRO TROJAN Possible Jenxcus Variant Exfiltrating via
User-Agent (trojan.rules)
  2832075 - ETPRO MALWARE Win32/FileTour Adware Activity (malware.rules)
  2832094 - ETPRO TROJAN Possible More_eggs Connectivity Check
(trojan.rules)
  2832705 - ETPRO TROJAN Win32/ELF Xbash CnC Checkin (trojan.rules)
  2833577 - ETPRO TROJAN Banload Variant CnC Activity (trojan.rules)
  2833969 - ETPRO TROJAN Silent Downloader CnC Initial Request
(trojan.rules)
  2834134 - ETPRO TROJAN Win32/SpyBanker.ADUT Activity (trojan.rules)
  2834577 - ETPRO TROJAN GearBest Stealer CnC Activity (trojan.rules)
  2834578 - ETPRO TROJAN TinyDeal Stealer CnC Activity (trojan.rules)
  2837092 - ETPRO TROJAN Win32/Various Unusual POST to ip-api .com
(trojan.rules)
  2837240 - ETPRO INFO Suspicious HTTP 448 Response (info.rules)
  2837678 - ETPRO MALWARE Win32/Downloader.Soft32 Checkin (malware.rules)
  2838087 - ETPRO TROJAN DonotGroup Maldoc Stage 1 CnC Checkin M2
(trojan.rules)
  2838311 - ETPRO TROJAN Win32/Predator The Thief Initial CnC Checkin
Request (trojan.rules)


[///]    Modified inactive rules:    [///]

  2836138 - ETPRO INFO Suspicious POST with 0 Len and Minimal Headers
(info.rules)


[---]         Disabled rules:        [---]

  2819790 - ETPRO TROJAN Ransomware/Coverton Checkin 2 (trojan.rules)
  2819953 - ETPRO TROJAN Ransomware TrueCrypter CnC Beacon (trojan.rules)
  2820027 - ETPRO TROJAN Unknown Checkin (trojan.rules)


[---]         Removed rules:         [---]

  2835225 - ETPRO TROJAN ELF/Mirai Solstice Variant User-Agent
(trojan.rules)
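A check a practitioner might run after pulling this update, as an added example that is not part of the original post or of Emerging Threats' own tooling: parse the local rules files, then confirm that the SIDs listed above are in the state the summary says they should be (added rules present and enabled, disabled rules commented out, removed rules gone). One caveat the lists above support: 2835225 appears both under "Removed rules" (trojan.rules) and under the Pro "Added rules" (scan.rules), so it has moved between files rather than disappeared, and keying the expectations on (sid, file) rather than on the bare SID handles that. The sample rules files below are constructed for the example: only the sid and msg fields come from the summary, the rule bodies are placeholders and not the real ET detection logic, and the EXPECTED list covers only a handful of the SIDs above.

```python
"""Audit a local Suricata/Snort rule set against a ruleset update summary.

Added example; the EXPECTED entries are a subset of the SIDs in the summary
above, and the sample rule bodies are placeholders (constructed, not ET's).
"""
import re

# (sid, rules file, expected state) taken from the summary; only a subset.
EXPECTED = [
    (2029696, "trojan.rules", "added"),
    (2029729, "trojan.rules", "added"),
    (2029700, "current_events.rules", "added"),
    (2029703, "info.rules", "added"),
    (2835225, "scan.rules", "added"),       # re-added in scan.rules ...
    (2819790, "trojan.rules", "disabled"),
    (2819953, "trojan.rules", "disabled"),
    (2820027, "trojan.rules", "disabled"),
    (2835225, "trojan.rules", "removed"),   # ... after removal from trojan.rules
]

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTIONS = ("alert", "drop", "pass", "reject")


def parse_rules(text):
    """Map sid -> True (enabled) or False (commented out) for one rules file."""
    state = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        body = stripped.lstrip("#").strip()
        if not body.startswith(ACTIONS):   # a comment that is not a rule
            continue
        m = SID_RE.search(body)
        if m:
            state[int(m.group(1))] = enabled
    return state


def audit(files, expected=EXPECTED):
    """files: {filename: text}. Return {(sid, file): problem} for mismatches."""
    parsed = {name: parse_rules(text) for name, text in files.items()}
    problems = {}
    for sid, fname, want in expected:
        present = sid in parsed.get(fname, {})
        enabled = present and parsed[fname][sid]
        if want == "added" and not enabled:
            problems[(sid, fname)] = "missing" if not present else "present but disabled"
        elif want == "disabled" and enabled:
            problems[(sid, fname)] = "still enabled"
        elif want == "removed" and present:
            problems[(sid, fname)] = "still present"
    return problems


# Constructed sample files: only sid and msg come from the summary; the rest
# of each rule is a placeholder, not the real ET detection content.
SAMPLE_FILES = {
    "trojan.rules": """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MSIL/Modi RAT CnC Command Inbound (info)"; flow:established,to_client; classtype:trojan-activity; sid:2029696; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Ransomware/Coverton Checkin 2"; flow:established,to_server; classtype:trojan-activity; sid:2819790; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Unknown Checkin"; flow:established,to_server; classtype:trojan-activity; sid:2820027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN ELF/Mirai Solstice Variant User-Agent"; flow:established,to_server; classtype:trojan-activity; sid:2835225; rev:1;)
""",
    "scan.rules": """\
# a comment line that is not a rule
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ETPRO SCAN ELF/Mirai Solstice Variant User-Agent"; flow:established,to_server; classtype:attempted-recon; sid:2835225; rev:1;)
""",
    "info.rules": """\
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Lets Encrypt Certificate - Possible COVID-19 Related M1"; classtype:misc-activity; sid:2029703; rev:1;)
""",
}

if __name__ == "__main__":
    for (sid, fname), problem in sorted(audit(SAMPLE_FILES).items()):
        print(f"{fname}: sid {sid}: {problem}")
```

On the sample set this reports 2029729 and 2029700 as missing (the second because current_events.rules is absent entirely), 2820027 as still enabled, and 2835225 as still present in trojan.rules, while the same SID's new home in scan.rules passes. Against a real deployment, replace SAMPLE_FILES with the contents of the downloaded rules directory and extend EXPECTED from the lists above.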