[Emerging-updates] Daily Ruleset Update Summary 2020/05/01

Jack Mott jmott at emergingthreats.net
Fri May 1 14:50:31 HDT 2020


[***]            Summary:            [***]

19 new Open, 28 new Pro (19 + 9). Saltstack Authentication Bypass, Various
Generic Webshell Access, Various Cpanel Cracker, PHANTOMLANCE, More_eggs
CnC, Various Phishing.

TIIF

Please be aware that after the deprecation of our Suricata 2/3 support
(April 15th 2020), the path for downloading the last pushed production
Suricata 2/3 rulesets has changed.  Deprecated rulesets are available at
https://rules.emergingthreatspro.com/OINK/old for ETPro and
https://rules.emergingthreatspro.com/open/old/ for ETOpen.  All requests
for the Suricata 2/3 rulesets at their previous locations will now lead to
the Suricata 4.0 production rules for ETPro and the rule download
instructions for ETOpen.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030071 - ET EXPLOIT Possible Saltstack Authentication Bypass CVE-2020-11651 M1 (exploit.rules)
  2030072 - ET EXPLOIT Possible SaltStack Authentication Bypass CVE-2020-11651 M2 (exploit.rules)
  2030073 - ET WEB_CLIENT Generic Webshell Accessed on External Server (web_client.rules)
  2030074 - ET WEB_SERVER Generic Webshell Accessed on Internal Server (web_server.rules)
  2030075 - ET WEB_CLIENT Generic Webshell Accessed on External Server (web_client.rules)
  2030076 - ET WEB_SERVER Generic Webshell Accessed on Internal Server (web_server.rules)
  2030077 - ET WEB_CLIENT Generic Mailer Accessed on External Server (web_client.rules)
  2030078 - ET WEB_SERVER Generic Mailer Accessed on Internal Server (web_server.rules)
  2030079 - ET WEB_CLIENT Generic Stolen Credentials Accessed on External Server (web_client.rules)
  2030080 - ET WEB_SERVER Generic Stolen Credentials Accessed on Internal Server (web_server.rules)
  2030081 - ET WEB_CLIENT Generic Stolen Credentials Accessed on External Server (web_client.rules)
  2030082 - ET WEB_SERVER Generic Stolen Credentials Accessed on Internal Server (web_server.rules)
  2030083 - ET WEB_CLIENT Cpanel Cracker Accessed on External Server (web_client.rules)
  2030084 - ET WEB_SERVER Cpanel Cracker Accessed on Internal Server (web_server.rules)
  2030085 - ET WEB_CLIENT Generic Mailer Accessed on External Server (web_client.rules)
  2030086 - ET WEB_SERVER Generic Mailer Accessed on Internal Server (web_server.rules)
  2030089 - ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup (mobile_malware.rules)
  2030090 - ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup (mobile_malware.rules)
  2030091 - ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup (mobile_malware.rules)

Pro:

  2842305 - ETPRO TROJAN More_eggs CnC Activity (trojan.rules)
  2842306 - ETPRO MALWARE ELF/Unk.Ameliyat Checkin (malware.rules)
  2842307 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2020-05-01 (current_events.rules)
  2842308 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-05-01 1) (trojan.rules)
  2842309 - ETPRO CURRENT_EVENTS Successful Generic Server Backup Phish 2020-05-01 (current_events.rules)
  2842310 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-05-01 (current_events.rules)
  2842311 - ETPRO TROJAN W32/TrojanDownloader.Agent.FCD CnC Activity (trojan.rules)
  2842312 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-05-01 (current_events.rules)
  2842313 - ETPRO TROJAN Win32/Remcos RAT Checkin 415 (trojan.rules)

[///]     Modified active rules:     [///]

  2006445 - ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM (web_server.rules)
  2009521 - ET TROJAN Win32/Nubjub.A HTTP Check-in (trojan.rules)
  2013026 - ET TROJAN Secure-Soft.Stealer Checkin (trojan.rules)
  2014523 - ET TROJAN OSX/Flashback.K/I reporting successful infection 2 (trojan.rules)
  2016581 - ET CURRENT_EVENTS SUSPICIOUS Java Request to ChangeIP Dynamic DNS Domain (current_events.rules)
  2016582 - ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain (current_events.rules)
  2016933 - ET CURRENT_EVENTS SUSPICIOUS Java Request to Afraid.org Top 100 Dynamic DNS Domain (current_events.rules)
  2018522 - ET TROJAN Soraya C2 User-Agent (default) (trojan.rules)
  2018578 - ET TROJAN Dyreza RAT Ex-filtrating Data (trojan.rules)
  2018683 - ET TROJAN Dyreza RAT Checkin 2 (trojan.rules)
  2018764 - ET TROJAN W32/Zbot.Variant CnC Response (trojan.rules)
  2018765 - ET TROJAN Win32/Swizzor User-Agent (Swizz03r) (trojan.rules)
  2018770 - ET TROJAN Dridex/Bugat/Feodo Cookie (trojan.rules)
  2018771 - ET TROJAN Dridex/Bugat/Feodo POST Checkin (trojan.rules)
  2018782 - ET SCAN Internet Scanning Project HTTP scan (scan.rules)
  2018787 - ET TROJAN Unknown Locker DL URI Struct Jul 25 2014 (trojan.rules)
  2018799 - ET TROJAN Win32/Gatak Activity (trojan.rules)
  2018800 - ET SCAN Chroot-apache0day Unknown Web Scanner User Agent (scan.rules)
  2018888 - ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin (mobile_malware.rules)
  2018895 - ET TROJAN Ddex Loader Check-in (trojan.rules)
  2018897 - ET TROJAN Pushdo.S CnC response (trojan.rules)
  2018900 - ET TROJAN BITTERBUG Checkin (trojan.rules)
  2018914 - ET CURRENT_EVENTS Nuclear Exploit Kit exe.exe Payload (current_events.rules)
  2018926 - ET TROJAN Lurk Downloader Check-in (trojan.rules)
  2018927 - ET TROJAN Lurk Click fraud Template Request (trojan.rules)
  2018985 - ET TROJAN Suspicious User-Agent (Asteria md5) (trojan.rules)
  2030006 - ET CURRENT_EVENTS Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound) (current_events.rules)
  2030008 - ET CURRENT_EVENTS Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound) (current_events.rules)
  2801468 - ETPRO WEB_CLIENT Insecure Library Loading Request (.dll) (web_client.rules)
  2803669 - ETPRO SCADA Progea Movicon PowerHMI Memory Corruption Negative Content Length (scada.rules)
  2806150 - ETPRO MOBILE_MALWARE AndroidOS_Adrd.VTD Checkin (mobile_malware.rules)
  2806169 - ETPRO MOBILE_MALWARE Android.Enesoluty / Trojan.AndroidOS.Maistealer.a Checkin (mobile_malware.rules)
  2807180 - ETPRO TROJAN Win32.Sisron.B Checkin Checkin (trojan.rules)
  2807234 - ETPRO TROJAN Protux CnC traffic (trojan.rules)
  2808008 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Ackposts.a Checkin (mobile_malware.rules)
  2808264 - ETPRO TROJAN Trojan.Win32.FrauDrop.dbnyoz Checkin (trojan.rules)
  2808309 - ETPRO TROJAN Win32/Beaugrit.gen!AAA Checkin (trojan.rules)
  2808314 - ETPRO TROJAN Win32.Tavex.A Checkin 1 (trojan.rules)
  2808375 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.RZ Checkin (mobile_malware.rules)
  2808395 - ETPRO TROJAN Win32/Rovnix.H checkin (trojan.rules)
  2808405 - ETPRO TROJAN Trojan.Win32.Invader Checkin (trojan.rules)
  2808408 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.BX Checkin 3 (mobile_malware.rules)
  2808418 - ETPRO MOBILE_MALWARE Android/Smforw.AJ Checkin (mobile_malware.rules)
  2808427 - ETPRO TROJAN Win32.Nyxem.M checkin (trojan.rules)
  2808429 - ETPRO TROJAN Password Stealer TSPY_WOWSPY.A Checkin (trojan.rules)
  2808430 - ETPRO TROJAN Backdoor.Jolob Checkin (trojan.rules)
  2808436 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Agent.aj Checkin (mobile_malware.rules)
  2808438 - ETPRO MOBILE_MALWARE Trojan.Android.TrojanSMS.bABM Checkin (mobile_malware.rules)
  2808439 - ETPRO TROJAN Trojan-Clicker.Win32.Agent.adoa Checkin (trojan.rules)
  2808441 - ETPRO MOBILE_MALWARE Android-Spyware/SpyApp Checkin (mobile_malware.rules)
  2808444 - ETPRO TROJAN Trojan.Win32.Stantinko.bF Checkin (trojan.rules)
  2808447 - ETPRO MOBILE_MALWARE Android/SMSreg.CL Checkin (mobile_malware.rules)
  2808449 - ETPRO TROJAN Win32/Lmir.BMR Checkin (trojan.rules)
  2808462 - ETPRO MOBILE_MALWARE AndroidOS/GinMaster.AR Checkin (mobile_malware.rules)
  2808470 - ETPRO TROJAN Password Stealer MSIL/Vonriamt.A Checkin 3 (trojan.rules)
  2808471 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.a Checkin 3 (mobile_malware.rules)
  2808474 - ETPRO P2P P2PShare Client Installed Checkin (p2p.rules)
  2808477 - ETPRO MOBILE_MALWARE Android.Trojan.Portal.A Checkin (mobile_malware.rules)
  2808478 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.AK Checkin (mobile_malware.rules)
  2808499 - ETPRO TROJAN Win32/Zemot User-Agent (trojan.rules)
  2808506 - ETPRO TROJAN Trojan.Crypt.CG Checkin (trojan.rules)
  2808512 - ETPRO MOBILE_MALWARE Android/SmsSpy.AS Checkin (mobile_malware.rules)
  2808514 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.AO Checkin 2 (mobile_malware.rules)
  2808515 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.C Checkin 4 (mobile_malware.rules)
  2808526 - ETPRO TROJAN Win32.Comune.A checkin (trojan.rules)
  2808527 - ETPRO USER_AGENTS Suspicious User Agent Get HTML Source Code Program (user_agents.rules)
  2808528 - ETPRO MOBILE_MALWARE Android FakeInst-OG Checkin (mobile_malware.rules)
  2808533 - ETPRO TROJAN TROJAN.WIN32.SYSMAIN.C Checkin (trojan.rules)
  2808551 - ETPRO TROJAN Trojan.Win32.Agent.cralxq Checkin (trojan.rules)
  2808558 - ETPRO MOBILE_MALWARE AndroidOS/Lemon.A Checkin (mobile_malware.rules)
  2808568 - ETPRO TROJAN TrojanDownloader.Murlo.jr Checkin (trojan.rules)
  2808582 - ETPRO MOBILE_MALWARE Android.Trojan.Joye.D Checkin (mobile_malware.rules)
  2808609 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iconosys.a Checkin 4 (mobile_malware.rules)
  2808610 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iconosys.a Checkin 5 (mobile_malware.rules)
  2808617 - ETPRO TROJAN VBS/Safa C2 (trojan.rules)
  2808618 - ETPRO MOBILE_MALWARE Android/HippoSms.B Request to C2 (mobile_malware.rules)
  2808642 - ETPRO TROJAN Win32.BHO Variant Checkin (trojan.rules)
  2808650 - ETPRO TROJAN PWS.MicroGaming Checkin (trojan.rules)
  2808651 - ETPRO TROJAN TROJAN-DROPPER.WIN32.FRAUDROP.AETPC Checkin (trojan.rules)
  2808654 - ETPRO TROJAN BackDoor.Ebot Checkin (trojan.rules)
  2808655 - ETPRO TROJAN WIN32/LOCKSCREEN.BIK Checkin (trojan.rules)
  2808657 - ETPRO TROJAN W32/Delf.GY Callback (trojan.rules)
  2836551 - ETPRO TROJAN SSL/TLS Certificate Observed (Default POSHC2 cert) (trojan.rules)

[---]         Removed rules:         [---]

  2030007 - ET CURRENT_EVENTS Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound) (current_events.rules)