[Emerging-updates] Daily Ruleset Update Summary 2020/05/06

James Emery-Callcott jcallcott at emergingthreats.net
Wed May 6 12:44:20 HDT 2020


[***]            Summary:            [***]

  9 new Open, 28 new Pro (9 + 19).  JsOutProx, Ragnarok Ransomware,
DNSTEAL, Various Phish, Others.

  Thanks Kevin Ross, @malwrhunterteam, @james_inthe_box.

  Please be aware that after the deprecation of our Suricata 2/3 support
(April 15th 2020), the path for downloading the last pushed production
Suricata 2/3 rulesets has changed.  Deprecated rulesets are available at
https://rules.emergingthreatspro.com/OINK/old for ETPro and
https://rules.emergingthreatspro.com/open/old/ for ETOpen.  All requests
for the Suricata 2/3 rulesets at their previous locations will now lead to the
Suricata 4.0 production rules for ETPro and the rule download instructions
for ETOpen.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030111 - ET TROJAN Observed Default CobaltStrike SSL Certificate
(trojan.rules)
  2030112 - ET TROJAN Observed Cobalt Strike Stager Domain in DNS Query
(trojan.rules)
  2030113 - ET POLICY Observed iesnare/iovation Tracking Activity
(policy.rules)
  2030114 - ET TROJAN JsOutProx Variant CnC Activity (trojan.rules)
  2030115 - ET EXPLOIT Possible MPC Sharj 3.11.1 - Arbitrary File Download
Attempt (exploit.rules)
  2030116 - ET TROJAN Ragnarok Ransomware CnC Activity M1 (trojan.rules)
  2030117 - ET TROJAN Ragnarok Ransomware CnC Activity M2 (trojan.rules)
  2030118 - ET CURRENT_EVENTS SEO Injection/Fraud Domain in DNS Lookup
(stat.trackstatisticsss .com) (current_events.rules)
  2030119 - ET TROJAN EVILNUM CnC Response (trojan.rules)

Pro:

  2842414 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-06 1) (trojan.rules)
  2842415 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-05-06
(current_events.rules)
  2842416 - ETPRO CURRENT_EVENTS Successful Citibank Phish 2020-05-06
(current_events.rules)
  2842417 - ETPRO CURRENT_EVENTS Successful AT&T Phish 2020-05-06
(current_events.rules)
  2842418 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2020-05-06 (current_events.rules)
  2842419 - ETPRO TROJAN W32/Agent.ABXJF Variant Sending Logs (trojan.rules)
  2842420 - ETPRO TROJAN VBA/Agent.MR Variant CnC Host Checkin
(trojan.rules)
  2842421 - ETPRO TROJAN Win32/Downloader.Pbyw Variant CnC Host Checkin
(trojan.rules)
  2842422 - ETPRO CURRENT_EVENTS Successful Yandex Phish 2020-05-06
(current_events.rules)
  2842423 - ETPRO CURRENT_EVENTS Successful Apple Phish 2020-05-06
(current_events.rules)
  2842424 - ETPRO CURRENT_EVENTS Successful Santander Phish 2020-05-06
(current_events.rules)
  2842425 - ETPRO TROJAN Win32/Remcos RAT Checkin 418 (trojan.rules)
  2842426 - ETPRO TROJAN Win32/Remcos RAT Checkin 419 (trojan.rules)
  2842427 - ETPRO TROJAN Win32/Remcos RAT Checkin 420 (trojan.rules)
  2842428 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842429 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842430 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842431 - ETPRO TROJAN Observed Malicious SSL Cert (AZORult CnC)
(trojan.rules)
  2842432 - ETPRO POLICY Suspected DNSTEAL DNS Traffic (policy.rules)

[///]     Modified active rules:     [///]

  2002763 - ET TROJAN Dumador Reporting User Activity (trojan.rules)
  2011311 - ET POLICY request for hide-my-ip.com autoupdate (policy.rules)
  2011375 - ET POLICY HTTP Request to a *.cz.cc domain (policy.rules)
  2011821 - ET DOS User-Agent used in known DDoS Attacks Detected outbound
(dos.rules)
  2011822 - ET DOS User-Agent used in known DDoS Attacks Detected inbound
(dos.rules)
  2011823 - ET DOS User-Agent used in known DDoS Attacks Detected outbound
2 (dos.rules)
  2011824 - ET DOS User-Agent used in known DDoS Attacks Detected inbound 2
(dos.rules)
  2011861 - ET TROJAN Bredolab CnC URL Detected (trojan.rules)
  2011906 - ET CURRENT_EVENTS exploit kit x/load/svchost.exe
(current_events.rules)
  2011925 - ET TROJAN Rogue AV Downloader concat URI (trojan.rules)
  2011967 - ET TROJAN Suspicious bot.exe Request (trojan.rules)
  2011969 - ET TROJAN Ponmocup C2 Post-infection Checkin (trojan.rules)
  2011982 - ET TROJAN Suspicious flash_player.exe Download (trojan.rules)
  2012113 - ET TROJAN Trojan.BackDoor-DRV.gen.c Reporting-1 (trojan.rules)
  2012198 - ET TROJAN Possible Worm W32.Svich or Other Infection Request
for setting.ini (trojan.rules)
  2012199 - ET TROJAN Possible Worm W32.Svich or Other Infection Request
for setting.xls (trojan.rules)
  2012200 - ET TROJAN Possible Worm W32.Svich or Other Infection Request
for setting.doc (trojan.rules)
  2012392 - ET TROJAN Suspicious Download Setup_ exe (trojan.rules)
  2012405 - ET TROJAN Potential FakePAV Checkin (trojan.rules)
  2012460 - ET TROJAN Possible JKDDOS download wm.exe (trojan.rules)
  2012461 - ET TROJAN Possible JKDDOS download cl.exe (trojan.rules)
  2012514 - ET TROJAN Hiloti loader requesting payload URL (trojan.rules)
  2012542 - ET POLICY HTTP Request to a *.gv.vg domain (policy.rules)
  2012593 - ET POLICY HTTP Request to a *.ce.ms domain (policy.rules)
  2012616 - ET TROJAN Slugin.A PatchTimeCheck.dat Request (trojan.rules)
  2012737 - ET POLICY HTTP Request to a *.cw.cm domain (policy.rules)
  2012800 - ET TROJAN Ponmocup C2 Sending Data to Controller 2
(trojan.rules)
  2012896 - ET POLICY HTTP Request to a *.ae.am domain (policy.rules)
  2012897 - ET POLICY HTTP Request to a *.noc.su domain (policy.rules)
  2012898 - ET POLICY HTTP Request to a *.be.ma domain (policy.rules)
  2012899 - ET POLICY HTTP Request to a *.qc.cx domain (policy.rules)
  2013015 - ET POLICY HTTP Request to Illegal Drug Sales Site (SilkRoad)
(policy.rules)
  2013064 - ET TROJAN Possible Tracur.Q HTTP Communication (trojan.rules)
  2013123 - ET POLICY HTTP Request to a *.co.be domain (policy.rules)
  2013412 - ET INFO HTTP Request to a *.co.com.au domain (info.rules)
  2013415 - ET INFO HTTP Request to a *.cz.tf domain (info.rules)
  2013460 - ET INFO HTTP Request to a *.c0m.li domain (info.rules)
  2013790 - ET TROJAN Cnzz.cn Related Dropper Checkin (trojan.rules)
  2013829 - ET INFO HTTP Request to a *.int.tf domain (info.rules)
  2013830 - ET INFO HTTP Request to a *.edu.tf domain (info.rules)
  2013831 - ET INFO HTTP Request to a *.us.tf domain (info.rules)
  2013832 - ET INFO HTTP Request to a *.ca.tf domain (info.rules)
  2013833 - ET INFO HTTP Request to a *.bg.tf domain (info.rules)
  2013834 - ET INFO HTTP Request to a *.ru.tf domain (info.rules)
  2013835 - ET INFO HTTP Request to a *.pl.tf domain (info.rules)
  2013837 - ET INFO HTTP Request to a *.de.tf domain (info.rules)
  2013838 - ET INFO HTTP Request to a *.at.tf domain (info.rules)
  2013839 - ET INFO HTTP Request to a *.ch.tf domain (info.rules)
  2013840 - ET INFO HTTP Request to a *.sg.tf domain (info.rules)
  2013841 - ET INFO HTTP Request to a *.nl.ai domain (info.rules)
  2013842 - ET INFO HTTP Request to a *.xe.cx domain (info.rules)
  2013844 - ET INFO HTTP Request to a *.orge.pl Domain (info.rules)
  2014141 - ET DOS LOIC Javascript DDoS Outbound (dos.rules)
  2016030 - ET DOS LOIC POST (dos.rules)
  2016031 - ET DOS LOIC GET (dos.rules)
  2017120 - ET POLICY Possible IPMI 2.0 RAKP Remote SHA1 Password Hash
Retrieval RAKP message 1 with default BMC usernames
(Admin|root|Administrator|USERID) (policy.rules)
  2017121 - ET ATTACK_RESPONSE Possible IPMI 2.0 RAKP Remote SHA1 Password
Hash Retrieval RAKP message 2 status code Unauthorized Name
(attack_response.rules)
  2019162 - ET TROJAN Win.Trojan.Chewbacca connectivity check (trojan.rules)
  2030099 - ET CURRENT_EVENTS SEO Injection/Fraud DNS Lookup
(count.trackstatisticsss .com) (current_events.rules)
  2030100 - ET TROJAN WEBMONITOR RAT CnC Domain in DNS Lookup
(dabmaster.wm01 .to) (trojan.rules)
  2840724 - ETPRO USER_AGENTS Suspicious User-Agent (Bootstrapper/)
(user_agents.rules)
  2842383 - ETPRO TROJAN Suspected LIMERAT CnC Domain in DNS Lookup
(trojan.rules)

[---]         Removed rules:         [---]

  2030107 - ET EXPLOIT Online Scheduling System 1.0 - Authentication Bypass
Attempt (exploit.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team