[Emerging-updates] Daily Ruleset Update Summary 2020/05/11

James Emery-Callcott jcallcott at emergingthreats.net
Mon May 11 13:38:51 HDT 2020


[***]            Summary:            [***]

  16 new Open, 44 new Pro (16 + 28).  Modi RAT, More_eggs, MASSLOGGER,
Others.

  Thanks @moonbas3, @ReBensk, and @sysopfb.

  Please be aware that after the deprecation of our Suricata 2/3 support
(April 15th 2020), the path for downloading the last pushed production
Suricata 2/3 rulesets has changed.  Deprecated rulesets are available at
https://rules.emergingthreatspro.com/OINK/old for ETPro and
https://rules.emergingthreatspro.com/open/old/ for ETOpen.  All requests
for the Suricata 2/3 rulesets at their previous locations will now lead to
the Suricata 4.0 production rules for ETPro and the rule download
instructions for ETOpen.

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030139 - ET TROJAN Unk.VBSLoader Retrieving Payload (trojan.rules)
  2030140 - ET TROJAN MSIL/Modi RAT CnC Command Outbound (aw) (trojan.rules)
  2030141 - ET TROJAN MSIL/Modi RAT CnC Command Inbound (in) (trojan.rules)
  2030142 - ET TROJAN MSIL/Modi RAT CnC Command Outbound (ds) (trojan.rules)
  2030143 - ET TROJAN MSIL/Modi RAT CnC Screenshot Outbound (trojan.rules)
  2030144 - ET TROJAN M3RAT CnC Checkin Outbound (trojan.rules)
  2030145 - ET CURRENT_EVENTS French Government COVID-19 Landing Page
(current_events.rules)
  2030146 - ET CURRENT_EVENTS NHS Gov UK COVID-19 Landing Page
(current_events.rules)
  2030147 - ET CURRENT_EVENTS IRS COVID-19 Landing Page
(current_events.rules)
  2030148 - ET TROJAN Unk.VBSLoader Retrieving Payload (trojan.rules)
  2030149 - ET USER_AGENTS Possible QBot User-Agent (user_agents.rules)
  2030150 - ET MOBILE_MALWARE SSL/TLS Certificate Observed (Betcity CnC)
(mobile_malware.rules)
  2030151 - ET TROJAN PowerShell Downloader CnC Activity (trojan.rules)
  2030152 - ET POLICY IP Check Domain (address .works) (policy.rules)
  2030153 - ET POLICY Observed IP Check Domain Domain (address .works in
TLS SNI) (policy.rules)
  2030154 - ET TROJAN MASSLOGGER Client Data Exfil (POST) (trojan.rules)

Pro:

  2842479 - ETPRO MOBILE_MALWARE Trojan.Android.Mazig.a Checkin
(mobile_malware.rules)
  2842480 - ETPRO POLICY XDumpGO Init Activity (Outbound) (policy.rules)
  2842481 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-09 1) (trojan.rules)
  2842482 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-09 2) (trojan.rules)
  2842483 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-11 1) (trojan.rules)
  2842484 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-11 2) (trojan.rules)
  2842485 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-11 3) (trojan.rules)
  2842486 - ETPRO TROJAN Win32/TrojanDownloader.Agent.FCI CnC Host Checkin
(trojan.rules)
  2842487 - ETPRO TROJAN Win32/TrojanDownloader.Agent.FCI CnC Activity
(trojan.rules)
  2842488 - ETPRO TROJAN MSIL/FakeSupport.DM Variant CnC Host Checkin
(trojan.rules)
  2842489 - ETPRO MALWARE MSIL/MaintainSystem.A CnC Host Checkin
(malware.rules)
  2842490 - ETPRO TROJAN MSIL/Agent.NK Variant CnC Host Checkin
(trojan.rules)
  2842491 - ETPRO TROJAN Win32/Spy.VB.NJG Variant CnC Host Checkin
(trojan.rules)
  2842492 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-05-11
(current_events.rules)
  2842493 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2020-05-11
(current_events.rules)
  2842494 - ETPRO TROJAN SSL/TLS Certificate Observed (More_Eggs)
(trojan.rules)
  2842495 - ETPRO TROJAN SSL/TLS Certificate Observed (More_Eggs)
(trojan.rules)
  2842496 - ETPRO TROJAN Win32/Remcos RAT Checkin 423 (trojan.rules)
  2842497 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)
  2842498 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842499 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842500 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842501 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842502 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842503 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842504 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842505 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842506 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)

[///]     Modified active rules:     [///]

  2029788 - ET CURRENT_EVENTS Canada Revenue Agency COVID-19 Assistance
Eligibility Phishing Landing 2020-04-01 (current_events.rules)
  2029789 - ET CURRENT_EVENTS Canada Revenue Agency COVID-19 Assistance
Eligibility Phishing Landing 2020-04-01 (current_events.rules)
  2841552 - ETPRO TROJAN MSIL/Poulight Stealer - Data Exfil (trojan.rules)

[---]         Removed rules:         [---]

  2841137 - ETPRO TROJAN Unk.VBSLoader Retrieving Payload (trojan.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team