[Emerging-updates] Daily Ruleset Update Summary 2020/05/22

Brandon Murphy bmurphy at emergingthreats.net
Fri May 22 13:51:13 HDT 2020


[***]            Summary:            [***]

7 new OPEN, 26 new PRO (7 + 19). KETRUM2, BF Botnet, MAZE Ransomware,
VARIOUS Phish

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

2030205 - ET INFO HTTP Request for ISO File Direct to IP (info.rules)
2030206 - ET EXPLOIT UCM6202 1.0.18.13 - Remote Command Injection Attempt
(exploit.rules)
2030207 - ET MALWARE BF Botnet CnC Checkin (malware.rules)
2030208 - ET TROJAN Suspected KETRUM2 CnC (trojan.rules)
2030209 - ET TROJAN Observed MAZE Ransomware CnC Domain (checksoffice .me
in TLS SNI) (trojan.rules)
2030210 - ET TROJAN Observed MAZE Ransomware CnC Domain (plaintsotherest
.net in TLS SNI) (malware.rules)
2030211 - ET TROJAN Observed MAZE Ransomware CnC Domain (thesawmeinrew .net
in TLS SNI) (trojan.rules)

Pro:

2842687 - ETPRO WEB_CLIENT Observed Evil JavaScript Payment Card Skimmer
Code Inbound (web_client.rules)
2842688 - ETPRO POLICY External IP Lookup via ip tbip .alicdn .com
(policy.rules)
2842689 - ETPRO POLICY External IP Lookup via ip ip.tool.chinaz .com
(policy.rules)
2842690 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-22 1) (trojan.rules)
2842691 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-22 2) (trojan.rules)
2842692 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-22 3) (trojan.rules)
2842695 - ETPRO TROJAN VBS/Unk.Downloader Host CnC Checkin (trojan.rules)
2842696 - ETPRO CURRENT_EVENTS Successful Citibank Phish 2020-05-22
(current_events.rules)
2842697 - ETPRO CURRENT_EVENTS Successful GOV UK Income Support Scheme
Phish 2020-05-22 (current_events.rules)
2842698 - ETPRO CURRENT_EVENTS Successful Generic Phish Error Response
2020-05-22 (current_events.rules)
2842699 - ETPRO CURRENT_EVENTS Successful Generic Secure Email Server Phish
2020-05-22 (current_events.rules)
2842700 - ETPRO POLICY Suspicious IFS String Observed in HTTP URI
(policy.rules)
2842701 - ETPRO POLICY Suspicious IFS String Observed in HTTP Header
(policy.rules)
2842702 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2842703 - ETPRO TROJAN Win32/Remcos RAT Checkin 432 (trojan.rules)
2842704 - ETPRO TROJAN Win32/Remcos RAT Checkin 433 (trojan.rules)
2842705 - ETPRO TROJAN Win32/Remcos RAT Checkin 434 (trojan.rules)

[///]     Modified active rules:     [///]

2018373 - ET EXPLOIT Malformed HeartBeat Response (exploit.rules)
2018462 - ET TROJAN W32/Fsysna.Downloader CnC Beacon (trojan.rules)
2020855 - ET TROJAN CryptoWall Check-in M2 (trojan.rules)
2020900 - ET TROJAN Emotet v2 Exfiltrating Outlook information
(trojan.rules)
2021088 - ET TROJAN Win32/Agent.WVW CnC Beacon 2 (trojan.rules)
2021103 - ET TROJAN FrauDrop Checkin (trojan.rules)
2021104 - ET TROJAN FrauDrop UA LETITGO (trojan.rules)
2021105 - ET TROJAN FrauDrop UA single (trojan.rules)
2021108 - ET TROJAN APT Hellsing Proxy Checker Checkin (trojan.rules)
2021114 - ET TROJAN Yahoyah CnC Beacon (trojan.rules)
2021120 - ET POLICY External Timezone Check (earthtools.org) (policy.rules)
2021123 - ET TROJAN Worm.VBS.Jenxcus.H User Agent (trojan.rules)
2021129 - ET TROJAN Blue Bot DDoS Blog Request (trojan.rules)
2021130 - ET TROJAN Blue Bot DDoS Target Request (trojan.rules)
2021131 - ET TROJAN Blue Bot DDoS Logger Request (trojan.rules)
2021138 - ET WEB_SERVER ElasticSearch Directory Traversal Attempt
(CVE-2015-3337) (web_server.rules)
2021140 - ET TROJAN H1N1 Loader CnC Beacon M2 (trojan.rules)
2021147 - ET TROJAN Linux/Moose HTTP CnC Beacon (trojan.rules)
2021148 - ET TROJAN Linux/Moose HTTP CnC Beacon Response (trojan.rules)
2021160 - ET TROJAN Win32/Gatak.DR Payload Instructions (trojan.rules)
2021168 - ET TROJAN PunkeyPOS HTTP CnC Beacon 9 (trojan.rules)
2021185 - ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.m Checkin
(mobile_malware.rules)
2021187 - ET TROJAN IOS.Oneclickfraud HTTP Host (trojan.rules)
2021189 - ET TROJAN Databack CnC (trojan.rules)
2021205 - ET POLICY Xpopup Instant Messenger Downloading Configuration
(policy.rules)
2021215 - ET TROJAN IsSpace/Zacom Connectivity Check (trojan.rules)
2021228 - ET TROJAN Poweliks Clickfraud CnC M3 (trojan.rules)
2021246 - ET TROJAN Win32/Gatak.DR Activity (trojan.rules)
2021257 - ET TROJAN Win32/Agent.WVW CnC Beacon 1 (trojan.rules)
2021262 - ET TROJAN Win32/Chinad Checkin (trojan.rules)
2025437 - ET CURRENT_EVENTS [PTsecurity] Grandsoft EK Payload
(current_events.rules)
2025651 - ET TROJAN [eSentire] Win32/Spy.Banker CnC Command (DOWNLOAD)
(trojan.rules)
2027369 - ET EXPLOIT [NCC GROUP] Possible Bluekeep Inbound RDP Exploitation
Attempt (CVE-2019-0708) (exploit.rules)
2030140 - ET TROJAN MSIL/Modi RAT CnC Command Outbound (aw) (trojan.rules)
2030141 - ET TROJAN MSIL/Modi RAT CnC Command Inbound (in) (trojan.rules)
2030142 - ET TROJAN MSIL/Modi RAT CnC Command Outbound (ds) (trojan.rules)
2030143 - ET TROJAN MSIL/Modi RAT CnC Screenshot Outbound (trojan.rules)
2809599 - ETPRO TROJAN KazyBot Checkin (trojan.rules)
2810981 - ETPRO TROJAN Win32/Agent.WEW Likely Filename in URI (trojan.rules)
2810986 - ETPRO MOBILE_MALWARE Android-Trojan/Crosate Checkin
(mobile_malware.rules)
2810989 - ETPRO TROJAN MSIL/Muxif.A Checkin (trojan.rules)
2810993 - ETPRO TROJAN Generic Downloader Retrieving PE (trojan.rules)
2810999 - ETPRO TROJAN Win32/Chaori.A Checkin (trojan.rules)
2811000 - ETPRO TROJAN Win32/Bancos.YW Checkin (trojan.rules)
2811003 - ETPRO TROJAN W32/Banload.UOL!tr.dldr Checkin (trojan.rules)
2811024 - ETPRO TROJAN Win32/Troldesh.A Ransomware External IP Check 2
(trojan.rules)
2811026 - ETPRO TROJAN Win32/Duetag.A Checkin 1 (trojan.rules)
2811041 - ETPRO TROJAN SpyBanker Install (trojan.rules)
2811045 - ETPRO TROJAN Hupigon Backdoor Checkin (trojan.rules)
2811052 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.BDO Checkin
(mobile_malware.rules)
2811055 - ETPRO TROJAN Win32/Zegost.AD Checkin (trojan.rules)
2811062 - ETPRO TROJAN Win32/Spy.POSCardStealer.O CnC Beacon 1
(trojan.rules)
2811063 - ETPRO TROJAN Win32/Spy.POSCardStealer.O CnC Beacon 2
(trojan.rules)
2811064 - ETPRO TROJAN Win32/Blacked.dropper CnC Beacon (trojan.rules)
2811069 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.AAJ Checkin
(mobile_malware.rules)
2811072 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.IB Checkin
(mobile_malware.rules)
2811077 - ETPRO TROJAN Win32/Banload.BBG Dropping EXE (trojan.rules)
2811093 - ETPRO TROJAN MSIL/Golroted.B/Hawkeye Keylogger Execution
(trojan.rules)
2811094 - ETPRO TROJAN MSIL/Golroted.B/Hawkeye Keylogger Sending Data
(trojan.rules)
2811097 - ETPRO TROJAN Possible TOX Ransomware Downloading TOR Client
(trojan.rules)
2811124 - ETPRO TROJAN Win32/Hupigon CnC Beacon (trojan.rules)
2811125 - ETPRO TROJAN IPuR.h Style IP Check (trojan.rules)
2811137 - ETPRO POLICY Netseal Licensing System Check - Observed in RAT
Licensing (policy.rules)
2811138 - ETPRO POLICY Netseal Licensing System Data POST - Observed in RAT
Licensing (policy.rules)
2811139 - ETPRO POLICY Netseal Licensing System Login - Observed in RAT
Licensing (policy.rules)
2811190 - ETPRO WEB_SPECIFIC_APPS WP dzs-zoomsounds Plugin < 2.0 Remote
File Upload Attempt (web_specific_apps.rules)
2811192 - ETPRO TROJAN Ransom.Win32/Urausy.A Beacon (trojan.rules)
2811212 - ETPRO TROJAN Asterope Payload Download (trojan.rules)
2811216 - ETPRO INFO C: \\ filepath observed in HTTP header (info.rules)
2811217 - ETPRO TROJAN Win32/Mikcer.B Checkin (trojan.rules)
2811239 - ETPRO TROJAN Unknown Downloader CnC (trojan.rules)
2811240 - ETPRO EXPLOIT DLink DNS/DNR 320 Default Credential Authentication
Bypass HTTP Request (exploit.rules)
2811241 - ETPRO EXPLOIT DLink DNS/DNR 320 cgi_set_wto Authentication Bypass
HTTP Request 1 (exploit.rules)
2811242 - ETPRO EXPLOIT DLink DNS/DNR 320 cgi_set_wto Authentication Bypass
HTTP Request 2 (exploit.rules)
2811244 - ETPRO EXPLOIT DLink DNS/DNR 320 save_ajax.php AFU HTTP Request
(exploit.rules)
2811247 - ETPRO TROJAN Win32/Skeeyah Checkin (trojan.rules)
2811251 - ETPRO MOBILE_MALWARE Android.Trojan.Giser.A Checkin
(mobile_malware.rules)
2811333 - ETPRO TROJAN Win32/Banker.ChePro Payload Request (trojan.rules)
2811334 - ETPRO TROJAN Ponik host config (trojan.rules)
2811338 - ETPRO USER_AGENTS Suspicious User-Agent VB Project
(user_agents.rules)
2811341 - ETPRO TROJAN WIN32/Msposer.A Payload Request (trojan.rules)
2811428 - ETPRO TROJAN Win32/Navattle.A HTTP Request - SourceForge
(trojan.rules)
2811445 - ETPRO TROJAN Win32/Plugx.J Checkin (trojan.rules)
2811448 - ETPRO TROJAN Win32/Bicololo Checkin (trojan.rules)
2811449 - ETPRO TROJAN Win32/Bicololo Checkin 2 (trojan.rules)
2811459 - ETPRO TROJAN Unknown Checkin (trojan.rules)
2811473 - ETPRO TROJAN KazyBot SERVER Checkin (trojan.rules)
2831962 - ETPRO TROJAN Ursnif Variant CnC Beacon 8 M1 (trojan.rules)
2842453 - ETPRO TROJAN ELF/Gafygt Variant CnC Activity Inbound
(trojan.rules)