List:       emerging-sigs
Subject:    [Emerging-Sigs] Daily Ruleset Update Summary 2022/07/29
From:       Brandon Murphy <bmurphy () emergingthreats ! net>
Date:       2022-07-29 22:58:33
Message-ID: CAGK-UvJDfpnm-vM+r=A0gaxGwMOh22V=PznrbRSj9_9TPkH8JQ () mail ! gmail ! com

[***]            Summary:            [***]

  24 new OPEN, 26 new PRO (24 + 2) EvilProxy AiTM, Robin Banks, RKO Remote
File Upload, Danabot and LimeRAT.

   Thanks @twinwavesec, @phage_nz, and @James_inthe_box

  Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2037848 - ET PHISHING [TW] EvilProxy AiTM Set-Cookie (phishing.rules)
  2037849 - ET PHISHING [TW] EvilProxy AiTM Username Checkin (phishing.rules)
  2037850 - ET PHISHING [TW] EvilProxy AiTM Cookie Value (phishing.rules)
  2037851 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M1 (phishing.rules)
  2037852 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M2 (phishing.rules)
  2037853 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M3 (phishing.rules)
  2037854 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M4 (phishing.rules)
  2037855 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M5 (phishing.rules)
  2037856 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M6 (phishing.rules)
  2037857 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M7 (phishing.rules)
  2037858 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M8 (phishing.rules)
  2037859 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M9 (phishing.rules)
  2037860 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M10 (phishing.rules)
  2037861 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M11 (phishing.rules)
  2037862 - ET PHISHING [TW] EvilProxy AiTM Network Reporting (phishing.rules)
  2037863 - ET ATTACK_RESPONSE Trojan.Dropper.HTML.Agent Payload (attack_response.rules)
  2037864 - ET PHISHING [TW] Robin Banks HTTP HOST M1 (phishing.rules)
  2037865 - ET PHISHING [TW] Robin Banks HTTP HOST M2 (phishing.rules)
  2037866 - ET PHISHING [TW] Robin Banks HTTP GET Struct (phishing.rules)
  2037867 - ET PHISHING [TW] Robin Banks Redirect M1 (phishing.rules)
  2037868 - ET PHISHING [TW] Robin Banks Redirect M2 (phishing.rules)
  2037869 - ET PHISHING Facebook Credential Theft Landing Page 2022-07-29 (phishing.rules)
  2037870 - ET MALWARE RKO Remote File Upload Attempt (malware.rules)
  2037871 - ET PHISHING Successful Generic Phish 2022-07-29 (phishing.rules)

Pro:

  2851981 - ETPRO MALWARE Danabot - Server Response (malware.rules)
  2851982 - ETPRO MALWARE LimeRat Domain in DNS Lookup (one-drive .sly .io) (malware.rules)

[///]     Modified active rules:     [///]

  2035595 - ET MALWARE Generic AsyncRAT Style SSL Cert (malware.rules)

[---]         Disabled rules:        [---]

  2037210 - ET PHISHING Observed DNS Query to Alibaba Phishing Domain (krikam .net) (phishing.rules)
  2037212 - ET PHISHING Observed DNS Query to ING Bank Phishing Domain (servesrs -kontendiba .cyou) (phishing.rules)
  2851840 - ETPRO PHISHING Observed DNS Query to O365 QR Phishing Domain (phishing.rules)
  2851842 - ETPRO PHISHING Observed DNS Query to O365 QR Phishing Domain (phishing.rules)
