List: emerging-sigs
Subject: [Emerging-Sigs] Daily Ruleset Update Summary 2022/07/29
From: Brandon Murphy <bmurphy () emergingthreats ! net>
Date: 2022-07-29 22:58:33
Message-ID: CAGK-UvJDfpnm-vM+r=A0gaxGwMOh22V=PznrbRSj9_9TPkH8JQ () mail ! gmail ! com
[***] Summary: [***]
24 new OPEN, 26 new PRO (24 + 2) EvilProxy AiTM, Robin Banks, RKO Remote
File Upload, Danabot and LimeRAT.
Thanks @twinwavesec, @phage_nz, and @James_inthe_box
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2037848 - ET PHISHING [TW] EvilProxy AiTM Set-Cookie (phishing.rules)
2037849 - ET PHISHING [TW] EvilProxy AiTM Username Checkin (phishing.rules)
2037850 - ET PHISHING [TW] EvilProxy AiTM Cookie Value (phishing.rules)
2037851 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M1 (phishing.rules)
2037852 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M2 (phishing.rules)
2037853 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M3 (phishing.rules)
2037854 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M4 (phishing.rules)
2037855 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M5 (phishing.rules)
2037856 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M6 (phishing.rules)
2037857 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M7 (phishing.rules)
2037858 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M8 (phishing.rules)
2037859 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M9 (phishing.rules)
2037860 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M10 (phishing.rules)
2037861 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M11 (phishing.rules)
2037862 - ET PHISHING [TW] EvilProxy AiTM Network Reporting (phishing.rules)
2037863 - ET ATTACK_RESPONSE Trojan.Dropper.HTML.Agent Payload (attack_response.rules)
2037864 - ET PHISHING [TW] Robin Banks HTTP HOST M1 (phishing.rules)
2037865 - ET PHISHING [TW] Robin Banks HTTP HOST M2 (phishing.rules)
2037866 - ET PHISHING [TW] Robin Banks HTTP GET Struct (phishing.rules)
2037867 - ET PHISHING [TW] Robin Banks Redirect M1 (phishing.rules)
2037868 - ET PHISHING [TW] Robin Banks Redirect M2 (phishing.rules)
2037869 - ET PHISHING Facebook Credential Theft Landing Page 2022-07-29 (phishing.rules)
2037870 - ET MALWARE RKO Remote File Upload Attempt (malware.rules)
2037871 - ET PHISHING Successful Generic Phish 2022-07-29 (phishing.rules)
Pro:
2851981 - ETPRO MALWARE Danabot - Server Response (malware.rules)
2851982 - ETPRO MALWARE LimeRat Domain in DNS Lookup (one-drive .sly .io) (malware.rules)
[///] Modified active rules: [///]
2035595 - ET MALWARE Generic AsyncRAT Style SSL Cert (malware.rules)
[---] Disabled rules: [---]
2037210 - ET PHISHING Observed DNS Query to Alibaba Phishing Domain (krikam .net) (phishing.rules)
2037212 - ET PHISHING Observed DNS Query to ING Bank Phishing Domain (servesrs -kontendiba .cyou) (phishing.rules)
2851840 - ETPRO PHISHING Observed DNS Query to O365 QR Phishing Domain (phishing.rules)
2851842 - ETPRO PHISHING Observed DNS Query to O365 QR Phishing Domain (phishing.rules)
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net