5/28

[***]            Summary:            [***]

2 new OPEN, 30 new PRO (2 + 28). SmailMax PHPMailer, Lemon_Duck Powershell, AutoIT/Trojan.Injector.Autoit.F, Various SSL, Various CoinMiners, Various PHISH.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

  2030227 - ET WEB_CLIENT SmailMax PHPMailer Accessed on External Server
(web_client.rules)
  2030228 - ET WEB_SERVER SmailMax PHPMailer Accessed on Internal Server
(web_server.rules)

Pro:

  2842749 - ETPRO INFO Observed Suspicious regasm.exe in URI - Possible
Payload Execution (info.rules)
  2842750 - ETPRO INFO Observed Suspicious vbc.exe in URI - Possible
Payload Execution (info.rules)
  2842751 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc 2020-05-28)
(trojan.rules)
  2842753 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-28 1) (trojan.rules)
  2842754 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-05-28 2) (trojan.rules)
  2842755 - ETPRO CURRENT_EVENTS Successful IRS Phish 2020-05-28
(current_events.rules)
  2842756 - ETPRO CURRENT_EVENTS Successful Generic Account Verification
Phish 2020-05-28 (current_events.rules)
  2842757 - ETPRO CURRENT_EVENTS Successful Generic Verification Phish
2020-05-28 (current_events.rules)
  2842758 - ETPRO CURRENT_EVENTS Successful Navy Federal Credit Union Phish
2020-05-28 (current_events.rules)
  2842759 - ETPRO CURRENT_EVENTS Successful Navy Federal Credit Union Phish
2020-05-28 (current_events.rules)
  2842760 - ETPRO CURRENT_EVENTS Successful Generic Webmail Security Phish
2020-05-28 (current_events.rules)
  2842761 - ETPRO CURRENT_EVENTS Successful MKB Bank Phish 2020-05-28
(current_events.rules)
  2842762 - ETPRO CURRENT_EVENTS Successful WHO Phish 2020-05-28
(current_events.rules)
  2842763 - ETPRO CURRENT_EVENTS Successful Palo Alto Global Protect Phish
2020-05-28 (current_events.rules)
  2842764 - ETPRO CURRENT_EVENTS Successful Mimecast Phish 2020-05-28
(current_events.rules)
  2842765 - ETPRO CURRENT_EVENTS Successful Mimecast Phish 2020-05-28
(current_events.rules)
  2842766 - ETPRO CURRENT_EVENTS Successful Mimecast Phish 2020-05-28
(current_events.rules)
  2842767 - ETPRO CURRENT_EVENTS Successful Generic Compromised Wordpress
Phish 2020-05-28 (current_events.rules)
  2842768 - ETPRO CURRENT_EVENTS Successful Huntington Bank Phish
2020-05-28 (current_events.rules)
  2842769 - ETPRO TROJAN W32/Unk.Dropper CnC Host Checkin (trojan.rules)
  2842770 - ETPRO TROJAN Lemon_Duck Powershell CnC Checkin M4 (trojan.rules)
  2842771 - ETPRO TROJAN Win32/Remcos RAT Checkin 439 (trojan.rules)
  2842772 - ETPRO TROJAN AutoIT/Trojan.Injector.Autoit.F Checkin
(trojan.rules)
  2842773 - ETPRO TROJAN Win32/Remcos RAT Checkin 440 (trojan.rules)
  2842774 - ETPRO TROJAN Observed Malicious SSL Cert (AZORult CnC)
(trojan.rules)
  2842775 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)
  2842776 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI
(trojan.rules)

[///]     Modified active rules:     [///]

  2011336 - ET TROJAN Win32/Keatep.B Checkin (trojan.rules)
  2017713 - ET TROJAN Taidoor Checkin (trojan.rules)
  2018681 - ET TROJAN W32/Kazy.325252 Variant CnC Beacon 1 (trojan.rules)
  2018682 - ET TROJAN W32/Kazy.325252 Variant CnC Beacon 2 (trojan.rules)
  2019115 - ET TROJAN W32/Waterspout.APT Backdoor CnC Beacon (trojan.rules)
  2021277 - ET TROJAN Backdoor.Elise CnC Beacon 3 M1 (trojan.rules)
  2021299 - ET TROJAN Downloader.Win32.Adload (KaiXin Payload) Config
Download (trojan.rules)
  2021311 - ET INFO User-Agent (wininet) (info.rules)
  2021321 - ET TROJAN Gozi/Ursnif/Papras Grabftp Module Download
(trojan.rules)
  2021334 - ET TROJAN DDoS.XOR Checkin 2 (trojan.rules)
  2021335 - ET TROJAN DDoS.XOR Checkin 3 (trojan.rules)
  2021390 - ET WEB_SPECIFIC_APPS WEB-PHP RCE PHPBB 2004-1315
(web_specific_apps.rules)
  2021404 - ET TROJAN W32/Banload.VZS Banker POST CnC Beacon 2
(trojan.rules)
  2027517 - ET EXPLOIT Tomcat File Upload Payload Request (CVE-2017-12615)
(exploit.rules)
  2803490 - ETPRO TROJAN Suspicious User-Agent (DOGX) (trojan.rules)
  2803932 - ETPRO TROJAN Scar.evje/Fraudtool.AvSoft DDoS Traffic (Munged
UA) Outbound (trojan.rules)
  2811474 - ETPRO TROJAN KazyBot DATA Checkin (trojan.rules)
  2811475 - ETPRO TROJAN Win32/Denisca.A Checkin (trojan.rules)
  2811488 - ETPRO TROJAN MSIL/Minuplo.A Adfraud Activity (trojan.rules)
  2811569 - ETPRO TROJAN Possible Tinba CnC Beacon (trojan.rules)
  2811574 - ETPRO TROJAN VBS Backdoor.Copre CnC Beacon (trojan.rules)
  2811575 - ETPRO TROJAN Win32/Tivmonk.B Reporting Browser Activity
(trojan.rules)
  2811578 - ETPRO TROJAN Win32/Nitedrem.E CnC (trojan.rules)
  2811580 - ETPRO USER_AGENTS ProxyGate Client User Agent
(user_agents.rules)
  2811593 - ETPRO EXPLOIT Symantec Encryption Gateway RCE Exploit Attempt
(exploit.rules)
  2811603 - ETPRO USER_AGENTS Suspicious User-Agent UPDATER
(user_agents.rules)
  2811628 - ETPRO TROJAN BACKDOOR.EMDIVI Checkin 2 (trojan.rules)
  2811664 - ETPRO TROJAN Win32/Delf.SPE Downloader CnC Beacon 2
(trojan.rules)
  2811674 - ETPRO TROJAN Win32/Trubsil.A Checkin (trojan.rules)
  2811675 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.cc Checkin 2
(mobile_malware.rules)
  2811676 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.cc Checkin 3
(mobile_malware.rules)
  2811692 - ETPRO WEB_SERVER Possible b374k 2.2/8 Shell Upload
(web_server.rules)
  2811693 - ETPRO WEB_SERVER Possible b374k 2.2/8 Shell Access (phpinfo)
(web_server.rules)
  2811694 - ETPRO WEB_SERVER Possible b374k 2.2/8 Shell Access (eval)
(web_server.rules)
  2811696 - ETPRO TROJAN Win32/Delf.SPE Downloader Requesting File
(trojan.rules)
  2811702 - ETPRO WEB_SERVER b374k 3.x Shell Upload (web_server.rules)
  2811703 - ETPRO WEB_SERVER b374k 3.x Shell Access (web_server.rules)
  2811709 - ETPRO TROJAN Tirabot CnC (trojan.rules)
  2811711 - ETPRO TROJAN Unknown Checkin (trojan.rules)
  2811722 - ETPRO TROJAN AnimalFarm APT Trojan CnC Beacon (trojan.rules)
  2811740 - ETPRO TROJAN LockScreen.AVP Downloader (trojan.rules)
  2811748 - ETPRO WEB_SPECIFIC_APPS GeniXCMS register.php SQLi Attempt
(web_specific_apps.rules)
  2811751 - ETPRO TROJAN AnimalFarm APT Trojan CnC Beacon 2 (trojan.rules)
  2811763 - ETPRO MOBILE_MALWARE Monitoring-Tool Android/SafeKidZone.A
Checkin (mobile_malware.rules)
  2811764 - ETPRO MOBILE_MALWARE Monitoring-Tool Android/SafeKidZone.A
Checkin 2 (mobile_malware.rules)
  2811765 - ETPRO MOBILE_MALWARE Android PUP Wodsha-E Checkin
(mobile_malware.rules)
  2811802 - ETPRO TROJAN Win32.Generic Downloader Checkin (trojan.rules)
  2811804 - ETPRO TROJAN Win32/Zegost.BZ IP Check (IP.CHINAZ.COM)
(trojan.rules)
  2811809 - ETPRO TROJAN Win32/Spy.KeyLogger.NYE CnC Checkin (trojan.rules)
  2811837 - ETPRO TROJAN TrojanDownloader.Delf.BAY (trojan.rules)
  2811840 - ETPRO TROJAN DiamondFox HTTP POST CnC Beacon 2 (trojan.rules)
  2811841 - ETPRO TROJAN Win32.Banker2.bwv Variant Checkin (trojan.rules)
  2811844 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ac Checkin
(mobile_malware.rules)
  2811846 - ETPRO WEB_SPECIFIC_APPS WP Easy2Map Plugin SQLi Attempt
(web_specific_apps.rules)
  2811853 - ETPRO TROJAN Win32/Banker Variant Checkin (trojan.rules)
  2811859 - ETPRO TROJAN Unknown VB Downloader Initial CnC Beacon
(trojan.rules)
  2811860 - ETPRO TROJAN Win32/Sohanad.AL Yahoo.com Connectivity Check
(trojan.rules)
  2811865 - ETPRO TROJAN PredatorPain Keylogger Checkin (trojan.rules)
  2811877 - ETPRO TROJAN Win32/Shutdowner.agpb Activity (trojan.rules)
  2811881 - ETPRO TROJAN Ransomware Win32/Troldesh.A IP Lookup
(trojan.rules)
  2811895 - ETPRO TROJAN Plat1 CnC Beacon POST (trojan.rules)
  2811963 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 CnC
Beacon (trojan.rules)
  2811965 - ETPRO WEB_SPECIFIC_APPS GWC CMS SQLi Attempt
(web_specific_apps.rules)
  2811977 - ETPRO TROJAN Python/VSAgent CnC Beacon (trojan.rules)
  2811978 - ETPRO TROJAN Python/Malwr CnC Beacon (trojan.rules)
  2811979 - ETPRO WEB_SPECIFIC_APPS WP Plugin Multi View Calendar SQLi
Attempt (web_specific_apps.rules)
  2811998 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.aj Checkin 4
(mobile_malware.rules)
  2812020 - ETPRO TROJAN Python/FBook.B CnC Beacon (trojan.rules)
  2812023 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.al Download
(mobile_malware.rules)
  2812024 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iserdal Checkin
(mobile_malware.rules)
  2812027 - ETPRO TROJAN Win32/Skeeyah.A!rfn Activity (trojan.rules)
  2812030 - ETPRO TROJAN Win32/Sality.AT Checkin 2 (trojan.rules)
  2812034 - ETPRO TROJAN Derusbi CnC Beacon 1 (trojan.rules)
  2812042 - ETPRO TROJAN Win32/Zegost.fn IP Lookup (ip.aa2.cn)
(trojan.rules)
  2841429 - ETPRO TROJAN MSIL/Spy.Small.EU Variant Host Checkin
(trojan.rules)
  2841977 - ETPRO TROJAN Lemon_Duck Powershell Requesting Payload M1
(trojan.rules)
  2841978 - ETPRO TROJAN Lemon_Duck Powershell Requesting Payload M2
(trojan.rules)
