[***] Summary: [***]

2 new Open signatures, 33 new Pro (2 + 31). Bunitu, SunDownEK, ShinoBot.

Thanks: @jonny55555 and MS-ISAC.

[+++]          Added rules:          [+++]

Open:

2023740 - ET TROJAN Possible Pony Payload DL (trojan.rules)
2023741 - ET TROJAN Pony DLL Download M2 (trojan.rules)

Pro:

2824407 - ETPRO CURRENT_EVENTS SunDown EK Payload Jan 12 2017 (current_events.rules)
2824408 - ETPRO CURRENT_EVENTS PowerShell Empire Session Initial Activity (current_events.rules)
2824409 - ETPRO TROJAN Cmstar or Etirehni or Related Implant DNS Lookup (trojan.rules)
2824410 - ETPRO TROJAN Cmstar or Etirehni or Related Implant DNS Lookup (trojan.rules)
2824411 - ETPRO TROJAN Cmstar or Etirehni or Related Implant DNS Lookup (trojan.rules)
2824412 - ETPRO TROJAN Cmstar or Etirehni or Related Implant DNS Lookup (trojan.rules)
2824413 - ETPRO TROJAN Cmstar or Etirehni or Related Implant DNS Lookup (trojan.rules)
2824414 - ETPRO TROJAN Cmstar or Etirehni or Related Implant DNS Lookup (trojan.rules)
2824415 - ETPRO TROJAN Cmstar or Etirehni or Related Implant DNS Lookup (trojan.rules)
2824416 - ETPRO TROJAN Cmstar or Etirehni or Related Implant DNS Lookup (trojan.rules)
2824417 - ETPRO TROJAN Cmstar or Etirehni or Related Implant DNS Lookup (trojan.rules)
2824418 - ETPRO TROJAN Cmstar or Etirehni or Related Implant DNS Lookup (trojan.rules)
2824419 - ETPRO TROJAN Cmstar or Etirehni or Related Implant DNS Lookup (trojan.rules)
2824420 - ETPRO TROJAN Cmstar or Etirehni or Related Implant DNS Lookup (trojan.rules)
2824421 - ETPRO TROJAN Win32.Bunitu DNS Lookup (trojan.rules)
2824422 - ETPRO TROJAN Nomri (Cmstar related) DNS Lookup (trojan.rules)
2824423 - ETPRO TROJAN Nomri (Cmstar related) DNS Lookup (trojan.rules)
2824424 - ETPRO TROJAN Nomri (Cmstar related) DNS Lookup (trojan.rules)
2824425 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.IB .onion Proxy Domain (mobile_malware.rules)
2824426 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.DU Checkin 2 (mobile_malware.rules)
2824427 - ETPRO CURRENT_EVENTS Possible SunDownEK Payload Jan 13 2017 (current_events.rules)
2824428 - ETPRO WEB_SERVER PHP Ransomware Crypter Upload (web_server.rules)
2824429 - ETPRO TROJAN MSIL/ShinoBot HTTP CnC Checkin (trojan.rules)
2824430 - ETPRO CURRENT_EVENTS Successful Stripe Phish Jan 13 2017 (current_events.rules)
2824431 - ETPRO CURRENT_EVENTS Successful Paypal Phish M1 Jan 13 2017 (current_events.rules)
2824432 - ETPRO CURRENT_EVENTS Successful Paypal Phish M2 Jan 13 2017 (current_events.rules)
2824433 - ETPRO CURRENT_EVENTS Successful RBC Royal Bank Phish Jan 13 2017 (current_events.rules)
2824434 - ETPRO CURRENT_EVENTS Successful Santander Bank Phish M1 Jan 13 2017 (current_events.rules)
2824435 - ETPRO CURRENT_EVENTS Successful Santander Bank Phish M2 Jan 13 2017 (current_events.rules)
2824436 - ETPRO CURRENT_EVENTS Successful Santander Bank Phish M3 Jan 13 2017 (current_events.rules)
2824437 - ETPRO CURRENT_EVENTS Successful Santander Bank Phish M4 Jan 13 2017 (current_events.rules)

[///]     Modified active rules:     [///]

2013721 - ET TROJAN Suspicious User-Agent (WindowsNT) With No Separating Space (trojan.rules)
2016935 - ET WEB_SERVER SQL Injection Select Sleep Time Delay (web_server.rules)
2018575 - ET TROJAN Possible Andromeda download with fake Zip header (1) (trojan.rules)
2018576 - ET TROJAN Possible Andromeda download with fake Zip header (2) (trojan.rules)
2021918 - ET TROJAN DustySky Checkin (trojan.rules)
2022939 - ET CURRENT_EVENTS Possible Pony DLL Download (current_events.rules)
2803784 - ETPRO SCADA Rockwell RNA Message Negative Header Length (scada.rules)
2806121 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.MTK.a Checkin (mobile_malware.rules)
2822347 - ETPRO CURRENT_EVENTS Successful Adobe Shared Document Phish Oct 3 2016 (current_events.rules)
2822380 - ETPRO CURRENT_EVENTS Successful Paypal Phish Oct 04 2016 (current_events.rules)
2822430 - ETPRO CURRENT_EVENTS Successful Paypal Phish M1 Oct 06 2016 (current_events.rules)
2822434 - ETPRO CURRENT_EVENTS Successful Dropbox Phish Oct 06 2016 (current_events.rules)
2822466 - ETPRO CURRENT_EVENTS Successful Paypal Phish M1 Oct 06 2016 (current_events.rules)
2822471 - ETPRO CURRENT_EVENTS Successful Google Drive Phish Oct 06 2016 (current_events.rules)
2822482 - ETPRO CURRENT_EVENTS SunDown/Xer Payload (URL Primer) (current_events.rules)
2822848 - ETPRO CURRENT_EVENTS Successful Generic Phish (Observed in Apple/Paypal/Amazon Campaigns) M1 Oct 25 2016 (current_events.rules)
2822979 - ETPRO CURRENT_EVENTS Possible Bizarro SunDown Payload (current_events.rules)

[---]         Removed rules:         [---]

2814617 - ETPRO CURRENT_EVENTS Successful Excel Online Phish Oct 27 (current_events.rules)
2815247 - ETPRO CURRENT_EVENTS Successful Excel Online Phish Dec 8 (current_events.rules)

Date: Thursday, January 12, 2017 - 22:00