[***]            Summary:            [***]

9 new Open, 33 new Pro (9 + 24). APT32 Komprogo, APT32 Win32/Agent.YFL, Mole Ransomware Payment Domain, Samba (CVE-2017-7494), Win32/Adonis, Various Mobile, Various Phishing.

Thanks: Noah Dunker

[+++]          Added rules:          [+++]

Open:

2024328 - ET CURRENT_EVENTS Successful Banco do Brasil Phish Mar 30 2017 (current_events.rules)
2024329 - ET CURRENT_EVENTS Successful Banco do Brasil Phish May 25 2017 (current_events.rules)
2024330 - ET TROJAN APT32 Komprogo DNS Lookup (trojan.rules)
2024331 - ET TROJAN APT32 Komprogo DNS Lookup (trojan.rules)
2024332 - ET TROJAN APT32 Komprogo DNS Lookup (trojan.rules)
2024333 - ET TROJAN APT32 Komprogo DNS Lookup (trojan.rules)
2024334 - ET TROJAN APT32 Komprogo DNS Lookup (trojan.rules)
2024335 - ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (.so file write to share) (CVE-2017-7494) (exploit.rules)
2024336 - ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (NT Create AndX .so) (CVE-2017-7494) (exploit.rules)

Pro:

2826510 - ETPRO TROJAN MSIL/Unk Reporting Infection via FTP (trojan.rules)
2826511 - ETPRO MOBILE_MALWARE Unknown Android Loader Checkin (mobile_malware.rules)
2826512 - ETPRO TROJAN BigKlim CnC Beacon (trojan.rules)
2826513 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 132 (mobile_malware.rules)
2826514 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.ft CnC Beacon (mobile_malware.rules)
2826515 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.PP CnC Beacon (mobile_malware.rules)
2826517 - ETPRO CURRENT_EVENTS Successful Generic Phish - Observed in OneDrive Phishing May 25 2017 (current_events.rules)
2826518 - ETPRO TROJAN Possible DNS Query matching Cerber Domain Format (trojan.rules)
2826519 - ETPRO TROJAN Win32/Adonis/Other Screenlocker CnC Checkin (trojan.rules)
2826520 - ETPRO CURRENT_EVENTS Successful Generic Phish - Common Multiple JS Unescape May 25 2017 (current_events.rules)
2826521 - ETPRO CURRENT_EVENTS Successful Adobe PDF Phish May 25 2017 (current_events.rules)
2826522 - ETPRO CURRENT_EVENTS Successful Discover Phish M1 May 25 2017 (current_events.rules)
2826523 - ETPRO CURRENT_EVENTS Successful Discover Phish M2 May 25 2017 (current_events.rules)
2826524 - ETPRO TROJAN Observed DNS Request for Mole Ransomware Payment Domain (trojan.rules)
2826525 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish (set) May 25 2017 (current_events.rules)
2826526 - ETPRO CURRENT_EVENTS Successful Paypal Phish May 25 2017 (current_events.rules)
2826527 - ETPRO CURRENT_EVENTS Successful Bank of America Phish May 25 2017 (current_events.rules)
2826528 - ETPRO MOBILE_MALWARE Android/Agent.LK CnC Beacon (mobile_malware.rules)
2826529 - ETPRO MOBILE_MALWARE Android/Agent.LK CnC Beacon 2 (mobile_malware.rules)
2826530 - ETPRO TROJAN APT32 Win32/Agent.YFL Checkin (trojan.rules)
2826531 - ETPRO TROJAN APT32 Win32/Agent.YFL Fake User-Agent (trojan.rules)
2826532 - ETPRO TROJAN APT32 Win32/Agent.YFL CnC Beacon (trojan.rules)
2826533 - ETPRO TROJAN APT32 Win32/Agent.YFL DNS TXT CnC Beacon (trojan.rules)
2826534 - ETPRO TROJAN Win32/Ibashade CnC Beacon (trojan.rules)

[///]     Modified active rules:     [///]

2010595 - ET MALWARE User-Agent (???) (malware.rules)
2019750 - ET WEB_CLIENT Samsung Galaxy Knox Android Browser RCE smdm attempt (web_client.rules)
2801787 - ETPRO SCADA IGSS SCADA System Directory Traversal and Download (scada.rules)
2801788 - ETPRO SCADA IGSS SCADA system Directory Traversal Upload and Overwrite (scada.rules)
2804426 - ETPRO WEB_CLIENT Microsoft Windows midiOutPlayNextPolyEvent Heap Overflow 1 (web_client.rules)
2804427 - ETPRO WEB_CLIENT Microsoft Windows midiOutPlayNextPolyEvent Heap Overflow 2 (web_client.rules)
2804428 - ETPRO WEB_CLIENT Microsoft Windows midiOutPlayNextPolyEvent Heap Overflow 3 (web_client.rules)
2804641 - ETPRO SCADA MOXA Device Manager Tool 2.1 Buffer Overflow (scada.rules)
2804645 - ETPRO SCADA ScadaTEC ScadaPhone <= v5.3.11.1230 Stack Buffer Overflow (scada.rules)
2804886 - ETPRO ACTIVEX VLC MMS Stream Handling access to vulnerable function potential Buffer Overflow attempt (activex.rules)
2807370 - ETPRO TROJAN Backdoor.Win32.Agent.dbtl (Likely APT32 WINDSHIELD) Checkin (trojan.rules)
2825296 - ETPRO TROJAN APT32 Win32/Denis CnC Initial Request DNS Beacon (trojan.rules)

[---]         Disabled rules:        [---]

2824431 - ETPRO CURRENT_EVENTS Successful Paypal Phish M1 Jan 13 2017 (current_events.rules)
2826097 - ETPRO CURRENT_EVENTS Successful Paypal Phish M3 Apr 24 2017 (current_events.rules)

[---]         Removed rules:         [---]

2821335 - ETPRO CURRENT_EVENTS Windows Settings Phishing Landing Jul 22 (current_events.rules)
2821995 - ETPRO CURRENT_EVENTS iCloud Phishing Landing Sept 2 2016 (current_events.rules)
2825690 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish Mar 30 2017 (current_events.rules)
Date: Wednesday, May 24, 2017 - 22:00