Daily Ruleset Update Summary 2017/04/11

[***]            Summary:            [***]

6 new Open, 60 new Pro (6 + 54). April MAPP, EITest, Various Android, Various Phishing

Thanks: MS_ISAC

[+++]          Added rules:          [+++]

Open:

2024197 - ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in RTF 0-day) (current_events.rules)
2024198 - ET CURRENT_EVENTS EITest SocENG Payload DL (current_events.rules)
2024199 - ET CURRENT_EVENTS EITest SocENG Inject M2 (current_events.rules)
2024200 - ET CURRENT_EVENTS EITest SocENG Inject M3 (current_events.rules)
2024201 - ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Checkin (mobile_malware.rules)
2024202 - ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Response (mobile_malware.rules)

Pro:

2825844 - ETPRO MOBILE_MALWARE Android/Agent.ST Checkin (mobile_malware.rules)
2825845 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.IT CnC Beacon (mobile_malware.rules)
2825846 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.IT CnC Beacon 2 (mobile_malware.rules)
2825847 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.IT CnC Beacon 3 (mobile_malware.rules)
2825848 - ETPRO EXPLOIT Windows Graphics Elevation of Privilege Vulnerability Inbound (CVE-2017-0155) (exploit.rules)
2825849 - ETPRO WEB_CLIENT Possible IE UAF (CVE-2017-0158) (web_client.rules)
2825850 - ETPRO EXPLOIT Windows Kernel Information Disclosure Vulnerability Inbound (CVE-2017-0167) (exploit.rules)
2825851 - ETPRO EXPLOIT Win32k Elevation of Privilege Vulnerability Inbound (CVE-2017-0189) (exploit.rules)
2825852 - ETPRO EXPLOIT Possible Microsoft Office 2007 DLL Sideloading (CVE-2017-0197) (exploit.rules)
2825853 - ETPRO EXPLOIT Microsoft Outlook Remote Code Execution Vulnerability Inbound (CVE-2017-0199) (exploit.rules)
2825854 - ETPRO WEB_CLIENT Possible Microsoft Edge Type Confusion (CVE-2017-0200) (web_client.rules)
2825855 - ETPRO EXPLOIT Internet Explorer Memory Corruption Vulnerability (CVE-2017-0202) (exploit.rules)
2825856 - ETPRO WEB_CLIENT Possible Edge Render Format Type Confusion (CVE-2017-0205) (web_client.rules)
2825857 - ETPRO WEB_CLIENT Possible Windows Scripting Engine Information Disclosure Vulnerability (CVE-2017-0208) (web_client.rules)
2825858 - ETPRO WEB_CLIENT Internet Explorer EOP Vulnerability (CVE-2017-0210) (web_client.rules)
2825859 - ETPRO WEB_CLIENT Possible Adobe Reader CVE-2017-3014 Use After Free (web_client.rules)
2825860 - ETPRO WEB_CLIENT Possible Adobe Reader Memory Corruption CVE-2017-3017 (web_client.rules)
2825861 - ETPRO WEB_CLIENT Possible Adobe Reader Memory Corruption CVE-2017-3019 (web_client.rules)
2825862 - ETPRO WEB_CLIENT Possible Adobe Reader Information Disclosure CVE-2017-3020 (web_client.rules)
2825863 - ETPRO WEB_CLIENT Possible Adobe Reader Information Disclosure CVE-2017-3022 (web_client.rules)
2825864 - ETPRO WEB_CLIENT Possible Adobe Reader Memory Corruption CVE-2017-3024 (web_client.rules)
2825865 - ETPRO WEB_CLIENT Possible Adobe Reader Use After Free CVE-2017-3027 (web_client.rules)
2825866 - ETPRO WEB_CLIENT Possible Adobe Reader Information Disclosure CVE-2017-3023 (web_client.rules)
2825867 - ETPRO WEB_CLIENT Possible Adobe Reader Information Disclosure CVE-2017-3029 (web_client.rules)
2825868 - ETPRO WEB_CLIENT Possible Adobe Reader Memory Corruption CVE-2017-3030 (web_client.rules)
2825869 - ETPRO WEB_CLIENT Possible Adobe Reader Information Disclosure CVE-2017-3032 (web_client.rules)
2825870 - ETPRO WEB_CLIENT Possible Adobe Reader Information Disclosure CVE-2017-3033 (web_client.rules)
2825871 - ETPRO WEB_CLIENT Possible Adobe Reader Integer Overflow CVE-2017-3034 (web_client.rules)
2825872 - ETPRO WEB_CLIENT Possible Adobe Reader Integer Overflow CVE-2017-3035 (web_client.rules)
2825873 - ETPRO WEB_CLIENT Possible Adobe Reader Memory Corruption CVE-2017-3039 (web_client.rules)
2825874 - ETPRO WEB_CLIENT Possible Adobe Reader Information Disclosure CVE-2017-3044 (web_client.rules)
2825875 - ETPRO WEB_CLIENT Possible Adobe Reader Information Disclosure CVE-2017-3045 (web_client.rules)
2825876 - ETPRO WEB_CLIENT Possible Adobe Reader Information Disclosure CVE-2017-3046 (web_client.rules)
2825877 - ETPRO WEB_CLIENT Adobe Reader Use After Free CVE-2017-3047 (web_client.rules)
2825878 - ETPRO WEB_CLIENT Possible Adobe Reader TIFF Heap Overflow (CVE-2017-3048) (web_client.rules)
2825879 - ETPRO WEB_CLIENT Possible Adobe Reader TIFF Heap Overflow (CVE-2017-3049) (web_client.rules)
2825880 - ETPRO WEB_CLIENT Possible Adobe Reader Memory Corruption CVE-2017-3056 (web_client.rules)
2825881 - ETPRO WEB_CLIENT Adobe Reader Use After Free CVE-2017-3057 (web_client.rules)
2825882 - ETPRO CURRENT_EVENTS Successful Email Shutdown/Verification Phish Apr 11 2017 (current_events.rules)
2825883 - ETPRO TROJAN Malicious SSL Certificate Observed (Blue Lambert Implant) (trojan.rules)
2825884 - ETPRO CURRENT_EVENTS Successful Office 365 Phish M1 Apr 11 2017 (current_events.rules)
2825885 - ETPRO CURRENT_EVENTS Successful Office 365 Phish M2 Apr 11 2017 (current_events.rules)
2825886 - ETPRO CURRENT_EVENTS Successful Credit Agricole Bank (FR) Phish Apr 11 2017 (current_events.rules)
2825887 - ETPRO MOBILE_MALWARE Android/Styricka.A CnC Beacon 2 (mobile_malware.rules)
2825888 - ETPRO CURRENT_EVENTS Successful American Express Phish Apr 11 2017 (current_events.rules)
2825889 - ETPRO CURRENT_EVENTS Successful Chase Phish Apr 11 2017 (current_events.rules)
2825890 - ETPRO CURRENT_EVENTS Successful Santander Phish Apr 11 2017 (current_events.rules)
2825891 - ETPRO CURRENT_EVENTS Successful ZIX Message Center Phish Apr 11 2017 (current_events.rules)
2825892 - ETPRO TROJAN Unknown MalDoc VBS Downloader Requesting Payload (trojan.rules)
2825893 - ETPRO TROJAN BlueNoroff/Lazarus Variant CnC Beacon (trojan.rules)
2825894 - ETPRO CURRENT_EVENTS Successful UBS Phish M1 Mar 13 2017 (current_events.rules)
2825895 - ETPRO CURRENT_EVENTS Successful UBS Phish M2 Mar 13 2017 (current_events.rules)
2825896 - ETPRO CURRENT_EVENTS Possible Magnitude EK Apr 04 2017 (current_events.rules)
2825897 - ETPRO CURRENT_EVENTS Possible Magnitude EK First Stage Landing Apr 04 2017 (current_events.rules)

[///]     Modified active rules:     [///]

2013091 - ET TROJAN Backdoor.Win32.DarkComet Keepalive Inbound (trojan.rules)
2014726 - ET POLICY Outdated Windows Flash Version IE (policy.rules)
2022836 - ET TROJAN PowerShell/Agent.A DNS Checkin (trojan.rules)
2815637 - ETPRO TROJAN Win32/Agent.XOA Checkin (APT-C-23) (trojan.rules)
2825769 - ETPRO CURRENT_EVENTS RIG EK Landing Apr 04 2017 (current_events.rules)
2825831 - ETPRO CURRENT_EVENTS RIG EK Landing Apr 04 2017 (current_events.rules)

Date: Tuesday, April 11, 2017 - 00:00