Daily Ruleset Update Summary 2017/04/18

[***]            Summary:            [***]

6 new Open, 21 new Pro (6 + 15). Misc Shadowbrokers, MSIL/XnxxAgent, Various Phishing, Various Mobile

Thanks: @esentire, Kevin Branch

[+++]          Added rules:          [+++]

Open:

2024217 - ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray (exploit.rules)
2024218 - ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response (exploit.rules)
2024219 - ET EXPLOIT Possible ETERNALROMANCE MS17-010 Heap Spray (exploit.rules)
2024220 - ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set) (exploit.rules)
2024221 - ET TROJAN Possible Malicious Gzip PowerShell over HTTP (trojan.rules)
2024222 - ET EXPLOIT Possible EXPLODINGCAN IIS5.0/6.0 Exploit Attempt (exploit.rules)

Pro:

2826014 - ETPRO CURRENT_EVENTS Successful Multi Email Account Dropbox - Gmail Credentials Phish Apr 17 2017 (current_events.rules)
2826015 - ETPRO CURRENT_EVENTS Successful Multi Email Account Dropbox - Other Credentials Phish Apr 17 2017 (current_events.rules)
2826016 - ETPRO CURRENT_EVENTS Successful Multi Email Account Dropbox Phish Apr 17 2017 (current_events.rules)
2826017 - ETPRO CURRENT_EVENTS Successful Groupwise Phish Apr 17 2017 (current_events.rules)
2826018 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Fyec.bna CnC Beacon (mobile_malware.rules)
2826019 - ETPRO TROJAN PowerShell Empire SSL Cert (trojan.rules)
2826020 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Fyec.bna CnC Beacon 2 (mobile_malware.rules)
2826021 - ETPRO CURRENT_EVENTS Successful Find My iPhone Phish Apr 18 2017 (current_events.rules)
2826022 - ETPRO MOBILE_MALWARE PUA Android/SMSreg.VR Checkin (mobile_malware.rules)
2826023 - ETPRO TROJAN MSIL/XnxxAgent Spam Bot Checkin M1 (trojan.rules)
2826024 - ETPRO TROJAN MSIL/XnxxAgent Spam Bot Checkin M2 (trojan.rules)
2826026 - ETPRO TROJAN MSIL/Softmalaria Trojan CnC Checkin (trojan.rules)
2826027 - ETPRO MALWARE MSIL/TrojanClicker.AdShow.NQB Initial Redirect Activity (malware.rules)
2826028 - ETPRO TROJAN Malicious SSL Certificate Observed (Unknown Banker Injects) (trojan.rules)
2826029 - ETPRO TROJAN Malicious SSL Certificate Observed (Unknown Banker) (trojan.rules)

[///]     Modified active rules:     [///]

2015972 - ET CURRENT_EVENTS Successful PayPal Account Phish (current_events.rules)
2015980 - ET CURRENT_EVENTS Successful Google Account Phish (current_events.rules)
2016063 - ET CURRENT_EVENTS Successful PayPal Account Phish (current_events.rules)
2812067 - ETPRO TROJAN SOGU DNS CnC Channel TXT Lookup (trojan.rules)
2822401 - ETPRO CURRENT_EVENTS Successful Apple Global Service Exchange Phish Oct 04 2016 (current_events.rules)

[---]         Disabled rules:        [---]

2011223 - ET CURRENT_EVENTS Malvertising drive by kit encountered - Loading... (current_events.rules)
2011348 - ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for PDF exploit (current_events.rules)
2011349 - ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java exploit (current_events.rules)
2011350 - ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java and PDF exploits (current_events.rules)
2011355 - ET CURRENT_EVENTS Driveby bredolab hidden div served by nginx (current_events.rules)
2011797 - ET CURRENT_EVENTS Driveby Bredolab - client exploited by acrobat (current_events.rules)
2011978 - ET CURRENT_EVENTS MALVERTISING Alureon JavaScript IFRAME Redirect (current_events.rules)
2012333 - ET CURRENT_EVENTS Possible Neosploit Toolkit download (current_events.rules)
2012401 - ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby Download Secondary Request (current_events.rules)
2012503 - ET CURRENT_EVENTS Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit (current_events.rules)
2012504 - ET CURRENT_EVENTS Excel with Embedded .emf object downloaded (current_events.rules)
2012518 - ET CURRENT_EVENTS RetroGuard Obfuscated JAR likely part of hostile exploit kit (current_events.rules)
2012532 - ET CURRENT_EVENTS WindowsLive Imposter Site Payload Download (current_events.rules)
2012610 - ET CURRENT_EVENTS Java Exploit io.exe download served (current_events.rules)
2012625 - ET CURRENT_EVENTS Potential Lizamoon Client Request /ur.php (current_events.rules)
2012630 - ET CURRENT_EVENTS Paypal Phishing victim POSTing data (current_events.rules)
2012632 - ET CURRENT_EVENTS Potential Paypal Phishing Form Attachment (current_events.rules)
2012635 - ET CURRENT_EVENTS Potential ACH Transaction Phishing Attachment (current_events.rules)
2012644 - ET CURRENT_EVENTS Java Exploit Attempt Request for hostile binary (current_events.rules)
2012687 - ET CURRENT_EVENTS Unknown Exploit Pack Binary Load Request (current_events.rules)
2012731 - ET CURRENT_EVENTS Likely Redirector to Exploit Page /in/rdrct/rckt/? (current_events.rules)
2012732 - ET CURRENT_EVENTS Unknown .ru Exploit Redirect Page (current_events.rules)
2012884 - ET CURRENT_EVENTS Java Exploit Attempt applet via file URI param (current_events.rules)
2012940 - ET CURRENT_EVENTS Eleonore Exploit Pack exemple.com Request (current_events.rules)
2012942 - ET CURRENT_EVENTS Phoenix Exploit Kit Printf.pdf (current_events.rules)
2012943 - ET CURRENT_EVENTS Phoenix Exploit Kit Geticon.pdf (current_events.rules)
2012944 - ET CURRENT_EVENTS Phoenix Exploit Kit All.pdf (current_events.rules)
2013010 - ET CURRENT_EVENTS Request to malicious info.php drive-by landing (current_events.rules)
2013011 - ET CURRENT_EVENTS Malicious PHP 302 redirect response with avtor URI and cookie (current_events.rules)
2013024 - ET CURRENT_EVENTS Exploit kit mario.jar (current_events.rules)
2013025 - ET CURRENT_EVENTS Java/PDF Exploit kit from /Home/games/ initial landing (current_events.rules)
2013027 - ET CURRENT_EVENTS Java/PDF Exploit kit initial landing (current_events.rules)
2013048 - ET CURRENT_EVENTS Fake Shipping Invoice Request to JPG.exe Executable (current_events.rules)
2013061 - ET CURRENT_EVENTS Sidename.js Injected Script Served by Local WebServer (current_events.rules)
2013065 - ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt (current_events.rules)
2013066 - ET CURRENT_EVENTS Java Exploit Attempt applet via file URI setAttribute (current_events.rules)
2013093 - ET CURRENT_EVENTS Clickfraud Framework Request (current_events.rules)
2013094 - ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex (current_events.rules)
2013137 - ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt Embedded in Web Page (current_events.rules)
2013175 - ET CURRENT_EVENTS Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT) (current_events.rules)
2013192 - ET CURRENT_EVENTS cssminibar.js Injected Script Served by Local WebServer (current_events.rules)
2013237 - ET CURRENT_EVENTS Obfuscated Javascript Often Used in Drivebys (current_events.rules)
2013244 - ET CURRENT_EVENTS Known Injected Credit Card Fraud Malvertisement Script (current_events.rules)
2013328 - ET CURRENT_EVENTS DNS Query for Known Hostile Domain gooqlepics com (current_events.rules)
2013353 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - flickr.com.*  (current_events.rules)
2013354 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - picasa.com.*  (current_events.rules)
2013355 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - blogger.com.*  (current_events.rules)
2013357 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - wordpress.com.*  (current_events.rules)
2013358 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - img.youtube.com.*  (current_events.rules)
2013359 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.*  (current_events.rules)
2013360 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - photobucket.com.*  (current_events.rules)
2013380 - ET CURRENT_EVENTS Malicious 1px iframe related to Mass Wordpress Injections (current_events.rules)
2013474 - ET CURRENT_EVENTS DRIVEBY ACH - Redirection (current_events.rules)
2013484 - ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received By Vulnerable Client (current_events.rules)
2013485 - ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received (current_events.rules)
2013486 - ET CURRENT_EVENTS Phoenix landing page JAVASMB (current_events.rules)
2013487 - ET CURRENT_EVENTS Likely Generic Java Exploit Attempt Request for Java to decimal host (current_events.rules)
2013500 - ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com (current_events.rules)
2013548 - ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit (current_events.rules)
2013549 - ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 2 (current_events.rules)
2013551 - ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt (current_events.rules)
2013552 - ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt 2 (current_events.rules)
2013652 - ET CURRENT_EVENTS Blackhole Exploit Kit Landing Reporting Successful Java Compromise (current_events.rules)
2013661 - ET CURRENT_EVENTS Exploit kit worms.jar (current_events.rules)
2013662 - ET CURRENT_EVENTS Crimepack Java exploit attempt(2) (current_events.rules)
2013665 - ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?n Download Secondary Request (current_events.rules)
2013666 - ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?page Download Secondary Request (current_events.rules)
2013690 - ET CURRENT_EVENTS Unknown Exploit Kit reporting Java and PDF state (current_events.rules)
2013691 - ET CURRENT_EVENTS Unknown Exploit Kit Java requesting malicious JAR (current_events.rules)
2013692 - ET CURRENT_EVENTS Unknown Exploit Kit Java requesting malicious EXE (current_events.rules)
2013693 - ET CURRENT_EVENTS Unknown Exploit Kit request for pdf_err__Error__Unspecified (current_events.rules)
2013696 - ET CURRENT_EVENTS Unknown Java Exploit Kit x.jar?o= (current_events.rules)
2013697 - ET CURRENT_EVENTS Unknown Java Exploit Kit lo.class (current_events.rules)
2013698 - ET CURRENT_EVENTS Unknown Java Exploit Kit lo2.jar (current_events.rules)
2013699 - ET CURRENT_EVENTS Unknown Java Exploit Kit applet landing (current_events.rules)
2013700 - ET CURRENT_EVENTS Blackhole landing page with malicious Java applet (current_events.rules)
2013746 - ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 3 (current_events.rules)
2013775 - ET CURRENT_EVENTS Saturn Exploit Kit binary download request (current_events.rules)
2013776 - ET CURRENT_EVENTS Saturn Exploit Kit probable Java exploit request (current_events.rules)
2013777 - ET CURRENT_EVENTS Saturn Exploit Kit probable Java MIDI exploit request (current_events.rules)
2013786 - ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 2 (current_events.rules)
2013787 - ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download request 2 (current_events.rules)
2013788 - ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?doit Download Secondary Request (current_events.rules)
2013805 - ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate CN of common Possible SSL CnC (current_events.rules)
2013806 - ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate with admin at common Possible SSL CnC (current_events.rules)
2013916 - ET CURRENT_EVENTS Incognito Exploit Kit Java request to showthread.php?t= (current_events.rules)
2013955 - ET CURRENT_EVENTS Jupiter Exploit Kit Landing Page with Malicious Java Applets (current_events.rules)
2013975 - ET CURRENT_EVENTS Neosploit Java Exploit Kit request to /? plus hex 32 (current_events.rules)
2013978 - ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served to Client (current_events.rules)
2013979 - ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served from Local Server (current_events.rules)
2013996 - ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 1 (current_events.rules)
2013997 - ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 2 (current_events.rules)
2014024 - ET CURRENT_EVENTS Probable Scalaxy exploit kit secondary request (current_events.rules)
2014031 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class (current_events.rules)
2014032 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class (current_events.rules)
2014033 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class (current_events.rules)
2014034 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class (current_events.rules)
2014035 - ET CURRENT_EVENTS DRIVEBY Blackhole PDF Exploit Request /fdp2.php (current_events.rules)
2014036 - ET CURRENT_EVENTS DRIVEBY Generic Java Exploit Obfuscated With Allatori (current_events.rules)
2014038 - ET CURRENT_EVENTS MALVERTISING OpenX BrowserDetect.init Download (current_events.rules)
2014039 - ET CURRENT_EVENTS MALVERTISING Alureon Malicious IFRAME (current_events.rules)
2014053 - ET CURRENT_EVENTS Blackhole Likely Flash exploit download request score.swf (current_events.rules)
2014054 - ET CURRENT_EVENTS User-Agent used in Injection Attempts (current_events.rules)
2802864 - ETPRO CURRENT_EVENTS Driveby Crimepack requesting load.php (current_events.rules)
2802865 - ETPRO CURRENT_EVENTS Crimepack Java exploit attempt(1) (current_events.rules)
2802882 - ETPRO CURRENT_EVENTS Driveby Crimepack Access cp.bat (current_events.rules)
2802883 - ETPRO CURRENT_EVENTS Driveby Crimepack CP-ENC-XXXX.php access (current_events.rules)
2803101 - ETPRO CURRENT_EVENTS Potential Hostile Flash File Exploit Exploit Specific Trigger SWF (current_events.rules)
2803102 - ETPRO CURRENT_EVENTS Potential Hostile Flash File Exploit Specific ActionScript3 REST Flags Set (current_events.rules)
 

Date: Tuesday, April 18, 2017 - 00:00