Daily Ruleset Update Summary 2017/05/05

[***]            Summary:            [***]

3 new Open, 31 new Pro (3 + 28). Wordpress Host Header Injection, APT28 XAgent, IsmDoor DNS C2, Various Mobile.

Thanks: MS-ISAC (@CISecurity)

[+++]          Added rules:          [+++]

Open:

2024277 - ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M1 (web_specific_apps.rules)
2024278 - ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M2 (web_specific_apps.rules)
2024279 - ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M3 (web_specific_apps.rules)

Pro:

2826254 - ETPRO TROJAN Custom Cobalt Strike Beacon UA (trojan.rules)
2826255 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.pac CnC Beacon (mobile_malware.rules)
2826256 - ETPRO TROJAN Unknown Targeted PowerShell Retrieving Payload (trojan.rules)
2826257 - ETPRO TROJAN Unknown Targeted PowerShell CnC Beacon (trojan.rules)
2826258 - ETPRO TROJAN DNS Query to Sage Domain (xcvkjet . net) (trojan.rules)
2826259 - ETPRO TROJAN Likely APT28 XAgent or Uploader DNS Lookup (trojan.rules)
2826260 - ETPRO TROJAN DNS Query to Cerber Domain (1khwro . top) (trojan.rules)
2826261 - ETPRO TROJAN DNS Query to Cerber Domain (1pbfky . top) (trojan.rules)
2826262 - ETPRO TROJAN DNS Query to Cerber Domain (17gvad . top) (trojan.rules)
2826263 - ETPRO TROJAN DNS Query to Cerber Domain (19xvyd . top) (trojan.rules)
2826264 - ETPRO TROJAN DNS Query to Cerber Domain (15e8hv . top) (trojan.rules)
2826265 - ETPRO TROJAN DNS Query to Cerber Domain (1gvyo8 . top) (trojan.rules)
2826266 - ETPRO TROJAN DNS Query to Cerber Domain (1jzmjr . top) (trojan.rules)
2826267 - ETPRO TROJAN DNS Query to Cerber Domain (13bcem . top) (trojan.rules)
2826268 - ETPRO TROJAN DNS Query to Cerber Domain (1fzjn3 . top) (trojan.rules)
2826269 - ETPRO TROJAN DNS Query to Cerber Domain (12hxjv . top) (trojan.rules)
2826270 - ETPRO TROJAN DNS Query to Cerber Domain (1wmvk2 . top) (trojan.rules)
2826271 - ETPRO TROJAN APT28 Uploader DNS Lookup (trojan.rules)
2826272 - ETPRO TROJAN APT28 XTunnel DNS Lookup (trojan.rules)
2826273 - ETPRO TROJAN APT28 XAgent DNS Lookup (trojan.rules)
2826274 - ETPRO TROJAN APT28 XAgent DNS Lookup (trojan.rules)
2826275 - ETPRO TROJAN APT28 XAgent DNS Lookup (trojan.rules)
2826276 - ETPRO TROJAN APT28 XAgent DNS Lookup (trojan.rules)
2826277 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.dj Reporting via SMTP 3 (mobile_malware.rules)
2826278 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.dj Reporting via SMTP 4 (mobile_malware.rules)
2826279 - ETPRO TROJAN ZLoader Malicious SSL Cert Observed (trojan.rules)
2826280 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.EQ SMS Exfil via SMTP (mobile_malware.rules)
2826281 - ETPRO TROJAN IsmDoor DNS C2 Initial Checkin (trojan.rules)

[///]     Modified active rules:     [///]

2808944 - ETPRO TROJAN Win32/Comame Checkin (trojan.rules)
2810654 - ETPRO POLICY Possibly Suspicious example.com SSL Cert (policy.rules)
2824781 - ETPRO TROJAN Win32/Necurs Checkin 3 (trojan.rules)
2825135 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ac SMS Exfil via SMTP (mobile_malware.rules)
2825226 - ETPRO TROJAN Helminth/Oilrig CnC Beacon 2 (trojan.rules)

[---]         Removed rules:         [---]

2826212 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.dj SMS Exfil via SMTP 5 (mobile_malware.rules)
Date: Friday, May 5, 2017 - 00:00