Daily Ruleset Update Summary 2017/05/17

[***]            Summary:            [***]

15 new Open, 36 new Pro (15 + 21). NetBackup RCE, MWI Maldoc, Loki Bot, Adylkuzz CnC, Various Mobile.

Thanks: MS-iSAC (@CISecurity), @R3MRUM

[+++]          Added rules:          [+++]

Open:

2024305 - ET CURRENT_EVENTS Multibrowser Resource Exhaustion observed in Tech Support Scam (current_events.rules)
2024306 - ET TROJAN MWI Maldoc Load Payload (trojan.rules)
2024307 - ET TROJAN MWI Maldoc Posting Host Data (trojan.rules)
2024308 - ET EXPLOIT NB8-01 - Unauthed RCE via bprd (exploit.rules)
2024309 - ET EXPLOIT NB8-02 - Possible Unauthed RCE via nbbsdtar (exploit.rules)
2024310 - ET EXPLOIT NB8-04 - Possible Unauthed RCE via whitelist bypass (exploit.rules)
2024311 - ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected (trojan.rules)
2024312 - ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1 (trojan.rules)
2024313 - ET TROJAN Loki Bot Request for C2 Commands Detected M1 (trojan.rules)
2024314 - ET TROJAN Loki Bot File Exfiltration Detected (trojan.rules)
2024315 - ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1 (trojan.rules)
2024316 - ET TROJAN Loki Bot Screenshot Exfiltration Detected (trojan.rules)
2024317 - ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2 (trojan.rules)
2024318 - ET TROJAN Loki Bot Request for C2 Commands Detected M2 (trojan.rules)
2024319 - ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2 (trojan.rules)

Pro:

2826410 - ETPRO TROJAN Maktub Ransomware XOR'd Binary Downloaded (trojan.rules)
2826411 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-05-17 1) (trojan.rules)
2826412 - ETPRO TROJAN DNS Query to Cerber Domain (15mwt4 . top) (trojan.rules)
2826413 - ETPRO TROJAN DNS Query to Cerber Domain (1lqrja . top) (trojan.rules)
2826414 - ETPRO TROJAN DNS Query to Cerber Domain (1kw51p . top) (trojan.rules)
2826415 - ETPRO TROJAN MSIL/Unk.RAT CnC Checkin (l/i) (trojan.rules)
2826416 - ETPRO TROJAN DNS Query to Cerber Domain (1eetmp . top) (trojan.rules)
2826417 - ETPRO TROJAN DNS Query to Cerber Domain (13ydzv . top) (trojan.rules)
2826418 - ETPRO TROJAN DNS Query to Cerber Domain (1mfakx . top) (trojan.rules)
2826419 - ETPRO TROJAN DNS Query to Cerber Domain (17kc8y . top) (trojan.rules)
2826420 - ETPRO TROJAN MSIL/Unk.RAT CnC Sending Screenshot (cp) (trojan.rules)
2826421 - ETPRO TROJAN MSIL/Unk.RAT CnC Command (ac) (trojan.rules)
2826422 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 117 (mobile_malware.rules)
2826423 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 118 (mobile_malware.rules)
2826424 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 119 (mobile_malware.rules)
2826425 - ETPRO TROJAN Sinkhole.tech Sinkhole Reply (trojan.rules)
2826426 - ETPRO TROJAN inThreat/Sekoia Sinkhole Reply (trojan.rules)
2826427 - ETPRO TROJAN Adylkuzz CnC Beacon 1 (trojan.rules)
2826428 - ETPRO TROJAN Adylkuzz CnC Beacon 2 (trojan.rules)
2826429 - ETPRO TROJAN Adylkuzz CnC Beacon 3 (trojan.rules)
2826430 - ETPRO TROJAN Adylkuzz CnC Beacon 4 (trojan.rules)

[///]     Modified active rules:     [///]

2019891 - ET TROJAN W32/Dridex POST CnC Beacon (trojan.rules)
2825280 - ETPRO TROJAN DNS Query to Sage Domain (k5hjej9 . com) (trojan.rules)
2825281 - ETPRO TROJAN DNS Query to Sage Domain (io23zc . com) (trojan.rules)
2825282 - ETPRO TROJAN DNS Query to Sage Domain (p0alj2 . com) (trojan.rules)
2825283 - ETPRO TROJAN DNS Query to Sage Domain (2kzm0f . com) (trojan.rules)
2825284 - ETPRO TROJAN DNS Query to Sage Domain (3io74zx . com) (trojan.rules)
2825285 - ETPRO TROJAN DNS Query to Sage Domain (er29sl . in) (trojan.rules)
2825287 - ETPRO TROJAN DNS Query to Sage Domain (rzunt3u2 . com) (trojan.rules)
2825500 - ETPRO TROJAN DNS Query to Sage Domain (jktew0 . com) (trojan.rules)
2825501 - ETPRO TROJAN DNS Query to Sage Domain (jpo2z1 . net) (trojan.rules)
2825592 - ETPRO TROJAN DNS Query to Sage Domain (we0sgd . com) (trojan.rules)
2825593 - ETPRO TROJAN DNS Query to Sage Domain (lfsjkad . net) (trojan.rules)
2825594 - ETPRO TROJAN DNS Query to Sage Domain (yio3lvx . com) (trojan.rules)
2825749 - ETPRO TROJAN DNS Query to Sage Domain (y8lkjg5 . net) (trojan.rules)
2826120 - ETPRO TROJAN DNS Query to Sage Domain (qlkrwn . com) (trojan.rules)
2826169 - ETPRO TROJAN DNS Query to Sage Domain (xcvkjet . com) (trojan.rules)
2826258 - ETPRO TROJAN DNS Query to Sage Domain (xcvkjet . net) (trojan.rules)
2826375 - ETPRO TROJAN DNS Query to Sage Domain (eho23d . net) (trojan.rules)
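The summary above follows a fixed plain-text layout: a count line, a [+++] added-rules block split into Open and Pro, and a [///] modified-rules block, with SIDs, category, message and rule file on every line. Teams that consume these daily posts usually script the extraction of new SIDs and indicators rather than read them by hand. The following is an added example, not Emerging Threats code, that parses a constructed excerpt in this format, verifies the count line against the listed rules (the "new Pro" total includes the Open rules, since the ETPRO ruleset is a superset of ET Open), and refangs the defanged domains in rule messages (written "15mwt4 . top" on the page) into a watchlist. The regexes, function names and the SAMPLE text are the example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt in the daily-summary format; the count line matches the rules listed below it.
SAMPLE = """Daily Ruleset Update Summary 2017/05/17

[***]            Summary:            [***]

2 new Open, 5 new Pro (2 + 3). Constructed excerpt for testing the parser.

[+++]          Added rules:          [+++]

Open:

2024308 - ET EXPLOIT NB8-01 - Unauthed RCE via bprd (exploit.rules)
2024311 - ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected (trojan.rules)

Pro:

2826411 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-05-17 1) (trojan.rules)
2826412 - ETPRO TROJAN DNS Query to Cerber Domain (15mwt4 . top) (trojan.rules)
2826423 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 118 (mobile_malware.rules)

[///]     Modified active rules:     [///]

2019891 - ET TROJAN W32/Dridex POST CnC Beacon (trojan.rules)
2825285 - ETPRO TROJAN DNS Query to Sage Domain (er29sl . in) (trojan.rules)
"""

# "<sid> - <ET|ETPRO> <CATEGORY> <message> (<file>.rules)"; the message may itself contain parentheses.
RULE_RE = re.compile(
    r"^(?P<sid>\d+) - (?P<set>ET|ETPRO) (?P<cat>[A-Z_]+) (?P<msg>.*) \((?P<file>[a-z_]+\.rules)\)$"
)
# "15 new Open, 36 new Pro (15 + 21)": Open count, Pro total, and the Open + Pro-only split.
COUNTS_RE = re.compile(r"(?P<open>\d+) new Open, (?P<total>\d+) new Pro \((?P<o>\d+) \+ (?P<p>\d+)\)")
# Defanged domain inside parentheses, e.g. "(15mwt4 . top)"; labels separated by " . ".
DEFANGED_RE = re.compile(r"\(([0-9a-z-]+(?: \. [0-9a-z-]+)+)\)")


def parse_update(text):
    """Return (counts, sections) where sections maps added_open/added_pro/modified to rule dicts."""
    sections = defaultdict(list)
    counts = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNTS_RE.search(line)
        if m:
            counts = {k: int(v) for k, v in m.groupdict().items()}
            continue
        if line.startswith("[+++]"):
            section = "added_open"  # until an "Open:"/"Pro:" sub-header says otherwise
            continue
        if line.startswith("[///]"):
            section = "modified"
            continue
        if section and section.startswith("added") and line in ("Open:", "Pro:"):
            section = "added_" + line[:-1].lower()
            continue
        m = RULE_RE.match(line)
        if m and section:
            rec = m.groupdict()
            rec["sid"] = int(rec["sid"])
            sections[section].append(rec)
    return counts, dict(sections)


def check_counts(counts, sections):
    """True if the count line agrees with the listed rules; Pro total = Open + Pro-only rules."""
    n_open = len(sections.get("added_open", []))
    n_pro = len(sections.get("added_pro", []))
    return (counts["open"] == n_open == counts["o"]
            and counts["p"] == n_pro
            and counts["total"] == n_open + n_pro)


def refang(defanged):
    """Turn the page's defanged form "15mwt4 . top" back into "15mwt4.top"."""
    return defanged.replace(" . ", ".")


def indicator_domains(sections):
    """Map each refanged domain found in a rule message to the SID that covers it."""
    out = {}
    for rules in sections.values():
        for r in rules:
            for d in DEFANGED_RE.findall(r["msg"]):
                out[refang(d)] = r["sid"]
    return out


def category_breakdown(sections):
    """Count rules per ET category (TROJAN, EXPLOIT, MOBILE_MALWARE, ...) across all sections."""
    return Counter(r["cat"] for rules in sections.values() for r in rules)


if __name__ == "__main__":
    counts, sections = parse_update(SAMPLE)
    print("count line consistent:", check_counts(counts, sections))
    print("new SIDs:", [r["sid"] for s in ("added_open", "added_pro") for r in sections.get(s, [])])
    print("domains to watch:", indicator_domains(sections))
    print("categories:", dict(category_breakdown(sections)))
```

The count check is worth keeping in such a script: a mismatch between the count line and the listed SIDs is the quickest sign that a post was truncated in transit or that the parser missed a line (for instance a rule message with an unusual trailing parenthesis).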
 

Date: Wednesday, May 17, 2017 - 00:00