Daily Ruleset Update Summary 2017/07/19

10 new Open, 46 new Pro (10 + 36). CDT Credphish/Netwire, MSIL/XBBX, Various Phishing, Various Mobile.

Thanks: Erik Clark

[+++]          Added rules:          [+++]

Open:

2024472 - ET TROJAN CDT Credphish/Netwire Campaign DNS Lookup (trojan.rules)
2024473 - ET TROJAN CDT Credphish/Netwire Campaign DNS Lookup (trojan.rules)
2024474 - ET TROJAN CDT Credphish/Netwire Campaign DNS Lookup (trojan.rules)
2024475 - ET TROJAN CDT Credphish/Netwire Campaign DNS Lookup (trojan.rules)
2024476 - ET TROJAN CDT Credphish/Netwire Campaign DNS Lookup (trojan.rules)
2024477 - ET TROJAN CDT Credphish/Netwire Campaign DNS Lookup (trojan.rules)
2024478 - ET TROJAN CDT Credphish/Netwire Campaign DNS Lookup (trojan.rules)
2024479 - ET TROJAN CDT Credphish/Netwire Campaign DNS Lookup (trojan.rules)
2024480 - ET CURRENT_EVENTS Tech Support Scam Landing Jul 19 2017 (current_events.rules)
2024481 - ET TFTP Outbound TFTP Data Transfer With Cisco Config 2 (tftp.rules)

Pro:

2827212 - ETPRO CURRENT_EVENTS Successful Apple Phish M1 Jul 19 2017 (current_events.rules)
2827213 - ETPRO CURRENT_EVENTS Successful Apple Phish M2 Jul 19 2017 (current_events.rules)
2827214 - ETPRO CURRENT_EVENTS Successful Apple Phish M3 Jul 19 2017 (current_events.rules)
2827215 - ETPRO CURRENT_EVENTS Successful Apple Phish M4 Jul 19 2017 (current_events.rules)
2827216 - ETPRO CURRENT_EVENTS Successful Apple Phish M5 Jul 19 2017 (current_events.rules)
2827217 - ETPRO CURRENT_EVENTS Successful Etrade Phish M1 Jul 18 2017 (current_events.rules)
2827218 - ETPRO CURRENT_EVENTS Successful Etrade Phish M2 Jul 18 2017 (current_events.rules)
2827219 - ETPRO TROJAN Winnti Related PcClient CnC 1 (trojan.rules)
2827220 - ETPRO TROJAN MSIL/XBBX CnC Activity (trojan.rules)
2827221 - ETPRO CURRENT_EVENTS Successful Successful PHOEN!X Apple Phish Jul 19 2017 (current_events.rules)
2827222 - ETPRO CURRENT_EVENTS Successful Santander Phish Jul 19 2017 (current_events.rules)
2827223 - ETPRO CURRENT_EVENTS Successful Docusign Phish Jul 19 2017 (current_events.rules)
2827224 - ETPRO CURRENT_EVENTS Successful Account Verification Phish Jul 19 2017 (current_events.rules)
2827225 - ETPRO CURRENT_EVENTS Successful University of Illinois at Chicago Phish Jul 19 2017 (current_events.rules)
2827226 - ETPRO TROJAN Win32/Reconyc.iddk CnC DNS Query (trojan.rules)
2827227 - ETPRO TROJAN Observed Malicious SSL Cert (Upatre Downloader CnC - maitikio . com) (trojan.rules)
2827228 - ETPRO TROJAN Observed Malicious SSL Cert (Upatre Downloader CnC - cry-havok . org) (trojan.rules)
2827229 - ETPRO TROJAN Win32.Reconyc.iddk Retrieving Payload (trojan.rules)
2827230 - ETPRO TROJAN Win32.Reconyc.iddk Receiving Payload (trojan.rules)
2827231 - ETPRO TROJAN ELF.Shellbind.A Backdoor Access (trojan.rules)
2827232 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-07-19 1) (trojan.rules)
2827233 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-07-19 2) (trojan.rules)
2827234 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-07-19 3) (trojan.rules)
2827235 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-07-19 4) (trojan.rules)
2827236 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-07-19 5) (trojan.rules)
2827237 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-07-19 6) (trojan.rules)
2827238 - ETPRO TROJAN Bitcoin Miner Known Malicious Basic Auth (c25penphcmQucW16OjEyMzQ1Ng==) (trojan.rules)
2827239 - ETPRO TROJAN MSIL/Unk.CoinMiner/PWS CnC Checkin (trojan.rules)
2827240 - ETPRO TROJAN MSIL/Unk.CoinMiner/PWS Password Exfil (trojan.rules)
2827241 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Hqwar.jck Contact Exfil (mobile_malware.rules)
2827242 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Hqwar.jck CnC Beacon (mobile_malware.rules)
2827243 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL) (current_events.rules)
2827244 - ETPRO TROJAN Observed Malicious SSL Cert (URLZone CnC) (trojan.rules)
2827245 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ic SMS/Contact Exfil via SMTP 8 (mobile_malware.rules)
2827246 - ETPRO TROJAN DNS Query matching Cerber Domain Format (.bid TLD) (trojan.rules)
2827247 - ETPRO TROJAN Imminent Monitor Style IP Check freegeoip.net (trojan.rules)

[///]     Modified active rules:     [///]

2015857 - ET TFTP Outbound TFTP Data Transfer with Cisco config (tftp.rules)
2018558 - ET TROJAN Win32/Ramnit Checkin (trojan.rules)
2020746 - ET TROJAN Win32.Chroject.B Retrieving encoded payload (trojan.rules)
2021195 - ET POLICY Possible External IP Lookup whoer.net (policy.rules)
2023472 - ET POLICY OpenDNS IP Lookup (policy.rules)
2023553 - ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin (mobile_malware.rules)
2024428 - ET TROJAN InstallCore Variant CnC Checkin (trojan.rules)
2024429 - ET TROJAN Win32/Parite.B Checkin 3 (trojan.rules)
2807826 - ETPRO TROJAN Win32/Parite.B Checkin 1 (trojan.rules)
2809951 - ETPRO POLICY Possible External IP Lookup pijoto.net (policy.rules)
2812875 - ETPRO POLICY External IP Lookup - iplocation.com (policy.rules)
2814489 - ETPRO POLICY External IP Lookup - ip.taobao.com (policy.rules)
2814801 - ETPRO CURRENT_EVENTS Successful Amazon Phish Nov 6 (current_events.rules)
2815503 - ETPRO CURRENT_EVENTS Successful PHOEN!X Apple Phish M2 Dec 28 2015 (current_events.rules)
2820451 - ETPRO POLICY External IP Lookup freehostedscripts.net (policy.rules)
2820539 - ETPRO POLICY External IP Lookup whereisip.net (policy.rules)
2821200 - ETPRO POLICY Observed External IP (wtfismyip) Lookup SSL Cert (Server Hello) (policy.rules)
2822665 - ETPRO CURRENT_EVENTS Successful Amazon (UK) Phish Oct 17 2016 (current_events.rules)
2822941 - ETPRO CURRENT_EVENTS Successful Amazon Phish Oct 27 2016 (current_events.rules)
2824684 - ETPRO POLICY External IP Lookup localize.pdfforge.org (policy.rules)
2826518 - ETPRO TROJAN DNS Query matching Cerber Domain Format (.top TLD) (trojan.rules)
2826600 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ar SMS Exfil via SMTP 2 (mobile_malware.rules)
2826694 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.lg SMS Exfil via SMTP (mobile_malware.rules)

[---]         Disabled rules:        [---]

2812795 - ETPRO CURRENT_EVENTS Successful Amazon Phish Aug 28 (current_events.rules)
2814007 - ETPRO CURRENT_EVENTS Successful Amazon Phish Sept 21 M2 (current_events.rules)
2814008 - ETPRO CURRENT_EVENTS Successful Amazon Phish Sept 21 M3 (current_events.rules)
2814010 - ETPRO CURRENT_EVENTS Successful Amazon Phish Sept 21 M5 (current_events.rules)
2814124 - ETPRO CURRENT_EVENTS Successful Ebay Phish Sept 28 (current_events.rules)
2820878 - ETPRO CURRENT_EVENTS Successful Amazon.com Phish Jun 27 M2 (current_events.rules)

[---]         Removed rules:         [---]

2808546 - ETPRO TROJAN ZeroAccess3 Checkin (trojan.rules)
2821693 - ETPRO TROJAN W32/Ramnit Initial CnC Connection (trojan.rules)

Date: Wednesday, July 19, 2017 - 00:00