Daily Ruleset Update Summary 2017/08/07

[***] Summary: [***]

2 new Open signatures, 28 new Pro (2 + 26).  Magnitude EK, Zyklon Ransomware, njRAT, VARIOUS PHISHING.

Thanks:  @attackdetection.

Quick reminder: the new rules are live for both OPEN and PRO sets.  The new rules have new metadata info.  I will write a more detailed description of this new data in a separate chain.

[+++]          Added rules:          [+++]

Open:

2024514 - ET CURRENT_EVENTS Magnitude EK Landing M1 Aug 05 2017 (current_events.rules)
2024515 - ET CURRENT_EVENTS Magnitude EK Landing M2 Aug 05 2017 (current_events.rules)

Pro:

2827396 - ETPRO POLICY Monero Coinminer Usage (policy.rules)
2827417 - ETPRO CURRENT_EVENTS Microsoft Tech Support Phone Scam M1 Aug 04 2017 (current_events.rules)
2827418 - ETPRO MALWARE Adware/WiseInstaller PUP Checkin (malware.rules)
2827419 - ETPRO CURRENT_EVENTS GlobeImposter Ransomware Note Counter Request (current_events.rules)
2827420 - ETPRO TROJAN Ransomware/Zyklon Onion Domain Lookup (trojan.rules)
2827421 - ETPRO CURRENT_EVENTS Successful Netflix (NL) Phish Aug 07 2017 (current_events.rules)
2827422 - ETPRO CURRENT_EVENTS Successful Boursorama Banque (FR) Phish Aug 07 2017 (current_events.rules)
2827423 - ETPRO TROJAN MSIL/njRAT/Bladabindi Variant (LeGendRat) CnC Checkin (trojan.rules)
2827424 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.e SMS Exfil via SMTP (mobile_malware.rules)
2827425 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.fe SMS Exfil via SMTP (mobile_malware.rules)
2827426 - ETPRO TROJAN W32/Unknown DNS Query for CnC Checkin via TOR (trojan.rules)
2827427 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.fe Contact Exfil via SMTP 2 (mobile_malware.rules)
2827428 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.fe Contact Exfil via SMTP 3 (mobile_malware.rules)
2827429 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish M1 Aug 07 2017 (current_events.rules)
2827430 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish M2 Aug 07 2017 (current_events.rules)
2827431 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz SMS/Contact Exfil via SMTP 8 (mobile_malware.rules)
2827432 - ETPRO CURRENT_EVENTS Successful Paypal Phish Aug 07 2017 (current_events.rules)
2827433 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz SMS/Contact Exfil via SMTP 9 (mobile_malware.rules)
2827434 - ETPRO TROJAN Bitcoin Miner Known Malicious Basic Auth (aGFyZGNvcmVzbWFzaGVyLmJvdDpyYXRl) (trojan.rules)
2827435 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-08-07 1) (trojan.rules)
2827436 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-08-07 2) (trojan.rules)
2827437 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-08-07 3) (trojan.rules)
2827438 - ETPRO CURRENT_EVENTS Successful YapiKredi Bank (TR) Phish Aug 07 2017 (current_events.rules)
2827439 - ETPRO TROJAN MSIL/BR.Banker CnC Checkin (trojan.rules)
2827440 - ETPRO POLICY Internal Host Retrieving External IP Address (ipgeoapi. com) (policy.rules)
2827441 - ETPRO TROJAN MSIL/njRAT/Bladabindi Variant CnC Checkin (trojan.rules)
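
The base64 token quoted in the title of 2827434 above is a standard HTTP Basic credential and decodes to hardcoresmasher.bot:rate (a pool login of the form user:password). The following is an added example, not Emerging Threats' rule logic and not code from this bulletin: it pulls Basic Authorization headers out of HTTP requests, decodes them, and flags any that decode to a known-bad credential, which is the same condition a content match on the literal token expresses. The sample requests are constructed for the example; the hosts, paths and the second credential in them are assumptions.

```python
import base64
import binascii
import re

# Constructed sample HTTP requests (not captured traffic): a miner client
# presenting the credential from SID 2827434, a benign request with an
# unrelated credential, an undecodable token, and a request with no auth.
# Hosts and paths are assumptions made for the example.
SAMPLE_REQUESTS = [
    "GET /getwork HTTP/1.1\r\nHost: 10.0.0.5:8332\r\n"
    "Authorization: Basic aGFyZGNvcmVzbWFzaGVyLmJvdDpyYXRl\r\n\r\n",
    "GET /api/status HTTP/1.1\r\nHost: intranet.example\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: x\r\nAuthorization: Basic !!!notbase64!!!\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: x\r\n\r\n",
]

# Decoded form of the base64 token named in the rule title for SID 2827434.
KNOWN_BAD_BASIC_AUTH = {"hardcoresmasher.bot:rate"}

# One Authorization header per line; header name is case-insensitive in HTTP.
_AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)\s*$",
                      re.IGNORECASE | re.MULTILINE)


def decode_basic_auth(token):
    """Return the 'user:password' string for a Basic token, or None if the
    token is not valid base64 (strict alphabet and padding)."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def extract_basic_credentials(request):
    """Yield the decoded credential from every Basic Authorization header
    in one HTTP request, skipping tokens that do not decode."""
    for match in _AUTH_RE.finditer(request):
        cred = decode_basic_auth(match.group(1))
        if cred is not None:
            yield cred


def find_known_bad_auth(requests, bad_set=KNOWN_BAD_BASIC_AUTH):
    """Return (request_index, credential) for each request whose decoded
    Basic credential is in the known-bad set."""
    hits = []
    for i, req in enumerate(requests):
        for cred in extract_basic_credentials(req):
            if cred in bad_set:
                hits.append((i, cred))
    return hits


if __name__ == "__main__":
    for i, cred in find_known_bad_auth(SAMPLE_REQUESTS):
        print(f"request {i}: known-bad Basic Auth credential {cred!r}")
```

Because Basic encoding is deterministic, comparing the decoded credential is equivalent to matching the literal token the rule title quotes; decoding first just makes the known-bad set readable and lets you add entries without hand-encoding them, and the strict decoder drops malformed tokens instead of raising.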

[///]     Modified active rules:     [///]

2024192 - ET EXPLOIT Possible CVE-2017-0199 HTA Inbound (exploit.rules)
2024193 - ET EXPLOIT Possible CVE-2017-0199 HTA Inbound M2 (exploit.rules)
2024196 - ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199 (web_client.rules)
2024197 - ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in CVE-2017-0199) (current_events.rules)
2024487 - ET TROJAN LokiBot Related DNS query (trojan.rules)
2024488 - ET TROJAN LokiBot Related DNS query (trojan.rules)
2024513 - ET TROJAN [PTsecurity] Win32/TinyNuke Payload ACF40 Inbound (trojan.rules)
2823624 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz Contacts Exfil via SMTP (mobile_malware.rules)

[---]         Removed rules:         [---]

2827396 - ETPRO TROJAN W32/Unknown Coinminer Checkin (trojan.rules)

Date: Monday, August 7, 2017 - 00:00