Daily Ruleset Update Summary 2017/08/11

[***] Summary: [***]

8 new Open signatures, 22 new Pro (8 + 14).  AMSI PowerShell, PowerShell/Ukodus, Locky.

Thanks: @lowson and MS-ISAC (@CISecurity).

[+++]          Added rules:          [+++]

Open:

2024533 - ET TROJAN [PTsecurity] Gozi/Ursnif Payload v12 (trojan.rules)
2024534 - ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B641 (current_events.rules)
2024535 - ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B642 (current_events.rules)
2024536 - ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B643 (current_events.rules)
2024537 - ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt (current_events.rules)
2024538 - ET CURRENT_EVENTS Possible Veil Powershell Encoder B641 (current_events.rules)
2024539 - ET CURRENT_EVENTS Possible Veil Powershell Encoder B642 (current_events.rules)
2024540 - ET CURRENT_EVENTS Possible Veil Powershell Encoder B643 (current_events.rules)

Pro:

2827492 - ETPRO TROJAN Win32/Fynloski.AA DNS query for CnC (trojan.rules)
2827493 - ETPRO TROJAN Possibly Malicious Base64 Compressed PowerShell Download 1 (trojan.rules)
2827494 - ETPRO TROJAN Possibly Malicious Base64 Compressed PowerShell Download 2 (trojan.rules)
2827495 - ETPRO TROJAN Possibly Malicious Base64 Compressed PowerShell Download 3 (trojan.rules)
2827496 - ETPRO TROJAN PowerShell/Ukodus CnC Beacon (base64 1) (trojan.rules)
2827497 - ETPRO TROJAN PowerShell/Ukodus CnC Beacon (base64 2) (trojan.rules)
2827498 - ETPRO TROJAN PowerShell/Ukodus CnC Beacon (base64 3) (trojan.rules)
2827499 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz SMS/Contact Exfil via SMTP 11 (mobile_malware.rules)
2827500 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-08-11 1) (trojan.rules)
2827501 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-08-11 2) (trojan.rules)
2827502 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-08-11 3) (trojan.rules)
2827503 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.hs SMS/Contact via SMTP 4 (mobile_malware.rules)
2827504 - ETPRO CURRENT_EVENTS Tech Support Phone Scam M1 Aug 11 2017 (current_events.rules)
2827505 - ETPRO CURRENT_EVENTS Locky Payload DL 2017-08-11 (current_events.rules)

[///]     Modified active rules:     [///]

2807530 - ETPRO TROJAN Win32/Onkods.C User-Agent (g0g) (trojan.rules)
2826695 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ic Contact Exfil via SMTP 4 (mobile_malware.rules)
2826845 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.dj SMS Exfil via SMTP 8 (mobile_malware.rules)
2827466 - ETPRO CURRENT_EVENTS Observed Malicious Malvertising SSL Cert 2018-08-09 (Storfin Redirect to EK) (current_events.rules)

[---]         Removed rules:         [---]

2811761 - ETPRO TROJAN MSIL/Injector.KJW .onion Proxy Domain (trojan.rules)
2824486 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup (mobile_malware.rules)
2826810 - ETPRO TROJAN Mole Ransomware Onion Domain (trojan.rules)
2827028 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ic Contact Exfil via SMTP 5 (mobile_malware.rules)

Date: 
Friday, August 11, 2017 - 00:00