Daily Ruleset Update Summary 2017/09/08

[***]            Summary:            [***]

11 new Open, 50 new Pro (11 + 39). Locky VB/JS Loader, Win32/Unk.Bot, Various Phishing, Mobile.

Thanks: @abuse_ch

[+++]          Added rules:          [+++]

Open:

2024678 - ET CURRENT_EVENTS Possible Locky VB/JS Loader Download Sep 08 2017 (current_events.rules)
2024679 - ET TROJAN Win32/Unk.Bot CnC Checkin (trojan.rules)
2024680 - ET TROJAN ABUSE.CH Zloader CnC Domain Detected (trojan.rules)
2024681 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (URLzone) (trojan.rules)
2024682 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Adwind) (trojan.rules)
2024683 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM) (trojan.rules)
2024684 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM) (trojan.rules)
2024685 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM) (trojan.rules)
2024686 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM) (trojan.rules)
2024687 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM) (trojan.rules)
2024688 - ET CURRENT_EVENTS Tech Support Scam Sep 08 2017 (current_events.rules)

Pro:

2827841 - ETPRO CURRENT_EVENTS Credphish Domain in SNI (current_events.rules)
2827842 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz SMS Exfil via SMTP 21 (mobile_malware.rules)
2827843 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz Contact Exfil via SMTP 22 (mobile_malware.rules)
2827844 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.PO SMS Exfil (mobile_malware.rules)
2827845 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.fs SMS Exfil via SMTP (mobile_malware.rules)
2827846 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.fs Contact/SMS Exfil via SMTP 2 (mobile_malware.rules)
2827847 - ETPRO CURRENT_EVENTS Credphish Domain in SNI (current_events.rules)
2827849 - ETPRO CURRENT_EVENTS Credphish Domain in SNI (current_events.rules)
2827850 - ETPRO CURRENT_EVENTS Credphish Domain in SNI (current_events.rules)
2827851 - ETPRO CURRENT_EVENTS Credphish Domain in SNI (current_events.rules)
2827852 - ETPRO CURRENT_EVENTS Credphish Domain in SNI (current_events.rules)
2827853 - ETPRO CURRENT_EVENTS Credphish Domain in SNI (current_events.rules)
2827854 - ETPRO CURRENT_EVENTS Credphish Domain in SNI (current_events.rules)
2827855 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz SMS Exfil via SMTP 23 (mobile_malware.rules)
2827856 - ETPRO CURRENT_EVENTS Credphish Domain in SNI (current_events.rules)
2827857 - ETPRO CURRENT_EVENTS Credphish Domain in SNI (current_events.rules)
2827858 - ETPRO TROJAN Unknown Downloader DNS Query (kekeoffer . com) (trojan.rules)
2827859 - ETPRO TROJAN DNS Query to Cerber Domain (1kh9ct . top) (trojan.rules)
2827860 - ETPRO TROJAN DNS Query to Cerber Domain (1hbdbx . top) (trojan.rules)
2827861 - ETPRO TROJAN DNS Query to Cerber Domain (13gpqd . top) (trojan.rules)
2827862 - ETPRO TROJAN DNS Query to Cerber Domain (1fs9pz . top) (trojan.rules)
2827863 - ETPRO TROJAN DNS Query to Cerber Domain (14jqyo . top) (trojan.rules)
2827864 - ETPRO TROJAN DNS Query to Cerber Domain (13rdvu . top) (trojan.rules)
2827865 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz Contact Exfil via SMTP 24 (mobile_malware.rules)
2827866 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-09-08 1) (trojan.rules)
2827867 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.san SMS/Contact Exfil via SMTP 4 (mobile_malware.rules)
2827868 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-09-08 2) (trojan.rules)
2827869 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-09-08 3) (trojan.rules)
2827870 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-09-08 4) (trojan.rules)
2827871 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-09-08 5) (trojan.rules)
2827872 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-09-08 6) (trojan.rules)
2827873 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-09-08 7) (trojan.rules)
2827874 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-09-08 8) (trojan.rules)
2827875 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-09-08 9) (trojan.rules)
2827876 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-09-08 10) (trojan.rules)
2827877 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-09-08 11) (trojan.rules)
2827878 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-09-08 12) (trojan.rules)
2827879 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-09-08 13) (trojan.rules)
2827880 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-09-08 14) (trojan.rules)

[///]     Modified active rules:     [///]

2823624 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz Contacts Exfil via SMTP (mobile_malware.rules)
2823722 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw Checkin via SMTP (mobile_malware.rules)

[---]  Disabled and modified rules:  [---]

2010517 - ET WEB_SERVER Possible HTTP 404 XSS Attempt (Local Source) (web_server.rules)
2012089 - ET SHELLCODE Possible Call with No Offset UDP Shellcode (shellcode.rules)
2013273 - ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141 (shellcode.rules)
2015783 - ET CURRENT_EVENTS BegOp Exploit Kit Payload (current_events.rules)
2016715 - ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray (shellcode.rules)
2100651 - GPL SHELLCODE x86 stealth NOOP (shellcode.rules)
2101390 - GPL SHELLCODE x86 inc ebx NOOP (shellcode.rules)

Date: Friday, September 8, 2017 - 00:00