Daily Ruleset Update Summary 2017/09/27

[***]            Summary:            [***]

11 new Open, 23 new Pro (11 + 12). Upatre Downloader, Oiram CnC, Various Phishing, Mobile.

Thanks: @AttackDetection

[+++]          Added rules:          [+++]

Open:

2024769 - ET WEB_CLIENT Suspicious Possible Zip DL containing single VBS script (web_client.rules)
2024770 - ET CURRENT_EVENTS Possible Raiffeisen Bank Phishing Landing - Title over non SSL (current_events.rules)
2024771 - ET TROJAN [PTsecurity] Possible Cobalt Strike payload (trojan.rules)
2024772 - ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert (trojan.rules)
2024773 - ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 0 (trojan.rules)
2024774 - ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 1 (trojan.rules)
2024775 - ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 2 (trojan.rules)
2024776 - ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 3 (trojan.rules)
2024777 - ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 4 (trojan.rules)
2024778 - ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 5 (trojan.rules)
2024779 - ET TROJAN DNS Query For Browser Cryptocurrency Mining Domain (trojan.rules)

Pro:

2828049 - ETPRO CURRENT_EVENTS Malicious Domain in SNI Observed - Possible Browser Coin Mining (current_events.rules)
2828069 - ETPRO TROJAN Oiram CnC Beacon (trojan.rules)
2828070 - ETPRO CURRENT_EVENTS Successful Office 365 Phish Sep 27 2017 (current_events.rules)
2828071 - ETPRO CURRENT_EVENTS Successful IDBI Bank Phish Sep 27 2017 (current_events.rules)
2828072 - ETPRO CURRENT_EVENTS Successful Chase Phish Sep 27 2017 (current_events.rules)
2828073 - ETPRO CURRENT_EVENTS Successful Raiffeisen Bank Phish / Fake Android App Landing Sep 27 2017 (current_events.rules)
2828074 - ETPRO TROJAN Malicious Raiffeisen Bank Android App Download via Phish Sep 27 2017 (trojan.rules)
2828075 - ETPRO CURRENT_EVENTS Successful Swiss Post Phish Sep 27 2017 (current_events.rules)
2828076 - ETPRO CURRENT_EVENTS Successful Commerzbank Phish M1 Sep 27 2017 (current_events.rules)
2828077 - ETPRO CURRENT_EVENTS Successful Commerzbank Phish M2 Sep 27 2017 (current_events.rules)
2828078 - ETPRO MOBILE_MALWARE Android-Trojan/Marcher.5ad46 SSL CnC Cert (mobile_malware.rules)
2828079 - ETPRO MOBILE_MALWARE Android-Trojan/Marcher.5ad46 DNS Lookup (mobile_malware.rules)

[///]     Modified active rules:     [///]

2022217 - ET CURRENT_EVENTS Successful Google Drive Phish Dec 4 2015 M1 (current_events.rules)
2810290 - ETPRO TROJAN NanoCore RAT Keepalive Response 1 (trojan.rules)
2814780 - ETPRO CURRENT_EVENTS Google Drive Phishing Landing Nov 6 2015 M1 (current_events.rules)
2814781 - ETPRO CURRENT_EVENTS Google Drive Phishing Landing Nov 6 2015 M2 (current_events.rules)
2814782 - ETPRO CURRENT_EVENTS Google Drive Phishing Landing Nov 6 2015 M3 (current_events.rules)
2823337 - ETPRO TROJAN Nanocore Checkin Pattern (trojan.rules)
2823393 - ETPRO TROJAN Possible CobaltStrike CnC Beacon (HTTP POST) (trojan.rules)
2828050 - ETPRO TROJAN Corebot DNS Lookup (Dropper) (trojan.rules)
2828060 - ETPRO TROJAN W32/Emotet.v4 Checkin Fake 404 Payload Response (trojan.rules)
2828061 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.PornVideo.ao / ZNIU Checkin (mobile_malware.rules)

[---]  Disabled and modified rules:  [---]

2024756 - ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu (trojan.rules)

[---]         Removed rules:         [---]

2014198 - ET TROJAN ZeuS - ICE-IX cid= in cookie (trojan.rules)
2828049 - ETPRO TROJAN Malicious Domain in SNI Observed - Possible Browser Coin Mining (trojan.rules)
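
An added example, not part of this summary or of any Emerging Threats tooling: a small Python parser for this update-summary format. It cross-checks the "N new Open, M new Pro (a + b)" header against the Added list and flags SIDs that appear in both Removed and Added with a different .rules file, which in this update is the case for 2828049 (trojan.rules in Removed, current_events.rules in Added), consistent with a category move rather than a brand-new signature. The embedded text is a constructed excerpt of this page's own lines with the count line adjusted to match the shortened lists; the function names are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the 2017/09/27 summary (counts adjusted to the shortened lists).
SUMMARY = """
[***]            Summary:            [***]

3 new Open, 5 new Pro (3 + 2). Upatre Downloader, Various Phishing.

[+++]          Added rules:          [+++]

Open:

2024769 - ET WEB_CLIENT Suspicious Possible Zip DL containing single VBS script (web_client.rules)
2024771 - ET TROJAN [PTsecurity] Possible Cobalt Strike payload (trojan.rules)
2024779 - ET TROJAN DNS Query For Browser Cryptocurrency Mining Domain (trojan.rules)

Pro:

2828049 - ETPRO CURRENT_EVENTS Malicious Domain in SNI Observed - Possible Browser Coin Mining (current_events.rules)
2828069 - ETPRO TROJAN Oiram CnC Beacon (trojan.rules)

[///]     Modified active rules:     [///]

2823393 - ETPRO TROJAN Possible CobaltStrike CnC Beacon (HTTP POST) (trojan.rules)

[---]  Disabled and modified rules:  [---]

2024756 - ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu (trojan.rules)

[---]         Removed rules:         [---]

2014198 - ET TROJAN ZeuS - ICE-IX cid= in cookie (trojan.rules)
2828049 - ETPRO TROJAN Malicious Domain in SNI Observed - Possible Browser Coin Mining (trojan.rules)
"""

# "[+++]   Added rules:   [+++]" style section headers.
SECTION_RE = re.compile(r'^\[.{3}\]\s+(?P<name>[A-Za-z ]+?):\s+\[.{3}\]$')
# "<sid> - <ET|ETPRO> <CATEGORY> <msg> (<file>.rules)"; the greedy msg leaves the last "(...)" for the file.
RULE_RE = re.compile(
    r'^(?P<sid>\d+) - (?P<prefix>ETPRO|ET) (?P<category>[A-Z_]+) '
    r'(?P<msg>.+) \((?P<file>[a-z_]+\.rules)\)$')
# "N new Open, M new Pro (a + b)": M is what Pro subscribers get, a open + b pro-only.
COUNT_RE = re.compile(
    r'^(?P<open>\d+) new Open, (?P<pro>\d+) new Pro \((?P<open_part>\d+) \+ (?P<pro_only>\d+)\)')


def parse_summary(text: str) -> dict:
    """Split the summary into {section name: [rule dicts]} and pull out the header counts."""
    sections: Dict[str, List[dict]] = {}
    counts = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ('Open:', 'Pro:'):   # tier is recovered from the ET/ETPRO prefix
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group('name')
            sections.setdefault(current, [])
            continue
        cnt = COUNT_RE.match(line)
        if cnt:
            counts = {k: int(v) for k, v in cnt.groupdict().items()}
            continue
        rule = RULE_RE.match(line)
        if rule and current:
            sections[current].append(rule.groupdict())
    return {'counts': counts, 'sections': sections}


def count_problems(parsed: dict) -> List[str]:
    """Return discrepancies between the header counts and the Added list (empty list = consistent)."""
    c = parsed['counts']
    if c is None:
        return ['no summary count line found']
    added = parsed['sections'].get('Added rules', [])
    n_open = sum(1 for r in added if r['prefix'] == 'ET')
    n_pro = sum(1 for r in added if r['prefix'] == 'ETPRO')
    problems = []
    if c['open'] != n_open or c['open_part'] != n_open:
        problems.append(f"header says {c['open']} Open, Added list has {n_open}")
    if c['pro_only'] != n_pro:
        problems.append(f"header says {c['pro_only']} Pro-only, Added list has {n_pro}")
    if c['pro'] != c['open_part'] + c['pro_only']:
        problems.append('Pro total does not equal open + pro-only')
    return problems


def category_moves(parsed: dict) -> List[Tuple[str, str, str]]:
    """SIDs present in both Removed and Added with different files: (sid, old_file, new_file)."""
    removed = {r['sid']: r['file'] for r in parsed['sections'].get('Removed rules', [])}
    moves = []
    for r in parsed['sections'].get('Added rules', []):
        old = removed.get(r['sid'])
        if old is not None and old != r['file']:
            moves.append((r['sid'], old, r['file']))
    return moves


if __name__ == '__main__':
    parsed = parse_summary(SUMMARY)
    for name, rules in parsed['sections'].items():
        print(f'{name}: {len(rules)} rules')
    print('count problems:', count_problems(parsed) or 'none')
    print('moves between .rules files:', category_moves(parsed))
```

Running the same parser over a full daily summary, or a week of them, gives a quick list of which SIDs your deployment will gain, lose or see re-categorised before the ruleset is pulled, so a disabled or threshold-tuned SID that was moved between files is not silently re-enabled.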

Date: Wednesday, September 27, 2017 - 00:00