Daily Ruleset Update Summary 2017/10/20

[***]            Summary:            [***]

10 new Open, 46 new Pro (10 + 36). PSHELL Downloader, CVE-2017-12629, Various Mobile.

Thanks: @secdsm

[+++]          Added rules:          [+++]

Open:

2024878 - ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B641 Oct 19 2017 (current_events.rules)
2024879 - ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B642 Oct 19 2017 (current_events.rules)
2024880 - ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B643 Oct 19 2017 (current_events.rules)
2024881 - ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B644W Oct 19 2017 (current_events.rules)
2024882 - ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B645W Oct 19 2017 (current_events.rules)
2024883 - ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B645W Oct 19 2017 (current_events.rules)
2024884 - ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP POST) (exploit.rules)
2024885 - ET EXPLOIT Possible CVE-2017-12629 XXE Exploit Attempt (URI) (exploit.rules)
2024886 - ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP GET 1) (exploit.rules)
2024887 - ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP GET 2) (exploit.rules)

Pro:

2828326 - ETPRO USER_AGENTS myappname User-Agent (user_agents.rules)
2828328 - ETPRO USER_AGENTS NoBo User-Agent (user_agents.rules)
2828351 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 238 (mobile_malware.rules)
2828352 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert 14 (mobile_malware.rules)
2828353 - ETPRO TROJAN Known Malicious Downloader Pattern 20 Oct 2017 (trojan.rules)
2828354 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-10-20 1) (trojan.rules)
2828355 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-10-20 2) (trojan.rules)
2828356 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-10-20 3) (trojan.rules)
2828357 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-10-20 4) (trojan.rules)
2828358 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-10-20 5) (trojan.rules)
2828359 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-10-20 6) (trojan.rules)
2828360 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-10-20 7) (trojan.rules)
2828361 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-10-20 8) (trojan.rules)
2828362 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-10-20 9) (trojan.rules)
2828363 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-10-20 10) (trojan.rules)
2828364 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-10-20 11) (trojan.rules)
2828365 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-10-20 12) (trojan.rules)
2828366 - ETPRO TROJAN Bitcoin Miner Known Malicious Basic Auth (ZnJhbmswOTU6M2oyazIz) (trojan.rules)
2828367 - ETPRO TROJAN Cerber Domain Observed (1mudaw .top in DNS Lookup) (trojan.rules)
2828368 - ETPRO TROJAN Cerber Domain Observed (1mudaw .top in TLS SNI) (trojan.rules)
2828369 - ETPRO TROJAN Cerber Domain Observed (1gam57 .top in DNS Lookup) (trojan.rules)
2828370 - ETPRO TROJAN Cerber Domain Observed (1gam57 .top in TLS SNI) (trojan.rules)
2828371 - ETPRO TROJAN Cerber Domain Observed (1ml94w .top in DNS Lookup) (trojan.rules)
2828372 - ETPRO TROJAN Cerber Domain Observed (1ml94w .top in TLS SNI) (trojan.rules)
2828373 - ETPRO TROJAN Cerber Domain Observed (crw57p .bid in DNS Lookup) (trojan.rules)
2828374 - ETPRO TROJAN Cerber Domain Observed (crw57p .bid in TLS SNI) (trojan.rules)
2828375 - ETPRO TROJAN Cerber Domain Observed (dmhl2o .bid in DNS Lookup) (trojan.rules)
2828376 - ETPRO TROJAN Cerber Domain Observed (dmhl2o .bid in TLS SNI) (trojan.rules)
2828377 - ETPRO TROJAN Cerber Domain Observed (12efwa .top in DNS Lookup) (trojan.rules)
2828378 - ETPRO TROJAN Cerber Domain Observed (12efwa .top in TLS SNI) (trojan.rules)
2828379 - ETPRO TROJAN Cerber Domain Observed (le6611 .bid in DNS Lookup) (trojan.rules)
2828380 - ETPRO TROJAN Cerber Domain Observed (le6611 .bid in TLS SNI) (trojan.rules)
2828381 - ETPRO TROJAN Cerber Domain Observed (1jquw7 .top in DNS Lookup) (trojan.rules)
2828382 - ETPRO TROJAN Cerber Domain Observed (1jquw7 .top in TLS SNI) (trojan.rules)
2828383 - ETPRO TROJAN Zeus Panda Domain (5c9cf1996510 .faith in DNS Lookup) (trojan.rules)
2828384 - ETPRO TROJAN Zeus Panda Domain (5c9cf1996510 .faith in TLS SNI) (trojan.rules)

[///]     Modified active rules:     [///]

2809258 - ETPRO EXPLOIT SChannel Possible Heap Overflow CVE-2014-6321 TLSv1.2 (exploit.rules)
2819978 - ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin (trojan.rules)

[---]         Removed rules:         [---]

2828326 - ETPRO TROJAN Possibly Malicious User-Agent (myappname) (trojan.rules)
2828328 - ETPRO TROJAN NoBo User-Agent (trojan.rules)

Date: Friday, October 20, 2017 - 00:00