Daily Ruleset Update Summary 2017/12/01

[***]            Summary:            [***]

4 new Open, 20 new Pro (4 + 16). UBoatRAT, Powerstats, Sigma Ransomware Domains, Trojan.AndroidOS.Guerrilla.l.

[+++]          Added rules:          [+++]

Open:

2025093 - ET TROJAN UBoatRAT CnC Check-in (trojan.rules)
2025094 - ET MALWARE Win32/Adware.Adposhel.A Checkin 5 (malware.rules)
2025095 - ET POLICY .onion proxy Domain (onion .plus in DNS Lookup) (policy.rules)
2025096 - ET POLICY .onion proxy Domain (onion .casa in DNS Lookup) (policy.rules)

Pro:

2828734 - ETPRO TROJAN Powerstats C2 (trojan.rules)
2828735 - ETPRO TROJAN Sidewinder.A C2 (trojan.rules)
2828736 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-01 1) (trojan.rules)
2828737 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-01 2) (trojan.rules)
2828738 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-01 3) (trojan.rules)
2828739 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-01 3) (trojan.rules)
2828740 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-01 4) (trojan.rules)
2828741 - ETPRO TROJAN Bitcoin Miner Known Malicious Basic Auth (dnJreGtpYmRueHg5OTl0aXo6ODduMnl6M2h1d2hlbmpnaHl3Zmdsa2w=) (trojan.rules)
2828742 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 248 (mobile_malware.rules)
2828743 - ETPRO TROJAN Malicious VBScript Inbound (trojan.rules)
2828744 - ETPRO TROJAN Sigma Ransomware Decryptor/Payment Domain (6uhryhsrr577vykz in DNS Lookup) (trojan.rules)
2828745 - ETPRO TROJAN Sigma Ransomware Decryptor/Payment Domain (yowl2ugopitfzzwb in DNS Lookup) (trojan.rules)
2828746 - ETPRO TROJAN Sigma Ransomware Decryptor/Payment Domain (ypg7rfjvfywj7jhp in DNS Lookup) (trojan.rules)
2828747 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Guerrilla.l Checkin (mobile_malware.rules)
2828748 - ETPRO TROJAN Win32/DarkKomet CnC Communicating with Infected Host (trojan.rules)
2828749 - ETPRO TROJAN MSIL/ReadMe Ransomware CnC Checkin (trojan.rules)

[///]     Modified active rules:     [///]

2003492 - ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) (info.rules)
2003658 - ET MALWARE qq.com related Spyware User-Agent (QQGame) (malware.rules)
2007860 - ET MALWARE User-Agent (Internet Explorer 6.0) - Possible Trojan Downloader (malware.rules)
2007866 - ET CHAT Gadu-Gadu Chat Client Checkin via HTTP (chat.rules)
2008295 - ET CHAT Gadu-Gadu IM Login Server Request (chat.rules)
2008538 - ET SCAN Sqlmap SQL Injection Scan (scan.rules)
2008570 - ET POLICY External Unencrypted Connection to BASE Console (policy.rules)
2009020 - ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection (policy.rules)
2009362 - ET WEB_SERVER /system32/ in Uri - Possible Protected Directory Access Attempt (web_server.rules)
2009867 - ET TROJAN Suspicious User-Agent (Mozilla/3.0 (compatible)) (trojan.rules)
2010066 - ET POLICY Data POST to an image file (gif) (policy.rules)
2010592 - ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp) (web_server.rules)
2010677 - ET MALWARE Suspicious User-Agent (My Session) (malware.rules)
2011037 - ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION (web_server.rules)
2011141 - ET WEB_SERVER PHP Easteregg Information-Disclosure (phpinfo) (web_server.rules)
2011161 - ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter Remote File Inclusion Attempt (web_specific_apps.rules)
2011341 - ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection (trojan.rules)
2011719 - ET POLICY Win32/Sogou User-Agent (SOGOU_UPDATER) (policy.rules)
2012810 - ET POLICY HTTP Request to a *.tk domain (policy.rules)
2012870 - ET POLICY HTTP Outbound Request contains pw (policy.rules)
2013256 - ET POLICY Majestic12 User-Agent Request Outbound (policy.rules)
2013290 - ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET (policy.rules)
2013508 - ET USER_AGENTS Downloader User-Agent HTTPGET (user_agents.rules)
2013535 - ET INFO HTTP Request to a *.tc domain (info.rules)
2014473 - ET INFO JAVA - Java Archive Download By Vulnerable Client (info.rules)
2014799 - ET POLICY OpenVPN Update Check (policy.rules)
2016870 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. (policy.rules)
2016871 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4. (policy.rules)
2017398 - ET POLICY Internal Host Retrieving External IP via icanhazip.com - Possible Infection (policy.rules)
2017926 - ET POLICY External IP Lookup / Tor Checker Domain (check.torproject .org in DNS lookup) (policy.rules)
2017928 - ET POLICY check.torproject.org IP lookup/Tor Usage check over TLS with SNI (policy.rules)
2017933 - ET POLICY TraceMyIP IP lookup (policy.rules)
2018359 - ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 (info.rules)
2018766 - ET TROJAN DNS Query to Pseudo Random Domain for Web Malware (.mynumber .org) (trojan.rules)
2019714 - ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile (current_events.rules)
2019876 - ET SCAN SSH BruteForce Tool with fake PUTTY version (scan.rules)
2020475 - ET POLICY Metasploit Framework Checking For Update (policy.rules)
2020716 - ET POLICY Possible External IP Lookup ipinfo.io (policy.rules)
2020844 - ET TROJAN Win32/Teslacrypt Ransomware .onion domain (7hwr34n18.com) (trojan.rules)
2020869 - ET TROJAN Win32/Teslacrypt Ransomware .onion domain (wh47f2as19.com) (trojan.rules)
2020882 - ET TROJAN Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3) (trojan.rules)
2021062 - ET WEB_SPECIFIC_APPS WP Jetpack/Twentyfifteen Possible XSS Request (web_specific_apps.rules)
2022351 - ET POLICY External IP Lookup - ipecho.net (policy.rules)
2022452 - ET TROJAN Scarlet Mimic DNS Lookup 42 (trojan.rules)
2022769 - ET TROJAN Ransomware Locky CnC Beacon 2 (trojan.rules)
2022816 - ET WEB_SERVER Possible SQLi Attempt in User Agent (Inbound) (web_server.rules)
2022858 - ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign (current_events.rules)
2022986 - ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad (trojan.rules)
2023472 - ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup) (policy.rules)
2023475 - ET MOBILE_MALWARE Adware.Adwo.A (mobile_malware.rules)
2023516 - ET POLICY Android Adups Firmware DNS Query 2 (policy.rules)
2023517 - ET POLICY Android Adups Firmware DNS Query 3 (policy.rules)
2024038 - ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (web_specific_apps.rules)
2024044 - ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M2 (web_specific_apps.rules)
2024106 - ET TROJAN Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o) (trojan.rules)
2024291 - ET TROJAN Possible WannaCry DNS Lookup 1 (trojan.rules)
2024420 - ET TROJAN MalDoc Retrieving Malicious Payload (Possibly Ursnif) (trojan.rules)
2024527 - ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup) (policy.rules)
2024788 - ET POLICY Request for Jsecoin Browser Miner M2 (policy.rules)
2024814 - ET EXPLOIT Likely Struts S2-053-CVE-2017-12611 Exploit Attempt M1 (exploit.rules)
2024831 - ET POLICY Observed IP Lookup Domain (l2 .io in DNS Lookup) (policy.rules)
2024833 - ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI) (policy.rules)
2024946 - ET CURRENT_EVENTS BankAustria Phishing Domain Nov 032017 (current_events.rules)
2024949 - ET CURRENT_EVENTS Successful BankAustria Phish Nov 032017 (current_events.rules)
2025005 - ET CURRENT_EVENTS Possible Successful Generic Phish Jan 142016 (current_events.rules)
2801300 - ETPRO USER_AGENTS  SUSPICIOUS UA Starting With IE6 (user_agents.rules)
2804336 - ETPRO INFO DYNAMIC_DNS Query to a *.1dumb.com Domain (info.rules)
2805815 - ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection (policy.rules)
2805897 - ETPRO TROJAN Bifrose.IQ requesting setup.exe (trojan.rules)
2807216 - ETPRO TROJAN Orbit downloader checkin 3 (trojan.rules)
2809358 - ETPRO TROJAN Win32/Injector.BRLE Checkin (trojan.rules)
2809682 - ETPRO TROJAN Andromeda/Gamarue Checkin (trojan.rules)
2810481 - ETPRO TROJAN Possible zipped Windows executable sent when remote host claims to send an image (trojan.rules)
2810582 - ETPRO TROJAN WIN32/KOVTER.B Checkin 2 M1 (trojan.rules)
2812740 - ETPRO POLICY NetSupport Remote Admin Response (policy.rules)
2812918 - ETPRO TROJAN Cobalt Strike Beacon Observed (trojan.rules)
2814543 - ETPRO MALWARE WebBar PUA Checkin (malware.rules)
2816032 - ETPRO POLICY OSX/Potential Vulnerable Application using Sparkle Updater (policy.rules)
2816855 - ETPRO TROJAN Downloader Possibly Retrieving Locky (trojan.rules)
2819828 - ETPRO TROJAN Redyms/Ramdo CnC DGA DNS Lookup (yw//.org) (trojan.rules)
2821001 - ETPRO CURRENT_EVENTS PowerShell Empire Session via MSOffice Doc Macro (current_events.rules)
2821200 - ETPRO POLICY Observed External IP (wtfismyip) Lookup SSL Cert (Server Hello) (policy.rules)
2821367 - ETPRO MALWARE Adware.QkSee/WinSaber Checkin 2 (malware.rules)
2821585 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Congur.al Checkin (mobile_malware.rules)
2821712 - ETPRO TROJAN LatentBot HTTP POST Checkin (trojan.rules)
2822392 - ETPRO MALWARE Win32/Xiazai Checkin (malware.rules)
2822817 - ETPRO TROJAN Terse HTTP Request to Pastebin Likely Malicious (trojan.rules)
2823423 - ETPRO TROJAN Unknown Bot CnC Beacon (trojan.rules)
2824844 - ETPRO MALWARE Win32/Rising.B PUP CnC Beacon (malware.rules)
2825610 - ETPRO TROJAN Lets Encrypt Free SSL Cert Observed in Possible Apple Phishing (trojan.rules)
2826184 - ETPRO TROJAN APT10 Redleaves/PlugX/ChChes DNS Lookup (app.lehigtapp .com) (trojan.rules)
2826296 - ETPRO TROJAN PowerShell/TrojanDownloader.Agent.AP - Powerstats Checkin  (trojan.rules)
2826824 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.AZQ / Android.Triada Checkin (mobile_malware.rules)
2827579 - ETPRO INFO .moe Domain in TLS SNI (info.rules)
2828162 - ETPRO MOBILE_MALWARE Android/HiddenApp.CE Checkin (mobile_malware.rules)
2828587 - ETPRO TROJAN APT19 Downloader SSL Cert (trojan.rules)

[---]  Disabled and modified rules:  [---]

2807133 - ETPRO MALWARE W32/Toolbar.WIDGI User-Agent(WidgiToolbar-) (malware.rules)

Date: Friday, December 1, 2017 - 00:00