Daily Ruleset Update Summary 2017/12/11

[***]            Summary:            [***]

3 new Open, 12 new Pro (3 + 9). GratefulPOS, NxRansomware, MagicHound, Various Mobile, Various Phishing.

Thanks: Arvind Kumar

[+++]          Added rules:          [+++]

Open:

2025143 - ET TROJAN MSIL/NxRansomware C2 Domain Detected (0cf5ff34 .ngrok .io in DNS Lookup) (trojan.rules)
2025144 - ET TROJAN GratefulPOS Covert DNS CnC Initial Checkin (trojan.rules)
2025145 - ET TROJAN Win32/Backdoor.Randrew.A CnC Checkin (trojan.rules)

Pro:

2828839 - ETPRO TROJAN MagicHound.Retriever CnC Check-in (trojan.rules)
2828840 - ETPRO TROJAN Rocket Kitten/MagicHound Stealer CnC Check-in (trojan.rules)
2828841 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 253 (mobile_malware.rules)
2828842 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz Contact Exfil via SMTP 34 (mobile_malware.rules)
2828843 - ETPRO TROJAN W32/Backdoor.Ratenjay C2 Domain Detected (printscreens .info in TLS SNI) (trojan.rules)
2828844 - ETPRO TROJAN RemoteAdmin/RMS RAT Variant CnC Requesting ID (trojan.rules)
2828845 - ETPRO TROJAN RemoteAdmin/RMS RAT Variant CnC Checkin (trojan.rules)
2828846 - ETPRO CURRENT_EVENTS Possible Successful Mailbox Shutdown Phish 2017-12-11 (current_events.rules)
2828847 - ETPRO CURRENT_EVENTS Mailbox Shutdown Phishing Landing 2017-12-11 (current_events.rules)
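Two of the additions above are plain domain indicators, 2025143 keyed on a DNS lookup and 2828843 on the TLS SNI, both printed here in defanged form. The following Python is an added example, not Emerging Threats or Proofpoint code: it refangs the two domains as listed, renders an equivalent ET-style Suricata rule for each (assuming Suricata 5 or later for the dns.query/tls.sni sticky buffers and the endswith modifier), and scans a constructed set of query/SNI names with label-boundary matching, which is stricter than the rule's substring match. INDICATORS, refang, to_suricata, matches, scan and SAMPLE_NAMES are names chosen for this example, and the sample names are made up.

```python
import re

# Constructed from the two "C2 Domain Detected" entries in this summary.
# The defanged form is copied as printed; the buffer is the Suricata
# sticky buffer the message names (DNS lookup -> dns.query, TLS SNI -> tls.sni).
INDICATORS = [
    {
        "sid": 2025143,
        "defanged": "0cf5ff34 .ngrok .io",
        "buffer": "dns.query",
        "msg": "ET TROJAN MSIL/NxRansomware C2 Domain Detected "
               "(0cf5ff34 .ngrok .io in DNS Lookup)",
    },
    {
        "sid": 2828843,
        "defanged": "printscreens .info",
        "buffer": "tls.sni",
        "msg": "ETPRO TROJAN W32/Backdoor.Ratenjay C2 Domain Detected "
               "(printscreens .info in TLS SNI)",
    },
]


def refang(defanged: str) -> str:
    """Undo the common defanging styles: 'a .b', 'a[.]b', 'a(.)b', 'hxxp://'."""
    s = defanged.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    s = re.sub(r"\s*[\[(]\s*\.\s*[\])]\s*", ".", s)  # a[.]b / a(.)b -> a.b
    s = re.sub(r"\s*\.\s*", ".", s)                   # 'a .b' / 'a. b' -> a.b
    return s.strip(".")


def to_suricata(ind: dict, rev: int = 1) -> str:
    """Render an ET-style domain-indicator rule for one indicator.

    Assumes Suricata 5+ (dns.query / tls.sni sticky buffers, 'endswith').
    'endswith' anchors the match to the end of the buffer but is still a
    substring match: 'notprintscreens.info' would fire as well.
    """
    domain = refang(ind["defanged"])
    if ind["buffer"] == "dns.query":
        header = "alert dns $HOME_NET any -> any any"
    else:
        header = "alert tls $HOME_NET any -> $EXTERNAL_NET any"
    return (
        f'{header} (msg:"{ind["msg"]}"; {ind["buffer"]}; '
        f'content:"{domain}"; nocase; endswith; '
        f'classtype:trojan-activity; sid:{ind["sid"]}; rev:{rev};)'
    )


def matches(indicator: str, observed: str) -> bool:
    """Label-boundary match: observed is the indicator or a subdomain of it.

    Stricter than content+endswith; in Suricata the exact-name case can be
    pinned with bsize:<len> instead of relying on the substring match.
    """
    o = observed.rstrip(".").lower()
    d = indicator.rstrip(".").lower()
    return o == d or o.endswith("." + d)


def scan(observed_names) -> list:
    """Return (sid, name) pairs for every observed DNS/SNI name that hits an
    indicator from the summary."""
    hits = []
    for ind in INDICATORS:
        dom = refang(ind["defanged"])
        hits.extend((ind["sid"], n) for n in observed_names if matches(dom, n))
    return hits


# Constructed sample of names as they would appear in dns.query / tls.sni.
# example.com is clean; the last two are near-misses that a bare
# content+endswith match in the rule would also flag.
SAMPLE_NAMES = [
    "0cf5ff34.ngrok.io",
    "www.printscreens.info",
    "example.com",
    "a0cf5ff34.ngrok.io",
    "notprintscreens.info",
]

if __name__ == "__main__":
    for ind in INDICATORS:
        print(to_suricata(ind))
    print(scan(SAMPLE_NAMES))
```

The rendered rules match any query or SNI that ends in the indicator string, so a[.]b-style near-misses such as notprintscreens.info fire too; when that matters, add bsize to pin the exact name in the rule, or post-filter alerts with a label-boundary check like matches() above.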

[///]     Modified active rules:     [///]

2008297 - ET CHAT GaduGadu Chat Server Welcome Packet (chat.rules)
2018281 - ET TROJAN Possible Netwire RAT Client HeartBeat C1 (no alert) (trojan.rules)
2018283 - ET TROJAN Possible Netwire RAT Client HeartBeat C2 (trojan.rules)
2822567 - ETPRO CURRENT_EVENTS Successful Gmail Phish M1 Oct 11 2016 (current_events.rules)

[---]  Disabled and modified rules:  [---]

2014828 - ET CURRENT_EVENTS UPS Spam Inbound (current_events.rules)
2014929 - ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip (current_events.rules)
2018282 - ET TROJAN Possible Netwire RAT Client HeartBeat S1 (no alert) (trojan.rules)
2020566 - ET TROJAN Netwire RAT Client HeartBeat (trojan.rules)
2021290 - ET TROJAN Netwire RAT Client Check-in 2 (trojan.rules)

[---]         Disabled rules:        [---]

2018099 - ET MALWARE W32/Safekeeper.Adware CnC Beacon (malware.rules)
2018149 - ET MALWARE W32/InstallMonetizer.Adware Beacon 2 (malware.rules)
2018338 - ET MALWARE W32/DownloadAdmin.Adware CnC Beacon (malware.rules)
2018339 - ET MALWARE W32/DownloadAdmin.Adware Executable Download Request (malware.rules)
2018441 - ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05 2014 (current_events.rules)
2018442 - ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST (current_events.rules)
2018454 - ET CURRENT_EVENTS Possible Malvertising Redirect URI Struct (current_events.rules)
2018458 - ET MALWARE DomainIQ Check-in (malware.rules)
2018493 - ET CURRENT_EVENTS Sweet Orange WxH redirection (current_events.rules)
2018501 - ET CURRENT_EVENTS Gongda EK Secondary Landing (current_events.rules)
2018502 - ET CURRENT_EVENTS Gongda EK Landing 1 (current_events.rules)
2018503 - ET CURRENT_EVENTS Gongda EK Landing 2 (current_events.rules)
2018514 - ET CURRENT_EVENTS Possible Malicious Injected Redirect June 02 2014 (current_events.rules)
2018535 - ET CURRENT_EVENTS CottonCastle EK Landing June 05 2014 (current_events.rules)
2018536 - ET CURRENT_EVENTS CottonCastle EK Landing EK Struct (current_events.rules)
2018539 - ET CURRENT_EVENTS TorExplorer Certificate - Potentially Linked To W32/Cryptowall.Ransomware (current_events.rules)
2018544 - ET CURRENT_EVENTS CottonCastle EK Landing June 05 2014 2 (current_events.rules)
2018545 - ET CURRENT_EVENTS CottonCastle EK Jar Download Method 2 (current_events.rules)
2018562 - ET CURRENT_EVENTS BleedingLife Exploit Kit Landing Page Requested (current_events.rules)
2018563 - ET CURRENT_EVENTS BleedingLife Exploit Kit SWF Exploit Request (current_events.rules)
2018564 - ET CURRENT_EVENTS BleedingLife Exploit Kit JAR Exploit Request (current_events.rules)
2018573 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing (current_events.rules)
2018577 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing 2 (current_events.rules)
2018583 - ET CURRENT_EVENTS Sweet Orange EK Common Java Exploit (current_events.rules)
2018591 - ET CURRENT_EVENTS Trojan-Banker.JS.Banker fraudulent redirect boleto payment code (current_events.rules)
2018593 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK CVE-2013-3918 (current_events.rules)
2018606 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing June 25 2014 (current_events.rules)
2018613 - ET CURRENT_EVENTS Evil EK Redirector Cookie June 27 2014 (current_events.rules)
2018668 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing Jul 11 2014 (current_events.rules)
2018686 - ET CURRENT_EVENTS Possible Malvertising Redirect URI Struct Jul 16 2014 (current_events.rules)
2018737 - ET CURRENT_EVENTS Fake CDN Sweet Orange Gate July 17 2014 (current_events.rules)
2018756 - ET CURRENT_EVENTS XMLDOM Check for Presence Kaspersky AV Observed in RIG EK (current_events.rules)
2018757 - ET CURRENT_EVENTS XMLDOM Check for Presence TrendMicro AV Observed in RIG EK (current_events.rules)
2018783 - ET CURRENT_EVENTS Likely Evil XMLDOM Detection of Local File (current_events.rules)
2018785 - ET CURRENT_EVENTS Possible ShellCode Passed as Argument to FlashVars (current_events.rules)
2018786 - ET CURRENT_EVENTS Sweet Orange EK CDN Landing Page (current_events.rules)
2018794 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing June 28 2014 (current_events.rules)
2018795 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect IE Exploit (current_events.rules)
2018796 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect Java Exploit (current_events.rules)
2018797 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect Flash Exploit (current_events.rules)
2018922 - ET CURRENT_EVENTS Turla/SPL EK Java Applet (current_events.rules)
2018923 - ET CURRENT_EVENTS Turla/SPL EK Java Exploit (current_events.rules)
2018924 - ET CURRENT_EVENTS Turla/SPL EK Java Exploit (current_events.rules)
2018925 - ET CURRENT_EVENTS Turla/SPL EK Java Exploit Requested - /spl/ (current_events.rules)
2018963 - ET CURRENT_EVENTS ZeroLocker EXE Download (current_events.rules)
2018965 - ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M3 (current_events.rules)
2018966 - ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M1 (current_events.rules)
2018967 - ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M2 (current_events.rules)
2018987 - ET CURRENT_EVENTS Sweet Orange EK Thread Specific Java Exploit (current_events.rules)
2018988 - ET CURRENT_EVENTS Unknown Malvertising EK Landing Aug 22 2014 (current_events.rules)
2018989 - ET CURRENT_EVENTS Unknown Malvertising EK Landing URI Sruct Aug 22 2014 (current_events.rules)
2018990 - ET CURRENT_EVENTS Unknown Malvertising EK Payload URI Sruct Aug 22 2014 (current_events.rules)
2018991 - ET CURRENT_EVENTS Unknown Malvertising EK Silverlight URI Sruct Aug 22 2014 (current_events.rules)
2018992 - ET CURRENT_EVENTS Unknown Malvertising EK Flash URI Sruct Aug 22 2014 (current_events.rules)
2018993 - ET CURRENT_EVENTS Unknown Malvertising EK Payload URI Sruct Aug 22 2014 (current_events.rules)
2018995 - ET CURRENT_EVENTS Archie EK CVE-2014-0515 Aug 24 2014 (current_events.rules)
2018996 - ET CURRENT_EVENTS Archie EK CVE-2014-0497 Aug 24 2014 (current_events.rules)
2018997 - ET CURRENT_EVENTS Archie EK Secondary Landing Aug 24 2014 (current_events.rules)
2018998 - ET CURRENT_EVENTS Archie EK Landing Aug 24 2014 (current_events.rules)
2019004 - ET CURRENT_EVENTS FlashPack EK Exploit Flash Post Aug 25 2014 (current_events.rules)
2019005 - ET CURRENT_EVENTS FlashPack EK Redirect Aug 25 2014 (current_events.rules)
2019006 - ET CURRENT_EVENTS FlashPack EK Exploit Landing Aug 25 2014 (current_events.rules)
2019007 - ET CURRENT_EVENTS FlashPack EK JS Include Aug 25 2014 (current_events.rules)
2019008 - ET CURRENT_EVENTS Safe/CritX/FlashPack Java Payload (current_events.rules)
2019023 - ET CURRENT_EVENTS BleedingLife EK Variant Aug 26 2014 (current_events.rules)
2019024 - ET CURRENT_EVENTS Offensive Security EMET Bypass Observed in BleedingLife Variant Aug 26 2014 (current_events.rules)
2019071 - ET CURRENT_EVENTS NullHole EK Landing Aug 27 2014 (current_events.rules)
2019072 - ET CURRENT_EVENTS RIG EK Landing URI Struct (current_events.rules)
2019073 - ET CURRENT_EVENTS NullHole EK Landing Redirect Aug 27 2014 (current_events.rules)
2019093 - ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks (current_events.rules)
2019094 - ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks Intial (POST) (current_events.rules)
2019095 - ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks (POST) PluginData (current_events.rules)
2019096 - ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks KeepAlive (current_events.rules)
2019097 - ET CURRENT_EVENTS Archie EK SilverLight URI Struct (current_events.rules)
2019098 - ET CURRENT_EVENTS Archie EK Sending Plugin-Detect Data (current_events.rules)
2019100 - ET CURRENT_EVENTS FlashPack EK Redirect Sept 01 2014 (current_events.rules)
2019130 - ET CURRENT_EVENTS Astrum EK Landing (current_events.rules)
2019131 - ET CURRENT_EVENTS Astrum EK Landing (current_events.rules)
2019134 - ET CURRENT_EVENTS Flashpack Redirect Method 2 (current_events.rules)
2019146 - ET CURRENT_EVENTS Sweet Orange CDN Gate Sept 09 2014 Method 2 (current_events.rules)
2019154 - ET CURRENT_EVENTS Sweet Orange EK Java Exploit (current_events.rules)
2019180 - ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M4 (current_events.rules)
2019183 - ET CURRENT_EVENTS Fiesta EK Gate (current_events.rules)
2019184 - ET CURRENT_EVENTS Fiesta EK Silverlight Based Redirect (current_events.rules)
2019193 - ET CURRENT_EVENTS RIG EK Landing Page Sept 17 2014 (current_events.rules)
2019375 - ET CURRENT_EVENTS Possible Sweet Orange redirection Oct 8 2014 (current_events.rules)
2019385 - ET CURRENT_EVENTS Possible TWiki RCE attempt (current_events.rules)
2019386 - ET CURRENT_EVENTS Possible TWiki Apache config file upload attempt (current_events.rules)
2019456 - ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 162014 (current_events.rules)
2019461 - ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE1 (current_events.rules)
2019462 - ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE2 (current_events.rules)
2019463 - ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE3 (current_events.rules)
2019464 - ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE4 (current_events.rules)
2019465 - ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE5 (current_events.rules)
2019479 - ET CURRENT_EVENTS Job314 EK URI Exploit/Payload Struct (current_events.rules)
2019480 - ET CURRENT_EVENTS Job314 EK URI Landing Struct (current_events.rules)
2019487 - ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 22 2014 (current_events.rules)
2019503 - ET CURRENT_EVENTS SSL SinkHole Cert Possible Infected Host (current_events.rules)
2019543 - ET CURRENT_EVENTS Likely SweetOrange EK Flash Exploit URI Struct (current_events.rules)
2019594 - ET CURRENT_EVENTS FlashPack EK Plugin-Detect Post (current_events.rules)
2019595 - ET CURRENT_EVENTS FlashPack Payload Download Oct 29 (current_events.rules)
2019596 - ET CURRENT_EVENTS FlashPack Secondary Landing Oct 29 (current_events.rules)
2019600 - ET CURRENT_EVENTS Likely SweetOrange EK Java Exploit Struct (JNLP) (current_events.rules)
2019611 - ET CURRENT_EVENTS Fiesta Java Exploit/Payload URI Struct (current_events.rules)
2019623 - ET CURRENT_EVENTS Fiesta SilverLight 4.x Exploit URI Struct (current_events.rules)
2019638 - ET CURRENT_EVENTS Evil EK Redirector Cookie Nov 03 2014 (current_events.rules)
2019643 - ET CURRENT_EVENTS Possible Sweet Orange Landing Nov 3 2014 (current_events.rules)
2019647 - ET CURRENT_EVENTS Sweet Orange Landing Nov 04 2013 (current_events.rules)
2019656 - ET CURRENT_EVENTS Archie EK Exploit Flash URI Struct (current_events.rules)
2019657 - ET CURRENT_EVENTS Archie EK Exploit Flash URI Struct (current_events.rules)
2019658 - ET CURRENT_EVENTS Archie EK Exploit SilverLight URI Struct (current_events.rules)
2019659 - ET CURRENT_EVENTS Archie EK Exploit IE URI Struct (current_events.rules)
2019672 - ET CURRENT_EVENTS Possible HanJuan EK Flash Payload DL (current_events.rules)
2019673 - ET CURRENT_EVENTS Possible HanJuan EK URI Struct Actor Specific (current_events.rules)
2019674 - ET CURRENT_EVENTS Possible HanJuan Flash Exploit (current_events.rules)
2019675 - ET CURRENT_EVENTS Possible HanJuan EK Actor Specific Injected iframe (current_events.rules)
2019677 - ET CURRENT_EVENTS Archie EK Exploit Flash URI Struct (current_events.rules)
2019681 - ET CURRENT_EVENTS Operation Huyao Landing Page Nov 07 2014 (current_events.rules)
2019684 - ET CURRENT_EVENTS Evil EK Redirector Cookie Nov 07 2014 (current_events.rules)
2019685 - ET CURRENT_EVENTS Archie EK Landing URI Struct (current_events.rules)
2019689 - ET CURRENT_EVENTS Job314 EK Landing Nov 10 2014 (current_events.rules)
2019690 - ET CURRENT_EVENTS Archie EK Landing Nov 10 2014 (current_events.rules)
2019697 - ET CURRENT_EVENTS Possible Dridex Campaign Download Nov 11 2014 (current_events.rules)
2019722 - ET CURRENT_EVENTS Archie EK Landing Nov 17 2014 (current_events.rules)
2019723 - ET CURRENT_EVENTS Archie EK Landing Nov 17 2014 M2 (current_events.rules)
2019724 - ET CURRENT_EVENTS Archie EK Flash Exploit URI Struct Nov 17 2014 (current_events.rules)
2019725 - ET CURRENT_EVENTS Archie EK Flash Exploit URI Struct 2 Nov 17 2014 (current_events.rules)
2019726 - ET CURRENT_EVENTS Archie EK Landing URI Struct 2 Nov 17 2014 (current_events.rules)
2019727 - ET CURRENT_EVENTS NullHole EK Exploit URI Struct (current_events.rules)
2019742 - ET CURRENT_EVENTS SPL2 EK Landing Nov 18 2014 (current_events.rules)
2019743 - ET CURRENT_EVENTS SPL2 EK PluginDetect Data Hash Nov 18 2014 (current_events.rules)
2019744 - ET CURRENT_EVENTS SPL2 EK JS HashLib Nov 18 2014 (current_events.rules)
2019745 - ET CURRENT_EVENTS SPL2 EK Flash Exploit Nov 18 2014 (current_events.rules)
2019751 - ET CURRENT_EVENTS SweetOrange EK Landing Nov 19 2014 (current_events.rules)
2019753 - ET CURRENT_EVENTS Possible FlashPack (FlashOnly) Payload Struct Nov 19 2014 (current_events.rules)
2019761 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Nov 20 2014 (current_events.rules)
2019762 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Nov 20 2014 (current_events.rules)
2019763 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Flash Exploit Nov 20 2014 (current_events.rules)
2019766 - ET CURRENT_EVENTS FlashPack Flash Exploit Nov 20 2014 (current_events.rules)
2019768 - ET CURRENT_EVENTS Archie EK T2 PD Struct Nov 20 2014 (current_events.rules)
2019769 - ET CURRENT_EVENTS Archie EK T2 Landing Struct Nov 20 2014 (current_events.rules)
2019770 - ET CURRENT_EVENTS Archie EK T2 SWF Exploit Struct Nov 20 2014 (current_events.rules)
2019798 - ET CURRENT_EVENTS Malicious Iframe Leading to EK (current_events.rules)
2019799 - ET CURRENT_EVENTS Magnitude Flash Exploit (IE) (current_events.rules)
2019800 - ET CURRENT_EVENTS Magnitude Flash Payload (current_events.rules)
2019877 - ET CURRENT_EVENTS MS Office Macro Dridex Download URI Dec 5 2014 (current_events.rules)
2019892 - ET CURRENT_EVENTS Malicious Iframe Leading to EK Dec 08 2014 (current_events.rules)
2019895 - ET CURRENT_EVENTS Malicious Redirect Leading to EK Dec 08 2014 (current_events.rules)
2019908 - ET CURRENT_EVENTS Evil Flash Redirector to Job314/Neutrino Reboot EK (current_events.rules)
2019916 - ET CURRENT_EVENTS HanJuan Landing Dec 10 2014 (current_events.rules)
2019920 - ET CURRENT_EVENTS Malicious JS Leading to Fiesta EK (current_events.rules)
2019939 - ET CURRENT_EVENTS SoakSoak Malware GET request (current_events.rules)
2019940 - ET CURRENT_EVENTS DNS Query SoakSoak Malware (current_events.rules)
2019950 - ET CURRENT_EVENTS Malicious Referer Bulk Traffic Sometimes Leading to EKs (Possible Bedep infection) Dec 16 2014 (current_events.rules)
2019973 - ET CURRENT_EVENTS Archie EK T2 Activity Dec 18 2014 (current_events.rules)
2019977 - ET CURRENT_EVENTS W32/Dridex Distribution Campaign Dec 19 2014 (current_events.rules)

Date: Monday, December 11, 2017 - 00:00