Daily Ruleset Update Summary 2018/01/05

[***]            Summary:            [***]

1 new Open, 18 new Pro (1 + 17). MSIL.NepaCollector, Weblogic XMLDecoder RCE (CVE-2017-10271), Various Phishing.

[+++]          Added rules:          [+++]

Open:

2025187 - ET TROJAN MedusaHTTP CnC Checkin (trojan.rules)

Pro:

2829177 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2018-01-05 (current_events.rules)
2829178 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-01-05 (current_events.rules)
2829179 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-01-05 (current_events.rules)
2829180 - ETPRO TROJAN iSpy Keylogger Reporting Infection via SMTP M3 (trojan.rules)
2829181 - ETPRO CURRENT_EVENTS Successful Generic Financial Phish (BR) 2018-01-05 (current_events.rules)
2829182 - ETPRO WEB_CLIENT Weblogic XMLDecoder RCE (CVE-2017-10271) (web_client.rules)
2829183 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-05 1) (trojan.rules)
2829184 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-05 2) (trojan.rules)
2829185 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-05 3) (trojan.rules)
2829186 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-05 4) (trojan.rules)
2829187 - ETPRO TROJAN MSIL.NepaCollector CnC M1 (buildInfo) (trojan.rules)
2829188 - ETPRO TROJAN MSIL.NepaCollector CnC M2 (isMaster) (trojan.rules)
2829189 - ETPRO TROJAN MSIL.NepaCollector CnC M3 (getLastError) (trojan.rules)
2829190 - ETPRO TROJAN MSIL.NepaCollector CnC M4 (saslStart) (trojan.rules)
2829191 - ETPRO TROJAN MSIL.NepaCollector CnC M5 (saslContinue) (trojan.rules)
2829192 - ETPRO TROJAN MSIL.NepaCollector CnC M6 (insert) (trojan.rules)
2829193 - ETPRO TROJAN MSIL.NepaCollector CnC M7 (count) (trojan.rules)

[///]     Modified active rules:     [///]

2828647 - ETPRO POLICY Observed XMRig Coinminer json Config Inbound (policy.rules)
2829005 - ETPRO CURRENT_EVENTS Successful Generic Phish 2017-12-20 (current_events.rules)

[---]         Disabled rules:        [---]

2011412 - ET ACTIVEX Apple QuickTime _Marshaled_pUnk Backdoor Param Arbitrary Code Execution Attempt (activex.rules)
2012095 - ET ACTIVEX J-Integra Remote Code Execution (activex.rules)
2012102 - ET ACTIVEX Image Viewer CP Gold Image2PDF Buffer Overflow (activex.rules)
2012145 - ET ACTIVEX Netcraft Toolbar Remote Code Execution (activex.rules)
2012146 - ET ACTIVEX ImageShack Toolbar Remote Code Execution (activex.rules)
2012192 - ET ACTIVEX NewV SmartClient NewvCommon.ocx DelFile Method Arbitrary File Deletion Attempt (activex.rules)
2012194 - ET ACTIVEX Real Networks RealPlayer SP RecordClip Method Remote Code Execution Attempt (activex.rules)
2012218 - ET ACTIVEX Possible UserManager SelectServer method Buffer Overflow Attempt (activex.rules)
2012231 - ET ACTIVEX Oracle Document Capture Insecure Read Method File Access Attempt (activex.rules)
2012232 - ET ACTIVEX Oracle Document Capture File Deletion Attempt (activex.rules)
2012233 - ET ACTIVEX Oracle Document Capture File Overwrite Attempt (activex.rules)
2012543 - ET ACTIVEX RealPlayer CDDA URI Overflow Uninitialized Pointer Attempt (activex.rules)
2012636 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
2012637 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
2012638 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
2012639 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
2012640 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
2012641 - ET ACTIVEX Sun Java Runtime New Plugin Docbase Buffer Overflow Attempt (activex.rules)
2012929 - ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Arbitrary Program Execution Attempt (activex.rules)
2013130 - ET ACTIVEX Black Ice Cover Page SDK DownloadImageFileURL Method Exploit (activex.rules)
2013131 - ET ACTIVEX Black Ice Fax Voice SDK GetItemQueue Method Remote Code Execution Exploit (activex.rules)
2013132 - ET ACTIVEX Black Ice Fax Voice SDK GetFirstItem Method Remote Code Execution Exploit (activex.rules)
2013565 - ET ACTIVEX Tom Sawyer Software Possible Memory Corruption Attempt (activex.rules)
2013750 - ET ACTIVEX DivX Plus Web Player DivXPlaybackModule File URL Buffer Overflow Attempt (activex.rules)
2014151 - ET CURRENT_EVENTS Known Malicious Link Leading to Exploit Kits (t.php?id=is1) (current_events.rules)
2014155 - ET CURRENT_EVENTS JavaScript Obfuscation JSXX Script (current_events.rules)
2014197 - ET CURRENT_EVENTS Yang Pack Exploit Kit Landing Page Known JavaScript Function Detected (current_events.rules)
2014203 - ET CURRENT_EVENTS CUTE-IE.html CutePack Exploit Kit Landing Page Request (current_events.rules)
2014204 - ET CURRENT_EVENTS CutePack Exploit Kit JavaScript Variable Detected (current_events.rules)
2014205 - ET CURRENT_EVENTS CUTE-IE.html CutePack Exploit Kit Iframe for Landing Page Detected (current_events.rules)
2014206 - ET CURRENT_EVENTS CutePack Exploit Kit Landing Page Detected (current_events.rules)
2014308 - ET CURRENT_EVENTS Obfuscated Content Using Dadongs JSXX 0.41 VIP Obfuscation Script (current_events.rules)
2014318 - ET CURRENT_EVENTS Clickpayz redirection to *.clickpayz.com (current_events.rules)
2014319 - ET CURRENT_EVENTS Dadong Java Exploit Requested (current_events.rules)
2014429 - ET CURRENT_EVENTS Java Rhino Exploit Attempt - evilcode.class (current_events.rules)
2014458 - ET CURRENT_EVENTS Italian Spam Campaign (current_events.rules)
2014561 - ET CURRENT_EVENTS landing page with malicious Java applet (current_events.rules)
2014565 - ET CURRENT_EVENTS JavaScript Determining OS MAC and Serving Java Archive File (current_events.rules)
2014568 - ET CURRENT_EVENTS Unkown exploit kit jar download (current_events.rules)
2014569 - ET CURRENT_EVENTS Unkown exploit kit version check (current_events.rules)
2014577 - ET CURRENT_EVENTS ET CURRENT_EVENTS Italian Spam Campaign ZIP with EXE Containing Many Underscores (current_events.rules)
2014607 - ET CURRENT_EVENTS Nikjju Mass Injection Compromised Site Served To Local Client (current_events.rules)
2014608 - ET CURRENT_EVENTS Nikjju Mass Injection Internal WebServer Compromised (current_events.rules)
2014615 - ET CURRENT_EVENTS Jembot PHP Webshell (hell.php) (current_events.rules)
2014619 - ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution (activex.rules)
2014620 - ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution 2 (activex.rules)
2014710 - ET ACTIVEX Possible Samsung NET-i Viewer Active-X SEH Overwrite (activex.rules)
2014805 - ET CURRENT_EVENTS Unknown java_ara Bin Download (current_events.rules)
2014827 - ET CURRENT_EVENTS FedEX Spam Inbound (current_events.rules)
2014829 - ET CURRENT_EVENTS Post Express Spam Inbound (current_events.rules)
2014831 - ET ACTIVEX Possible Wireless Manager Sony VAIO SetTmpProfileOption Method Access Buffer Overflow (activex.rules)
2014832 - ET ACTIVEX Possible Wireless Manager Sony VAIO ConnectToNetwork Method Access Buffer Overflow (activex.rules)
2014848 - ET CURRENT_EVENTS webshell used In timthumb attacks GIF98a 16129xX with PHP (current_events.rules)
2014891 - ET CURRENT_EVENTS RedKit - Java Exploit Requested - 5 digit jar (current_events.rules)
2014892 - ET CURRENT_EVENTS RedKit - Jar File Naming Algorithm (current_events.rules)
2014895 - ET CURRENT_EVENTS RedKit - Landing Page Received - applet and code (current_events.rules)
2014927 - ET CURRENT_EVENTS Unknown Java Malicious Jar /eeltff.jar (current_events.rules)
2014928 - ET CURRENT_EVENTS Unknown - Java Request .jar from dl.dropbox.com (current_events.rules)
2014930 - ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness 21 June 2012 (current_events.rules)
2014935 - ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - foxxysoftware (current_events.rules)
2014936 - ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - applet and 0px (current_events.rules)
2014959 - ET CURRENT_EVENTS Base64 - Java Exploit Requested - /1Digit (current_events.rules)
2014960 - ET CURRENT_EVENTS Base64 - Landing Page Received - base64encode(GetOs() (current_events.rules)
2014966 - ET CURRENT_EVENTS Generic - PDF with NEW PDF EXPLOIT (current_events.rules)
2014969 - ET CURRENT_EVENTS Unknown - Java Exploit Requested - 13-14Alpha.jar (current_events.rules)
2014970 - ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website (current_events.rules)
2014971 - ET CURRENT_EVENTS JS.Runfore Malware Campaign Request (current_events.rules)
2014972 - ET CURRENT_EVENTS HeapLib JS Library (current_events.rules)
2014982 - ET CURRENT_EVENTS Googlebot UA POST to /uploadify.php (current_events.rules)
2014983 - ET CURRENT_EVENTS Scalaxy Jar file (current_events.rules)
2014991 - ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit 2 (activex.rules)
2014992 - ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit (activex.rules)
2014998 - ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA (current_events.rules)
2015024 - ET CURRENT_EVENTS Incognito - Malicious PDF Requested - /getfile.php (current_events.rules)
2015030 - ET CURRENT_EVENTS Incognito - Java Exploit Requested - /gotit.php by Java Client (current_events.rules)
2015031 - ET CURRENT_EVENTS Incognito - Payload Request - /load.php by Java Client (current_events.rules)
2015042 - ET CURRENT_EVENTS g01pack - 32Char.php by Java Client (current_events.rules)
2015053 - ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 10HexChar Title and applet (current_events.rules)
2015054 - ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 100HexChar value and applet (current_events.rules)
2015055 - ET CURRENT_EVENTS Unknown_s=1 - Payload Requested - 32AlphaNum?s=1 Java Request (current_events.rules)
2015516 - ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon (current_events.rules)
2015517 - ET CURRENT_EVENTS .HTM being served from WP 1-flash-gallery Upload DIR (likely malicious) (current_events.rules)
2015553 - ET CURRENT_EVENTS Fake-AV Conditional Redirect (Blackmuscats) (current_events.rules)
2015578 - ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness August 6 2012 (current_events.rules)
2015583 - ET CURRENT_EVENTS FoxxySoftware - Comments (current_events.rules)
2015584 - ET CURRENT_EVENTS FoxxySoftware - Comments(2) (current_events.rules)
2015585 - ET CURRENT_EVENTS FoxxySoftware - Hit Counter Access (current_events.rules)
2015646 - ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /form (current_events.rules)
2015647 - ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /search (current_events.rules)
2015666 - ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java (current_events.rules)
2015667 - ET CURRENT_EVENTS NeoSploit - Version Enumerated - null (current_events.rules)
2015668 - ET CURRENT_EVENTS FlimKit/Other - Landing Page - 100HexChar value and applet (current_events.rules)
2015669 - ET CURRENT_EVENTS Malicious Redirect n.php h=*&s=* (current_events.rules)
2015672 - ET CURRENT_EVENTS Unknown Exploit Kit redirect (current_events.rules)
2015676 - ET CURRENT_EVENTS Unknown Java Exploit Kit Payload Download Request - Sep 04 2012 (current_events.rules)
2015682 - ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior static initial landing - Sep 05 2012 (current_events.rules)
2015683 - ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior hostile java archive - Sep 05 2012 (current_events.rules)
2015688 - ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg) (current_events.rules)
2800624 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
2800625 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption Imjpcksid.dll (activex.rules)
2800626 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption Imjpskdic.dll (activex.rules)
2800780 - ETPRO ACTIVEX Microsoft Design Tools msdds.dll Memory Corruption (activex.rules)
2801179 - ETPRO ACTIVEX Microsoft Internet Explorer HTML Object Memory Corruption (activex.rules)
2801256 - ETPRO ACTIVEX Microsoft Windows Data Access Components ADO Record Code Execution (activex.rules)
2801917 - ETPRO ACTIVEX Cisco Secure Desktop CSDWebInstaller Code Execution 2 (activex.rules)
2801918 - ETPRO ACTIVEX Cisco Secure Desktop CSDWebInstaller Code Execution (activex.rules)
2801964 - ETPRO ACTIVEX Microsoft Office Web Components Remote Code Execution 1 (activex.rules)
2801965 - ETPRO ACTIVEX Microsoft Office Web Components Remote Code Execution 2 (activex.rules)
2802023 - ETPRO ACTIVEX Vulnerable IE8 Developer Toolkit COM Object Use (activex.rules)
2802024 - ETPRO ACTIVEX Vulnerable WBEM.SingleView.1 Object clsid Access (activex.rules)
2802030 - ETPRO ACTIVEX Vulnerable Windows Messenger Service clsid Access (activex.rules)

Date: Friday, January 5, 2018 - 00:00