Daily Ruleset Update Summary 2018/01/26

[***]            Summary:            [***]

4 new Open, 13 new Pro (4 + 9). Kuriyama Loader, GandCrab Ransomware, Various Mobile, Various Phishing.

Thanks: @AttackDetection

[+++]          Added rules:          [+++]

Open:

2025252 - ET TROJAN W32/SchwSonne CnC Beacon M2 (trojan.rules)
2025253 - ET TROJAN [PTsecurity] Kuriyama Loader Checkin (trojan.rules)
2025254 - ET TROJAN Win32/GandCrab Ransomware CnC Activity (trojan.rules)
2025255 - ET CURRENT_EVENTS Mailbox Phishing Landing 2018-01-29 (current_events.rules)

Pro:

2829449 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2018-01-26 (current_events.rules)
2829450 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-01-26 (current_events.rules)
2829451 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-26 1) (trojan.rules)
2829452 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-26 2) (trojan.rules)
2829453 - ETPRO TROJAN Observed Malicious SSL Cert (Dridex CnC) (trojan.rules)
2829454 - ETPRO CURRENT_EVENTS Successful Bank Username/Account Number Phish 2018-01-26 (current_events.rules)
2829455 - ETPRO MOBILE_MALWARE Android/Agent.IW SMS Exfil (mobile_malware.rules)
2829456 - ETPRO CURRENT_EVENTS Successful G-Suite Phish 2018-01-26 M1 (current_events.rules)
2829457 - ETPRO CURRENT_EVENTS Successful G-Suite Phish 2018-01-26 M2 (current_events.rules)

[///]     Modified active rules:     [///]

2024555 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) Feb 26 2016 (current_events.rules)
2828145 - ETPRO CURRENT_EVENTS Successful Bank Username/Account Number Phish Oct 04 2017 (set) (current_events.rules)

[---]         Disabled rules:        [---]

2006403 - ET TROJAN General Trojan Checkin by MAC chkmac.php (trojan.rules)
2006404 - ET TROJAN DownLoader.30525 Checkin (trojan.rules)
2008153 - ET TROJAN Citi-bank.ru Related Trojan Checkin (trojan.rules)
2008283 - ET TROJAN Banload HTTP Checkin Detected (quem=) (trojan.rules)
2008353 - ET TROJAN CoreFlooder.Q C&C Checkin (trojan.rules)
2008442 - ET TROJAN Rootkit.Win32.Clbd.cz Checkin (trojan.rules)
2008443 - ET TROJAN Coreflood/AFcore Trojan Infection (2) (trojan.rules)
2008623 - ET TROJAN Cinmus.Checkin 1 (trojan.rules)
2008624 - ET TROJAN Cinmus.Checkin 2 (trojan.rules)
2009287 - ET TROJAN CoreFlooder C&C Checkin (2) (trojan.rules)
2009351 - ET TROJAN Urlzone/Bebloh Communication with Controller (trojan.rules)
2010055 - ET TROJAN Likely TDSS Download (pcdef.exe) (trojan.rules)
2010217 - ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin (trojan.rules)
2010565 - ET TROJAN Bebloh C&C HTTP POST (trojan.rules)
2010973 - ET TROJAN Vobfus/Changeup/Chinky Download Command (trojan.rules)
2012054 - ET SMTP Potential Exim HeaderX with run exploit attempt (smtp.rules)
2012135 - ET SMTP IBM Lotus Domino iCalendar Email Address Stack Buffer Overflow Attempt (smtp.rules)
2012782 - ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request (mobile_malware.rules)
2012783 - ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request (mobile_malware.rules)
2012784 - ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request (mobile_malware.rules)
2012844 - ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request (mobile_malware.rules)
2012845 - ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request (mobile_malware.rules)
2012846 - ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2 (mobile_malware.rules)
2012847 - ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3 (mobile_malware.rules)
2012850 - ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending User Information to Server (mobile_malware.rules)
2012851 - ET MOBILE_MALWARE SymbOS/Yxes.I PropertyFile.jsp CnC Server Communication (mobile_malware.rules)
2012852 - ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server Communication (mobile_malware.rules)
2012853 - ET MOBILE_MALWARE SymbOS/Yxes.I NumberFile.jsp CnC Server Communication (mobile_malware.rules)
2012854 - ET MOBILE_MALWARE SymbOS/Merogo User Agent (mobile_malware.rules)
2012855 - ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic Location Logs To Remote Server (mobile_malware.rules)
2012856 - ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs to Remote Server (mobile_malware.rules)
2012857 - ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs to Remote Server (mobile_malware.rules)
2012858 - ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server (mobile_malware.rules)
2012859 - ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server (mobile_malware.rules)
2012861 - ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0 (mobile_malware.rules)
2012862 - ET MOBILE_MALWARE SslCrypt Server Communication (mobile_malware.rules)
2012864 - ET MOBILE_MALWARE SslCrypt Server Communication (mobile_malware.rules)
2012904 - ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to Server (mobile_malware.rules)
2013019 - ET MOBILE_MALWARE Iphone iKee.B Checkin (mobile_malware.rules)
2013020 - ET MOBILE_MALWARE DroidKungFu Checkin (mobile_malware.rules)
2013022 - ET MOBILE_MALWARE DroidKungFu Checkin 2 (mobile_malware.rules)
2013038 - ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Waplove.cn (mobile_malware.rules)
2013041 - ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Searchwebmobile.com (mobile_malware.rules)
2013063 - ET MOBILE_MALWARE DroidKungFu Checkin 3 (mobile_malware.rules)
2013140 - ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message (mobile_malware.rules)
2013141 - ET MOBILE_MALWARE SymbOS/Yxes Plugucsrv.sisx File Download (mobile_malware.rules)
2013142 - ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message (mobile_malware.rules)
2013143 - ET MOBILE_MALWARE SymbOS/Yxes KernelPara.jsp CnC Checkin Message (mobile_malware.rules)
2013261 - ET MOBILE_MALWARE SymbOS/CommDN Downloading Second Stage Malware Binary (mobile_malware.rules)
2013265 - ET MOBILE_MALWARE SymbOS/SymGam CnC Checkin (mobile_malware.rules)
2013266 - ET MOBILE_MALWARE SymbOS/SymGam Receiving SMS Message Template from CnC Server (mobile_malware.rules)
2014406 - ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access (mobile_malware.rules)
2014646 - ET MISC RuggedCom factory account backdoor (misc.rules)
2800833 - ETPRO SMTP IBM Lotus Domino nrouter.exe iCalendar MAILTO Stack Buffer Overflow (smtp.rules)
2800865 - ETPRO SQL IBM Informix Dynamic Server SQLEXEC oninit.exe EXPLAIN Stack Buffer Overflow (sql.rules)
2800866 - ETPRO SQL IBM Informix Dynamic Server oninit.exe EXPLAIN Stack Buffer Overflow (sql.rules)
2800883 - ETPRO POP3 -ERR overflow attempt (pop3.rules)
2800884 - ETPRO POP3 Pegasus Mail error overflow attempt (pop3.rules)
2800933 - ETPRO SMTP Novell GroupWise Internet Agent RRULE Parsing Buffer Overflow smtp (smtp.rules)
2801262 - ETPRO SQL Objectivity/DB Code Execution Unauthenticated OOAMS Shutdown (sql.rules)
2801263 - ETPRO SQL Objectivity/DB Code Execution Unauthenticated Lock Server Shutdown (sql.rules)
2801305 - ETPRO POP3 Inetserv 3.23 POP3 DoS (RETR) (pop3.rules)
2801306 - ETPRO POP3 Inetserv 3.23 POP3 DoS (DELE) (pop3.rules)
2801632 - ETPRO SMTP Multiple Products STARTTLS Plaintext Command Injection (smtp.rules)
2802836 - ETPRO SMTP Postfix SASL AUTH Handle Reuse Memory Corruption (Published Exploit) 3 (smtp.rules)
2805284 - ETPRO MALWARE Win32/Pelfpoi.M Checkin (malware.rules)
2805668 - ETPRO MALWARE Generic PUP.x!vi!1B41AF78BF55 Checkin (malware.rules)
2805855 - ETPRO MALWARE Porn-Dialer.Win32.Agent.a / DIAL_RAS.IQ Checkin (malware.rules)

Date: Friday, January 26, 2018 - 00:00