Daily Ruleset Update Summary 2018/02/01

[***]            Summary:            [***]

8 new Open, 24 new Pro (8 + 16). Backdoor.Elise, Operation EvilTraffic Redirect, Win32/Ghost419, Various Mobile, Various Phishing.

Thanks: MS-ISAC (@CISecurity)

[+++]          Added rules:          [+++]

Open:

2025282 - ET CURRENT_EVENTS Cloned Website Phishing Landing - Mirrored Website Comment Observed (current_events.rules)
2025283 - ET TROJAN Trojan-Dropper.Delf Checkin (trojan.rules)
2025284 - ET CURRENT_EVENTS Microsoft Live Login Phishing Landing 2018-02-01 (current_events.rules)
2025285 - ET CURRENT_EVENTS TSB Bank / Lloyds Bank Phishing Landing 2018-02-01 (current_events.rules)
2025286 - ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-01 (current_events.rules)
2025287 - ET TROJAN Operation EvilTraffic Initial Redirect M1 (trojan.rules)
2025288 - ET TROJAN Operation EvilTraffic Initial Redirect M2 (trojan.rules)
2025289 - ET TROJAN Backdoor.Elise Style IP Check (trojan.rules)

Pro:

2829515 - ETPRO INFO LaZagne EXE Download (info.rules)
2829516 - ETPRO TROJAN Observed Malicious SSL Cert (APT32 Cobalt Strike Beacon) (trojan.rules)
2829517 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 271 (mobile_malware.rules)
2829518 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 272 (mobile_malware.rules)
2829519 - ETPRO TROJAN AU3/Axtrit.BR Domain Detected (rhcobrancasfd .com .br in DNS Lookup) (trojan.rules)
2829520 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 273 (mobile_malware.rules)
2829521 - ETPRO TROJAN AU3/Axtrit.BR Domain Detected (rhcobrancasfd .com .br in TLS SNI) (trojan.rules)
2829522 - ETPRO TROJAN DDoS Win32/Nitol.A Checkin (trojan.rules)
2829523 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 274 (mobile_malware.rules)
2829526 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-01 1) (trojan.rules)
2829527 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-01 2) (trojan.rules)
2829528 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-01 3) (trojan.rules)
2829529 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-01 4) (trojan.rules)
2829530 - ETPRO TROJAN MSIL/Kuqa CnC Checkin (trojan.rules)
2829531 - ETPRO TROJAN Win32/Ghost419 CnC Data Exfil (trojan.rules)
2829532 - ETPRO TROJAN SSL/TLS Certificate Observed (Dreamsmasher) (trojan.rules)

[///]     Modified active rules:     [///]

2025135 - ET TROJAN [PTsecurity] Botnet Nitol.B Checkin (trojan.rules)
2025244 - ET CURRENT_EVENTS AT&T Phishing Landing 2018-01-23 (current_events.rules)
2811446 - ETPRO TROJAN uWarrior RAT CnC Beacon (trojan.rules)
2819671 - ETPRO TROJAN W32/Overflow Stealer Lazagne DL (trojan.rules)
2828853 - ETPRO CURRENT_EVENTS Successful TSB Bank / Lloyds Bank Phish 2017-12-12 M3 (current_events.rules)
2829216 - ETPRO TROJAN APT32 DNS Tunneling Domain 2 (trojan.rules)

[---]         Disabled rules:        [---]

2003641 - ET TROJAN Downloader.Small User Agent Detected (NetScafe) (trojan.rules)
2003648 - ET TROJAN Clicker.BC User Agent Detected (linkrunner) (trojan.rules)
2006377 - ET TROJAN Downloader.Win32.Agent.bwr CnC Beacon (trojan.rules)
2006401 - ET TROJAN Downloader.26001 Url Pattern Detected (lunch_id) (trojan.rules)
2007284 - ET TROJAN Downloader.Win32.Agent.cav Url Pattern Detected (ping) (trojan.rules)
2007587 - ET TROJAN General Downloader or Virut C&C Ack (trojan.rules)
2007595 - ET TROJAN Downloader.Dluca HTTP Checkin (trojan.rules)
2007644 - ET TROJAN Win32.Agent.cah Checkin Request (trojan.rules)
2007646 - ET TROJAN Farfli User Agent Detected (trojan.rules)
2007700 - ET TROJAN ExplorerHijack Trojan HTTP Checkin (trojan.rules)
2007838 - ET TROJAN Delf HTTP Checkin (1) (trojan.rules)
2007858 - ET TROJAN Delf Keylog FTP Upload (trojan.rules)
2007918 - ET TROJAN Dropper-497 (Yumato) System Stats Report (trojan.rules)
2007919 - ET TROJAN Dropper-497 Yumato Reply from server (trojan.rules)
2007939 - ET TROJAN Delf Checkin via HTTP (up) (trojan.rules)
2007952 - ET TROJAN Downloader.49651 Checkin (trojan.rules)
2007953 - ET TROJAN Downloader.49651 Install Report (trojan.rules)
2007954 - ET TROJAN Downloader.49651 Online Report (trojan.rules)
2007955 - ET TROJAN Cygo Checkin (trojan.rules)
2007986 - ET TROJAN Emogen Reporting via HTTP (trojan.rules)
2007987 - ET TROJAN Dropper.Win32.VB.on Keylog/System Info Report via HTTP (trojan.rules)
2008031 - ET TROJAN Dorf/Win32.Inject.adt C&C Communication Outbound (trojan.rules)
2008032 - ET TROJAN Dorf/Win32.Inject.adt C&C Communication Inbound (trojan.rules)
2008047 - ET TROJAN Egspy Infection Report via HTTP (trojan.rules)
2008071 - ET TROJAN Delf Checkin via HTTP (6) (trojan.rules)
2008087 - ET TROJAN Downloader.VB.CEJ HTTP Checkin (trojan.rules)
2008090 - ET TROJAN Delf Checkin via HTTP (7) (trojan.rules)
2008136 - ET TROJAN Egspy Install Report via HTTP (trojan.rules)
2008144 - ET TROJAN Proxy.Corpes.j Infection Report (trojan.rules)
2008195 - ET TROJAN Dropper mdodo.com Related Trojan (trojan.rules)
2008196 - ET TROJAN Dropper 6dzone.com Related Trojan (trojan.rules)
2008237 - ET TROJAN Pass Stealer FTP Upload (trojan.rules)
2008397 - ET TROJAN Fullspace.cc or Related Checkin (1) (trojan.rules)
2008430 - ET TROJAN Win32.Dialer.buv Sending Information Home (trojan.rules)
2008431 - ET TROJAN PWS.Gamania Checkin (trojan.rules)
2008451 - ET TROJAN Donbot Report to CnC (trojan.rules)
2008490 - ET TROJAN Dialer.Win32.E-Group.n Checkin (trojan.rules)
2008523 - ET TROJAN Proxy.Win32.Fackemo.g/Katusha/FakeAlert Checkin (trojan.rules)
2008674 - ET TROJAN Likely eCard Malware Laden Email Inbound (trojan.rules)
2008807 - ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Start (trojan.rules)
2008808 - ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Traffic (trojan.rules)
2008906 - ET TROJAN Trojan.Delf-5496 Egg Request (trojan.rules)
2008907 - ET TROJAN Trojan.Delf-5496 File Manager Access Report (trojan.rules)
2008940 - ET TROJAN DNSChanger.AT or related Infection Checkin Post (trojan.rules)
2008984 - ET TROJAN Trojan-GameThief.Win32.OnLineGames infection report (trojan.rules)
2009204 - ET TROJAN Crypt.CFI.Gen Checkin (trojan.rules)
2009209 - ET TROJAN Rogue A/V Win32/FakeXPA GET Request (trojan.rules)
2009470 - ET TROJAN Generic Info Stealer - HTTP POST (trojan.rules)
2009514 - ET TROJAN FAKE/ROGUE AV HTTP Post (trojan.rules)
2009539 - ET TROJAN Downloader Infostealer - GET Checkin (trojan.rules)
2009824 - ET TROJAN Downloader.Win32.Delf followon POST Data PUSH Packet (trojan.rules)
2010007 - ET TROJAN Potential Gemini Malware Download (trojan.rules)
2010138 - ET TROJAN Possible Win32/Agent.QBY CnC Post (trojan.rules)
2010164 - ET TROJAN Daonol C&C Communication (trojan.rules)
2010221 - ET TROJAN Possible Fake-Rean Installer Activity (Malwareurl.com Top 30) (trojan.rules)
2010248 - ET TROJAN Eleonore Exploit Pack activity (trojan.rules)
2010347 - ET TROJAN Fake/Rogue AV Landing Page Encountered (trojan.rules)
2010450 - ET TROJAN Potential Gemini/Fake AV Download URL Detected (trojan.rules)
2011086 - ET TROJAN Trojan-Dropper.Win32.Flystud (trojan.rules)
2011128 - ET TROJAN Eleonore Exploit Pack activity variant May 2010 (trojan.rules)
2011234 - ET TROJAN Cosmu Process Dump Report (trojan.rules)
2011693 - ET TROJAN Fragus Exploit Kit Landing (trojan.rules)
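Added example (not part of the ET summary, and not ET's or suricata-update's own code): a small parser for the summary format above, used the way a ruleset maintainer would use it, to count what was added, group the new rules by category for triage, and cross-check upstream "Modified" and "Disabled" SIDs against local suricata-update tuning. The SAMPLE text is a constructed excerpt of the 2018/02/01 summary; the local enable.conf / modify.conf SID sets are assumed inputs.

```python
"""Parse an Emerging Threats daily ruleset update summary and check it against
local suricata-update tuning (enable.conf / modify.conf).

Added example: not part of the ET summary and not ET's or suricata-update's
code. SAMPLE is a constructed excerpt of the 2018/02/01 summary; the bracketed
section headers and the "SID - MSG (file.rules)" line format are the summary's.
The local SID sets passed to review_against_local() stand in for what a site
would load from its own enable.conf / modify.conf."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

SAMPLE = """\
Daily Ruleset Update Summary 2018/02/01

[+++]          Added rules:          [+++]

Open:

2025282 - ET CURRENT_EVENTS Cloned Website Phishing Landing - Mirrored Website Comment Observed (current_events.rules)
2025289 - ET TROJAN Backdoor.Elise Style IP Check (trojan.rules)

Pro:

2829515 - ETPRO INFO LaZagne EXE Download (info.rules)
2829519 - ETPRO TROJAN AU3/Axtrit.BR Domain Detected (rhcobrancasfd .com .br in DNS Lookup) (trojan.rules)

[///]     Modified active rules:     [///]

2025135 - ET TROJAN [PTsecurity] Botnet Nitol.B Checkin (trojan.rules)

[---]         Disabled rules:        [---]

2003641 - ET TROJAN Downloader.Small User Agent Detected (NetScafe) (trojan.rules)
2007587 - ET TROJAN General Downloader or Virut C&C Ack (trojan.rules)
"""

# "[+++]          Added rules:          [+++]"  ->  "Added rules"
HEADER_RE = re.compile(r"^\[\S+\]\s+(.+?):\s+\[\S+\]$")
# "2025289 - ET TROJAN Backdoor.Elise Style IP Check (trojan.rules)"
ENTRY_RE = re.compile(r"^(\d+) - (ET|ETPRO) (\S+) (.*) \((\w+\.rules)\)$")


@dataclass(frozen=True)
class Entry:
    sid: int
    ruleset: str     # "ET" = Open ruleset, "ETPRO" = Pro-only
    category: str    # TROJAN, CURRENT_EVENTS, MOBILE_MALWARE, ...
    msg: str
    rules_file: str


def parse_summary(text):
    """Map each '[xxx] Name: [xxx]' section to the rule entries listed under it.
    The 'Open:' / 'Pro:' sub-labels are not needed: the ET/ETPRO prefix carries that."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            sid, ruleset, category, msg, rules_file = entry.groups()
            sections[current].append(Entry(int(sid), ruleset, category, msg, rules_file))
    return dict(sections)


def count_added(sections):
    """(Open, Pro-only) counts of added rules, to compare with the Summary line."""
    added = sections.get("Added rules", [])
    return (sum(e.ruleset == "ET" for e in added), sum(e.ruleset == "ETPRO" for e in added))


def added_by_category(sections):
    """Triage view: number of new rules per ET category (CURRENT_EVENTS, TROJAN, ...)."""
    return Counter(e.category for e in sections.get("Added rules", []))


def review_against_local(sections, local_enable, local_modify):
    """Cross-check upstream changes against local suricata-update tuning.
    retired_but_enabled: SIDs ET disabled that a local enable.conf force-enables.
    modified_and_tuned: SIDs ET changed that a local modify.conf rewrites, so the
    local regex may no longer match the new rule text and needs re-review."""
    disabled = {e.sid for e in sections.get("Disabled rules", [])}
    modified = {e.sid for e in sections.get("Modified active rules", [])}
    return {
        "retired_but_enabled": sorted(disabled & set(local_enable)),
        "modified_and_tuned": sorted(modified & set(local_modify)),
    }


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    print("added (open, pro-only):", count_added(parsed), dict(added_by_category(parsed)))
    # Constructed local tuning: one retired SID force-enabled, one modified SID rewritten.
    print(review_against_local(parsed, local_enable={2003641}, local_modify={2025135}))
```

Run against the full summary text rather than the excerpt, count_added() gives the Open / Pro-only split to check against the first line, and review_against_local() is the part worth automating: a SID that ET retires while a local enable.conf still forces it on, or that ET edits while a local modify.conf rewrites it, is exactly the change that silently breaks tuning after a routine update.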

Date: Thursday, February 1, 2018 - 00:00