Daily Ruleset Update Summary 2018/02/07

[***]            Summary:            [***]

9 new Open, 19 new Pro (9 + 10). MSIL/mbobbRAT, Sneark, ELF/Lady.G, Various Mobile, Various Phishing.

Thanks: @illegalfawn

[+++]          Added rules:          [+++]

Open:

2025321 - ET CURRENT_EVENTS Ebay Phishing Landing 2018-02-07 (current_events.rules)
2025322 - ET CURRENT_EVENTS Google Drive Phishing Landing 2018-02-07 (current_events.rules)
2025323 - ET CURRENT_EVENTS Dropbox Business Phishing Landing 2018-02-07 (current_events.rules)
2025324 - ET CURRENT_EVENTS Apple Phishing Landing 2018-02-07 (current_events.rules)
2025325 - ET CURRENT_EVENTS Dropbox Business Phishing Landing 2018-02-07 (current_events.rules)
2025326 - ET CURRENT_EVENTS Outlook Web App Phishing Landing 2018-02-07 (current_events.rules)
2025327 - ET CURRENT_EVENTS Dropbox/OneDrive Phishing Landing 2018-02-07 (current_events.rules)
2025328 - ET CURRENT_EVENTS Chase Phishing Landing 2018-02-07 (current_events.rules)
2025329 - ET CURRENT_EVENTS Mailbox Verification Phishing Landing 2018-02-07 (current_events.rules)

Pro:

2829582 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-07 1) (trojan.rules)
2829583 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-07 2) (trojan.rules)
2829584 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-07 3) (trojan.rules)
2829585 - ETPRO TROJAN MSIL/mbobbRAT Activity (trojan.rules)
2829586 - ETPRO TROJAN Trensil.B Checkin (trojan.rules)
2829587 - ETPRO TROJAN Sneark Checkin (trojan.rules)
2829588 - ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.TF Checkin (mobile_malware.rules)
2829589 - ETPRO TROJAN ELF/Lady.G Connectivity Check (trojan.rules)
2829590 - ETPRO CURRENT_EVENTS Generic DZNoob Phishing Landing 2018-02-07 (current_events.rules)
2829591 - ETPRO TROJAN DanderSpritz Implant Communicating with PeddleCheap Module (trojan.rules)

[+++]  Enabled and modified rules:   [+++]

2025319 - ET POLICY [Fidelis] Abnormal x509v3 SubjectKeyIdentifier extension (policy.rules)
2025320 - ET POLICY [Fidelis] Abnormal Very Long x509v3 SubjectKeyIdentifier Extension (policy.rules)

[///]     Modified active rules:     [///]

2013293 - ET TROJAN Win32.Glupteba/ClIEcker CnC Checkin (trojan.rules)
2025278 - ET CURRENT_EVENTS Mailbox Verification Phishing Landing 2018-01-31 (current_events.rules)
2025310 - ET CURRENT_EVENTS Mailbox Upgrade Phishing Landing 2018-02-05 (current_events.rules)
2809682 - ETPRO TROJAN Andromeda/Gamarue Checkin (trojan.rules)
2827475 - ETPRO TROJAN Win32/Ilomo.I CnC Communications (trojan.rules)
2828913 - ETPRO TROJAN WIN32/KOVTER.B Checkin 2 M3 (trojan.rules)
2829548 - ETPRO TROJAN W32/Kimsuky Sending Encrypted System Information to CnC (trojan.rules)
2829552 - ETPRO TROJAN W32/Kimsuky Requesting Stage 2 Payload (trojan.rules)

[---]  Disabled and modified rules:  [---]

2805875 - ETPRO TROJAN Win32/Reveton.N Checkin (trojan.rules)
2829200 - ETPRO CURRENT_EVENTS Possible Successful Cyberplus (FR) Phish M1 2018-01-08 (current_events.rules)

[---]         Disabled rules:        [---]

2002776 - ET TROJAN SickleBot Reporting User Activity (trojan.rules)
2003296 - ET TROJAN Possible Web-based DDoS-command being issued (trojan.rules)
2003431 - ET TROJAN Unnamed Generic.Malware http get (trojan.rules)
2003932 - ET TROJAN Hupigon User Agent Detected (IE_7.0) (trojan.rules)
2006399 - ET TROJAN Socks666 Checkin Success Packet (trojan.rules)
2007142 - ET TROJAN Virtumonde Variant Reporting to Controller via HTTP (trojan.rules)
2007285 - ET TROJAN Virtumonde Variant Reporting to Controller via HTTP (2) (trojan.rules)
2007566 - ET TROJAN Downloader.MisleadApp Fake Security Product Install (trojan.rules)
2007613 - ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1 (trojan.rules)
2007614 - ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3 (trojan.rules)
2007618 - ET TROJAN Storm Worm ICMP DDOS Traffic (trojan.rules)
2007688 - ET TROJAN Prg Trojan HTTP POST v1 (trojan.rules)
2007698 - ET TROJAN Vanquish Trojan HTTP Checkin (trojan.rules)
2007724 - ET TROJAN Prg Trojan HTTP POST version 2 (trojan.rules)
2007752 - ET TROJAN Saturn Proxy Checkin Response (trojan.rules)
2007753 - ET TROJAN Saturn Proxy C&C Activity (trojan.rules)
2007780 - ET TROJAN Ssppyy.com Surveillance Agent Reporting via Email (trojan.rules)
2007807 - ET TROJAN Rcash.co.kr Bootup Checkin via HTTP (trojan.rules)
2007811 - ET TROJAN Metajuan trojan checkin (trojan.rules)
2007834 - ET TROJAN Renos/ssd.com HTTP Checkin (trojan.rules)
2007898 - ET TROJAN Sohanad Checkin via HTTP (trojan.rules)
2007949 - ET TROJAN Medbod UDP Phone Home Packet (trojan.rules)
2007965 - ET TROJAN Goldun Reporting Install (trojan.rules)
2007974 - ET TROJAN Perfect Keylogger FTP Log Upload (trojan.rules)
2008025 - ET TROJAN Turkojan C&C Logs Parse Response Response (LOGS1) (trojan.rules)
2008028 - ET TROJAN Turkojan C&C Browse Drive Command Response (metin) (trojan.rules)
2008030 - ET TROJAN Turkojan C&C nxt Command Response (nxt) (trojan.rules)
2008130 - ET TROJAN Win32.Lydra.hj HTTP Checkin (trojan.rules)
2008155 - ET TROJAN Trats.a Post-Infection Checkin (trojan.rules)
2008236 - ET TROJAN Fake.Googlebar or Softcash.org Related Post-Infection Checkin (trojan.rules)
2008261 - ET TROJAN Common Spambot HTTP Checkin (trojan.rules)
2008277 - ET TROJAN Pakes Winifixer.com Related Checkin URL (trojan.rules)
2008280 - ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (trojan.rules)
2008285 - ET TROJAN RLPacked Binary - Likely Hostile (trojan.rules)
2008324 - ET TROJAN Zalupko/Koceg/Mandaph manda.php Checkin (trojan.rules)
2008341 - ET TROJAN Themida Packed Binary - Likely Hostile (trojan.rules)
2008347 - ET TROJAN Swizzor Checkin (trojan.rules)
2008358 - ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports (trojan.rules)
2008369 - ET TROJAN Keylogger Crack by bahman (trojan.rules)
2008384 - ET TROJAN Piptea.a Related Trojan Checkin (3) (trojan.rules)
2008393 - ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (2) (trojan.rules)
2008395 - ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (3) (trojan.rules)
2008405 - ET TROJAN Obitel trojan calling home (trojan.rules)
2008449 - ET TROJAN Keylogger.ane Checkin (trojan.rules)
2008471 - ET TROJAN HotLan.C Spambot C&C download command (trojan.rules)
2008473 - ET TROJAN HotLan.C Spambot Trojan Activity (trojan.rules)
2008481 - ET TROJAN Trojan-PSW.Win32.Nilage.crg Checkin (trojan.rules)
2008493 - ET TROJAN Pushdo Checkin (trojan.rules)
2008506 - ET TROJAN Trojan-PWS.Win32.VB.tr Checkin Detected (trojan.rules)
2008515 - ET TROJAN Hupigon.AZG Checkin (trojan.rules)
2008521 - ET TROJAN Keylogger Infection Report via POST (trojan.rules)
2008522 - ET TROJAN Stpage Checkin (nomodem) (trojan.rules)
2008580 - ET TROJAN Trojan Sinowal/Torpig Phoning Home (trojan.rules)
2008642 - ET TROJAN Keylogger PRO GOLD Post (trojan.rules)
2008662 - ET TROJAN Generic PSW Agent server reply (trojan.rules)
2008689 - ET TROJAN Gimmiv.A.dll Infection (trojan.rules)
2008733 - ET TROJAN Trojan.Win32.Regrun.ro FTP connection detected (trojan.rules)
2008758 - ET TROJAN Mcboo.com/Bundlext.com related Trojan Checkin URL (trojan.rules)
2008760 - ET TROJAN Insidebar.co.kr Related Infection Checkin (trojan.rules)
2008841 - ET TROJAN Trojan-PWS.Win32.Small.gs Passwords leak over FTP (trojan.rules)
2008911 - ET TROJAN Spyguarder.com Fake AV Install Report (trojan.rules)
2008920 - ET TROJAN Backdoor.Win32/PcClient.ZL Checkin (trojan.rules)
2008972 - ET TROJAN Pointfree.co.kr Trojan/Spyware Infection Checkin (trojan.rules)
2008973 - ET TROJAN onmuz.com Infection Activity (trojan.rules)
2009003 - ET TROJAN Win32/Korklic.A (trojan.rules)
2009077 - ET TROJAN TROJ_INJECT.NI Update Request (trojan.rules)
2009094 - ET TROJAN Password Stealer (PSW.Win32.Magania Family) GET (trojan.rules)
2009096 - ET TROJAN Tigger.a/Syzor Control Checkin (trojan.rules)
2009126 - ET TROJAN Win32/Monkif Downloader Checkin (trojan.rules)
2009239 - ET TROJAN PcClient Backdoor Checkin (trojan.rules)
2009242 - ET TROJAN LDPinch Reporting infection via Email (trojan.rules)
2009300 - ET TROJAN Small.zon checkin (trojan.rules)
2009347 - ET TROJAN Tigger.a/Syzor Checkin (trojan.rules)
2009405 - ET TROJAN Personal Defender2009 - prinimalka.py (trojan.rules)
2009406 - ET TROJAN Personal Defender2009 - trash.py (trojan.rules)
2009443 - ET TROJAN NoBo Downloader Dropper GET (trojan.rules)
2009517 - ET TROJAN Qhosts Trojan Check-in (trojan.rules)
2009532 - ET TROJAN BackDoor-EGB Check-in (trojan.rules)
2009533 - ET TROJAN Keylogger Pro Update Check (trojan.rules)
2009694 - ET TROJAN Navipromo related update (trojan.rules)
2009752 - ET TROJAN Monkif/DlKroha Trojan Activity HTTP Outbound (trojan.rules)
2009811 - ET TROJAN KillAV/Dropper/Mdrop/Hupigon - HTTP GET (trojan.rules)
2009830 - ET TROJAN Win32/Wombot.A checkin Possible Bruteforcer for Web Forms and Accounts - HTTP POST (trojan.rules)
2010065 - ET TROJAN SafeFighter Fake Scanner Installation in Progress (trojan.rules)
2010158 - ET TROJAN Nanspy Bot Checkin (trojan.rules)
2010163 - ET TROJAN Glacial Dracon C&C Communication (trojan.rules)
2010201 - ET TROJAN Silon Encrypted Data POST to C&C (trojan.rules)
2010224 - ET TROJAN Opachki Link Hijacker Traffic Redirection (trojan.rules)
2010230 - ET TROJAN W32.Koblu (trojan.rules)
2010267 - ET TROJAN Sinowal/Torpig Checkin (trojan.rules)
2010268 - ET TROJAN W32.SillyFDC Checkin (trojan.rules)
2010282 - ET TROJAN Generic Trojan Checkin (double Content-Type headers) (trojan.rules)
2010283 - ET TROJAN Opachki Link Hijacker HTTP Header Injection (trojan.rules)
2010441 - ET TROJAN Possible Storm Variant HTTP Post (S) (trojan.rules)
2010442 - ET TROJAN Possible Storm Variant HTTP Post (U) (trojan.rules)
2010723 - ET TROJAN Oficla Russian Malware Bundle C&C instruction response with runurl (trojan.rules)
2010724 - ET TROJAN Oficla Russian Malware Bundle C&C instruction response (trojan.rules)
2010744 - ET TROJAN Oficla Russian Malware Bundle C&C instruction response (2) (trojan.rules)
2010822 - ET TROJAN smain?scout=acxc Generic Download landing (trojan.rules)
2010823 - ET TROJAN Torpig Related Fake User-Agent (Apache (compatible...)) (trojan.rules)
2010872 - ET TROJAN Pragma hack Detected Outbound - Likely Infected Source (trojan.rules)
2011104 - ET TROJAN Exploit kit attack activity likely hostile (trojan.rules)
2011186 - ET TROJAN Nine Ball Infection ya.ru Post (trojan.rules)
2011236 - ET TROJAN Trojan-Downloader Win32.Genome.avan (trojan.rules)

[---]         Removed rules:         [---]

2811272 - ETPRO CURRENT_EVENTS Angler EK Landing June 05 2015 M4 (current_events.rules)
2816512 - ETPRO CURRENT_EVENTS Angler EK Landing Mar 02 2016 M1 T3 (current_events.rules)

Date: Wednesday, February 7, 2018 - 00:00