Daily Ruleset Update Summary 2018/02/21

[***]            Summary:            [***]

3 new Open, 18 new Pro (3 + 15). BestaBid, Evrial Stealer, Jenkins RCE, Various Mobile, Various Phishing.

Thanks: @deependresearch

[+++]          Added rules:          [+++]

Open:

2025374 - ET CURRENT_EVENTS [Deepend Research] BestaBid FakeFlash Redirect (current_events.rules)
2025375 - ET TROJAN Evrial Stealer CnC Activity M2 (trojan.rules)
2025376 - ET WEB_SPECIFIC_APPS Possible Jenkins CLI RCE (CVE-2017-1000353) (web_specific_apps.rules)

Pro:

2829750 - ETPRO TROJAN APT37 ZUMKONG CnC Beacon (trojan.rules)
2829751 - ETPRO TROJAN APT37 ZUMKONG Fake User-Agent (trojan.rules)
2829752 - ETPRO CURRENT_EVENTS Successful Apple Phish2018-02-21 (current_events.rules)
2829753 - ETPRO CURRENT_EVENTS Successful ING Phish2018-02-21 (current_events.rules)
2829754 - ETPRO CURRENT_EVENTS Successful Banco Bradesco Phish2018-02-21 (current_events.rules)
2829755 - ETPRO CURRENT_EVENTS Successful Caixa Phish2018-02-21 (current_events.rules)
2829756 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.jz Reporting Infection via SMTP (mobile_malware.rules)
2829757 - ETPRO MOBILE_MALWARE Android/Agent.ATW Checkin (mobile_malware.rules)
2829758 - ETPRO TROJAN Shifr/Shurl0cker Ransomware Onion Domain in SNI (u4hp32ms2u6s4x7q) (trojan.rules)
2829759 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 287 (mobile_malware.rules)
2829760 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 288 (mobile_malware.rules)
2829761 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-21 1) (trojan.rules)
2829762 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-21 2) (trojan.rules)
2829763 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-21 3) (trojan.rules)
2829764 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-21 4) (trojan.rules)

[///]     Modified active rules:     [///]

2809907 - ETPRO TROJAN Win32/Jinupd.B Cnc Beacon (trojan.rules)
2821692 - ETPRO TROJAN ZeusPOS Payload M2 (trojan.rules)
2828212 - ETPRO TROJAN AgentTesla Communicating with CnC Server (trojan.rules)
2828641 - ETPRO TROJAN Reypston Ransomware Onion Domain in SNI (dphux5xrwuaf4yey) (trojan.rules)
2829626 - ETPRO TROJAN NameCoin .bit DNS Sinkhole Response (trojan.rules)
2829732 - ETPRO TROJAN Shifr/Shurl0cker Ransomware CnC DNS Lookup (trojan.rules)
2829737 - ETPRO TROJAN MSIL/CrabbMiner CnC Activity (trojan.rules)

[---]         Disabled rules:        [---]

2003180 - ET TROJAN Possible Warezov/Stration Data Post to Controller (trojan.rules)
2003436 - ET TROJAN Warezov/Stration Communicating with Controller 2 (trojan.rules)
2006448 - ET TROJAN Win32.Agent.ajx Trojan Reporting to Server (trojan.rules)
2007573 - ET TROJAN Vundo.dam http Update (trojan.rules)
2007608 - ET TROJAN Win32.Agent.bea C&C connection (trojan.rules)
2007610 - ET TROJAN Win32.Small.qh/xSock Checkin URL Detected (trojan.rules)
2007620 - ET TROJAN Zlob Updating via HTTP (v2) (trojan.rules)
2007769 - ET TROJAN Zhelatin Update Detected (trojan.rules)
2007989 - ET TROJAN Vundo HTTP Pre-Install Checkin (trojan.rules)
2007990 - ET TROJAN Vundo HTTP Post-Install Checkin (trojan.rules)
2008004 - ET TROJAN Win32.Agent.cyt (Or variant) HTTP POST Checkin (2) (trojan.rules)
2008082 - ET TROJAN Vundo HTTP Post-Install Checkin (2) (trojan.rules)
2008250 - ET TROJAN Winspywareprotect.com Fake AV/Anti-Spyware Install Checkin (trojan.rules)
2008319 - ET TROJAN Win32.Small.wpx or Related Downloader Posting Data (trojan.rules)
2008386 - ET TROJAN Zlob HTTP Checkin (trojan.rules)
2008396 - ET TROJAN Zlob Initial Check-in Version 2 (confirm.php?sid=) (trojan.rules)
2008482 - ET TROJAN thespybot.com installation download detected (trojan.rules)
2008573 - ET TROJAN Viruscatch.co.kr/Win32.Small.hvd Mysql Command and Control Connection (user viruscatch) (trojan.rules)
2008949 - ET TROJAN Win32.Small.yml or Related HTTP Checkin (trojan.rules)
2008950 - ET TROJAN Trojan.Win32.Small.yml client registration (trojan.rules)
2008951 - ET TROJAN Trojan.Win32.Small.yml client command (trojan.rules)
2008952 - ET TROJAN Win32.Small.yml or Related HTTP Command (trojan.rules)
2008976 - ET TROJAN Vundo Variant reporting to Controller via HTTP (1) (trojan.rules)
2008977 - ET TROJAN Vundo Variant reporting to Controller via HTTP (2) (trojan.rules)
2009174 - ET TROJAN Possible Vundo EXE Download Attempt (trojan.rules)
2009457 - ET TROJAN Virut Counter/Check-in  (trojan.rules)
2009518 - ET TROJAN s4t4n1c Trojan Check-in (trojan.rules)
2009829 - ET TROJAN Virut/Virutas/Virtob/QQHelper Dropper Family - HTTP GET (trojan.rules)
2009896 - ET TROJAN Win32/Winwebsec User-Agent Detected (trojan.rules)
2010240 - ET TROJAN WindowsEnterpriseSuite FakeAV check-in HEAD (trojan.rules)
2010246 - ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in (trojan.rules)
2011294 - ET TROJAN Trojan.Win32.FraudPack.aweo (trojan.rules)
2011357 - ET TROJAN FakeAV SetupSecure Download Attempt SetupSecure (trojan.rules)
2011370 - ET TROJAN Stupid Stealer C&C Communication (1) (trojan.rules)
2011371 - ET TROJAN Stupid Stealer C&C Communication (2) (trojan.rules)
2011395 - ET TROJAN wisp backdoor detected reporting (trojan.rules)
2011397 - ET TROJAN FakeYak or Related Infection Checkin 2 (trojan.rules)
2011398 - ET TROJAN Yoyo-DDoS Bot Execute DDoS Command From CnC Server (trojan.rules)
2011399 - ET TROJAN Yoyo-DDoS Bot Download and Launch Executable Message >From CnC Server (trojan.rules)
2011402 - ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Inbound (trojan.rules)
2011403 - ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Outbound (trojan.rules)
2011414 - ET TROJAN Win32/Small.gen!AQ Communication with Controller (trojan.rules)
2011419 - ET TROJAN FAKEAV landing page - sector.hdd.png no-repeat (trojan.rules)
2011470 - ET TROJAN Daurso FTP Credential Theft Reported (trojan.rules)
2011471 - ET TROJAN Daurso Checkin (trojan.rules)
2011473 - ET TROJAN Antivirus2010 Checkin port 8082 (trojan.rules)
2011490 - ET TROJAN Downloader.Win32.Zlob.bgs Checkin(1) (trojan.rules)
2011491 - ET TROJAN Downloader.Win32.Zlob.bgs Checkin(2) (trojan.rules)
2011591 - ET TROJAN Potential-Hiloti/FakeAV site access (trojan.rules)
2011592 - ET TROJAN Yoyo-DDoS Bot Download and Launch Executable Message >From CnC Server (trojan.rules)
2011767 - ET TROJAN Avzhan DDOS Bot Inbound Hardcoded Malformed GET Request Denial Of Service Attack Detected (trojan.rules)
2011769 - ET TROJAN Shiz/Rohimafo Binary Download Request (trojan.rules)
2011820 - ET TROJAN Fake AV CnC Checkin cycle_report (trojan.rules)
2011849 - ET TROJAN Win32/Comotor.A!dll Reporting 2 (trojan.rules)
2011851 - ET TROJAN Carberp CnC Reply no tasks (trojan.rules)
2011862 - ET TROJAN Feodo Banking Trojan Account Details Post (trojan.rules)
2800809 - ETPRO TROJAN Backdoor.Win32.VBKrypt.dxe Bong (trojan.rules)
2800810 - ETPRO TROJAN Trojan.Win32.Chif.A Checkin (trojan.rules)
2800811 - ETPRO TROJAN Trojan.Win32.Infostealer.Nimkey (load) (trojan.rules)
2800812 - ETPRO TROJAN Trojan.Win32.Infostealer.Nimkey (upload) (trojan.rules)
2800815 - ETPRO TROJAN Trojan.Win32.Slagent Checkin (trojan.rules)
2800817 - ETPRO TROJAN Win32.Banker.QO Checkin (trojan.rules)
2800824 - ETPRO TROJAN Backdoor.Win32.Mexbank.A Response (trojan.rules)
2800830 - ETPRO TROJAN Backdoor.Win32.Omexo.C Checkin (trojan.rules)

[---]         Removed rules:         [---]

2022246 - ET TROJAN Backdoor User-Agent (InstallCapital) (trojan.rules)
2829749 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-20 9) (trojan.rules)

Date: Wednesday, February 21, 2018 - 00:00