Daily Ruleset Update Summary 2018/02/26

[***]            Summary:            [***]

14 new Open, 35 new Pro (14 + 21). SteamStealer, QRat.Java.RAT, OilRig, Various Phishing.

Try the new feedback tool: https://feedback.emergingthreats.net/feedback

Thanks: @TedDorosheff

[+++]          Added rules:          [+++]

Open:

2025386 - ET TROJAN SteamStealer DNS Lookup (steamdesktopauthenticator) (trojan.rules)
2025387 - ET TROJAN SteamStealer Domain in SNI (trojan.rules)
2025388 - ET TROJAN SteamStealer Malicious SSL Certificate Detected (trojan.rules)
2025389 - ET TROJAN SteamStealer DNS Lookup (lightalex) (trojan.rules)
2025390 - ET TROJAN SteamStealer DNS Lookup (steamdesktop) (trojan.rules)
2025391 - ET TROJAN [PTsecurity] QRat.Java.RAT (state_alive) (trojan.rules)
2025392 - ET TROJAN QRat.Java.RAT Checkin Response (trojan.rules)
2025393 - ET TROJAN QRat.Java.RAT Post-Checkin Request (trojan.rules)
2025394 - ET CURRENT_EVENTS Craigslist Phishing Landing 2018-02-26 (current_events.rules)
2025395 - ET CURRENT_EVENTS Credit Mutuel de Bretagne (FR) Phishing Landing 2018-02-26 (current_events.rules)
2025396 - ET CURRENT_EVENTS Facebook Mobile Phishing Landing 2018-02-26 (current_events.rules)
2025397 - ET CURRENT_EVENTS Mailbox Update Phishing Landing 2018-02-26 (current_events.rules)
2025398 - ET CURRENT_EVENTS Amazon Phishing Landing (DE) 2018-02-26 (current_events.rules)
2025399 - ET INFO Suspicious Browser Plugin Detect - Observed in Phish Landings (info.rules)

Pro:

2829790 - ETPRO TROJAN Sality.AE Checkin (trojan.rules)
2829791 - ETPRO TROJAN Sality.AE Checkin 2 (trojan.rules)
2829792 - ETPRO EXPLOIT Adobe Reader docID RCE (CVE-2018-4901) (exploit.rules)
2829793 - ETPRO TROJAN OilRig OopsIE CnC DNS Lookup (trojan.rules)
2829794 - ETPRO TROJAN OilRig Infrastructure DNS Lookup M1 (trojan.rules)
2829795 - ETPRO TROJAN OilRig Infrastructure DNS Lookup M2 (trojan.rules)
2829796 - ETPRO TROJAN OilRig OopsIE CnC Checkin (trojan.rules)
2829797 - ETPRO TROJAN OilRig OopsIE Sending Data to CnC (trojan.rules)
2829798 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2018-02-25 (current_events.rules)
2829799 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc Payload 2018-02-26) (current_events.rules)
2829800 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 291 (mobile_malware.rules)
2829801 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2018-02-26 (current_events.rules)
2829802 - ETPRO CURRENT_EVENTS Successful Generic Phish 2018-02-26 (set) (current_events.rules)
2829803 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2018-02-26 (current_events.rules)
2829804 - ETPRO CURRENT_EVENTS Successful MyBell.ca Phish 2018-02-26 (current_events.rules)
2829805 - ETPRO CURRENT_EVENTS Successful Craigslist Phish 2018-02-26 (current_events.rules)
2829806 - ETPRO TROJAN Icefog Domain Observed (uzwatersource .dynamic-dns .net in DNS Lookup) (trojan.rules)
2829807 - ETPRO TROJAN Icefog Domain Observed (uzwatersource .dynamic-dns .net in TLS SNI) (trojan.rules)
2829808 - ETPRO POLICY CoinMiner Mining Pool DNS Lookup (policy.rules)
2829809 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-26 1) (trojan.rules)
2829810 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-02-26 2) (trojan.rules)

[///]     Modified active rules:     [///]

2012801 - ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup (trojan.rules)
2803218 - ETPRO TROJAN W32/UFR_Stealer User-Agent (Trololo) (trojan.rules)
2804324 - ETPRO TROJAN W32/UFR_Stealer sending stolen data via FTP (trojan.rules)
2805133 - ETPRO TROJAN Win32/Zegost.Z CnC Traffic (trojan.rules)
2811695 - ETPRO TROJAN Win32/Onliner Spam Bot CnC Beacon (trojan.rules)
2811697 - ETPRO TROJAN Win32/Onliner Spam Bot CnC Beacon Response (trojan.rules)
2811698 - ETPRO TROJAN Win32/Onliner Spam Bot CnC (trojan.rules)
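A summary in the format above is what most teams diff against their deployed ruleset to confirm which of the day's SIDs actually landed. The following parser is an added example, not part of the Emerging Threats summary or any ET tooling. It assumes the line layout shown on this page (`SID - RULESET CATEGORY msg (file.rules)` under `[+++]`/`[///]` section headers and `Open:`/`Pro:` tier headers). The sample summary is a handful of lines copied from this page; the local ruleset is a constructed stand-in with placeholder rule bodies, only the `sid:` keyword is meaningful.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the 2018/02/26 summary, embedded so the
# parser runs offline. Real use would read the full summary from a file.
SAMPLE = """\
[+++]          Added rules:          [+++]

Open:

2025386 - ET TROJAN SteamStealer DNS Lookup (steamdesktopauthenticator) (trojan.rules)
2025399 - ET INFO Suspicious Browser Plugin Detect - Observed in Phish Landings (info.rules)

Pro:

2829792 - ETPRO EXPLOIT Adobe Reader docID RCE (CVE-2018-4901) (exploit.rules)
2829806 - ETPRO TROJAN Icefog Domain Observed (uzwatersource .dynamic-dns .net in DNS Lookup) (trojan.rules)

[///]     Modified active rules:     [///]

2012801 - ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup (trojan.rules)
2805133 - ETPRO TROJAN Win32/Zegost.Z CnC Traffic (trojan.rules)
"""

# Constructed local ruleset: placeholder bodies, NOT the real ET rule content.
# Only the sid: keyword matters for the comparison below.
LOCAL_RULES = """\
alert dns any any -> any any (msg:"placeholder"; sid:2025386; rev:1;)
alert http any any -> any any (msg:"placeholder"; sid:2012801; rev:5;)
"""

# One rule line: SID, ruleset (ETPRO checked before ET), category, message,
# trailing "(file.rules)". The message is greedy, so parentheses inside it
# (defanged domains, CVE ids) are kept and only the final group is the file.
RULE_LINE = re.compile(
    r"^(?P<sid>\d+) - (?P<ruleset>ETPRO|ET) (?P<category>[A-Z_]+) "
    r"(?P<msg>.+) \((?P<file>[a-z_]+\.rules)\)$"
)
# Section header such as "[+++]   Added rules:   [+++]" or "[///] ... [///]".
SECTION = re.compile(r"^\[(?:\+\+\+|///)\]\s+(?P<name>.+?)\s+\[(?:\+\+\+|///)\]$")
SID_KEYWORD = re.compile(r"\bsid:\s*(\d+)\s*;")


@dataclass(frozen=True)
class RuleEntry:
    sid: int
    ruleset: str      # "ET" (Open) or "ETPRO"
    category: str     # TROJAN, CURRENT_EVENTS, ...
    msg: str
    rules_file: str
    section: str      # "Added rules" or "Modified active rules"
    tier: str         # "Open", "Pro", or "" when the section has no tier header


def parse_summary(text):
    """Parse a daily update summary into RuleEntry records, in page order."""
    entries, section, tier = [], "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section, tier = m.group("name").rstrip(":"), ""
            continue
        if line in ("Open:", "Pro:"):
            tier = line[:-1]
            continue
        m = RULE_LINE.match(line)
        if m:
            entries.append(RuleEntry(int(m.group("sid")), m.group("ruleset"),
                                     m.group("category"), m.group("msg"),
                                     m.group("file"), section, tier))
    return entries


def count_by_section(entries):
    """Counts per (section, tier); compare against the header's stated totals."""
    counts = {}
    for e in entries:
        counts[(e.section, e.tier)] = counts.get((e.section, e.tier), 0) + 1
    return counts


def missing_sids(entries, local_rules_text):
    """Added SIDs from the summary that do not appear in the local ruleset."""
    local = {int(s) for s in SID_KEYWORD.findall(local_rules_text)}
    return sorted(e.sid for e in entries
                  if e.section == "Added rules" and e.sid not in local)


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    print(count_by_section(parsed))
    print("not yet deployed:", missing_sids(parsed, LOCAL_RULES))
```

Feeding the full summary through `count_by_section` is a quick consistency check against the "14 new Open, 35 new Pro (14 + 21)" header, and `missing_sids` over the concatenated local `.rules` files shows which of the day's additions are still absent after a rule update run.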

Date: Monday, February 26, 2018 - 00:00