Daily Ruleset Update Summary 2018/03/27

[***]            Summary:            [***]

4 new Open, 28 new Pro (4 + 24). Sharik/Smoke Loader Updates, Win32/Glupteba, MSIL/BackdoorAgent.BBT, Various Mobile, Various Phishing.

Thanks: Nathan Fowler

[+++]          Added rules:          [+++]

Open:

2025439 - ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check M2 (trojan.rules)
2025440 - ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check M3 (trojan.rules)
2025441 - ET TROJAN Sharik/Smoke CnC Beacon 10 (trojan.rules)
2025442 - ET CURRENT_EVENTS Adobe PDF Reader Phishing Landing 2018-03-27 (current_events.rules)

Pro:

2830131 - ETPRO TROJAN Observed Malicious SSL Cert (Smokeloader DL) (trojan.rules)
2830132 - ETPRO TROJAN Win32/Glupteba Updating CnC with System Info (trojan.rules)
2830133 - ETPRO TROJAN Win32/Glupteba IP Lookup M2 (trojan.rules)
2830134 - ETPRO POLICY External IP Lookup Domain (adspy .mobi) (policy.rules)
2830135 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-03-26 (current_events.rules)
2830136 - ETPRO USER_AGENTS Suspicious User-Agent (=Mozilla) (user_agents.rules)
2830137 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-03-27 1) (trojan.rules)
2830138 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-03-27 2) (trojan.rules)
2830139 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-03-27 3) (trojan.rules)
2830140 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-03-27 4) (trojan.rules)
2830141 - ETPRO TROJAN Malicious PS Dropper Domain (dns .relogh .com in DNS Lookup) (trojan.rules)
2830142 - ETPRO TROJAN Malicious PS Dropper Domain (dns .relogh .com in TLS SNI) (trojan.rules)
2830143 - ETPRO TROJAN Malicious PS Dropper Domain (sec .osteem .com in DNS Lookup) (trojan.rules)
2830144 - ETPRO TROJAN Malicious PS Dropper Domain (sec .osteem .com in TLS SNI) (trojan.rules)
2830145 - ETPRO TROJAN Malicious PS Dropper Domain (security .upesse .com in DNS Lookup) (trojan.rules)
2830146 - ETPRO TROJAN Malicious PS Dropper Domain (security .upesse .com in TLS SNI) (trojan.rules)
2830147 - ETPRO TROJAN MSIL/B64 EXE Download Domain (vengeful .club in TLS SNI) (trojan.rules)
2830148 - ETPRO TROJAN MSIL/BackdoorAgent.BBT CnC Checkin (trojan.rules)
2830149 - ETPRO TROJAN MSIL/BackdoorAgent.BBT CnC Initial Beacon (Inbound) (trojan.rules)
2830150 - ETPRO TROJAN MSIL/BackdoorAgent.BBT CnC Keep-Alive (trojan.rules)
2830151 - ETPRO MOBILE_MALWARE Android.Trojan.HiddenApp.CV Checkin (mobile_malware.rules)
2830152 - ETPRO TROJAN TROJAN njRAT/Bladabindi Variant CnC Checkin (trojan.rules)
2830153 - ETPRO CURRENT_EVENTS Successful Blackboard Phish 2018-03-27 (current_events.rules)
2830154 - ETPRO CURRENT_EVENTS Successful Email Recovery Download Document Phish 2018-03-27 (current_events.rules)

[///]     Modified active rules:     [///]

2815494 - ETPRO CURRENT_EVENTS AES Crypto Observed in Javascript - Possible Phishing Landing M1 Dec 28 2015 (current_events.rules)
2825163 - ETPRO CURRENT_EVENTS Successful Generic Phish (Redirect to Download PDF) Feb 28 2017 (current_events.rules)
2828069 - ETPRO TROJAN Oiram CnC Beacon (trojan.rules)
2828324 - ETPRO TROJAN Gh0st Variant CnC Beacon (trojan.rules)
2830128 - ETPRO TROJAN Win32/Glupteba Communicating with CnC (trojan.rules)
2830129 - ETPRO TROJAN Win32/Glupteba IP Lookup M1 (trojan.rules)

[---]         Removed rules:         [---]

2021421 - ET TROJAN APT CozyCar SSL Cert 4 (trojan.rules)

Date: 
Tuesday, March 27, 2018 - 00:00