Daily Ruleset Update Summary
Daily Ruleset Update Summary 2018/04/03

[***]            Summary:            [***]

7 new Open, 22 new Pro (7 + 15). GandCrab, CVE-2013-2618, W32/Rodecap.StealRat, Various Phishing, Various Mobile.

Thanks: @AttackDetection

[+++]          Added rules:          [+++]

Open:

2025455 - ET TROJAN Win32/GandCrab Ransomware CnC Activity M2 (trojan.rules)
2025456 - ET USER_AGENTS Suspicious User-Agent (=Mozilla) (user_agents.rules)
2025457 - ET TROJAN [PTsecurity] W32/Rodecap.StealRat C2 Payload (GIF) (trojan.rules)
2025458 - ET TROJAN [PTsecurity] Win32/SocStealer.Socelars C2 Response (trojan.rules)
2025459 - ET WEB_SPECIFIC_APPS Possible CVE-2013-2618 Attempt (PHP Weathermap Persistent XSS) (web_specific_apps.rules)
2025460 - ET INFO NYU Internet HTTP/SSL Census Scan (info.rules)
2025461 - ET SCAN NYU Internet Census UA Inbound (scan.rules)

Pro:

2830230 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-04-02 (current_events.rules)
2830231 - ETPRO TROJAN ELF/CoinMiner_MALXMR.SM DNS Lookup 1 (trojan.rules)
2830232 - ETPRO TROJAN ELF/CoinMiner_MALXMR.SM DNS Lookup 2 (trojan.rules)
2830233 - ETPRO TROJAN URLZone C2 Domain (rebinodar .com in TLS SNI) (trojan.rules)
2830234 - ETPRO TROJAN URLZone C2 Domain (vafersoma .com in TLS SNI) (trojan.rules)
2830235 - ETPRO TROJAN URLZone C2 Domain (bergesoma .com in TLS SNI) (trojan.rules)
2830236 - ETPRO TROJAN MSIL/Agent.BIN CnC Activity (trojan.rules)
2830237 - ETPRO TROJAN MSIL.Miner Retrieving TXT Config (trojan.rules)
2830238 - ETPRO TROJAN Observed LiteHTTP Bot Default User-Agent (trojan.rules)
2830239 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-03 1) (trojan.rules)
2830240 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-03 2) (trojan.rules)
2830241 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-03 3) (trojan.rules)
2830242 - ETPRO MALWARE Win32/ProxyThorn PUA Conn Check (malware.rules)
2830243 - ETPRO TROJAN W32/Trickbot C2 (networkDll module) (trojan.rules)
2830244 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-04-03 (current_events.rules)

[///]     Modified active rules:     [///]

2007994 - ET MALWARE Suspicious User-Agent (1 space) (malware.rules)
2024422 - ET CURRENT_EVENTS Amazon Phish Landing Jun 22 2017 (current_events.rules)
2024969 - ET TROJAN OceanLotus System Profiling JavaScript HTTP Request (trojan.rules)
2025005 - ET CURRENT_EVENTS Possible Successful Generic Phish Jan 14 2016 (current_events.rules)
2025451 - ET POLICY Monero Mining Pool DNS Lookup (policy.rules)
2804292 - ETPRO TROJAN Win32/Xtrat.B CnC Traffic (trojan.rules)
2814787 - ETPRO POLICY External IP Check (checkip.amazonaws.com) (policy.rules)
2822941 - ETPRO CURRENT_EVENTS Successful Amazon Phish Oct 27 2016 (current_events.rules)
2823937 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) Dec 16 2016 (current_events.rules)
2828823 - ETPRO TROJAN Observed Possible Malicious SSL Cert (Powershell Empire) (trojan.rules)
2829691 - ETPRO TROJAN MuddyWater APT POWERSTAT CnC M3 (trojan.rules)
2830222 - ETPRO MOBILE_MALWARE Android/Spy.Agent.KK SMS/Contact Exfil via SMTP 2 (mobile_malware.rules)

[---]  Disabled and modified rules:  [---]

2016104 - ET TROJAN DNS Reply for unallocated address space - Potentially Malicious 1.1.1.0/24 (trojan.rules)
2021638 - ET CURRENT_EVENTS CottonCastle/Niteris EK Landing Aug 17 2015 (current_events.rules)
2025364 - ET CURRENT_EVENTS Google Docs Phishing Landing 2018-02-15 (current_events.rules)

[---]         Disabled rules:        [---]

2012696 - ET TROJAN FakeAV InstallInternetProtection Download (trojan.rules)
2012714 - ET TROJAN FakeAV BestAntivirus2011 Download (trojan.rules)
2012828 - ET TROJAN Win32/Rimecud download (trojan.rules)
2012839 - ET TROJAN Trojan-Downloader.Win32.Small Checkin (trojan.rules)
2012867 - ET TROJAN Clicker.Win32.AutoIt.ai Checkin (trojan.rules)
2012871 - ET TROJAN Gozi posting form data (trojan.rules)
2012908 - ET TROJAN Backdoor Win32/Begman.A Checkin (trojan.rules)
2012918 - ET TROJAN Possible TDSS Trojan GET with xxxx_ string (trojan.rules)
2012934 - ET TROJAN Generic adClicker Checkin (trojan.rules)
2012961 - ET TROJAN Trojan.Vaklik.kku Checkin Response (trojan.rules)
2013034 - ET TROJAN WebToolbar.Win32.WhenU.r Reporting (trojan.rules)
2013046 - ET TROJAN DLoader PWS Module Data Upload Activity (trojan.rules)
2013062 - ET TROJAN MacShield FakeAV CnC Communication (trojan.rules)
2013071 - ET TROJAN Dropper.MSIL.Agent.ate Checkin (trojan.rules)
2013092 - ET TROJAN VBKrypt.cmtp Login to Server (trojan.rules)
2013122 - ET TROJAN Vilsel.ayjv Checkin (aid) (trojan.rules)
2013136 - ET TROJAN FakeAV FakeAlertRena.n Checkin Response from Server (trojan.rules)
2013154 - ET TROJAN Backdoor.Win32.Gbod.dv Checkin (trojan.rules)
2801987 - ETPRO TROJAN Stage 3 Indicator Black Hole Exploit Kit dropper (trojan.rules)
2801995 - ETPRO TROJAN Buzus/Bifrost Checkin (trojan.rules)
2801996 - ETPRO TROJAN Buzus/Bifrost Checkin Response (trojan.rules)
2801997 - ETPRO TROJAN Ardamax Keylogger Reporting (trojan.rules)
2802001 - ETPRO TROJAN Generic Downloader.x!fdi Checkin (trojan.rules)
2802003 - ETPRO TROJAN Backdoor.Win32.Refpron.I Checkin (trojan.rules)
2802004 - ETPRO TROJAN Backdoor.Win32.Gootkit.A HTTP Checkin (trojan.rules)
2802011 - ETPRO TROJAN Trojan.Win32.Fisp.A Chinese Bootkit Checkin 2 (trojan.rules)
2802014 - ETPRO TROJAN Trojan.Win32.Banker.qmd Runtime Detection (trojan.rules)
2802052 - ETPRO TROJAN Backdoor.Win32.WhiteGBlgr.A Checkin (trojan.rules)
2802053 - ETPRO TROJAN Trojan.Win32.SharkQWT.A Checkin 1 (trojan.rules)
2802054 - ETPRO TROJAN Trojan.Win32.SharkQWT.A Checkin 2 (trojan.rules)
2802055 - ETPRO TROJAN Trojan.Win32.SharkQWT.A Checkin 3 (trojan.rules)
2802056 - ETPRO TROJAN backdoor.Win32.Knockwxp.A Checkin (trojan.rules)
2802057 - ETPRO TROJAN Backdoor.Win32.Knockwxp.A Checkin (trojan.rules)
2802058 - ETPRO TROJAN Win32.AutoRun.cftw Checkin (trojan.rules)
2802059 - ETPRO TROJAN Win32.Bankwabfoto.A Checkin (trojan.rules)
2802070 - ETPRO TROJAN Backdoor.Win32.Cyspetel.A Checkin (trojan.rules)
2802076 - ETPRO TROJAN Trojan.Win32.KLCCs.A Checkin (trojan.rules)
2802077 - ETPRO TROJAN Backdoor.Win32.Komrye.A Checkin 1 (trojan.rules)
2802078 - ETPRO TROJAN Backdoor.Win32.Komrye.A Checkin 2 (trojan.rules)
2802079 - ETPRO TROJAN Backdoor.Win32.Komrye.A Checkin 3 (trojan.rules)
2802080 - ETPRO TROJAN Trojan.Win32.Funcoes.A Checkin (trojan.rules)
2802086 - ETPRO TROJAN Keylogger Win32.SMTP-Mailer.eqX at aK!Aqep Logging Start Email Sent (trojan.rules)
2802094 - ETPRO TROJAN Trojan.Win32.TMaquina.A Checkin (trojan.rules)
2802097 - ETPRO TROJAN Trojan.MSIL.Qhost.ajb checkin (trojan.rules)
2802098 - ETPRO TROJAN Trojan.MSIL.Qhost.ajb Activity (trojan.rules)
2802099 - ETPRO TROJAN Backdoor.Win32.Rewdulon.A/Win32.Graybird Checkin (trojan.rules)
2802101 - ETPRO TROJAN Backdoor.Win32.Bewymbot.A Checkin (trojan.rules)
2802110 - ETPRO TROJAN Trojan.Win32.Banker.bgcp Checkin (trojan.rules)
2802111 - ETPRO TROJAN Trojan.Win32.TAvesto.A Checkin (trojan.rules)
2802112 - ETPRO TROJAN Worm.Win32.Autorun.BPT Checkin (trojan.rules)
2802157 - ETPRO TROJAN Vundo/Cryptic/Backdoor.24 Checkin (trojan.rules)
2802160 - ETPRO TROJAN Delf/Hupigon/PWS.Banker.54377 Checkin Response from Client (trojan.rules)
2802170 - ETPRO TROJAN Backdoor.Win32.Wergimog.A Checkin 2 (trojan.rules)
2802172 - ETPRO TROJAN Trojan.Win32.Tspsl.C Checkin (trojan.rules)
2802178 - ETPRO TROJAN Trojan.Win32.Banload.BIYB Checkin (trojan.rules)
2802182 - ETPRO TROJAN Backdoor.Win32.Prinisakat.A checkin (trojan.rules)
2802184 - ETPRO TROJAN Trojan.Win32.Dibhoad.A Activity (trojan.rules)
2802194 - ETPRO TROJAN Win32.Kifloo Checkin (trojan.rules)
2802195 - ETPRO TROJAN Backdoor.Win32.Muhaltick.A Checkin (trojan.rules)
2802198 - ETPRO TROJAN Trojan.Win32.Banker.bkvd (sending info) (trojan.rules)
2802200 - ETPRO TROJAN Backdoor.Win32.VB.Alsci Checkin (sending driver info) (trojan.rules)
2802207 - ETPRO TROJAN Backdoor.Win32.Jinto.A Checkin (trojan.rules)
2802208 - ETPRO TROJAN Backdoor.Win32.Tashxmgr.A Checkin (trojan.rules)
2802585 - ETPRO TROJAN Backdoor.Win32.Kadrbot.A Checkin (trojan.rules)
2802826 - ETPRO TROJAN Trojan.Win32.Chowspy.A Checkin 1 (trojan.rules)
2802827 - ETPRO TROJAN Trojan.Win32.Chowspy.A Checkin 2 (trojan.rules)
2802829 - ETPRO TROJAN Win32.Fibbit.ax Checkin 2 (trojan.rules)
2802830 - ETPRO TROJAN Win32.Banksun.A Checkin (trojan.rules)
2802831 - ETPRO TROJAN Win32.Vilsel.baqb Checkin (trojan.rules)
2802840 - ETPRO TROJAN Generic Checkin/Trojan.VAJO (trojan.rules)
2802847 - ETPRO TROJAN Trojan.W32.Qakbot Checkin 1 (trojan.rules)
2802866 - ETPRO TROJAN Trojan.Win32.Vodvit.A Checkin 1 (trojan.rules)
2802867 - ETPRO TROJAN Trojan.Win32.Vodvit.A Checkin 2 (trojan.rules)
2802870 - ETPRO TROJAN RogueSoftware.Win32.MacDefender Buy Screen (trojan.rules)
2802871 - ETPRO TROJAN RogueSoftware.Win32.WinWebSec Buy Screen (trojan.rules)
2802900 - ETPRO TROJAN Trojan-PSW.Win32.QQShou.ape Checkin (trojan.rules)
2802967 - ETPRO TROJAN Backdoor.Win32.Hassar.A Checkin (trojan.rules)
2803015 - ETPRO TROJAN Backdoor.Win32.Briewots.A Checkin (trojan.rules)
2803060 - ETPRO TROJAN Win32.Coinbit.A Reporting (trojan.rules)

[---]         Removed rules:         [---]

2829893 - ETPRO TROJAN Win32/GandCrab Ransomware CnC Activity M2 (trojan.rules)
2830136 - ETPRO USER_AGENTS Suspicious User-Agent (=Mozilla) (user_agents.rules)

Date:
Summary title:
7 new Open, 22 new Pro (7 + 15). GandCrab, CVE-2013-2618, W32/Rodecap.StealRat, Various Phishing, Various Mobile.