Daily Ruleset Update Summary 2018/04/13

[***]            Summary:            [***]

8 new Open, 20 new Pro (8 + 12). Win32/Foniad, Drupalgeddon2, MSIL/Bosleo, Various Phishing, Various Mobile.

Thanks: @AttackDetection

[+++]          Added rules:          [+++]

Open:

2025487 - ET MALWARE Observed Win32/Foniad Domain (maraukog .info in TLS SNI) (malware.rules)
2025488 - ET MALWARE Observed Win32/Foniad Domain (acinster .info in TLS SNI) (malware.rules)
2025489 - ET MALWARE Observed Win32/Foniad Domain (aclassigned .info in TLS SNI) (malware.rules)
2025490 - ET MALWARE Observed Win32/Foniad Domain (efishedo .info in TLS SNI) (malware.rules)
2025491 - ET MALWARE Observed Win32/Foniad Domain (enclosely .info in TLS SNI) (malware.rules)
2025492 - ET MALWARE Observed Win32/Foniad Domain (insupposity .info in TLS SNI) (malware.rules)
2025493 - ET MALWARE Observed Win32/Foniad Domain (suggedin .info in TLS SNI) (malware.rules)
2025494 - ET WEB_SPECIFIC_APPS [PT OPEN] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600) (web_specific_apps.rules)

Pro:

2830376 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-04-13) (current_events.rules)
2830377 - ETPRO TROJAN MSIL/Bosleo Miner CnC Checkin (trojan.rules)
2830378 - ETPRO TROJAN MSIL/MariaBot Checkin via MySQL (trojan.rules)
2830379 - ETPRO MOBILE_MALWARE Android/Inmobi.C PUA CnC Checkin (mobile_malware.rules)
2830381 - ETPRO POLICY IP Check Domain (www .dnsstuff .com in DNS Lookup) (policy.rules)
2830382 - ETPRO POLICY IP Check Domain (www .dnsstuff .com in TLS SNI) (policy.rules)
2830383 - ETPRO POLICY IP Check DnsStuff (policy.rules)
2830384 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-13 1) (trojan.rules)
2830385 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-13 2) (trojan.rules)
2830386 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-13 3) (trojan.rules)
2830387 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-13 4) (trojan.rules)
2830388 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-13 5) (trojan.rules)

[///]     Modified active rules:     [///]

2021641 - ET TROJAN LokiBot User-Agent (Charon/Inferno) (trojan.rules)
2024311 - ET TROJAN LokiBot Cryptocurrency Wallet Exfiltration Detected (trojan.rules)
2024312 - ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 (trojan.rules)
2024313 - ET TROJAN LokiBot Request for C2 Commands Detected M1 (trojan.rules)
2024314 - ET TROJAN LokiBot File Exfiltration Detected (trojan.rules)
2024315 - ET TROJAN LokiBot Keylogger Data Exfiltration Detected M1 (trojan.rules)
2024316 - ET TROJAN LokiBot Screenshot Exfiltration Detected (trojan.rules)
2024317 - ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 (trojan.rules)
2024318 - ET TROJAN LokiBot Request for C2 Commands Detected M2 (trojan.rules)
2024319 - ET TROJAN LokiBot Keylogger Data Exfiltration Detected M2 (trojan.rules)
2025381 - ET TROJAN LokiBot Checkin (trojan.rules)
2025483 - ET TROJAN LokiBot Fake 404 Response (trojan.rules)
2825766 - ETPRO TROJAN LokiBot Checkin M2 (trojan.rules)
2830344 - ETPRO USER_AGENTS LokiBot PowerShell Downloader User-Agent (USR-KL) (user_agents.rules)
2830359 - ETPRO TROJAN LokiBot PowerShell Downloader Domain in SNI (trojan.rules)

Date: Friday, April 13, 2018 - 00:00