Daily Ruleset Update Summary 2018/04/16

[***]            Summary:            [***]

18 new Open, 49 new Pro (18 + 31). p0wny Shell Upload, Backdoor.Win32.Volt, Various Phishing, Various Mobile.

Thanks: @illegalfawn

[+++]          Added rules:          [+++]

2025495 - ET INFO Possible EXE Download From Suspicious TLD (.men) - set (info.rules)
2025496 - ET TROJAN Observed GandCrab Payment Domain (gandcrab2pie73et in DNS Lookup) (trojan.rules)
2025497 - ET INFO Possible EXE Download From Suspicious TLD (.webcam) - set (info.rules)
2025498 - ET INFO Possible EXE Download From Suspicious TLD (.yokohama) - set (info.rules)
2025499 - ET INFO Possible EXE Download From Suspicious TLD (.tokyo) - set (info.rules)
2025500 - ET INFO Possible EXE Download From Suspicious TLD (.gq) - set (info.rules)
2025501 - ET INFO Possible EXE Download From Suspicious TLD (.work) - set (info.rules)
2025502 - ET CURRENT_EVENTS Google Drive Phishing Landing 2018-04-14 (current_events.rules)
2025503 - ET CURRENT_EVENTS Successful Halkbank Phish M1 2018-04-16 (current_events.rules)
2025504 - ET CURRENT_EVENTS Successful Halkbank Phish M2 2018-04-16 (current_events.rules)
2025505 - ET CURRENT_EVENTS Successful Facebook Phish 2018-04-16 (current_events.rules)
2025506 - ET CURRENT_EVENTS Successful DenizBank Phish 2018-04-16 (current_events.rules)
2025507 - ET TROJAN ABUSE.CH Locky C2 Domain (dyoravdkiavfkbkx in DNS Lookup) (trojan.rules)
2025508 - ET TROJAN ABUSE.CH Locky C2 Domain (dypmoywmjrevboat in DNS Lookup) (trojan.rules)
2025509 - ET TROJAN ABUSE.CH Locky C2 Domain (jjjooyeohgghgtwn in DNS Lookup) (trojan.rules)
2025510 - ET TROJAN ABUSE.CH Locky C2 Domain (lvanwwbyabcfevyi in DNS Lookup) (trojan.rules)
2025511 - ET TROJAN ABUSE.CH Locky C2 Domain (uxwavkmttywsuynt in DNS Lookup) (trojan.rules)
2025512 - ET TROJAN ABUSE.CH Locky C2 Domain (yaynawvtuqcarjwc in DNS Lookup) (trojan.rules)

Pro:

2830389 - ETPRO TROJAN Xtrat/xRAT CnC DNS Lookup (tautiaos .com) (trojan.rules)
2830390 - ETPRO POLICY Suspicious Dynamic DNS Update Request (policy.rules)
2830391 - ETPRO TROJAN Win32/CoinMiner.Downloader Payload Request (trojan.rules)
2830392 - ETPRO WEB_SERVER Possible p0wny Shell Upload (web_server.rules)
2830393 - ETPRO TROJAN Observed AgentTesla CnC in SNI (trojan.rules)
2830394 - ETPRO TROJAN Observed Malicious SSL Cert (Agent Tesla CnC) (trojan.rules)
2830395 - ETPRO TROJAN AgentTesla CnC DNS Lookup (0ffice365-seccure-email .bid) (trojan.rules)
2830396 - ETPRO TROJAN MSIL/HawkEye.Keylogger CnC Checkin via ESMTP (base64 encoded) (trojan.rules)
2830397 - ETPRO MOBILE_MALWARE Android/RedDrop SmsPay Module Request (mobile_malware.rules)
2830398 - ETPRO MOBILE_MALWARE Android/RedDrop CnC Checkin (mobile_malware.rules)
2830399 - ETPRO CURRENT_EVENTS Successful Email Upgrade Phish 2018-04-16 (current_events.rules)
2830400 - ETPRO CURRENT_EVENTS Successful 000webhostapp Secure Signin Phish 2018-04-16 (current_events.rules)
2830401 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-04-16) (current_events.rules)
2830402 - ETPRO CURRENT_EVENTS Observed MalDoc DL 2018-04-16 Domain (datalogin .support in TLS SNI) (current_events.rules)
2830403 - ETPRO TROJAN Backdoor.Win32.Volt Checkin (trojan.rules)
2830404 - ETPRO CURRENT_EVENTS Successful OneDrive Phish 2018-04-16 (current_events.rules)
2830405 - ETPRO TROJAN Backdoor.Win32.Volt IP Style Check (trojan.rules)
2830406 - ETPRO POLICY Suspicious .wbk File Being Retrieved via MS Office (policy.rules)
2830407 - ETPRO CURRENT_EVENTS Successful Excel/Adobe Online Phish 2018-04-16 (current_events.rules)
2830408 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-04-16 2) (current_events.rules)
2830409 - ETPRO CURRENT_EVENTS Observed MalDoc DL 2018-04-16 2 Domain (trekcon .de in TLS SNI) (current_events.rules)
2830410 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.al Checkin (mobile_malware.rules)
2830411 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-16 1) (trojan.rules)
2830412 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-16 2) (trojan.rules)
2830413 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-16 3) (trojan.rules)
2830414 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-16 4) (trojan.rules)
2830415 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-16 5) (trojan.rules)
2830416 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-16 6) (trojan.rules)
2830417 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-16 7) (trojan.rules)
2830418 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-16 8) (trojan.rules)
2830419 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-16 9) (trojan.rules)

[///]     Modified active rules:     [///]

2016754 - ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com (policy.rules)
2021641 - ET TROJAN LokiBot User-Agent (Charon/Inferno) (trojan.rules)
2024184 - ET CURRENT_EVENTS Successful HM Revenue & Customs Phish M1 Apr 07 2017 (current_events.rules)
2024311 - ET TROJAN LokiBot Cryptocurrency Wallet Exfiltration Detected (trojan.rules)
2024312 - ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 (trojan.rules)
2024313 - ET TROJAN LokiBot Request for C2 Commands Detected M1 (trojan.rules)
2024314 - ET TROJAN LokiBot File Exfiltration Detected (trojan.rules)
2024315 - ET TROJAN LokiBot Keylogger Data Exfiltration Detected M1 (trojan.rules)
2024316 - ET TROJAN LokiBot Screenshot Exfiltration Detected (trojan.rules)
2024317 - ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 (trojan.rules)
2024318 - ET TROJAN LokiBot Request for C2 Commands Detected M2 (trojan.rules)
2024319 - ET TROJAN LokiBot Keylogger Data Exfiltration Detected M2 (trojan.rules)
2025381 - ET TROJAN LokiBot Checkin (trojan.rules)
2025483 - ET TROJAN LokiBot Fake 404 Response (trojan.rules)
2025487 - ET MALWARE Observed Win32/Foniad Domain (maraukog .info in TLS SNI) (malware.rules)
2825766 - ETPRO TROJAN LokiBot Checkin M2 (trojan.rules)
2829455 - ETPRO MOBILE_MALWARE Android/Agent.IW SMS Exfil (mobile_malware.rules)
2830173 - ETPRO TROJAN IcedID/Emotet Certificate Observed M1 (trojan.rules)
2830344 - ETPRO USER_AGENTS LokiBot PowerShell Downloader User-Agent (USR-KL) (user_agents.rules)
2830359 - ETPRO TROJAN LokiBot PowerShell Downloader Domain in SNI (trojan.rules)
2830383 - ETPRO POLICY IP Check DnsStuff (policy.rules)

[---]  Disabled and modified rules:  [---]

2830381 - ETPRO POLICY IP Check Domain (www .dnsstuff .com in DNS Lookup) (policy.rules)
2830382 - ETPRO POLICY IP Check Domain (www .dnsstuff .com in TLS SNI) (policy.rules)

Date: Monday, April 16, 2018 - 00:00