Daily Ruleset Update Summary 2018/04/24

[***]            Summary:            [***]

2 new Open, 26 new Pro (2 + 24). Win32/Satan Cryptor 2.0, PHP/WSO.WebShell, W32/BitvoteMiner, Various Phishing, Various Mobile.

[+++]          Added rules:          [+++]

Open:

2017000 - ET POLICY Connection to previously unallocated address space 1.1.1.0/24 (policy.rules)
2025531 - ET MALWARE Observed Win32/Foniad Domain (suggedin .info in DNS Lookup) (malware.rules)

Pro:

2830529 - ETPRO CURRENT_EVENTS Successful Office 365 Phish 2018-04-23 (current_events.rules)
2830530 - ETPRO TROJAN Remcos RAT Checkin 16 (trojan.rules)
2830531 - ETPRO CURRENT_EVENTS Successful AOL Phish 2018-04-23 (current_events.rules)
2830532 - ETPRO CURRENT_EVENTS Successful Dynamic Paypal Phish 2018-04-23 (current_events.rules)
2830533 - ETPRO TROJAN Win32/Satan Cryptor 2.0 Ransomware Exe DL (trojan.rules)
2830534 - ETPRO WEB_SERVER PHP/WSO.WebShell Access (web_server.rules)
2830535 - ETPRO MOBILE_MALWARE Android Trojan-Spy Simpkol Call Log Exfil (mobile_malware.rules)
2830536 - ETPRO TROJAN W32/BitvoteMiner Checkin (trojan.rules)
2830537 - ETPRO TROJAN W32/BitvoteMiner User Agent (trojan.rules)
2830538 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish 2018-04-24 (current_events.rules)
2830539 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2018-04-24 (current_events.rules)
2830540 - ETPRO CURRENT_EVENTS Successful Generic Phish (Chase/Paypal) 2018-04-24 (current_events.rules)
2830541 - ETPRO CURRENT_EVENTS Successful Chase Phish 2018-04-24 (current_events.rules)
2830542 - ETPRO TROJAN Cobalt Group SSL/TLS Certificate Observed (trojan.rules)
2830543 - ETPRO TROJAN W32.Gh0stRat.F Variant Checkin (trojan.rules)
2830544 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-24 1) (trojan.rules)
2830545 - ETPRO CURRENT_EVENTS MalDoc Retrieving Ursnif Payload 2018-04-24 (current_events.rules)
2830546 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-24 2) (trojan.rules)
2830547 - ETPRO TROJAN Remcos RAT Checkin 17 (trojan.rules)
2830548 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-24 3) (trojan.rules)
2830549 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-24 4) (trojan.rules)
2830550 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-24 5) (trojan.rules)
2830551 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-24 6) (trojan.rules)
2830552 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-24 7) (trojan.rules)

[///]     Modified active rules:     [///]

2009235 - ET TROJAN PWSteal.Bancos Generic Banker Trojan SCR Download (trojan.rules)
2009447 - ET TROJAN TSPY_BANKER.IDV/Infostealer.Bancos Module Download (trojan.rules)
2009471 - ET TROJAN Bancos/Banker Info Stealer Post (trojan.rules)
2009520 - ET TROJAN Urlzone/Bebloh Trojan Check-in (trojan.rules)
2013411 - ET TROJAN Bancos.DV MSSQL CnC Connection Outbound (trojan.rules)
2013513 - ET TROJAN W32/Bancos Reporting (trojan.rules)
2014070 - ET TROJAN Trojan Downloader.Bancos Reporting (trojan.rules)
2015512 - ET TROJAN Urlzone/Bebloh/Bublik Checkin /was/vas.php (trojan.rules)
2015560 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Likely Shylock/URLzone/Gootkit/Zeus Panda C2) (trojan.rules)
2015623 - ET TROJAN Urlzone/Bebloh/Bublik Checkin /was/uid.php (trojan.rules)
2018228 - ET TROJAN Possible PlugX Common Header Struct (trojan.rules)
2018646 - ET TROJAN Infostealer.Bancos Checkin via SMTP (trojan.rules)
2019938 - ET TROJAN Infostealer.Bancos Sending Stolen info SMTP (trojan.rules)
2020216 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (URLzone CnC) (trojan.rules)
2021142 - ET TROJAN Win32/Bancos URL Structure (trojan.rules)
2021439 - ET TROJAN Win32/Bancos.AMM CnC Beacon (trojan.rules)
2022209 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Bancos CnC) (trojan.rules)
2022211 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Bancos CnC) (trojan.rules)
2022888 - ET TROJAN Malicious SSL Certificate Detected (Bancos C2) (trojan.rules)
2024028 - ET TROJAN Infostealer.Bancos ProxyChanger Checkin (trojan.rules)
2024681 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (URLzone) (trojan.rules)
2025433 - ET TROJAN Observed Malicious SSL Cert (Bancos Variant CnC) (trojan.rules)
2803241 - ETPRO TROJAN Win32/Bancos.WO Reporting Infection (trojan.rules)
2803328 - ETPRO TROJAN Win32.Bancos.DI Reporting Infection via Email (trojan.rules)
2803923 - ETPRO TROJAN Troj/Bancos-BIO Checkin (trojan.rules)
2804030 - ETPRO TROJAN Win32/Bancos.DV Reporting via SMTP 1 (trojan.rules)
2804031 - ETPRO TROJAN Win32/Bancos.DV Reporting via SMTP 2 (trojan.rules)
2804032 - ETPRO TROJAN Win32/Bancos.DV Reporting via SMTP 3 (trojan.rules)
2804126 - ETPRO TROJAN TrojanSpy.Win32/Bancos.ADR Checkin (trojan.rules)
2804285 - ETPRO TROJAN TrojanSpy.Win32/Bancos.AAI Reporting via SMTP (trojan.rules)
2804457 - ETPRO TROJAN TrojanSpy.Win32/Bancos.gen!A sending info via smtp (trojan.rules)
2804884 - ETPRO TROJAN Win32/Bancos.DV Checkin (trojan.rules)
2804967 - ETPRO TROJAN Win32/Bancos.AEW Checkin (trojan.rules)
2805670 - ETPRO TROJAN Trojan-Spy.Win32.Bancos.zm!IK Checkin (trojan.rules)
2806037 - ETPRO TROJAN Trojan-Banker.Win32.Bancos.ulx Checkin (trojan.rules)
2806312 - ETPRO TROJAN Win32/Spy.Bancos.OUH Checkin (trojan.rules)
2806372 - ETPRO TROJAN Spy.Bancos.OQI Checkin (trojan.rules)
2807148 - ETPRO TROJAN Win32/Spy.Bancos.OGH Checkin (trojan.rules)
2807221 - ETPRO TROJAN Win32/Spy.Bancos.OUF Checkin via SMTP (trojan.rules)
2807322 - ETPRO TROJAN Win32/Bancos.gen!AJM Checkin (trojan.rules)
2808599 - ETPRO TROJAN Win32/Bancos.DI HTTP callback (trojan.rules)
2808932 - ETPRO TROJAN Win32/Bloodhound.Bancos Checkin (trojan.rules)
2808933 - ETPRO TROJAN TrojanSpy.Win32/Bancos.gen!B Checkin via SMTP (trojan.rules)
2808941 - ETPRO TROJAN Win32/Spy.Bancos.ACW Checkin (trojan.rules)
2809317 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Agent.b Checkin (mobile_malware.rules)
2810063 - ETPRO TROJAN Infostealer.Bancos Checkin via SQL (trojan.rules)
2810064 - ETPRO TROJAN Infostealer.Bancos Server Reply (trojan.rules)
2810076 - ETPRO TROJAN Infostealer.Bancos Checking (trojan.rules)
2810792 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 1 (trojan.rules)
2810793 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 2 (trojan.rules)
2810794 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 3 (trojan.rules)
2810795 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 4 (trojan.rules)
2810797 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 6 (trojan.rules)
2810798 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 7 (trojan.rules)
2810799 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 8 (trojan.rules)
2810800 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 9 (trojan.rules)
2810801 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 10 (trojan.rules)
2810802 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 11 (trojan.rules)
2810803 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 12 (trojan.rules)
2810804 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 13 (trojan.rules)
2810805 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 14 (trojan.rules)
2810806 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 15 (trojan.rules)
2810807 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 16 (trojan.rules)
2811000 - ETPRO TROJAN Win32/Bancos.YW Checkin (trojan.rules)
2812781 - ETPRO TROJAN VBE Bancos Download (trojan.rules)
2812961 - ETPRO TROJAN Trojan/Banker.Bancos.deq Checkin (trojan.rules)
2812967 - ETPRO TROJAN Trojan/Banker.Bancos.deq Retrieving C2 (trojan.rules)
2813093 - ETPRO TROJAN Infostealer.Bancos Variant SMTP Beacon (trojan.rules)
2814014 - ETPRO TROJAN Win32/Bancos.EC Activity (trojan.rules)
2814312 - ETPRO TROJAN Win32/Bancos.AMM CnC Beacon 2 (trojan.rules)
2815861 - ETPRO TROJAN URLzone/Bebloh/Shiotob Injects SSL Certificate Detected (trojan.rules)
2820555 - ETPRO TROJAN URLzone/Bebloh/Shiotob Injects SSL Certificate Detected (trojan.rules)
2821626 - ETPRO TROJAN MSIL/Bancos Variant CnC Checkin (trojan.rules)
2821695 - ETPRO TROJAN MSIL/Bancos Variant CnC Activity (trojan.rules)
2825341 - ETPRO TROJAN Bancos Variant CnC Beacon (trojan.rules)
2825362 - ETPRO TROJAN Bancos Variant CnC Beacon (trojan.rules)
2827244 - ETPRO TROJAN Observed Malicious SSL Cert (URLZone CnC) (trojan.rules)
2828062 - ETPRO TROJAN MSIL/Bancos Variant CnC Checkin (trojan.rules)
2828958 - ETPRO TROJAN Win32/Satan Cryptor 2.0 Ransomware CnC Activity (trojan.rules)
2829075 - ETPRO TROJAN Observed Malicious SSL Cert (URLZone CnC) (trojan.rules)
2829147 - ETPRO TROJAN MSIL/Bancos Variant CnC Checkin (trojan.rules)
2829262 - ETPRO TROJAN MSIL/Bancos Variant.DZO CnC Checkin (trojan.rules)
2829423 - ETPRO TROJAN RubyMiner CnC/Dropzone DNS Lookup 1 (trojan.rules)
2829424 - ETPRO TROJAN RubyMiner CnC/Dropzone DNS Lookup 2 (trojan.rules)
2829425 - ETPRO TROJAN RubyMiner CnC/Dropzone DNS Lookup 3 (trojan.rules)
2829540 - ETPRO TROJAN Observed Malicious SSL Cert (Bancos Variant Downloader) (trojan.rules)
2829541 - ETPRO TROJAN Observed Malicious SSL Cert (Bancos Variant Downloader M2) (trojan.rules)
2829784 - ETPRO TROJAN Observed Malicious SSL Cert (Bancos Variant CnC) (trojan.rules)
2829785 - ETPRO TROJAN Observed Malicious SSL Cert (Bancos Variant CnC 2) (trojan.rules)
2830005 - ETPRO TROJAN MSIL/Bancos Variant CnC Checkin (trojan.rules)
2830010 - ETPRO TROJAN MSIL/GhostFlower Ransomware CnC Checkin (trojan.rules)
2830023 - ETPRO TROJAN MSIL/FasTofu Miner CnC Checkin (trojan.rules)
2830050 - ETPRO TROJAN Observed Malicious SSL Cert (URLZone CnC) (trojan.rules)
2830051 - ETPRO TROJAN Observed Malicious SSL Cert (URLZone CnC) (trojan.rules)
2830052 - ETPRO TROJAN URLZone C2 Domain (donobiran .com in DNS Lookup) (trojan.rules)
2830053 - ETPRO TROJAN URLZone C2 Domain (wetareska .com in DNS Lookup) (trojan.rules)
2830054 - ETPRO TROJAN URLZone C2 Domain (donobiran .com in TLS SNI) (trojan.rules)
2830055 - ETPRO TROJAN URLZone C2 Domain (wetareska .com in TLS SNI) (trojan.rules)
2830089 - ETPRO TROJAN Win32/Ladon Ransomware CnC Checkin (trojan.rules)
2830233 - ETPRO TROJAN URLZone C2 Domain (rebinodar .com in TLS SNI) (trojan.rules)
2830234 - ETPRO TROJAN URLZone C2 Domain (vafersoma .com in TLS SNI) (trojan.rules)
2830235 - ETPRO TROJAN URLZone C2 Domain (bergesoma .com in TLS SNI) (trojan.rules)

[///]    Modified inactive rules:    [///]

2004114 - ET USER_AGENTS Bancos User-Agent Detected vb wininet (user_agents.rules)
2008519 - ET TROJAN Win32.Agent.zrm/Infostealer.Bancos Checkin (trojan.rules)
2009351 - ET TROJAN Urlzone/Bebloh Communication with Controller (trojan.rules)
2009750 - ET TROJAN Banker/Bancos/Infostealer Possible Rootkit - HTTP HEAD Request (trojan.rules)
2801926 - ETPRO TROJAN Trojan.Win32.Bancos.OBQ Checkin 2 (trojan.rules)
2803309 - ETPRO TROJAN Win32.Bancos.QSPN Checkin (trojan.rules)
2804033 - ETPRO TROJAN Win32/Bancos.DV Reporting via SMTP 4 (trojan.rules)
2804034 - ETPRO TROJAN Win32/Bancos.DV Reporting via SMTP 5 (trojan.rules)
2804162 - ETPRO TROJAN Win32/Spy.Bancos.OBT Checkin (trojan.rules)
2804273 - ETPRO TROJAN Win32/Bancos.ACM Checkin (trojan.rules)
2804751 - ETPRO TROJAN Win32/Bancos.AGN Checkin (trojan.rules)
2804801 - ETPRO TROJAN Win32/Bancos.AGP Checkin (trojan.rules)
2804849 - ETPRO TROJAN Win32/Spy.Bancos.OMJ Checkin (trojan.rules)
2804975 - ETPRO TROJAN Trojan-Banker.Win32.Bancos.tge Checkin (trojan.rules)
2805100 - ETPRO TROJAN Win32/Bancos.ACM Checkin 2 (trojan.rules)

[---]         Removed rules:         [---]

2017000 - ET TROJAN Connection to unallocated address space 1.1.1.0/24 (trojan.rules)
2830443 - ETPRO MALWARE Observed Win32/Foniad Domain (suggedin .info in DNS Lookup) (malware.rules)

Date: Tuesday, April 24, 2018 - 00:00