[***]            Summary:            [***]

2 new Open, 26 new Pro (2 + 24). PS/TrojanDownloader.Agent.NNR, LabTechAgent/ConnectWise, Cobalt Group Loader, Various Mobile.

Thanks: @AttackDetection

[+++]          Added rules:          [+++]

Open:

2025583 - ET TROJAN [PTsecurity] PS/TrojanDownloader.Agent.NNR XORed Zip payload (key 0x91) (trojan.rules)
2025584 - ET POLICY HTTPie User-Agent Outbound (policy.rules)

Pro:

2828652 - ETPRO POLICY LabTechAgent/ConnectWise Automate Remote Admin Tool Checkin (policy.rules)
2830974 - ETPRO CURRENT_EVENTS Observed Coinhive In-Browser Mining Script M1 (current_events.rules)
2830975 - ETPRO CURRENT_EVENTS Observed Coinhive In-Browser Mining Script M2 (current_events.rules)
2830976 - ETPRO TROJAN SocketPlayer Yahoo Killswitch DNS Lookup (asdkajkjsdnddasakkkaksjdjndkjansdkswda) (trojan.rules)
2830977 - ETPRO TROJAN SocketPlayer Yahoo Killswitch DNS Lookup (swwdklalksdassssdlkasmkajksjsdnaasdskjndkjansdka) (trojan.rules)
2830978 - ETPRO TROJAN Trickbot Base64 Encoded strings - VirtualAllocEx ReadProcessMemory (trojan.rules)
2830979 - ETPRO CURRENT_EVENTS CoinHive URL Shortener DNS Lookup (current_events.rules)
2830980 - ETPRO CURRENT_EVENTS CoinHive URL Shortener in iframe (current_events.rules)
2830981 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.al Checkin (mobile_malware.rules)
2830982 - ETPRO TROJAN Cobalt Group Loader CnC DNS Lookup 1 (trojan.rules)
2830983 - ETPRO TROJAN Cobalt Group Loader CnC DNS Lookup 2 (trojan.rules)
2830984 - ETPRO TROJAN Cobalt Group Loader CnC Domain (foxsecit .com in TLS SNI) (trojan.rules)
2830985 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Group Loader CnC Domain) (trojan.rules)
2830986 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Group Loader CnC Domain) (trojan.rules)
2830987 - ETPRO TROJAN W32.Kuik Checkin (trojan.rules)
2830988 - ETPRO INFO Invalid Accept Header (text/txt) Outbound (info.rules)
2830989 - ETPRO TROJAN Win32/VBbot.M Checkin (trojan.rules)
2830990 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-05-23) (current_events.rules)
2830991 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-05-23 1) (trojan.rules)
2830992 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-05-23 2) (trojan.rules)
2830993 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 349 (mobile_malware.rules)
2830994 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 350 (mobile_malware.rules)
2830995 - ETPRO TROJAN MSIL/Supreme Miner CnC Checkin (trojan.rules)
2830996 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.pf CnC Beacon (mobile_malware.rules)

[///]     Modified active rules:     [///]

2022486 - ET CURRENT_EVENTS Possible Phishing Landing via GetGoPhish Phishing Tool (current_events.rules)
2022487 - ET CURRENT_EVENTS Successful Phishing Attempt via GetGoPhish Phishing Tool (current_events.rules)
2024779 - ET POLICY DNS Query For Browser Cryptocurrency Mining Domain (policy.rules)
2808656 - ETPRO POLICY LabTech/ConnectWise Automate PC remote control session setup (policy.rules)
2816716 - ETPRO USER_AGENTS LabTech/ConnectWise Automate MSP UA (user_agents.rules)
2816717 - ETPRO POLICY LabTech/ConnectWise Automate MSP Agent Checkin (policy.rules)
2821712 - ETPRO TROJAN LatentBot HTTP POST Checkin (trojan.rules)
2824763 - ETPRO POLICY LabTech/ConnectWise Automate Remote Control Session Activity (policy.rules)
2829351 - ETPRO TROJAN Win32/Downloader.Ursa/APosT.pm CnC Checkin (trojan.rules)
2830410 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.al Checkin - SET (mobile_malware.rules)

[---]         Removed rules:         [---]

2024868 - ET TROJAN Possible Winnti-related DNS Lookup (trojan.rules)
2803852 - ETPRO WEB_CLIENT Microsoft Internet Explorer use-after-free memory corruption (web_client.rules)
2809316 - ETPRO WEB_CLIENT Exchange URL Redirection Vulnerability link (CVE-2014-6336) (web_client.rules)
2828652 - ETPRO MALWARE LabTechAgent PUA CnC Checkin (malware.rules)

Date: Wednesday, May 23, 2018 - 00:00