[***]            Summary:            [***]

1 new Open, 21 new Pro (1 + 20). Bateleur, VBScript Engine RCE CVE-2018-8174, TeleRAT.

[+++]          Added rules:          [+++]

Open:

2025585 - ET TROJAN Known Sinkhole Response Header INetSim (trojan.rules)

Pro:

2831027 - ETPRO TROJAN Observed Malicious SSL Cert (Bateleur CnC Domain) (trojan.rules)
2831028 - ETPRO TROJAN Bateleur CnC Domain (cdn-googleservice .com in TLS SNI) (trojan.rules)
2831029 - ETPRO CURRENT_EVENTS Generic PowerShell Downloader Structure Inbound - Possible Stage 2 Payload (current_events.rules)
2831030 - ETPRO POLICY MS Excel File Requested But PE EXE or DLL Returned (policy.rules)
2831031 - ETPRO CURRENT_EVENTS RIG EK DoubleKill IE/VBScript Engine RCE CVE-2018-8174 M1 (current_events.rules)
2831032 - ETPRO CURRENT_EVENTS RIG EK DoubleKill IE/VBScript Engine RCE CVE-2018-8174 M2 (current_events.rules)
2831033 - ETPRO CURRENT_EVENTS RIG EK DoubleKill IE/VBScript Engine RCE CVE-2018-8174 M3 (current_events.rules)
2831034 - ETPRO CURRENT_EVENTS RIG EK DoubleKill IE/VBScript Engine RCE CVE-2018-8174 M4 (current_events.rules)
2831035 - ETPRO CURRENT_EVENTS RIG EK DoubleKill IE/VBScript Engine RCE CVE-2018-8174 M5 (current_events.rules)
2831036 - ETPRO CURRENT_EVENTS RIG EK DoubleKill IE/VBScript Engine RCE CVE-2018-8174 M6 (current_events.rules)
2831037 - ETPRO MOBILE_MALWARE Android/TeleRAT Info Exfil via Telegram API 1 (mobile_malware.rules)
2831038 - ETPRO MOBILE_MALWARE Android/TeleRAT Info Exfil via Telegram API 2 (mobile_malware.rules)
2831039 - ETPRO MOBILE_MALWARE Android/TeleRAT Info Exfil via Telegram API 3 (mobile_malware.rules)
2831040 - ETPRO MOBILE_MALWARE Android/TeleRAT Info Exfil via Telegram API 4 (mobile_malware.rules)
2831041 - ETPRO MOBILE_MALWARE Android/TeleRAT Info Exfil via Telegram API 5 (mobile_malware.rules)
2831042 - ETPRO MOBILE_MALWARE Android/TeleRAT Info Exfil via Telegram API 6 (mobile_malware.rules)
2831043 - ETPRO MOBILE_MALWARE Android/TeleRAT Info Exfil via Telegram API 7 (mobile_malware.rules)
2831044 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-05-25 1) (trojan.rules)
2831045 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-05-25 2) (trojan.rules)
2831046 - ETPRO TROJAN Observed Malicious SSL Cert (Unk.Meterpreter CnC) (trojan.rules)

[///]     Modified active rules:     [///]

2829962 - ETPRO TROJAN APT15 RoyalDNS DNS Lookup 1 (trojan.rules)

[---]  Disabled and modified rules:  [---]

2821014 - ETPRO WEB_CLIENT suspicious .CAB containing single executable file inbound (observed in maldoc campaign) (web_client.rules)

Date: 
Thursday, May 24, 2018 - 22:00