[***] Summary: [***]
3 new Open, 10 new Pro (3 + 7). ADB RCE, MSIL/ps3Logger, MalDocs.
Thanks: @eSentire
[+++] Added rules: [+++]
Open:
2025886 - ET CURRENT_EVENTS [eSentire] DHL Phish Landing July 24 2018 (current_events.rules)
2025887 - ET EXPLOIT Remote Command Execution via Android Debug Bridge (exploit.rules)
2025888 - ET EXPLOIT Remote Command Execution via Android Debug Bridge 2 (exploit.rules)
Pro:
2831953 - ETPRO TROJAN Likely Evil PowerShell Commands via DNS TXT M2 (trojan.rules)
2831954 - ETPRO USER_AGENTS Nullsoft Mozilla UA (NSISDL) (user_agents.rules)
2831955 - ETPRO TROJAN MSIL/ps3Logger CnC Checkin (trojan.rules)
2831956 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL2018-07-24) (current_events.rules)
2831957 - ETPRO CURRENT_EVENTS Observed MalDoc DL2018-07-24 2 Domain (uploader .sx in TLS SNI) (current_events.rules)
2831958 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-24 1) (trojan.rules)
2831959 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-24 2) (trojan.rules)
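The two new ADB rules (2025887, 2025888) match command execution over an exposed Android Debug Bridge service. As an added illustration of what that traffic looks like on the wire, the following Python is not part of this ruleset and does not reproduce the ET signatures' content matches: it builds a constructed ADB session (CNXN followed by OPEN messages) using the public AOSP ADB wire format (24-byte little-endian header of command, arg0, arg1, data_length, data_check, magic, where magic is command XOR 0xffffffff and data_check is the byte sum of the payload) and then scans a reassembled byte stream for OPEN messages whose service string starts with `shell:`, which is the part a network detection has to see. The sample commands and the `iter_adb_messages`/`find_shell_opens` names are assumptions for the example.

```python
import struct

# ADB wire protocol constants (public AOSP protocol description).
# Every message is a 24-byte little-endian header followed by data_length payload bytes:
#   command, arg0, arg1, data_length, data_check, magic
# magic == command ^ 0xffffffff; data_check == sum of payload bytes (mod 2^32).
A_CNXN = 0x4e584e43  # "CNXN"
A_OPEN = 0x4e45504f  # "OPEN"
HDR = struct.Struct("<6I")


def adb_message(command, arg0, arg1, payload=b""):
    """Build one ADB message (header + payload) exactly as a client would put it on TCP."""
    header = HDR.pack(command, arg0, arg1, len(payload),
                      sum(payload) & 0xffffffff, command ^ 0xffffffff)
    return header + payload


def iter_adb_messages(stream):
    """Yield (command, arg0, arg1, payload) from a reassembled byte stream.

    Stops at the first header whose magic does not match, so unrelated or
    truncated traffic does not produce bogus messages.
    """
    off = 0
    while off + HDR.size <= len(stream):
        command, arg0, arg1, dlen, dcheck, magic = HDR.unpack_from(stream, off)
        if magic != (command ^ 0xffffffff):
            break  # not an ADB header
        payload = stream[off + HDR.size: off + HDR.size + dlen]
        if len(payload) != dlen or (sum(payload) & 0xffffffff) != dcheck:
            break  # truncated or corrupt payload
        yield command, arg0, arg1, payload
        off += HDR.size + dlen


def find_shell_opens(stream):
    """Return the shell command strings carried by OPEN messages for the 'shell:' service.

    An OPEN for 'shell:<cmd>' is the ADB operation that runs <cmd> on the device,
    so this is the event a 'command execution via ADB' signature is interested in.
    Other services (sync:, tcp:, ...) are ignored.
    """
    hits = []
    for command, _, _, payload in iter_adb_messages(stream):
        if command != A_OPEN:
            continue
        service = payload.rstrip(b"\x00")
        if service.startswith(b"shell:"):
            hits.append(service[len(b"shell:"):].decode("utf-8", "replace"))
    return hits


# Constructed sample session (not captured traffic): a client connects and
# opens three services, two of which run shell commands.
SAMPLE_STREAM = (
    adb_message(A_CNXN, 0x01000000, 256 * 1024, b"host::\x00")
    + adb_message(A_OPEN, 1, 0, b"shell:id\x00")
    + adb_message(A_OPEN, 2, 0, b"sync:\x00")
    + adb_message(A_OPEN, 3, 0, b"shell:sh /data/local/tmp/x\x00")
)

if __name__ == "__main__":
    for cmd in find_shell_opens(SAMPLE_STREAM):
        print("ADB shell execution:", cmd)
```

The magic and data_check validation is what keeps this from firing on arbitrary bytes that happen to contain the string `shell:`; a signature that only looks for that substring on the ADB port will be noisier. Note that a device with ADB authentication enabled answers CNXN with an AUTH exchange before any OPEN is accepted, so shell OPENs that are actually honoured are the ones of interest in an alert.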
[///] Modified active rules: [///]
2402000 - ET DROP Dshield Block Listed Source group 1 (dshield.rules)
2403300 - ET CINS Active Threat Intelligence Poor Reputation IP group 1 (ciarmy.rules)
2403301 - ET CINS Active Threat Intelligence Poor Reputation IP group 2 (ciarmy.rules)
2403302 - ET CINS Active Threat Intelligence Poor Reputation IP group 3 (ciarmy.rules)
2403303 - ET CINS Active Threat Intelligence Poor Reputation IP group 4 (ciarmy.rules)
2403304 - ET CINS Active Threat Intelligence Poor Reputation IP group 5 (ciarmy.rules)
2403305 - ET CINS Active Threat Intelligence Poor Reputation IP group 6 (ciarmy.rules)
2403306 - ET CINS Active Threat Intelligence Poor Reputation IP group 7 (ciarmy.rules)
2403307 - ET CINS Active Threat Intelligence Poor Reputation IP group 8 (ciarmy.rules)
2403308 - ET CINS Active Threat Intelligence Poor Reputation IP group 9 (ciarmy.rules)
2403309 - ET CINS Active Threat Intelligence Poor Reputation IP group 10 (ciarmy.rules)
2403310 - ET CINS Active Threat Intelligence Poor Reputation IP group 11 (ciarmy.rules)
2403311 - ET CINS Active Threat Intelligence Poor Reputation IP group 12 (ciarmy.rules)
2403312 - ET CINS Active Threat Intelligence Poor Reputation IP group 13 (ciarmy.rules)
2403313 - ET CINS Active Threat Intelligence Poor Reputation IP group 14 (ciarmy.rules)
2403314 - ET CINS Active Threat Intelligence Poor Reputation IP group 15 (ciarmy.rules)
2403315 - ET CINS Active Threat Intelligence Poor Reputation IP group 16 (ciarmy.rules)
2403316 - ET CINS Active Threat Intelligence Poor Reputation IP group 17 (ciarmy.rules)
2403317 - ET CINS Active Threat Intelligence Poor Reputation IP group 18 (ciarmy.rules)
2403318 - ET CINS Active Threat Intelligence Poor Reputation IP group 19 (ciarmy.rules)
2403319 - ET CINS Active Threat Intelligence Poor Reputation IP group 20 (ciarmy.rules)
2403320 - ET CINS Active Threat Intelligence Poor Reputation IP group 21 (ciarmy.rules)
2403321 - ET CINS Active Threat Intelligence Poor Reputation IP group 22 (ciarmy.rules)
2403322 - ET CINS Active Threat Intelligence Poor Reputation IP group 23 (ciarmy.rules)
2403323 - ET CINS Active Threat Intelligence Poor Reputation IP group 24 (ciarmy.rules)
2403324 - ET CINS Active Threat Intelligence Poor Reputation IP group 25 (ciarmy.rules)
2403325 - ET CINS Active Threat Intelligence Poor Reputation IP group 26 (ciarmy.rules)
2403326 - ET CINS Active Threat Intelligence Poor Reputation IP group 27 (ciarmy.rules)
2403327 - ET CINS Active Threat Intelligence Poor Reputation IP group 28 (ciarmy.rules)
2403328 - ET CINS Active Threat Intelligence Poor Reputation IP group 29 (ciarmy.rules)
2403329 - ET CINS Active Threat Intelligence Poor Reputation IP group 30 (ciarmy.rules)
2403330 - ET CINS Active Threat Intelligence Poor Reputation IP group 31 (ciarmy.rules)
2403331 - ET CINS Active Threat Intelligence Poor Reputation IP group 32 (ciarmy.rules)
2403332 - ET CINS Active Threat Intelligence Poor Reputation IP group 33 (ciarmy.rules)
2403333 - ET CINS Active Threat Intelligence Poor Reputation IP group 34 (ciarmy.rules)
2403334 - ET CINS Active Threat Intelligence Poor Reputation IP group 35 (ciarmy.rules)
2403335 - ET CINS Active Threat Intelligence Poor Reputation IP group 36 (ciarmy.rules)
2403336 - ET CINS Active Threat Intelligence Poor Reputation IP group 37 (ciarmy.rules)
2403337 - ET CINS Active Threat Intelligence Poor Reputation IP group 38 (ciarmy.rules)
2403338 - ET CINS Active Threat Intelligence Poor Reputation IP group 39 (ciarmy.rules)
2403339 - ET CINS Active Threat Intelligence Poor Reputation IP group 40 (ciarmy.rules)
2403340 - ET CINS Active Threat Intelligence Poor Reputation IP group 41 (ciarmy.rules)
2403341 - ET CINS Active Threat Intelligence Poor Reputation IP group 42 (ciarmy.rules)
2403342 - ET CINS Active Threat Intelligence Poor Reputation IP group 43 (ciarmy.rules)
2403343 - ET CINS Active Threat Intelligence Poor Reputation IP group 44 (ciarmy.rules)
2403344 - ET CINS Active Threat Intelligence Poor Reputation IP group 45 (ciarmy.rules)
2403345 - ET CINS Active Threat Intelligence Poor Reputation IP group 46 (ciarmy.rules)
2403346 - ET CINS Active Threat Intelligence Poor Reputation IP group 47 (ciarmy.rules)
2403347 - ET CINS Active Threat Intelligence Poor Reputation IP group 48 (ciarmy.rules)
2403348 - ET CINS Active Threat Intelligence Poor Reputation IP group 49 (ciarmy.rules)
2403349 - ET CINS Active Threat Intelligence Poor Reputation IP group 50 (ciarmy.rules)
2403350 - ET CINS Active Threat Intelligence Poor Reputation IP group 51 (ciarmy.rules)
2403351 - ET CINS Active Threat Intelligence Poor Reputation IP group 52 (ciarmy.rules)
2403352 - ET CINS Active Threat Intelligence Poor Reputation IP group 53 (ciarmy.rules)
2403353 - ET CINS Active Threat Intelligence Poor Reputation IP group 54 (ciarmy.rules)
2403354 - ET CINS Active Threat Intelligence Poor Reputation IP group 55 (ciarmy.rules)
2403355 - ET CINS Active Threat Intelligence Poor Reputation IP group 56 (ciarmy.rules)
2403356 - ET CINS Active Threat Intelligence Poor Reputation IP group 57 (ciarmy.rules)
2403357 - ET CINS Active Threat Intelligence Poor Reputation IP group 58 (ciarmy.rules)
2403358 - ET CINS Active Threat Intelligence Poor Reputation IP group 59 (ciarmy.rules)
2403359 - ET CINS Active Threat Intelligence Poor Reputation IP group 60 (ciarmy.rules)
2403360 - ET CINS Active Threat Intelligence Poor Reputation IP group 61 (ciarmy.rules)
2403361 - ET CINS Active Threat Intelligence Poor Reputation IP group 62 (ciarmy.rules)
2403362 - ET CINS Active Threat Intelligence Poor Reputation IP group 63 (ciarmy.rules)
2403363 - ET CINS Active Threat Intelligence Poor Reputation IP group 64 (ciarmy.rules)
2403364 - ET CINS Active Threat Intelligence Poor Reputation IP group 65 (ciarmy.rules)
2403365 - ET CINS Active Threat Intelligence Poor Reputation IP group 66 (ciarmy.rules)
2403366 - ET CINS Active Threat Intelligence Poor Reputation IP group 67 (ciarmy.rules)
2403367 - ET CINS Active Threat Intelligence Poor Reputation IP group 68 (ciarmy.rules)
2403368 - ET CINS Active Threat Intelligence Poor Reputation IP group 69 (ciarmy.rules)
2403369 - ET CINS Active Threat Intelligence Poor Reputation IP group 70 (ciarmy.rules)
2403370 - ET CINS Active Threat Intelligence Poor Reputation IP group 71 (ciarmy.rules)
2403371 - ET CINS Active Threat Intelligence Poor Reputation IP group 72 (ciarmy.rules)
2403372 - ET CINS Active Threat Intelligence Poor Reputation IP group 73 (ciarmy.rules)
2403373 - ET CINS Active Threat Intelligence Poor Reputation IP group 74 (ciarmy.rules)
2403374 - ET CINS Active Threat Intelligence Poor Reputation IP group 75 (ciarmy.rules)
2403375 - ET CINS Active Threat Intelligence Poor Reputation IP group 76 (ciarmy.rules)
2403376 - ET CINS Active Threat Intelligence Poor Reputation IP group 77 (ciarmy.rules)
2403377 - ET CINS Active Threat Intelligence Poor Reputation IP group 78 (ciarmy.rules)
2403378 - ET CINS Active Threat Intelligence Poor Reputation IP group 79 (ciarmy.rules)
2403379 - ET CINS Active Threat Intelligence Poor Reputation IP group 80 (ciarmy.rules)
2403380 - ET CINS Active Threat Intelligence Poor Reputation IP group 81 (ciarmy.rules)
2403381 - ET CINS Active Threat Intelligence Poor Reputation IP group 82 (ciarmy.rules)
2403382 - ET CINS Active Threat Intelligence Poor Reputation IP group 83 (ciarmy.rules)
2403383 - ET CINS Active Threat Intelligence Poor Reputation IP group 84 (ciarmy.rules)
2403384 - ET CINS Active Threat Intelligence Poor Reputation IP group 85 (ciarmy.rules)
2403385 - ET CINS Active Threat Intelligence Poor Reputation IP group 86 (ciarmy.rules)
2403386 - ET CINS Active Threat Intelligence Poor Reputation IP group 87 (ciarmy.rules)
2403387 - ET CINS Active Threat Intelligence Poor Reputation IP group 88 (ciarmy.rules)
2403388 - ET CINS Active Threat Intelligence Poor Reputation IP group 89 (ciarmy.rules)
2403389 - ET CINS Active Threat Intelligence Poor Reputation IP group 90 (ciarmy.rules)
2403390 - ET CINS Active Threat Intelligence Poor Reputation IP group 91 (ciarmy.rules)
2403391 - ET CINS Active Threat Intelligence Poor Reputation IP group 92 (ciarmy.rules)
2403392 - ET CINS Active Threat Intelligence Poor Reputation IP group 93 (ciarmy.rules)
2403393 - ET CINS Active Threat Intelligence Poor Reputation IP group 94 (ciarmy.rules)
2403394 - ET CINS Active Threat Intelligence Poor Reputation IP group 95 (ciarmy.rules)
2403395 - ET CINS Active Threat Intelligence Poor Reputation IP group 96 (ciarmy.rules)
2403396 - ET CINS Active Threat Intelligence Poor Reputation IP group 97 (ciarmy.rules)
2403397 - ET CINS Active Threat Intelligence Poor Reputation IP group 98 (ciarmy.rules)
2403398 - ET CINS Active Threat Intelligence Poor Reputation IP group 99 (ciarmy.rules)
2403399 - ET CINS Active Threat Intelligence Poor Reputation IP group 100 (ciarmy.rules)
2405000 - ET CNC Shadowserver Reported CnC Server Port 80 Group 1 (botcc.portgrouped.rules)
2405001 - ET CNC Shadowserver Reported CnC Server Port 81 Group 1 (botcc.portgrouped.rules)
2405002 - ET CNC Shadowserver Reported CnC Server Port 443 Group 1 (botcc.portgrouped.rules)
2405003 - ET CNC Shadowserver Reported CnC Server Port 1337 Group 1 (botcc.portgrouped.rules)
2405004 - ET CNC Shadowserver Reported CnC Server Port 2319 Group 1 (botcc.portgrouped.rules)
2405005 - ET CNC Shadowserver Reported CnC Server Port 4042 Group 1 (botcc.portgrouped.rules)
2405006 - ET CNC Shadowserver Reported CnC Server Port 4244 Group 1 (botcc.portgrouped.rules)
2405007 - ET CNC Shadowserver Reported CnC Server Port 6556 Group 1 (botcc.portgrouped.rules)
2405008 - ET CNC Shadowserver Reported CnC Server Port 6667 Group 1 (botcc.portgrouped.rules)
2405009 - ET CNC Shadowserver Reported CnC Server Port 6668 Group 1 (botcc.portgrouped.rules)
2405010 - ET CNC Shadowserver Reported CnC Server Port 6768 Group 1 (botcc.portgrouped.rules)
2405011 - ET CNC Shadowserver Reported CnC Server Port 7000 Group 1 (botcc.portgrouped.rules)
2405012 - ET CNC Shadowserver Reported CnC Server Port 8585 Group 1 (botcc.portgrouped.rules)
2405013 - ET CNC Shadowserver Reported CnC Server Port 9000 Group 1 (botcc.portgrouped.rules)
2405014 - ET CNC Shadowserver Reported CnC Server Port 10324 Group 1 (botcc.portgrouped.rules)
2405015 - ET CNC Shadowserver Reported CnC Server Port 11830 Group 1 (botcc.portgrouped.rules)
2405016 - ET CNC Shadowserver Reported CnC Server Port 13001 Group 1 (botcc.portgrouped.rules)
2405017 - ET CNC Shadowserver Reported CnC Server Port 33333 Group 1 (botcc.portgrouped.rules)
[---] Disabled rules: [---]
2007914 - ET WORM SDBot HTTP Checkin (worm.rules)
2014401 - ET WORM W32/Rimecud /qvod/ff.txt Checkin (worm.rules)
2015489 - ET TROJAN W32/OnlineGame.DaGame Variant CnC Checkin (trojan.rules)
2015521 - ET TROJAN Pakes2 - Server Hello (trojan.rules)
2015528 - ET TROJAN Win32.Agent2.fher Related User-Agent (Microsoft Internet Updater) (trojan.rules)
2015530 - ET TROJAN HTTP Request to RunForestRun DGA Domain 16-alpha.waw.pl (trojan.rules)
2015531 - ET TROJAN DNS Query to RunForestRun DGA Domain 16-alpha.waw.pl (trojan.rules)
2015532 - ET TROJAN Generic - ProxyJudge Reverse Proxy Scoring Activity (trojan.rules)
2015533 - ET TROJAN Karagany checkin (sid5 1) (trojan.rules)
2015534 - ET TROJAN Karagany checkin (sid5 2) (trojan.rules)
2015535 - ET TROJAN ZeroAccess HTTP GET request (trojan.rules)
2015546 - ET TROJAN Trojan Cridex checkin (trojan.rules)
2015587 - ET TROJAN MP-FormGrabber Checkin (trojan.rules)
2015616 - ET TROJAN DOCHTML C&C http directive in HTML comments (trojan.rules)
2015617 - ET TROJAN Smardf/Boaxxe GET to cc.php3 (trojan.rules)
2015635 - ET TROJAN Backdoor.Briba Checkin (trojan.rules)
2015713 - ET TROJAN Dapato Checkin 8 (trojan.rules)
2015719 - ET TROJAN DNS Query to Unknown CnC DGA Domain palauone.com 09/20/12 (trojan.rules)
2015720 - ET TROJAN DNS Query to Unknown CnC DGA Domain traindiscover.com 09/20/12 (trojan.rules)
2015721 - ET TROJAN DNS Query to Unknown CnC DGA Domain manymanyd.com 09/20/12 (trojan.rules)
2015722 - ET TROJAN DNS Query to Unknown CnC DGA Domain whatandwhyeh.com 09/20/12 (trojan.rules)
2015728 - ET TROJAN DNS Query to Unknown CnC DGA Domain bktwenty.com 09/20/12 (trojan.rules)
2015730 - ET TROJAN DNS Query to Unknown CnC DGA Domain sleeveblouse.com 09/20/12 (trojan.rules)
2015736 - ET TROJAN DNS Query to Unknown CnC DGA Domain defmaybe.com 09/25/12 (trojan.rules)
2015741 - ET TROJAN DNS Query to Unknown CnC DGA Domain adbullion.com 09/26/12 (trojan.rules)
2015748 - ET TROJAN Fake Anti-Hacking Tool (trojan.rules)
2015753 - ET TROJAN Pincav.cjvb Checkin (trojan.rules)
2015805 - ET TROJAN Mini-Flame v 4.x C2 HTTP request (trojan.rules)
2015806 - ET TROJAN Mini-Flame v 5.x C2 HTTP request (trojan.rules)
2015824 - ET TROJAN GeckaSeka User-Agent (trojan.rules)
2015825 - ET TROJAN Zeus/Citadel Control Panel Access (Outbound) (trojan.rules)
2015826 - ET TROJAN Zeus/Citadel Control Panel Access (Inbound) (trojan.rules)
2015827 - ET TROJAN Citadel API Access Iframer Controller (Outbound) (trojan.rules)
2015828 - ET TROJAN Citadel API Access IFramer Controller (Inbound) (trojan.rules)
2015829 - ET TROJAN Citadel API Access VNC Controller (Outbound) (trojan.rules)
2015830 - ET TROJAN Citadel API Access VNC Controller (Inbound) (trojan.rules)
2015831 - ET TROJAN Citadel API Access Bot Controller (Outbound) (trojan.rules)
2015832 - ET TROJAN Citadel API Access Bot Controller (Inbound) (trojan.rules)
2015834 - ET TROJAN Citadel API Access Video Controller (Inbound) (trojan.rules)
2015835 - ET TROJAN Smoke Loader C2 Response (trojan.rules)
2015868 - ET TROJAN Backdoor.ADDNEW (DarKDdoser) CnC 1 (trojan.rules)
2015869 - ET TROJAN Backdoor.ADDNEW (DarKDdoser) CnC 2 (trojan.rules)
2015894 - ET TROJAN Unknown FakeAV - /get/*.crp (trojan.rules)
2015902 - ET TROJAN Win32/Kuluoz.B CnC (trojan.rules)
2015903 - ET TROJAN Win32/Kuluoz.B CnC 2 (trojan.rules)
2015904 - ET TROJAN Win32/Kuluoz.B CnC 3 (trojan.rules)
2015999 - ET TROJAN W32/Quarian HTTP Proxy Header (trojan.rules)
2016047 - ET TROJAN W32/Prinimalka Get Task CnC Beacon (trojan.rules)
2016048 - ET TROJAN W32/Prinimalka Configuration Update Request (trojan.rules)
2016049 - ET TROJAN W32/Prinimalka Prinimalka.py Script In CnC Beacon (trojan.rules)
2016051 - ET TROJAN W32.Daws/Sanny CnC POST (trojan.rules)
2016062 - ET TROJAN Linux/Chapro.A Malicious Apache Module CnC Beacon (trojan.rules)
2016087 - ET TROJAN TROJAN Unk_Banker - Check In (trojan.rules)
2016103 - ET TROJAN DNS Reply Sinkhole - Microsoft - 207.46.90.0/24 (trojan.rules)
2016110 - ET TROJAN FakeAV Download antivirus-installer.exe (trojan.rules)
2016124 - ET TROJAN W32/Downloader.FakeFlashPlayer Clientregister.php CnC Beacon (trojan.rules)
2016126 - ET TROJAN W32/Downloader.FakeFlashPlayer Bitensiteler CnC Beacon (trojan.rules)
2016127 - ET TROJAN W32/Downloader.FakeFlashPlayer Kelimeid CnC Beacon (trojan.rules)
2018766 - ET TROJAN DNS Query to Pseudo Random Domain for Web Malware (. mynumber.org) (trojan.rules)
2800819 - ETPRO WORM Worm.Win32.Carrier.ih (infection) (worm.rules)
2801224 - ETPRO WORM Worm.Win32.Soglueda.A Checkin (worm.rules)
2801287 - ETPRO WORM Worm.Win32.Autorun.AAV Checkin (worm.rules)
2801289 - ETPRO WORM Worm.Win32.Slenfbot.G Checkin 1 (worm.rules)
2801291 - ETPRO WORM Worm.Win32.Slenfbot.G Checkin 3 (worm.rules)
2801384 - ETPRO WORM Worm.Win32.Imamihong.A Activity 1 (worm.rules)
2801386 - ETPRO WORM Worm.Win32.Imamihong.A Activity 2 (worm.rules)
2805176 - ETPRO TROJAN Backdoor.Zemra Checkin (trojan.rules)
2805199 - ETPRO TROJAN TrojanDownloader.Win32/Banload.AMU checkin (trojan.rules)
2805461 - ETPRO TROJAN Backdoor.Java.KBP Checkin (trojan.rules)
2805466 - ETPRO TROJAN Tilon Checkin (trojan.rules)
2805470 - ETPRO TROJAN Win32/Zbot Checkin (trojan.rules)
2805510 - ETPRO TROJAN Zeus Checkin (trojan.rules)
2805512 - ETPRO TROJAN PWS-Zbot.gen.anq Checkin (trojan.rules)
2805579 - ETPRO TROJAN Trojan-Spy.Win32.Perfloger.ai Checkin (trojan.rules)
2805581 - ETPRO TROJAN W32.Theals.A at mm Checkin (trojan.rules)
2805586 - ETPRO TROJAN Trojan.Win32.Genome.aaxmm Checkin 1 (trojan.rules)
2805602 - ETPRO TROJAN Mal/Banspy-K sending info via SMTP (trojan.rules)
2805621 - ETPRO TROJAN Trojan-Clicker.Win32.VB.gby Checkin (trojan.rules)
2805654 - ETPRO TROJAN Trojan.Win32.Scar.gqqs Checkin (trojan.rules)
2805671 - ETPRO TROJAN Variant.Barys.1820 Checkin (trojan.rules)
2805721 - ETPRO TROJAN Win32.Winoff Checkin (trojan.rules)
2805842 - ETPRO TROJAN Troj/Ransom-KS / Troj/Matsu-A Checkin (trojan.rules)
[---] Removed rules: [---]
2013739 - ET TROJAN Zeus P2P CnC (trojan.rules)