[***] Summary: [***]
9 new Open, 16 new Pro (9 + 7). Win32/Bisonal, Remcos RAT, Win32/Slimware, Various Mobile.
Thanks: @eSentire
[+++] Added rules: [+++]
Open:
2025920 - ET POLICY IP Check Domain (showmyipaddress .com in HTTP Host) (policy.rules)
2025921 - ET TROJAN [eSentire] Remcos RAT Checkin 24 (trojan.rules)
2025922 - ET TROJAN Win32/Bisonal CnC Checkin (trojan.rules)
2025923 - ET TROJAN Win32/Bisonal RC4 Encrypted 8 Byte Static CnC Checkin (trojan.rules)
2025924 - ET TROJAN Win32/Bisonal DNS Lookup 1 (trojan.rules)
2025925 - ET TROJAN Win32/Bisonal DNS Lookup 2 (trojan.rules)
2025926 - ET TROJAN Win32/Bisonal DNS Lookup 3 (trojan.rules)
2025927 - ET TROJAN Win32/Bisonal DNS Lookup 4 (trojan.rules)
2025928 - ET TROJAN Win32/Bisonal DNS Lookup 5 (trojan.rules)
Pro:
2832018 - ETPRO TROJAN Win32/FlyStudio/Agent.EW Variant CnC Checkin (trojan.rules)
2832019 - ETPRO MALWARE Win32/Slimware PUA CnC Checkin (malware.rules)
2832020 - ETPRO TROJAN Observed Ursnif CnC 2018-07-30 Domain (bybybaby .top in TLS SNI) (trojan.rules)
2832021 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-07-31) (current_events.rules)
2832022 - ETPRO POLICY Observed Suspicious SSL Cert (External IP Address Lookup) (policy.rules)
2832023 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Handda.san Checkin (mobile_malware.rules)
2832024 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Handda.san CnC Beacon (mobile_malware.rules)
[///] Modified active rules: [///]
2008985 - ET POLICY IP Check whatismyip.com Automation Page (policy.rules)
2008986 - ET POLICY IP Check Domain (whatismyip in HTTP Host) (policy.rules)
2008987 - ET POLICY IP Check Domain (showip in HTTP Host) (policy.rules)
2008988 - ET POLICY IP Check Domain (cmyip.com in HTTP Host) (policy.rules)
2008989 - ET POLICY IP Check Domain (showmyip in HTTP Host) (policy.rules)
2009020 - ET POLICY IP Check Domain (whatismyip in HTTP Host) (policy.rules)
2017398 - ET POLICY IP Check Domain (icanhazip. com in HTTP Host) (policy.rules)
2024108 - ET TROJAN KHRAT DragonOK DNS Lookup (inter-ctrip .com) (trojan.rules)
2025880 - ET CURRENT_EVENTS Volexity - JS Sniffer Data Theft Beacon Detected (current_events.rules)
2805815 - ETPRO POLICY IP Check Domain (whatismyipaddress .com in HTTP Host) (policy.rules)
2814702 - ETPRO POLICY IP Check Domain (ip-address .ru in HTTP Host) (policy.rules)
2827749 - ETPRO TROJAN IDKEY/Ghoul Banker Checkin (trojan.rules)
2827750 - ETPRO TROJAN IDKEY/Ghoul Banker Exfil System Info (trojan.rules)
2831894 - ETPRO MOBILE_MALWARE Android/Spy.Agent.ANM CnC Beacon (mobile_malware.rules)
[---] Removed rules: [---]
2012691 - ET POLICY Internal Host visiting Showmyipaddress.com - Possible Trojan (policy.rules)
2805814 - ETPRO POLICY Internal Host Retrieving External IP via whatismyip.everdot.org - Possible Infection (policy.rules)
2805816 - ETPRO POLICY Internal Host Retrieving External IP via showmyipaddress.com - Possible Infection (policy.rules)
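The notice above is the only record of which SIDs were added, modified or retired in this update; the retirements matter in practice because a SID that is removed upstream but still enabled locally (for example 2012691, whose showmyipaddress.com coverage is superseded by the new 2025920) is never refreshed again. The script below is an added example, not Emerging Threats or Proofpoint tooling: it parses the notice format shown on this page, reads a local rules file, and reports the SIDs a maintainer has to act on. The embedded notice text is an excerpt of the lines above; the local rules file is constructed for the example, and its rule bodies and revision numbers are placeholders, not the real ET rule content.

```python
import re
from collections import defaultdict

# Section headers used by the Emerging Threats daily update notice.
SECTION_MARKERS = {
    "[+++] Added rules: [+++]": "added",
    "[///] Modified active rules: [///]": "modified",
    "[---] Removed rules: [---]": "removed",
}

# One entry line of the notice: "<sid> - <msg> (<rules file>)".
# The msg itself may contain parentheses, so the file name is anchored at end of line.
ENTRY_RE = re.compile(r"^(\d+)\s+-\s+(.*?)\s+\(([\w.]+\.rules)\)\s*$")

# "sid:NNNN;" and "rev:N;" inside a Suricata/Snort rule line.
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev:\s*(\d+)\s*;")

# Excerpt of the update notice on this page (constructed subset, same format).
SAMPLE_UPDATE = """\
[+++] Added rules: [+++]
Open:
2025920 - ET POLICY IP Check Domain (showmyipaddress .com in HTTP Host) (policy.rules)
2025922 - ET TROJAN Win32/Bisonal CnC Checkin (trojan.rules)
Pro:
2832018 - ETPRO TROJAN Win32/FlyStudio/Agent.EW Variant CnC Checkin (trojan.rules)
[///] Modified active rules: [///]
2008986 - ET POLICY IP Check Domain (whatismyip in HTTP Host) (policy.rules)
2017398 - ET POLICY IP Check Domain (icanhazip. com in HTTP Host) (policy.rules)
2024108 - ET TROJAN KHRAT DragonOK DNS Lookup (inter-ctrip .com) (trojan.rules)
[---] Removed rules: [---]
2012691 - ET POLICY Internal Host visiting Showmyipaddress.com - Possible Trojan (policy.rules)
2805816 - ETPRO POLICY Internal Host Retrieving External IP via showmyipaddress.com - Possible Infection (policy.rules)
"""

# Constructed local rules file. Rule bodies and rev numbers are placeholders
# (hypothetical), NOT the real Emerging Threats rule content for these SIDs.
SAMPLE_LOCAL_RULES = """\
# local-rules.rules (constructed stand-in)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host visiting Showmyipaddress.com - Possible Trojan"; flow:established,to_server; sid:2012691; rev:4;)
alert dns $HOME_NET any -> any any (msg:"ET TROJAN KHRAT DragonOK DNS Lookup (inter-ctrip .com)"; sid:2024108; rev:2;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (icanhazip. com in HTTP Host)"; sid:2017398; rev:3;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (whatismyip in HTTP Host)"; sid:2008986; rev:5;)
"""


def parse_update(text):
    """Map each notice section to {sid: {"msg", "file", "tier"}}.

    "tier" is "open" or "pro" from the sub-heading inside the Added section
    (None elsewhere), so an Open-only deployment can see which new SIDs it
    will not receive.
    """
    sections = defaultdict(dict)
    section, tier = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_MARKERS:
            section, tier = SECTION_MARKERS[line], None
            continue
        if line in ("Open:", "Pro:"):
            tier = line[:-1].lower()
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            sid, msg, rules_file = int(m.group(1)), m.group(2), m.group(3)
            sections[section][sid] = {"msg": msg, "file": rules_file, "tier": tier}
    return dict(sections)


def parse_local_rules(text):
    """Return {sid: (rev, enabled)} for every rule line in a local rules file.

    A line starting with '#' followed by a rule action is a disabled rule;
    any other '#' line is an ordinary comment and is skipped.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("# ")
        if not body.startswith(("alert", "drop", "reject", "pass")):
            continue
        sid_m, rev_m = SID_RE.search(body), REV_RE.search(body)
        if sid_m:
            rules[int(sid_m.group(1))] = (int(rev_m.group(1)) if rev_m else 0, enabled)
    return rules


def reconcile(update, local):
    """SIDs that need attention after this notice.

    added_missing    - newly published SIDs not present locally (rules not yet pulled)
    modified_stale   - modified SIDs present locally; the notice carries no rev, so any
                       local copy predates the change and must be refreshed
    modified_disabled- modified SIDs that are disabled locally (re-evaluate the tuning)
    removed_enabled  - retired SIDs still enabled locally (stale coverage, disable them)
    """
    added = update.get("added", {})
    modified = update.get("modified", {})
    removed = update.get("removed", {})
    return {
        "added_missing": sorted(s for s in added if s not in local),
        "modified_stale": sorted(s for s in modified if s in local),
        "modified_disabled": sorted(s for s in modified if s in local and not local[s][1]),
        "removed_enabled": sorted(s for s in removed if s in local and local[s][1]),
    }


if __name__ == "__main__":
    findings = reconcile(parse_update(SAMPLE_UPDATE), parse_local_rules(SAMPLE_LOCAL_RULES))
    for key, sids in findings.items():
        print(f"{key}: {sids}")
```

Feed the full notice and the real rules directory in place of the two constructed samples; the `removed_enabled` list is the one to act on first, since those rules will no longer receive upstream fixes and, for the IP-check family, the replacement SIDs listed under Added already cover the same domains.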