Daily Ruleset Update Summary 2018/09/05

[***]            Summary:            [***]

27 new Open, 38 new Pro (27 + 11). Various Inbound PowerShell, OilRig CnC, and Ghostscript rules.

Thanks: @WorldUnruled

[+++]          Added rules:          [+++]

Open:

2026072 - ET TROJAN Malicious Mega Chrome Extension Exfil Domain (www .megaopac .host in DNS Lookup) (trojan.rules)
2026073 - ET TROJAN Malicious Mega Chrome Extension Exfil Domain (www .megaopac .host in TLS SNI) (trojan.rules)
2026074 - ET INFO Inbound PowerShell Checking for Virtual Host (Win32_Fan WMI) (info.rules)
2026075 - ET INFO Inbound PowerShell Checking for Virtual Host (MSAcpi_ThermalZoneTemperature WMI) (info.rules)
2026076 - ET INFO Inbound PowerShell Checking for Virtual Host (Win32_PointingDevice WMI) (info.rules)
2026077 - ET INFO Inbound PowerShell Checking for Virtual Host (Win32_DiskDevice WMI) (info.rules)
2026078 - ET INFO Inbound PowerShell Checking for Virtual Host (Win32_BaseBoard WMI) (info.rules)
2026079 - ET TROJAN OilRig CnC DNS Lookup (defender-update .com) (trojan.rules)
2026080 - ET TROJAN OilRig CnC DNS Lookup (windowspatch .com) (trojan.rules)
2026081 - ET TROJAN OilRig OopsIE CnC Checkin M2 (trojan.rules)
2026082 - ET TROJAN OilRig OopsIE CnC Checkin M3 (trojan.rules)
2026083 - ET TROJAN OilRig OopsIE CnC Checkin M4 (trojan.rules)
2026084 - ET EXPLOIT Ghostscript invalidcheck escape attempt (SMTP) (exploit.rules)
2026085 - ET EXPLOIT Ghostscript invalidcheck escape attempt (exploit.rules)
2026086 - ET EXPLOIT Ghostscript illegal read undefinedfilename attempt (SMTP) (exploit.rules)
2026087 - ET EXPLOIT Ghostscript illegal read undefinedfilename attempt (exploit.rules)
2026088 - ET EXPLOIT Ghostscript illegal delete bindnow attempt (SMTP) (exploit.rules)
2026089 - ET EXPLOIT Ghostscript illegal delete bindnow attempt (exploit.rules)
2026090 - ET EXPLOIT Ghostscript setpattern type confusion attempt (SMTP) (exploit.rules)
2026091 - ET EXPLOIT Ghostscript setpattern type confusion attempt (exploit.rules)
2026092 - ET EXPLOIT Ghostscript LockDistillerParams type confusion attempt (SMTP) (exploit.rules)
2026093 - ET EXPLOIT Ghostscript LockDistillerParams type confusion attempt (exploit.rules)
2026094 - ET EXPLOIT Apache Struts memberAccess and getWriter inbound OGNL injection remote code execution attempt (exploit.rules)
2026095 - ET EXPLOIT Apache Struts memberAccess and opensymphony inbound OGNL injection remote code execution attempt (exploit.rules)
2026096 - ET EXPLOIT Apache Struts getWriter and opensymphony inbound OGNL injection remote code execution attempt (exploit.rules)
2026097 - ET TROJAN Suspected Monero Miner CnC Channel TXT Lookup (trojan.rules)
2026098 - ET TROJAN Suspected Monero Miner CnC Channel Secondary Domain Lookup (trojan.rules)

Pro:

2832456 - ETPRO INFO Inbound PowerShell Checking for Virtual Host (Virtual string check) (info.rules)
2832457 - ETPRO INFO Inbound PowerShell Checking for Virtual Host (VM ware string check) (info.rules)
2832458 - ETPRO CURRENT_EVENTS GreenFlash Sundown EK Flash Exploit (current_events.rules)
2832459 - ETPRO MOBILE_MALWARE AndroidOS.Boogr Checkin 2 (mobile_malware.rules)
2832460 - ETPRO CURRENT_EVENTS GreenFlash Sundown EK Landing Sep 2018 (current_events.rules)
2832461 - ETPRO INFO EXE Download From HFS (info.rules)
2832462 - ETPRO MOBILE_MALWARE AndroidOS.Boogr Checkin 3 (mobile_malware.rules)
2832463 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-05 1) (trojan.rules)
2832464 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-05 2) (trojan.rules)
2832465 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-05 3) (trojan.rules)
2832466 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-05 4) (trojan.rules)

[///]     Modified active rules:     [///]

2024499 - ET TROJAN Win32/BanloadDownloader.XZY Retrieving Payload (trojan.rules)
2812067 - ETPRO TROJAN SOGU DNS CnC Channel TXT Lookup (trojan.rules)
2820289 - ETPRO TROJAN Win32/Spy.Banker.ACTW Checkin (trojan.rules)
2829796 - ETPRO TROJAN OilRig OopsIE CnC Checkin M1 (trojan.rules)

Date: Wednesday, September 5, 2018 - 00:00