Daily Ruleset Update Summary 2018/09/14

[***]            Summary:            [***]

3 new Open, 60 new Pro (3 + 57). Win32/Ramnit, MiniRat Websocket, STOP Ransomware, Various Mobile, Various Phishing.

Thanks: @AttackDetection

[+++]          Added rules:          [+++]

Open:

2026039 - ET MOBILE_MALWARE [PTsecurity] Spyware.BondPath (PathCall/Dingwe) Check-in (mobile_malware.rules)
2026112 - ET CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Exfil) (current_events.rules)
2026113 - ET TROJAN [PTsecurity] Win32/Ramnit Stage 0 Communicating with CnC (trojan.rules)

Pro:

2832557 - ETPRO TROJAN Possible Win32/Zpevdo.A Firefox Exfiltration (trojan.rules)
2832558 - ETPRO TROJAN Possible MiniRat Websocket Init (trojan.rules)
2832566 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 406 (mobile_malware.rules)
2832567 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Shedun Checkin (mobile_malware.rules)
2832568 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Wapnor.a Checkin (mobile_malware.rules)
2832569 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.gDITC Device Info Exfil (mobile_malware.rules)
2832570 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.tqn Checkin (mobile_malware.rules)
2832571 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 407 (mobile_malware.rules)
2832572 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 408 (mobile_malware.rules)
2832573 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 409 (mobile_malware.rules)
2832574 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 410 (mobile_malware.rules)
2832575 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 411 (mobile_malware.rules)
2832576 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-12 3) (trojan.rules)
2832577 - ETPRO TROJAN Win32.Tofsee Variant Checkin (trojan.rules)
2832578 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-13 1) (trojan.rules)
2832579 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-13 2) (trojan.rules)
2832580 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-13 3) (trojan.rules)
2832581 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-13 4) (trojan.rules)
2832582 - ETPRO TROJAN Agent Tesla SSL/TLS Certificate Observed (trojan.rules)
2832583 - ETPRO TROJAN Revcode SSL/TLS Certificate Observed (trojan.rules)
2832584 - ETPRO CURRENT_EVENTS Successful Generic Personalized Phish 2018-09-13 (current_events.rules)
2832585 - ETPRO CURRENT_EVENTS Successful Poloniex Phish 2018-09-13 (current_events.rules)
2832586 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-09-13 M1 (current_events.rules)
2832587 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-09-13 M2 (current_events.rules)
2832588 - ETPRO CURRENT_EVENTS Successful Aruba Webmail Phish 2018-09-13 (current_events.rules)
2832589 - ETPRO CURRENT_EVENTS Successful Booking.com Phish 2018-09-13 M1 (current_events.rules)
2832590 - ETPRO CURRENT_EVENTS Successful Booking.com Phish 2018-09-13 M2 (current_events.rules)
2832591 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2018-09-13 (current_events.rules)
2832592 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-09-13 (current_events.rules)
2832593 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2018-09-13 (current_events.rules)
2832594 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 9) (trojan.rules)
2832595 - ETPRO INFO External IP Lookup Domain (apps .game .qq .com) (info.rules)
2832596 - ETPRO TROJAN Win32/Agent.ZJL CnC Checkin (trojan.rules)
2832597 - ETPRO USER_AGENTS Win32/Agent.ZJL UA (CHM_MSDN) (user_agents.rules)
2832598 - ETPRO TROJAN Win32/Agent.XXYIUO CnC Checkin (trojan.rules)
2832599 - ETPRO TROJAN Win32/Phorpiex VNC Worm Module CnC Checkin (trojan.rules)
2832600 - ETPRO TROJAN STOP Ransomware CnC Checkin (trojan.rules)
2832601 - ETPRO TROJAN STOP Ransomware Response from CnC (trojan.rules)
2832602 - ETPRO POLICY Android Device (Marshmallow OS) Connectivity Check (policy.rules)
2832603 - ETPRO POLICY Android Device (KitKat OS) Connectivity Check (policy.rules)
2832604 - ETPRO TROJAN Win32/PSW.Agent.OFE CnC Checkin (trojan.rules)
2832605 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.hf Checkin (mobile_malware.rules)
2832606 - ETPRO TROJAN Parasite PWS FTP Exfil (trojan.rules)
2832607 - ETPRO POLICY Suspicious Windows Installer UA for non-MSI (policy.rules)
2832608 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 412 (mobile_malware.rules)
2832609 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 413 (mobile_malware.rules)
2832610 - ETPRO CURRENT_EVENTS Successful QNB Finansbank Phish 2018-09-14 (current_events.rules)
2832611 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-09-14 (current_events.rules)
2832612 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2018-09-14 (current_events.rules)
2832613 - ETPRO TROJAN Win32/PlugF CnC Checkin (trojan.rules)
2832614 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-09-14 (current_events.rules)
2832615 - ETPRO CURRENT_EVENTS Successful DHL Phish 2018-09-14 (current_events.rules)
2832616 - ETPRO TROJAN Observed Malicious SSL Cert (JadidBot CnC) (trojan.rules)
2832617 - ETPRO TROJAN W32.Bloat-A Checkin (trojan.rules)
2832618 - ETPRO TROJAN Win32.Unwaders.C Checkin (trojan.rules)
2832619 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-14 1) (trojan.rules)
2832620 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-14 2) (trojan.rules)

[///]     Modified active rules:     [///]

2812067 - ETPRO TROJAN SOGU DNS CnC Channel TXT Lookup (trojan.rules)
2830193 - ETPRO TROJAN Ursnif CnC Checkin (trojan.rules)
2830701 - ETPRO TROJAN W32/Emotet CnC Checkin (trojan.rules)
2832438 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 3) (trojan.rules)
2832502 - ETPRO CURRENT_EVENTS PowerShell Decoding Potential Stage 2 (current_events.rules)
2832542 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 4) (trojan.rules)

[---]  Disabled and modified rules:  [---]

2832410 - ETPRO CURRENT_EVENTS Fallout EK Landing 2018-08-30 M1 (current_events.rules)

[---]         Removed rules:         [---]

2026039 - ET TROJAN [PTsecurity] Spyware.BondPath (PathCall/Dingwe) Check-in (trojan.rules)
2832557 - ETPRO CURRENT_EVENTS Possible Win32/Zpevdo.A Firefox Exfiltration (current_events.rules)
2832558 - ETPRO CURRENT_EVENTS Possible MiniRat Websocket Init (current_events.rules)
2832564 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-12 3) (trojan.rules)

Date: Friday, September 14, 2018 - 00:00