Daily Ruleset Update Summary 2018/09/19

[***]            Summary:            [***]

102 new Open, 126 new Pro (102 + 24). APT-C-23 C2 Domains, Win32.ActiveAgent, MSIL/Acrux Miner Stealer, MSIL/MinerLoader, Various Phishing.

[+++]          Added rules:          [+++]

Open:

2026115 - ET MOBILE_MALWARE Android APT-C-23 (1jve .com in DNS Lookup) (mobile_malware.rules)
2026116 - ET MOBILE_MALWARE Android APT-C-23 (1jve .com in TLS SNI) (mobile_malware.rules)
2026117 - ET MOBILE_MALWARE Android APT-C-23 (clarke-taylor .life in DNS Lookup) (mobile_malware.rules)
2026118 - ET MOBILE_MALWARE Android APT-C-23 (clarke-taylor .life in TLS SNI) (mobile_malware.rules)
2026119 - ET MOBILE_MALWARE Android APT-C-23 (hcttmail .com in DNS Lookup) (mobile_malware.rules)
2026120 - ET MOBILE_MALWARE Android APT-C-23 (hcttmail .com in TLS SNI) (mobile_malware.rules)
2026121 - ET MOBILE_MALWARE Android APT-C-23 (mail-presidency .com in DNS Lookup) (mobile_malware.rules)
2026122 - ET MOBILE_MALWARE Android APT-C-23 (mail-presidency .com in TLS SNI) (mobile_malware.rules)
2026123 - ET MOBILE_MALWARE Android APT-C-23 (aamir-khan .site in DNS Lookup) (mobile_malware.rules)
2026124 - ET MOBILE_MALWARE Android APT-C-23 (aamir-khan .site in TLS SNI) (mobile_malware.rules)
2026125 - ET MOBILE_MALWARE Android APT-C-23 (daario-naharis .info in DNS Lookup) (mobile_malware.rules)
2026126 - ET MOBILE_MALWARE Android APT-C-23 (daario-naharis .info in TLS SNI) (mobile_malware.rules)
2026127 - ET MOBILE_MALWARE Android APT-C-23 (help-live .club in DNS Lookup) (mobile_malware.rules)
2026128 - ET MOBILE_MALWARE Android APT-C-23 (help-live .club in TLS SNI) (mobile_malware.rules)
2026129 - ET MOBILE_MALWARE Android APT-C-23 (margaery-tyrell .info in DNS Lookup) (mobile_malware.rules)
2026130 - ET MOBILE_MALWARE Android APT-C-23 (margaery-tyrell .info in TLS SNI) (mobile_malware.rules)
2026131 - ET MOBILE_MALWARE Android APT-C-23 (accaunts-googlc .com in DNS Lookup) (mobile_malware.rules)
2026132 - ET MOBILE_MALWARE Android APT-C-23 (accaunts-googlc .com in TLS SNI) (mobile_malware.rules)
2026133 - ET MOBILE_MALWARE Android APT-C-23 (dachfunny .club in DNS Lookup) (mobile_malware.rules)
2026134 - ET MOBILE_MALWARE Android APT-C-23 (dachfunny .club in TLS SNI) (mobile_malware.rules)
2026135 - ET MOBILE_MALWARE Android APT-C-23 (help-sec .club in DNS Lookup) (mobile_malware.rules)
2026136 - ET MOBILE_MALWARE Android APT-C-23 (help-sec .club in TLS SNI) (mobile_malware.rules)
2026137 - ET MOBILE_MALWARE Android APT-C-23 (maria-bouchard .website in DNS Lookup) (mobile_malware.rules)
2026138 - ET MOBILE_MALWARE Android APT-C-23 (maria-bouchard .website in TLS SNI) (mobile_malware.rules)
2026139 - ET MOBILE_MALWARE Android APT-C-23 (account-gocgle .com in DNS Lookup) (mobile_malware.rules)
2026140 - ET MOBILE_MALWARE Android APT-C-23 (account-gocgle .com in TLS SNI) (mobile_malware.rules)
2026141 - ET MOBILE_MALWARE Android APT-C-23 (dachfunny .us in DNS Lookup) (mobile_malware.rules)
2026142 - ET MOBILE_MALWARE Android APT-C-23 (dachfunny .us in TLS SNI) (mobile_malware.rules)
2026143 - ET MOBILE_MALWARE Android APT-C-23 (heyapp .website in DNS Lookup) (mobile_malware.rules)
2026144 - ET MOBILE_MALWARE Android APT-C-23 (heyapp .website in TLS SNI) (mobile_malware.rules)
2026145 - ET MOBILE_MALWARE Android APT-C-23 (marklavi .com in DNS Lookup) (mobile_malware.rules)
2026146 - ET MOBILE_MALWARE Android APT-C-23 (marklavi .com in TLS SNI) (mobile_malware.rules)
2026147 - ET MOBILE_MALWARE Android APT-C-23 (account-googlc .com in DNS Lookup) (mobile_malware.rules)
2026148 - ET MOBILE_MALWARE Android APT-C-23 (account-googlc .com in TLS SNI) (mobile_malware.rules)
2026149 - ET MOBILE_MALWARE Android APT-C-23 (dardash .club in DNS Lookup) (mobile_malware.rules)
2026150 - ET MOBILE_MALWARE Android APT-C-23 (dardash .club in TLS SNI) (mobile_malware.rules)
2026151 - ET MOBILE_MALWARE Android APT-C-23 (hitmesanjjoy .pro in DNS Lookup) (mobile_malware.rules)
2026152 - ET MOBILE_MALWARE Android APT-C-23 (hitmesanjjoy .pro in TLS SNI) (mobile_malware.rules)
2026153 - ET MOBILE_MALWARE Android APT-C-23 (mary-crawley .com in DNS Lookup) (mobile_malware.rules)
2026154 - ET MOBILE_MALWARE Android APT-C-23 (mary-crawley .com in TLS SNI) (mobile_malware.rules)
2026155 - ET MOBILE_MALWARE Android APT-C-23 (accountforuser .website in DNS Lookup) (mobile_malware.rules)
2026156 - ET MOBILE_MALWARE Android APT-C-23 (accountforuser .website in TLS SNI) (mobile_malware.rules)
2026157 - ET MOBILE_MALWARE Android APT-C-23 (dardash .fun in DNS Lookup) (mobile_malware.rules)
2026158 - ET MOBILE_MALWARE Android APT-C-23 (dardash .fun in TLS SNI) (mobile_malware.rules)
2026159 - ET MOBILE_MALWARE Android APT-C-23 (hoopoechat .com in DNS Lookup) (mobile_malware.rules)
2026160 - ET MOBILE_MALWARE Android APT-C-23 (hoopoechat .com in TLS SNI) (mobile_malware.rules)
2026161 - ET MOBILE_MALWARE Android APT-C-23 (masuka .club in DNS Lookup) (mobile_malware.rules)
2026162 - ET MOBILE_MALWARE Android APT-C-23 (masuka .club in TLS SNI) (mobile_malware.rules)
2026163 - ET MOBILE_MALWARE Android APT-C-23 (accountforusers .website in DNS Lookup) (mobile_malware.rules)
2026164 - ET MOBILE_MALWARE Android APT-C-23 (accountforusers .website in TLS SNI) (mobile_malware.rules)
2026165 - ET MOBILE_MALWARE Android APT-C-23 (dardash .info in DNS Lookup) (mobile_malware.rules)
2026166 - ET MOBILE_MALWARE Android APT-C-23 (dardash .info in TLS SNI) (mobile_malware.rules)
2026167 - ET MOBILE_MALWARE Android APT-C-23 (hotimael .com in DNS Lookup) (mobile_malware.rules)
2026168 - ET MOBILE_MALWARE Android APT-C-23 (hotimael .com in TLS SNI) (mobile_malware.rules)
2026169 - ET MOBILE_MALWARE Android APT-C-23 (matthew-stevens .club in DNS Lookup) (mobile_malware.rules)
2026170 - ET MOBILE_MALWARE Android APT-C-23 (matthew-stevens .club in TLS SNI) (mobile_malware.rules)
2026171 - ET MOBILE_MALWARE Android APT-C-23 (accounts-gocgle .com in DNS Lookup) (mobile_malware.rules)
2026172 - ET MOBILE_MALWARE Android APT-C-23 (accounts-gocgle .com in TLS SNI) (mobile_malware.rules)
2026173 - ET MOBILE_MALWARE Android APT-C-23 (dardash .live in DNS Lookup) (mobile_malware.rules)
2026174 - ET MOBILE_MALWARE Android APT-C-23 (dardash .live in TLS SNI) (mobile_malware.rules)
2026175 - ET MOBILE_MALWARE Android APT-C-23 (hotmailme .website in DNS Lookup) (mobile_malware.rules)
2026176 - ET MOBILE_MALWARE Android APT-C-23 (hotmailme .website in TLS SNI) (mobile_malware.rules)
2026177 - ET MOBILE_MALWARE Android APT-C-23 (mauricefischer .club in DNS Lookup) (mobile_malware.rules)
2026178 - ET MOBILE_MALWARE Android APT-C-23 (mauricefischer .club in TLS SNI) (mobile_malware.rules)
2026179 - ET MOBILE_MALWARE Android APT-C-23 (accounts-googlc .com in DNS Lookup) (mobile_malware.rules)
2026180 - ET MOBILE_MALWARE Android APT-C-23 (accounts-googlc .com in TLS SNI) (mobile_malware.rules)
2026181 - ET MOBILE_MALWARE Android APT-C-23 (david-mclean .club in DNS Lookup) (mobile_malware.rules)
2026182 - ET MOBILE_MALWARE Android APT-C-23 (david-mclean .club in TLS SNI) (mobile_malware.rules)
2026183 - ET MOBILE_MALWARE Android APT-C-23 (italk-chat .com in DNS Lookup) (mobile_malware.rules)
2026184 - ET MOBILE_MALWARE Android APT-C-23 (italk-chat .com in TLS SNI) (mobile_malware.rules)
2026185 - ET MOBILE_MALWARE Android APT-C-23 (max-eleanor .info in DNS Lookup) (mobile_malware.rules)
2026186 - ET MOBILE_MALWARE Android APT-C-23 (max-eleanor .info in TLS SNI) (mobile_malware.rules)
2026187 - ET MOBILE_MALWARE Android APT-C-23 (accountusers .website in DNS Lookup) (mobile_malware.rules)
2026188 - ET MOBILE_MALWARE Android APT-C-23 (accountusers .website in TLS SNI) (mobile_malware.rules)
2026189 - ET MOBILE_MALWARE Android APT-C-23 (david-moris .website in DNS Lookup) (mobile_malware.rules)
2026190 - ET MOBILE_MALWARE Android APT-C-23 (david-moris .website in TLS SNI) (mobile_malware.rules)
2026191 - ET MOBILE_MALWARE Android APT-C-23 (italk-chat .info in DNS Lookup) (mobile_malware.rules)
2026192 - ET MOBILE_MALWARE Android APT-C-23 (italk-chat .info in TLS SNI) (mobile_malware.rules)
2026193 - ET MOBILE_MALWARE Android APT-C-23 (max-mayfield .com in DNS Lookup) (mobile_malware.rules)
2026194 - ET MOBILE_MALWARE Android APT-C-23 (max-mayfield .com in TLS SNI) (mobile_malware.rules)
2026195 - ET MOBILE_MALWARE Android APT-C-23 (accuant-googlc .com in DNS Lookup) (mobile_malware.rules)
2026196 - ET MOBILE_MALWARE Android APT-C-23 (accuant-googlc .com in TLS SNI) (mobile_malware.rules)
2026197 - ET MOBILE_MALWARE Android APT-C-23 (davina-claire .xyz in DNS Lookup) (mobile_malware.rules)
2026198 - ET MOBILE_MALWARE Android APT-C-23 (davina-claire .xyz in TLS SNI) (mobile_malware.rules)
2026199 - ET MOBILE_MALWARE Android APT-C-23 (jack-wagner .website in DNS Lookup) (mobile_malware.rules)
2026200 - ET MOBILE_MALWARE Android APT-C-23 (jack-wagner .website in TLS SNI) (mobile_malware.rules)
2026201 - ET MOBILE_MALWARE Android APT-C-23 (maxlight .us in DNS Lookup) (mobile_malware.rules)
2026202 - ET MOBILE_MALWARE Android APT-C-23 (maxlight .us in TLS SNI) (mobile_malware.rules)
2026203 - ET MOBILE_MALWARE Android APT-C-23 (activedardash .club in DNS Lookup) (mobile_malware.rules)
2026204 - ET MOBILE_MALWARE Android APT-C-23 (activedardash .club in TLS SNI) (mobile_malware.rules)
2026205 - ET MOBILE_MALWARE Android APT-C-23 (davos-seaworth .info in DNS Lookup) (mobile_malware.rules)
2026206 - ET MOBILE_MALWARE Android APT-C-23 (davos-seaworth .info in TLS SNI) (mobile_malware.rules)
2026207 - ET MOBILE_MALWARE Android APT-C-23 (james-charles .club in DNS Lookup) (mobile_malware.rules)
2026208 - ET MOBILE_MALWARE Android APT-C-23 (james-charles .club in TLS SNI) (mobile_malware.rules)
2026209 - ET MOBILE_MALWARE Android APT-C-23 (mediauploader .info in DNS Lookup) (mobile_malware.rules)
2026210 - ET MOBILE_MALWARE Android APT-C-23 (mediauploader .info in TLS SNI) (mobile_malware.rules)
2026211 - ET MOBILE_MALWARE Android APT-C-23 (alain .ps in DNS Lookup) (mobile_malware.rules)
2026212 - ET MOBILE_MALWARE Android APT-C-23 (alain .ps in TLS SNI) (mobile_malware.rules)
2026213 - ET MOBILE_MALWARE Android APT-C-23 (debra-morgan .com in DNS Lookup) (mobile_malware.rules)
2026214 - ET MOBILE_MALWARE Android APT-C-23 (debra-morgan .com in TLS SNI) (mobile_malware.rules)
2026215 - ET CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Exfil Domain) (current_events.rules)
2026216 - ET INFO External IP Lookup Domain (up .jkc8 .com) (info.rules)

Pro:

2832636 - ETPRO TROJAN Suspicious UA (sjd32DSKJF9Ssf) (trojan.rules)
2832674 - ETPRO TROJAN Win32.ActiveAgent CnC Checkin (trojan.rules)
2832675 - ETPRO TROJAN Win32.ActiveAgent CnC Create (trojan.rules)
2832676 - ETPRO TROJAN Win32.ActiveAgent CnC Config/Tasks DL (trojan.rules)
2832677 - ETPRO TROJAN Win32.ActiveAgent CnC Screenshot Upload (trojan.rules)
2832678 - ETPRO TROJAN Win32.ActiveAgent CnC app_data Upload (trojan.rules)
2832679 - ETPRO TROJAN W32/Kutaki Checkin M2 (trojan.rules)
2832680 - ETPRO EXPLOIT NUUO NVR Peekaboo Vulnerability Check Inbound (exploit.rules)
2832681 - ETPRO EXPLOIT NUUO NVRMini2 3.8 RCE Inbound (exploit.rules)
2832682 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-19 1) (trojan.rules)
2832683 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-19 2) (trojan.rules)
2832684 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-19 3) (trojan.rules)
2832685 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-19 4) (trojan.rules)
2832686 - ETPRO TROJAN MSIL/Acrux Miner Stealer CnC Checkin (trojan.rules)
2832687 - ETPRO TROJAN MSIL/Acrux Miner Stealer Sending Logs to CnC (trojan.rules)
2832688 - ETPRO TROJAN MSIL/MinerLoader CnC Checkin (trojan.rules)
2832689 - ETPRO CURRENT_EVENTS Successful Linkedin Phish 2018-09-19 (current_events.rules)
2832690 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish 2018-09-19 (current_events.rules)
2832691 - ETPRO CURRENT_EVENTS Successful Apple Phish 2018-09-19 (current_events.rules)
2832692 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish 2018-09-19 (current_events.rules)
2832693 - ETPRO CURRENT_EVENTS Successful New File Phish 2018-09-19 (current_events.rules)
2832694 - ETPRO CURRENT_EVENTS Successful DHL Phish 2018-09-19 (current_events.rules)
2832695 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2018-09-19 (current_events.rules)
2832696 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2018-09-19 (current_events.rules)

[///]     Modified active rules:     [///]

2810382 - ETPRO TROJAN CoinMiner Known malicious stratum authline (3d812000) (trojan.rules)
2828574 - ETPRO TROJAN ProjectHook POS CnC Checkin (trojan.rules)
2832461 - ETPRO INFO EXE Download From HFS (info.rules)
2832599 - ETPRO TROJAN Win32/Phorpiex VNC Worm Module CnC Checkin (trojan.rules)

[---]  Disabled and modified rules:  [---]

2812067 - ETPRO TROJAN SOGU DNS CnC Channel TXT Lookup (trojan.rules)

[---]         Removed rules:         [---]

2832636 - ETPRO USER_AGENTS Suspicious UA (sjd32DSKJF9Ssf) (user_agents.rules)

Date: Wednesday, September 19, 2018 - 00:00