Daily Ruleset Update Summary 2018/09/20

[***]            Summary:            [***]

122 new Open, 133 new Pro (122 + 11). APT-C-23 C2 Domains, Fbot/Satori CnC, Xbash, JSP.SJavaWebManage WebShell Access.

[+++]          Added rules:          [+++]

Open:

2026217 - ET MOBILE_MALWARE Android APT-C-23 (jimmykudo .online in DNS Lookup) (mobile_malware.rules)
2026218 - ET MOBILE_MALWARE Android APT-C-23 (jimmykudo .online in TLS SNI) (mobile_malware.rules)
2026219 - ET MOBILE_MALWARE Android APT-C-23 (meet-me .chat in DNS Lookup) (mobile_malware.rules)
2026220 - ET MOBILE_MALWARE Android APT-C-23 (meet-me .chat in TLS SNI) (mobile_malware.rules)
2026221 - ET MOBILE_MALWARE Android APT-C-23 (alisonparker .club in DNS Lookup) (mobile_malware.rules)
2026222 - ET MOBILE_MALWARE Android APT-C-23 (alisonparker .club in TLS SNI) (mobile_malware.rules)
2026223 - ET MOBILE_MALWARE Android APT-C-23 (donna-paulsen .info in DNS Lookup) (mobile_malware.rules)
2026224 - ET MOBILE_MALWARE Android APT-C-23 (donna-paulsen .info in TLS SNI) (mobile_malware.rules)
2026225 - ET MOBILE_MALWARE Android APT-C-23 (android-settings .info in TLS SNI) (mobile_malware.rules)
2026226 - ET MOBILE_MALWARE Android APT-C-23 (android-settings .info in DNS Lookup) (mobile_malware.rules)
2026227 - ET MOBILE_MALWARE Android APT-C-23 (easyshow .fun in DNS Lookup) (mobile_malware.rules)
2026228 - ET MOBILE_MALWARE Android APT-C-23 (easyshow .fun in TLS SNI) (mobile_malware.rules)
2026229 - ET MOBILE_MALWARE Android APT-C-23 (jon-snow .pro in DNS Lookup) (mobile_malware.rules)
2026230 - ET MOBILE_MALWARE Android APT-C-23 (jon-snow .pro in TLS SNI) (mobile_malware.rules)
2026231 - ET MOBILE_MALWARE Android APT-C-23 (men-ana .fun in DNS Lookup) (mobile_malware.rules)
2026232 - ET MOBILE_MALWARE Android APT-C-23 (men-ana .fun in TLS SNI) (mobile_malware.rules)
2026233 - ET MOBILE_MALWARE Android APT-C-23 (apkapps .pro in DNS Lookup) (mobile_malware.rules)
2026234 - ET MOBILE_MALWARE Android APT-C-23 (apkapps .pro in TLS SNI) (mobile_malware.rules)
2026235 - ET MOBILE_MALWARE Android APT-C-23 (eleanor-guthrie .info in DNS Lookup) (mobile_malware.rules)
2026236 - ET MOBILE_MALWARE Android APT-C-23 (eleanor-guthrie .info in TLS SNI) (mobile_malware.rules)
2026237 - ET MOBILE_MALWARE Android APT-C-23 (jorah-mormont .info in DNS Lookup) (mobile_malware.rules)
2026238 - ET MOBILE_MALWARE Android APT-C-23 (jorah-mormont .info in TLS SNI) (mobile_malware.rules)
2026239 - ET MOBILE_MALWARE Android APT-C-23 (michael-keaton .info in DNS Lookup) (mobile_malware.rules)
2026240 - ET MOBILE_MALWARE Android APT-C-23 (michael-keaton .info in TLS SNI) (mobile_malware.rules)
2026241 - ET MOBILE_MALWARE Android APT-C-23 (apkapps .site in DNS Lookup) (mobile_malware.rules)
2026242 - ET MOBILE_MALWARE Android APT-C-23 (apkapps .site in TLS SNI) (mobile_malware.rules)
2026243 - ET MOBILE_MALWARE Android APT-C-23 (eleanorguthrie .site in DNS Lookup) (mobile_malware.rules)
2026244 - ET MOBILE_MALWARE Android APT-C-23 (eleanorguthrie .site in TLS SNI) (mobile_malware.rules)
2026245 - ET MOBILE_MALWARE Android APT-C-23 (joycebyers .club in DNS Lookup) (mobile_malware.rules)
2026246 - ET MOBILE_MALWARE Android APT-C-23 (joycebyers .club in TLS SNI) (mobile_malware.rules)
2026247 - ET MOBILE_MALWARE Android APT-C-23 (miranda-barlow .website in DNS Lookup) (mobile_malware.rules)
2026248 - ET MOBILE_MALWARE Android APT-C-23 (miranda-barlow .website in TLS SNI) (mobile_malware.rules)
2026249 - ET MOBILE_MALWARE Android APT-C-23 (appchecker .us in DNS Lookup) (mobile_malware.rules)
2026250 - ET MOBILE_MALWARE Android APT-C-23 (appchecker .us in TLS SNI) (mobile_malware.rules)
2026251 - ET MOBILE_MALWARE Android APT-C-23 (engin-altan .website in DNS Lookup) (mobile_malware.rules)
2026252 - ET MOBILE_MALWARE Android APT-C-23 (engin-altan .website in TLS SNI) (mobile_malware.rules)
2026253 - ET MOBILE_MALWARE Android APT-C-23 (juana .fun in DNS Lookup) (mobile_malware.rules)
2026254 - ET MOBILE_MALWARE Android APT-C-23 (juana .fun in TLS SNI) (mobile_malware.rules)
2026255 - ET MOBILE_MALWARE Android APT-C-23 (miwakosato .club in DNS Lookup) (mobile_malware.rules)
2026256 - ET MOBILE_MALWARE Android APT-C-23 (miwakosato .club in TLS SNI) (mobile_malware.rules)
2026257 - ET MOBILE_MALWARE Android APT-C-23 (appuree .info in DNS Lookup) (mobile_malware.rules)
2026258 - ET MOBILE_MALWARE Android APT-C-23 (appuree .info in TLS SNI) (mobile_malware.rules)
2026259 - ET MOBILE_MALWARE Android APT-C-23 (esofiezo .website in DNS Lookup) (mobile_malware.rules)
2026260 - ET MOBILE_MALWARE Android APT-C-23 (esofiezo .website in TLS SNI) (mobile_malware.rules)
2026261 - ET MOBILE_MALWARE Android APT-C-23 (kaniel-outis .info in DNS Lookup) (mobile_malware.rules)
2026262 - ET MOBILE_MALWARE Android APT-C-23 (kaniel-outis .info in TLS SNI) (mobile_malware.rules)
2026263 - ET MOBILE_MALWARE Android APT-C-23 (mofa-help .site in DNS Lookup) (mobile_malware.rules)
2026264 - ET MOBILE_MALWARE Android APT-C-23 (mofa-help .site in TLS SNI) (mobile_malware.rules)
2026265 - ET MOBILE_MALWARE Android APT-C-23 (arthursaito .club in DNS Lookup) (mobile_malware.rules)
2026266 - ET MOBILE_MALWARE Android APT-C-23 (arthursaito .club in TLS SNI) (mobile_malware.rules)
2026267 - ET MOBILE_MALWARE Android APT-C-23 (everyservices .space in DNS Lookup) (mobile_malware.rules)
2026268 - ET MOBILE_MALWARE Android APT-C-23 (everyservices .space in TLS SNI) (mobile_malware.rules)
2026269 - ET MOBILE_MALWARE Android APT-C-23 (karenwheeler .club in DNS Lookup) (mobile_malware.rules)
2026270 - ET MOBILE_MALWARE Android APT-C-23 (karenwheeler .club in TLS SNI) (mobile_malware.rules)
2026271 - ET MOBILE_MALWARE Android APT-C-23 (moneymotion .club in DNS Lookup) (mobile_malware.rules)
2026272 - ET MOBILE_MALWARE Android APT-C-23 (moneymotion .club in TLS SNI) (mobile_malware.rules)
2026273 - ET MOBILE_MALWARE Android APT-C-23 (aryastark .info in DNS Lookup) (mobile_malware.rules)
2026274 - ET MOBILE_MALWARE Android APT-C-23 (aryastark .info in TLS SNI) (mobile_malware.rules)
2026275 - ET MOBILE_MALWARE Android APT-C-23 (exvsnomy .club in DNS Lookup) (mobile_malware.rules)
2026276 - ET MOBILE_MALWARE Android APT-C-23 (exvsnomy .club in TLS SNI) (mobile_malware.rules)
2026277 - ET MOBILE_MALWARE Android APT-C-23 (kate-austen .info in DNS Lookup) (mobile_malware.rules)
2026278 - ET MOBILE_MALWARE Android APT-C-23 (kate-austen .info in TLS SNI) (mobile_malware.rules)
2026279 - ET MOBILE_MALWARE Android APT-C-23 (myboon .website in DNS Lookup) (mobile_malware.rules)
2026280 - ET MOBILE_MALWARE Android APT-C-23 (myboon .website in TLS SNI) (mobile_malware.rules)
2026281 - ET MOBILE_MALWARE Android APT-C-23 (aslaug-sigurd .info in DNS Lookup) (mobile_malware.rules)
2026282 - ET MOBILE_MALWARE Android APT-C-23 (aslaug-sigurd .info in TLS SNI) (mobile_malware.rules)
2026283 - ET MOBILE_MALWARE Android APT-C-23 (ezofiezo .website in DNS Lookup) (mobile_malware.rules)
2026284 - ET MOBILE_MALWARE Android APT-C-23 (ezofiezo .website in TLS SNI) (mobile_malware.rules)
2026285 - ET MOBILE_MALWARE Android APT-C-23 (katesacker .club in DNS Lookup) (mobile_malware.rules)
2026286 - ET MOBILE_MALWARE Android APT-C-23 (katesacker .club in TLS SNI) (mobile_malware.rules)
2026287 - ET MOBILE_MALWARE Android APT-C-23 (mygift .site in DNS Lookup) (mobile_malware.rules)
2026288 - ET MOBILE_MALWARE Android APT-C-23 (mygift .site in TLS SNI) (mobile_malware.rules)
2026289 - ET MOBILE_MALWARE Android APT-C-23 (assets-acc .club in DNS Lookup) (mobile_malware.rules)
2026290 - ET MOBILE_MALWARE Android APT-C-23 (assets-acc .club in TLS SNI) (mobile_malware.rules)
2026291 - ET MOBILE_MALWARE Android APT-C-23 (face-book-support .email in DNS Lookup) (mobile_malware.rules)
2026292 - ET MOBILE_MALWARE Android APT-C-23 (face-book-support .email in TLS SNI) (mobile_malware.rules)
2026293 - ET MOBILE_MALWARE Android APT-C-23 (katie .party in DNS Lookup) (mobile_malware.rules)
2026294 - ET MOBILE_MALWARE Android APT-C-23 (katie .party in TLS SNI) (mobile_malware.rules)
2026295 - ET MOBILE_MALWARE Android APT-C-23 (mygift .website in DNS Lookup) (mobile_malware.rules)
2026296 - ET MOBILE_MALWARE Android APT-C-23 (mygift .website in TLS SNI) (mobile_malware.rules)
2026297 - ET MOBILE_MALWARE Android APT-C-23 (bbc-learning .com in DNS Lookup) (mobile_malware.rules)
2026298 - ET MOBILE_MALWARE Android APT-C-23 (bbc-learning .com in TLS SNI) (mobile_malware.rules)
2026299 - ET MOBILE_MALWARE Android APT-C-23 (fasebcck .com in DNS Lookup) (mobile_malware.rules)
2026300 - ET MOBILE_MALWARE Android APT-C-23 (fasebcck .com in TLS SNI) (mobile_malware.rules)
2026301 - ET MOBILE_MALWARE Android APT-C-23 (kik-com .com in DNS Lookup) (mobile_malware.rules)
2026302 - ET MOBILE_MALWARE Android APT-C-23 (kik-com .com in TLS SNI) (mobile_malware.rules)
2026303 - ET MOBILE_MALWARE Android APT-C-23 (namybotter .info in DNS Lookup) (mobile_malware.rules)
2026304 - ET MOBILE_MALWARE Android APT-C-23 (namybotter .info in TLS SNI) (mobile_malware.rules)
2026305 - ET MOBILE_MALWARE Android APT-C-23 (bellamy-bob .life in DNS Lookup) (mobile_malware.rules)
2026306 - ET MOBILE_MALWARE Android APT-C-23 (bellamy-bob .life in TLS SNI) (mobile_malware.rules)
2026307 - ET MOBILE_MALWARE Android APT-C-23 (fasebock .info in DNS Lookup) (mobile_malware.rules)
2026308 - ET MOBILE_MALWARE Android APT-C-23 (fasebock .info in TLS SNI) (mobile_malware.rules)
2026309 - ET MOBILE_MALWARE Android APT-C-23 (kristy-milligan .website in DNS Lookup) (mobile_malware.rules)
2026310 - ET MOBILE_MALWARE Android APT-C-23 (kristy-milligan .website in TLS SNI) (mobile_malware.rules)
2026311 - ET MOBILE_MALWARE Android APT-C-23 (namyyeatop .club in DNS Lookup) (mobile_malware.rules)
2026312 - ET MOBILE_MALWARE Android APT-C-23 (namyyeatop .club in TLS SNI) (mobile_malware.rules)
2026313 - ET MOBILE_MALWARE Android APT-C-23 (bestbitloly .website in DNS Lookup) (mobile_malware.rules)
2026314 - ET MOBILE_MALWARE Android APT-C-23 (bestbitloly .website in TLS SNI) (mobile_malware.rules)
2026315 - ET MOBILE_MALWARE Android APT-C-23 (fasebook .cam in DNS Lookup) (mobile_malware.rules)
2026316 - ET MOBILE_MALWARE Android APT-C-23 (fasebook .cam in TLS SNI) (mobile_malware.rules)
2026317 - ET MOBILE_MALWARE Android APT-C-23 (lagertha-lothbrok .info in DNS Lookup) (mobile_malware.rules)
2026318 - ET MOBILE_MALWARE Android APT-C-23 (lagertha-lothbrok .info in TLS SNI) (mobile_malware.rules)
2026319 - ET MOBILE_MALWARE Android APT-C-23 (natemunson .com in DNS Lookup) (mobile_malware.rules)
2026320 - ET MOBILE_MALWARE Android APT-C-23 (natemunson .com in TLS SNI) (mobile_malware.rules)
2026321 - ET MOBILE_MALWARE Android APT-C-23 (billy-bones .info in DNS Lookup) (mobile_malware.rules)
2026322 - ET MOBILE_MALWARE Android APT-C-23 (billy-bones .info in TLS SNI) (mobile_malware.rules)
2026323 - ET TROJAN Fbot Blockchain Based CnC DNS Lookup (musl .lib) (trojan.rules)
2026324 - ET TROJAN Fbot/Satori CnC DNS Lookup (ukrainianhorseriding .com) (trojan.rules)
2026325 - ET TROJAN Fbot/Satori CnC DNS Lookup (rippr .cc) (trojan.rules)
2026326 - ET TROJAN Xbash CnC DNS Lookup (censys .xyz) (trojan.rules)
2026327 - ET TROJAN Xbash CnC DNS Lookup (leakingprivacy .tk) (trojan.rules)
2026328 - ET TROJAN Xbash CnC DNS Lookup (realnewstime .xyz) (trojan.rules)
2026329 - ET TROJAN Xbash CnC DNS Lookup (scanaan .tk) (trojan.rules)
2026330 - ET TROJAN Xbash CnC DNS Lookup (blockbitcoin .com) (trojan.rules)
2026331 - ET TROJAN HTML/Xbash Hex Encoded PowerShell Args Inbound - Stage 1 (trojan.rules)
2026332 - ET TROJAN HTML/Xbash Hex Encoded WScript.Shell Inbound - Stage 1 (trojan.rules)
2026333 - ET TROJAN HTML/Xbash Hex Encoded PS WebClient Object Inbound - Stage 1 (trojan.rules)
2026334 - ET TROJAN Xbash CnC DNS Lookup (vfk2k5s5tfjr27tz .tk) (trojan.rules)
2026335 - ET TROJAN Xbash CnC DNS Lookup (3g2upl4pq6kufc4m .tk) (trojan.rules)
2026336 - ET WEB_SERVER JSP.SJavaWebManage WebShell Access (web_server.rules)
2026337 - ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 1 (web_server.rules)
2026338 - ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 2 (web_server.rules)

Pro:

2832697 - ETPRO TROJAN Zebrocy CnC Checkin M2 (trojan.rules)
2832698 - ETPRO TROJAN WinChePro Checkin (trojan.rules)
2832699 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-19 1) (trojan.rules)
2832700 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-19 2) (trojan.rules)
2832701 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-19 3) (trojan.rules)
2832702 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-19 4) (trojan.rules)
2832703 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-09-20) (current_events.rules)
2832704 - ETPRO TROJAN Win32/ZeroEvil Stealer CnC Activity (trojan.rules)
2832705 - ETPRO TROJAN Win32/ELF Xbash CnC Checkin (trojan.rules)
2832706 - ETPRO CURRENT_EVENTS Known Malicious AdsTerra Publisher (current_events.rules)
2832707 - ETPRO CURRENT_EVENTS Unknown Adfraud/BlackSEO Redirector (aff 027ed88f05536b6c1a41df968c0abb52) (current_events.rules)

[///]     Modified active rules:     [///]

2832636 - ETPRO TROJAN Suspicious UA (sjd32DSKJF9Ssf) (trojan.rules)

[---]         Removed rules:         [---]

2832624 - ETPRO SCAN Potential VNC Scanning - Inbound Traffic (scan.rules)

Date: Thursday, September 20, 2018 - 00:00