Daily Ruleset Update Summary 2018/09/26

[***]            Summary:            [***]

52 new Open, 81 new Pro (52 + 29). APT-C-23 Domains, CVE-2018-8373, Various Phish, Various Mobile.

[+++]          Added rules:          [+++]

Open:

2026364 - ET MOBILE_MALWARE Android APT-C-23 (nightchat .live in TLS SNI) (mobile_malware.rules)
2026365 - ET MOBILE_MALWARE Android APT-C-23 (bob-turco .website in DNS Lookup) (mobile_malware.rules)
2026366 - ET MOBILE_MALWARE Android APT-C-23 (bob-turco .website in TLS SNI) (mobile_malware.rules)
2026367 - ET MOBILE_MALWARE Android APT-C-23 (flirtymania .fun in DNS Lookup) (mobile_malware.rules)
2026368 - ET MOBILE_MALWARE Android APT-C-23 (flirtymania .fun in TLS SNI) (mobile_malware.rules)
2026369 - ET MOBILE_MALWARE Android APT-C-23 (lexi-branson .website in DNS Lookup) (mobile_malware.rules)
2026370 - ET MOBILE_MALWARE Android APT-C-23 (lexi-branson .website in TLS SNI) (mobile_malware.rules)
2026371 - ET MOBILE_MALWARE Android APT-C-23 (nissour-beton .com in DNS Lookup) (mobile_malware.rules)
2026372 - ET MOBILE_MALWARE Android APT-C-23 (nissour-beton .com in TLS SNI) (mobile_malware.rules)
2026373 - ET MOBILE_MALWARE Android APT-C-23 (buymicrosft .com in DNS Lookup) (mobile_malware.rules)
2026374 - ET MOBILE_MALWARE Android APT-C-23 (buymicrosft .com in TLS SNI) (mobile_malware.rules)
2026375 - ET MOBILE_MALWARE Android APT-C-23 (freya .miranda-barlow .website in DNS Lookup) (mobile_malware.rules)
2026376 - ET MOBILE_MALWARE Android APT-C-23 (freya .miranda-barlow .website in TLS SNI) (mobile_malware.rules)
2026377 - ET MOBILE_MALWARE Android APT-C-23 (lincoln-blake .website in DNS Lookup) (mobile_malware.rules)
2026378 - ET MOBILE_MALWARE Android APT-C-23 (lincoln-blake .website in TLS SNI) (mobile_malware.rules)
2026379 - ET MOBILE_MALWARE Android APT-C-23 (octavia-blake .world in DNS Lookup) (mobile_malware.rules)
2026380 - ET MOBILE_MALWARE Android APT-C-23 (octavia-blake .world in TLS SNI) (mobile_malware.rules)
2026381 - ET MOBILE_MALWARE Android APT-C-23 (camilleoconnell .website in DNS Lookup) (mobile_malware.rules)
2026382 - ET MOBILE_MALWARE Android APT-C-23 (camilleoconnell .website in TLS SNI) (mobile_malware.rules)
2026383 - ET MOBILE_MALWARE Android APT-C-23 (geny-wise .com in DNS Lookup) (mobile_malware.rules)
2026384 - ET MOBILE_MALWARE Android APT-C-23 (geny-wise .com in TLS SNI) (mobile_malware.rules)
2026385 - ET MOBILE_MALWARE Android APT-C-23 (lindamullins .info in DNS Lookup) (mobile_malware.rules)
2026386 - ET MOBILE_MALWARE Android APT-C-23 (lindamullins .info in TLS SNI) (mobile_malware.rules)
2026387 - ET MOBILE_MALWARE Android APT-C-23 (olivia-hartman .info in DNS Lookup) (mobile_malware.rules)
2026388 - ET MOBILE_MALWARE Android APT-C-23 (olivia-hartman .info in TLS SNI) (mobile_malware.rules)
2026389 - ET MOBILE_MALWARE Android APT-C-23 (caroline-nina .com in DNS Lookup) (mobile_malware.rules)
2026390 - ET MOBILE_MALWARE Android APT-C-23 (caroline-nina .com in TLS SNI) (mobile_malware.rules)
2026391 - ET MOBILE_MALWARE Android APT-C-23 (gmailservice .us in DNS Lookup) (mobile_malware.rules)
2026392 - ET MOBILE_MALWARE Android APT-C-23 (gmailservice .us in TLS SNI) (mobile_malware.rules)
2026393 - ET MOBILE_MALWARE Android APT-C-23 (liz-keen .website in DNS Lookup) (mobile_malware.rules)
2026394 - ET MOBILE_MALWARE Android APT-C-23 (liz-keen .website in TLS SNI) (mobile_malware.rules)
2026395 - ET MOBILE_MALWARE Android APT-C-23 (oriential .website in DNS Lookup) (mobile_malware.rules)
2026396 - ET MOBILE_MALWARE Android APT-C-23 (oriential .website in TLS SNI) (mobile_malware.rules)
2026397 - ET MOBILE_MALWARE Android APT-C-23 (cassy-gray .club in DNS Lookup) (mobile_malware.rules)
2026398 - ET MOBILE_MALWARE Android APT-C-23 (cassy-gray .club in TLS SNI) (mobile_malware.rules)
2026399 - ET MOBILE_MALWARE Android APT-C-23 (graceygretchen .info in DNS Lookup) (mobile_malware.rules)
2026400 - ET MOBILE_MALWARE Android APT-C-23 (graceygretchen .info in TLS SNI) (mobile_malware.rules)
2026401 - ET MOBILE_MALWARE Android APT-C-23 (login-yohoo .com in DNS Lookup) (mobile_malware.rules)
2026402 - ET MOBILE_MALWARE Android APT-C-23 (login-yohoo .com in TLS SNI) (mobile_malware.rules)
2026403 - ET MOBILE_MALWARE Android APT-C-23 (ososezo .club in DNS Lookup) (mobile_malware.rules)
2026404 - ET MOBILE_MALWARE Android APT-C-23 (ososezo .club in TLS SNI) (mobile_malware.rules)
2026405 - ET MOBILE_MALWARE Android APT-C-23 (cecilia-dobrev .com in DNS Lookup) (mobile_malware.rules)
2026406 - ET MOBILE_MALWARE Android APT-C-23 (cecilia-dobrev .com in TLS SNI) (mobile_malware.rules)
2026407 - ET MOBILE_MALWARE Android APT-C-23 (hareyupnow .club in DNS Lookup) (mobile_malware.rules)
2026408 - ET MOBILE_MALWARE Android APT-C-23 (hareyupnow .club in TLS SNI) (mobile_malware.rules)
2026409 - ET MOBILE_MALWARE Android APT-C-23 (lord-varys .info in DNS Lookup) (mobile_malware.rules)
2026410 - ET MOBILE_MALWARE Android APT-C-23 (lord-varys .info in TLS SNI) (mobile_malware.rules)
2026411 - ET WEB_CLIENT VBscript UAF (CVE-2018-8373) (web_client.rules)
2026412 - ET CURRENT_EVENTS Successful Generic Phish (set) 2018-09-26 (current_events.rules)
2026413 - ET INFO Possible System Enumeration via WMI Queries (AntiVirusProduct) (info.rules)
2026414 - ET INFO Possible System Enumeration via WMI Queries (AntiSpywareProduct) (info.rules)
2026415 - ET INFO Possible System Enumeration via WMI Queries (FirewallProduct) (info.rules)

Pro:

2832798 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 433 (mobile_malware.rules)
2832799 - ETPRO TROJAN MSIL/Quasar RAT Checkin (trojan.rules)
2832800 - ETPRO TROJAN MSIL/Quasar RAT Checkin Response (trojan.rules)
2832801 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-26 1) (trojan.rules)
2832802 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-26 2) (trojan.rules)
2832803 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-09-26 3) (trojan.rules)
2832804 - ETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC) (trojan.rules)
2832805 - ETPRO TROJAN Observed MalDoc DL 2018-09-26 Domain (share .dmca .gripe in TLS SNI) (trojan.rules)
2832806 - ETPRO CURRENT_EVENTS Successful TD Bank Phish 2018-09-26 (current_events.rules)
2832807 - ETPRO CURRENT_EVENTS Successful ATB Bank Phish 2018-09-26 (current_events.rules)
2832808 - ETPRO CURRENT_EVENTS Successful ANB AMRO Bank Phish 2018-09-26 (current_events.rules)
2832809 - ETPRO CURRENT_EVENTS Successful Cox Phish 2018-09-26 (current_events.rules)
2832810 - ETPRO CURRENT_EVENTS Successful Poloniex Phish 2018-09-26 (current_events.rules)
2832811 - ETPRO CURRENT_EVENTS Successful My Softbank Phish 2018-09-26 M1 (current_events.rules)
2832812 - ETPRO CURRENT_EVENTS Successful Softbank Phish 2018-09-26 M2 (current_events.rules)
2832813 - ETPRO CURRENT_EVENTS Successful Poloniex Phish 2018-09-26 (current_events.rules)
2832814 - ETPRO CURRENT_EVENTS Successful DHL Phish 2018-09-26 (current_events.rules)
2832815 - ETPRO TROJAN Parasite/Spytector PWS FTP Exfil M2 (trojan.rules)
2832816 - ETPRO CURRENT_EVENTS Win32/DanaBot CnC Checkin (affid 11) (current_events.rules)
2832817 - ETPRO CURRENT_EVENTS Win32/DanaBot CnC Checkin (affid 12) (current_events.rules)
2832818 - ETPRO CURRENT_EVENTS Win32/DanaBot CnC Checkin (affid 13) (current_events.rules)
2832819 - ETPRO CURRENT_EVENTS Win32/DanaBot CnC Checkin (affid 14) (current_events.rules)
2832820 - ETPRO CURRENT_EVENTS Win32/DanaBot CnC Checkin (affid 15) (current_events.rules)
2832821 - ETPRO CURRENT_EVENTS Win32/DanaBot CnC Checkin (affid 16) (current_events.rules)
2832822 - ETPRO CURRENT_EVENTS Win32/DanaBot CnC Checkin (affid 17) (current_events.rules)
2832823 - ETPRO CURRENT_EVENTS Win32/DanaBot CnC Checkin (affid 18) (current_events.rules)
2832824 - ETPRO CURRENT_EVENTS Win32/DanaBot CnC Checkin (affid 19) (current_events.rules)
2832825 - ETPRO CURRENT_EVENTS Win32/DanaBot CnC Checkin (affid 20) (current_events.rules)
2832826 - ETPRO TROJAN VBS/Frauder.brg Replace Windows Hosts File Inbound (trojan.rules)
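Added example (not Proofpoint or Emerging Threats code): a small Python script that parses rule lines in the "SID - NAME (file.rules)" form used in this summary, refangs the space-defanged domains found in the "in DNS Lookup" / "in TLS SNI" rule names into a host set, and checks an observed hostname against that set so the domains can be pushed to a resolver or proxy blocklist without waiting for the ruleset to load. The sample lines are copied from this summary; the line-shape regexes, the "name .tld" defanging convention and the subdomain-suffix matching are assumptions, because the summary lists rule names, not rule bodies.

```python
"""Parse an ET daily ruleset summary and pull out network indicators.

Added example, not ET/Proofpoint code.  Assumptions: each rule line reads
"SID - ET|ETPRO CATEGORY NAME (file.rules)", domains in rule names are
defanged by inserting a space before each dot ("nightchat .live"), and a
hit on a domain should also cover its subdomains.
"""
import re
from dataclasses import dataclass

# Lines excerpted from this summary so the script runs offline.
SAMPLE = """\
2026364 - ET MOBILE_MALWARE Android APT-C-23 (nightchat .live in TLS SNI) (mobile_malware.rules)
2026365 - ET MOBILE_MALWARE Android APT-C-23 (bob-turco .website in DNS Lookup) (mobile_malware.rules)
2026375 - ET MOBILE_MALWARE Android APT-C-23 (freya .miranda-barlow .website in DNS Lookup) (mobile_malware.rules)
2026411 - ET WEB_CLIENT VBscript UAF (CVE-2018-8373) (web_client.rules)
2832805 - ETPRO TROJAN Observed MalDoc DL 2018-09-26 Domain (share .dmca .gripe in TLS SNI) (trojan.rules)
"""

# SID, tier (ET = Open, ETPRO = Pro), category, free-text name, rules file.
RULE_RE = re.compile(r"^(\d+) - (ET|ETPRO) ([A-Z_]+) (.*) \(([a-z_]+\.rules)\)$")
# "(<defanged domain> in DNS Lookup)" or "(<defanged domain> in TLS SNI)".
IOC_RE = re.compile(r"\(([^()]+?) in (DNS Lookup|TLS SNI)\)")


@dataclass(frozen=True)
class Rule:
    sid: int
    tier: str          # "ET" or "ETPRO"
    category: str      # e.g. MOBILE_MALWARE
    name: str
    ruleset_file: str


def parse_summary(text):
    """Return Rule objects for every line matching the summary shape; skip headers/blanks."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        sid, tier, category, name, ruleset_file = m.groups()
        rules.append(Rule(int(sid), tier, category, name, ruleset_file))
    return rules


def refang(defanged):
    """Collapse the space-before-dot defanging: 'freya .x .website' -> 'freya.x.website'."""
    return re.sub(r"\s+\.", ".", defanged).lower()


def extract_indicators(rules):
    """Map refanged domain -> set of surfaces it is detected on ('dns', 'sni')."""
    indicators = {}
    for rule in rules:
        m = IOC_RE.search(rule.name)
        if not m:
            continue                      # e.g. the CVE-2018-8373 rule has no domain
        domain = refang(m.group(1))
        surface = "dns" if m.group(2) == "DNS Lookup" else "sni"
        indicators.setdefault(domain, set()).add(surface)
    return indicators


def matches_indicator(hostname, indicators):
    """Return the indicator hostname hits (exact or as a subdomain), else None.

    Subdomain matching is an assumption of this example: it walks the label
    suffixes so 'api.nightchat.live' hits 'nightchat.live' while an unrelated
    'notnightchat.live' does not.
    """
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    iocs = extract_indicators(parsed)
    for domain, surfaces in sorted(iocs.items()):
        print(f"{domain:35} {','.join(sorted(surfaces))}")
    for host in ("api.nightchat.live", "notnightchat.live", "share.dmca.gripe"):
        print(host, "->", matches_indicator(host, iocs))
```

Feed it the full summary text instead of SAMPLE to get every APT-C-23 domain in one pass; the "dns"/"sni" surface tags tell you whether a domain is covered on the resolver side, the TLS side, or both.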

[///]     Modified active rules:     [///]

2830701 - ETPRO TROJAN W32/Emotet CnC Checkin (trojan.rules)
2832704 - ETPRO TROJAN Win32/ZeroEvil Stealer CnC Checkin (trojan.rules)
2832774 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (current_events.rules)
2832775 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (current_events.rules)
2832776 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (current_events.rules)
2832777 - ETPRO TROJAN Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (trojan.rules)
2832778 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (current_events.rules)
2832779 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (current_events.rules)
2832780 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (current_events.rules)
2832781 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (current_events.rules)
2832782 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (current_events.rules)

Date: Wednesday, September 26, 2018 - 00:00