Daily Ruleset Update Summary 2018/09/28

[***]            Summary:            [***]

7 new Open, 33 new Pro (7 + 26). Underminer EK, Danabot, KJw0rm, VARIOUS Phishing.

[+++]          Added rules:          [+++]

Open:

2026421 - ET CURRENT_EVENTS Underminer EK Key POST (current_events.rules)
2026422 - ET CURRENT_EVENTS Underminer EK Resource File Download M1 (current_events.rules)
2026423 - ET CURRENT_EVENTS Underminer EK Resource File Download M2 (current_events.rules)
2026424 - ET CURRENT_EVENTS Underminer EK Plugin Check (current_events.rules)
2026425 - ET CURRENT_EVENTS Underminer EK Flash/WAV Loader (current_events.rules)
2026426 - ET CURRENT_EVENTS Underminer EK SWF Request (current_events.rules)
2026427 - ET INFO Possibly Malicious VBS Writing to Persistence Registry Location (info.rules)

Pro:

2832377 - ETPRO INFO Possibly Malicious VBScript Executing WScript.Shell Run M2 (info.rules)
2832777 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (current_events.rules)
2832816 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 11) (trojan.rules)
2832817 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 12) (trojan.rules)
2832818 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 13) (trojan.rules)
2832819 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 14) (trojan.rules)
2832820 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 15) (trojan.rules)
2832821 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 16) (trojan.rules)
2832822 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 17) (trojan.rules)
2832823 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 18) (trojan.rules)
2832824 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 19) (trojan.rules)
2832825 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 20) (trojan.rules)
2832849 - ETPRO TROJAN MSIL/Ben Miner Retrieving Config (trojan.rules)
2832850 - ETPRO TROJAN MSIL/TrojanDownloader.Agent.ESU Checkin via FTP (trojan.rules)
2832851 - ETPRO TROJAN MSIL/Agent.BLB Checkin via FTP (trojan.rules)
2832852 - ETPRO CURRENT_EVENTS Successful USAA Phish 2018-09-28 (current_events.rules)
2832853 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish 2018-09-28 (current_events.rules)
2832854 - ETPRO CURRENT_EVENTS Successful Uber Phish 2018-09-28 (current_events.rules)
2832855 - ETPRO CURRENT_EVENTS Successful Netflix Payment Information Phish 2018-09-28 (current_events.rules)
2832856 - ETPRO CURRENT_EVENTS Successful Credit Card Information Phish 2018-09-28 (current_events.rules)
2832857 - ETPRO CURRENT_EVENTS Successful Credit Card Information Phish 2018-09-28 (current_events.rules)
2832858 - ETPRO CURRENT_EVENTS Suspicious PAYMENT Word Document Downloaded (current_events.rules)
2832859 - ETPRO TROJAN Ursnif Variant CnC Checkin (trojan.rules)
2832860 - ETPRO TROJAN VBS/KJw0rm Inbound (trojan.rules)
2832861 - ETPRO TROJAN KJw0rm CnC DNS Lookup (win32server .ddns .net) (trojan.rules)
2832862 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 10) (trojan.rules)

[///]     Modified active rules:     [///]

2025916 - ET CURRENT_EVENTS Possible Underminer EK Landing (current_events.rules)
2026413 - ET INFO Possible System Enumeration via WMI Queries (AntiVirusProduct) (info.rules)
2026414 - ET INFO Possible System Enumeration via WMI Queries (AntiSpywareProduct) (info.rules)
2026415 - ET INFO Possible System Enumeration via WMI Queries (FirewallProduct) (info.rules)
2829398 - ETPRO INFO Possibly Malicious VBScript Executing WScript.Shell Run M1 (info.rules)
2830216 - ETPRO CURRENT_EVENTS Successful Generic Window.Location Phish 2018-04-02 (current_events.rules)
2832438 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 3) (trojan.rules)
2832542 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 4) (trojan.rules)
2832594 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 9) (trojan.rules)
2832774 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (current_events.rules)
2832775 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (current_events.rules)
2832776 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (current_events.rules)
2832778 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (current_events.rules)
2832779 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (current_events.rules)
2832780 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (current_events.rules)
2832781 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (current_events.rules)
2832782 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MageCart Group 4 Staging Domain) (current_events.rules)
2832783 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 8) (trojan.rules)
2832784 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 1) (trojan.rules)
2832785 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 2) (trojan.rules)
2832786 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 5) (trojan.rules)
2832787 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 6) (trojan.rules)
2832788 - ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 7) (trojan.rules)
2832794 - ETPRO TROJAN Observed Malicious SSL Cert (N40 CnC) (trojan.rules)
2832847 - ETPRO TROJAN Win32/Remcos RAT Checkin 49 (trojan.rules)
2832848 - ETPRO TROJAN Win32/Remcos RAT Checkin 50 (trojan.rules)

Date: Friday, September 28, 2018 - 00:00