Daily Ruleset Update Summary 2018/10/04

[***]            Summary:            [***]

9 new Open, 28 new Pro (9 + 19). MnuBot, W32.Fack3r, MSIL/Agent.FAO (PTEyes), Win32/DanaBot.

[+++]          Added rules:          [+++]

Open:

2008975 - ET POLICY Suspicious Malformed Double Accept Header (policy.rules)
2026434 - ET TROJAN VBScript Redirect Style Exe File Download (trojan.rules)
2026435 - ET TROJAN Win32.YordanyanActiveAgent CnC Reporting (trojan.rules)
2026436 - ET TROJAN Win32.YordanyanActiveAgent Generic CnC Pattern (trojan.rules)
2026437 - ET TROJAN NCSC XAgent Beacon (trojan.rules)
2026438 - ET TROJAN NCSC XAgent itwm beacon v1 (trojan.rules)
2026439 - ET TROJAN NCSC XAgent itwm beacon v2 (trojan.rules)
2026440 - ET TROJAN NCSC APT28 - CompuTrace_Beacon_UserAgent (trojan.rules)
2026441 - ET TROJAN NCSC APT28 - Web/request -FILE- contenttype (trojan.rules)

Pro:

2832953 - ETPRO TROJAN MnuBot Checkin via MySQL (trojan.rules)
2832954 - ETPRO TROJAN W32.Fack3r Checkin via MySQL (trojan.rules)
2832955 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-10-04) (current_events.rules)
2832956 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (CobInt Downloader) (current_events.rules)
2832957 - ETPRO TROJAN Observed Malicious SSL Cert (CobInt CnC) (trojan.rules)
2832958 - ETPRO TROJAN MSIL/Agent.FAO (PTEyes) MySQL CnC Login Attempt (trojan.rules)
2832960 - ETPRO TROJAN MSIL/Agent.FAO (PTEyes) FTP CnC Activity (MKD ScreenPicture) (trojan.rules)
2832961 - ETPRO TROJAN MSIL/Agent.FAO (PTEyes) FTP CnC Activity (MKD WebcamPicture) (trojan.rules)
2832962 - ETPRO TROJAN MSIL/Agent.FAO (PTEyes) Requesting Commands from MySQL CnC (trojan.rules)
2832963 - ETPRO TROJAN MSIL/Agent.FAO (PTEyes) MySQL CnC Requesting Screenshot of Infected System (trojan.rules)
2832964 - ETPRO TROJAN Observed Malicious SSL Cert (Win32/Downloader.Agent.BH CnC Domain) (trojan.rules)
2832965 - ETPRO TROJAN Win32/Remcos RAT Checkin 52 (trojan.rules)
2832966 - ETPRO POLICY Observed Free File Hosting Domain SSL Cert (a .doko .moe) (policy.rules)
2832967 - ETPRO TROJAN Win32/DanaBot Modules Hex Digest Check (trojan.rules)
2832968 - ETPRO TROJAN Win32/DanaBot Post-Checkin Initial Beacon (trojan.rules)
2832969 - ETPRO TROJAN Win32/DanaBot Requesting Modules (trojan.rules)
2832970 - ETPRO TROJAN Win32/DanaBot Requesting Encrypted Config (trojan.rules)
2832971 - ETPRO TROJAN Win32/DanaBot Sending Data to CnC (trojan.rules)
2832972 - ETPRO TROJAN Win32/DanaBot Sending Screenshot to CnC (screenshot.bmp) (trojan.rules)

[///]     Modified active rules:     [///]

2832674 - ETPRO TROJAN Win32.YordanyanActiveAgent CnC Checkin (trojan.rules)
2832675 - ETPRO TROJAN Win32.YordanyanActiveAgent CnC Create (trojan.rules)
2832676 - ETPRO TROJAN Win32.YordanyanActiveAgent CnC Config/Tasks DL (trojan.rules)
2832677 - ETPRO TROJAN Win32.YordanyanActiveAgent CnC Screenshot Upload (trojan.rules)
2832678 - ETPRO TROJAN Win32.YordanyanActiveAgent CnC app_data Upload (trojan.rules)
2832935 - ETPRO TROJAN MSIL/Agent.FAO (PTEyes) DNS Lookup (cannotjavac .com) (trojan.rules)

[---]         Removed rules:         [---]

2008975 - ET TROJAN Suspicious Malformed Double Accept Header (trojan.rules)
2819694 - ETPRO TROJAN Possible Locky JS Executable Payload Download (trojan.rules)

Date: Thursday, October 4, 2018 - 00:00