Daily Ruleset Update Summary 2018/10/08

[***]            Summary:            [***]

18 new Open, 40 new Pro (18 + 22). Android APT-C-23 Domains, Win32.XpertRAT, Various Maldoc, Mobile.

[+++]          Added rules:          [+++]

Open:

2026442 - ET MOBILE_MALWARE Android APT-C-23 (ososezo .site in DNS Lookup) (mobile_malware.rules)
2026443 - ET MOBILE_MALWARE Android APT-C-23 (ososezo .site in TLS SNI) (mobile_malware.rules)
2026444 - ET MOBILE_MALWARE Android APT-C-23 (cecilia-gilbert .com in DNS Lookup) (mobile_malware.rules)
2026445 - ET MOBILE_MALWARE Android APT-C-23 (cecilia-gilbert .com in TLS SNI) (mobile_malware.rules)
2026446 - ET MOBILE_MALWARE Android APT-C-23 (harper-monty .site in DNS Lookup) (mobile_malware.rules)
2026447 - ET MOBILE_MALWARE Android APT-C-23 (harper-monty .site in TLS SNI) (mobile_malware.rules)
2026448 - ET MOBILE_MALWARE Android APT-C-23 (lyanna-stark .info in DNS Lookup) (mobile_malware.rules)
2026449 - ET MOBILE_MALWARE Android APT-C-23 (lyanna-stark .info in TLS SNI) (mobile_malware.rules)
2026450 - ET MOBILE_MALWARE Android APT-C-23 (parrotchat .co in DNS Lookup) (mobile_malware.rules)
2026451 - ET MOBILE_MALWARE Android APT-C-23 (parrotchat .co in TLS SNI) (mobile_malware.rules)
2026452 - ET MOBILE_MALWARE Android APT-C-23 (cerseilannister .info in DNS Lookup) (mobile_malware.rules)
2026453 - ET MOBILE_MALWARE Android APT-C-23 (cerseilannister .info in TLS SNI) (mobile_malware.rules)
2026454 - ET MOBILE_MALWARE Android APT-C-23 (harrykane .online in DNS Lookup) (mobile_malware.rules)
2026455 - ET MOBILE_MALWARE Android APT-C-23 (harrykane .online in TLS SNI) (mobile_malware.rules)
2026456 - ET MOBILE_MALWARE Android APT-C-23 (mail-accout .club in DNS Lookup) (mobile_malware.rules)
2026457 - ET MOBILE_MALWARE Android APT-C-23 (mail-accout .club in TLS SNI) (mobile_malware.rules)
2026458 - ET MOBILE_MALWARE Android APT-C-23 (pmi-pna .com in DNS Lookup) (mobile_malware.rules)
2026459 - ET MOBILE_MALWARE Android APT-C-23 (pmi-pna .com in TLS SNI) (mobile_malware.rules)

Pro:

2810909 - ETPRO INFO Suspicious .zip Download from GoogleAPI with Terse Headers (info.rules)
2832985 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 438 (mobile_malware.rules)
2832986 - ETPRO TROJAN Trojan.Win32.DownLoad3.fffcwd Checkin (trojan.rules)
2832987 - ETPRO TROJAN Win32.XpertRAT Checkin M1 (trojan.rules)
2832988 - ETPRO TROJAN Win32.XpertRAT Checkin M2 (trojan.rules)
2832989 - ETPRO TROJAN Win32.XpertRAT Checkin M3 (trojan.rules)
2832990 - ETPRO TROJAN Win32/Pterodo.IZ Checkins (trojan.rules)
2832991 - ETPRO TROJAN Win32/Pterodo.IZ Checkin M2 (trojan.rules)
2832992 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-10-08 1) (trojan.rules)
2832993 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-10-08 2) (trojan.rules)
2832994 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-10-08 3) (trojan.rules)
2832995 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-10-08 4) (trojan.rules)
2832996 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-10-08 5) (trojan.rules)
2832997 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-10-08 6) (trojan.rules)
2832998 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-10-08 7) (trojan.rules)
2832999 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-10-08) (current_events.rules)
2833000 - ETPRO CURRENT_EVENTS Observed MalDoc DL 2018-10-08 2 Domain (www .imperialpetco .com in TLS SNI) (current_events.rules)
2833001 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (Ursnif DL 2018-10-08) (current_events.rules)
2833002 - ETPRO CURRENT_EVENTS JS/BrushaLoader CnC Checkin M3 (current_events.rules)
2833003 - ETPRO TROJAN Win32/Remcos RAT Checkin 53 (trojan.rules)
2833004 - ETPRO POLICY CoinMiner Config Inbound (policy.rules)
2833005 - ETPRO TROJAN MSIL/Kryptik.OZN CnC Checkin (trojan.rules)

[///]     Modified active rules:     [///]

2026441 - ET TROJAN NCSC APT28 - Web/request -FILE- contenttype (trojan.rules)
2832704 - ETPRO TROJAN Win32/ZeroEvil Stealer CnC Checkin (trojan.rules)
2832973 - ETPRO TROJAN MSIL/MarioFTPStealer Requesting Screenshot Command (trojan.rules)
2832974 - ETPRO TROJAN MSIL/MarioFTPStealer Requesting CoinMiner Config Command (trojan.rules)

[---]         Removed rules:         [---]

2810909 - ETPRO CURRENT_EVENTS .zip Download from GoogleAPI with Minimal headers Possible Trojan.MSIL.Banload.DD Dropping Spy.Banker (current_events.rules)
2812297 - ETPRO TROJAN Trojan.MSIL.Banload.DD Dropping Spy.Banker from GoogleAPI Storage (SET) (trojan.rules)
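A practitioner consuming these daily summaries usually wants three things out of them: a structured changeset, the indicator domains pulled out of the rule messages, and a flag on any SID that is removed and re-added in the same update (here 2810909 moves from current_events.rules to info.rules under a new name, so SID-keyed suppressions and disable lists should be re-checked rather than assumed to still apply). The parser below is an added example, not Emerging Threats tooling; the excerpt it runs on is constructed from the lines above, and the `[+++]`/`[///]`/`[---]` section markers and the "sid - TIER CATEGORY message (file.rules)" line shape are assumed to be stable across summaries.

```python
"""Parse an ET daily ruleset update summary into a structured changeset."""
import re
from collections import defaultdict

# Constructed excerpt of the 2018-10-08 summary (subset of the lines above).
SUMMARY = """\
[+++]          Added rules:          [+++]

Open:

2026442 - ET MOBILE_MALWARE Android APT-C-23 (ososezo .site in DNS Lookup) (mobile_malware.rules)
2026443 - ET MOBILE_MALWARE Android APT-C-23 (ososezo .site in TLS SNI) (mobile_malware.rules)

Pro:

2810909 - ETPRO INFO Suspicious .zip Download from GoogleAPI with Terse Headers (info.rules)
2832987 - ETPRO TROJAN Win32.XpertRAT Checkin M1 (trojan.rules)

[///]     Modified active rules:     [///]

2026441 - ET TROJAN NCSC APT28 - Web/request -FILE- contenttype (trojan.rules)

[---]         Removed rules:         [---]

2810909 - ETPRO CURRENT_EVENTS .zip Download from GoogleAPI with Minimal headers Possible Trojan.MSIL.Banload.DD Dropping Spy.Banker (current_events.rules)
"""

# Section banners as used by the summary; assumed stable across updates.
SECTION_RE = re.compile(r"^\[(\+\+\+|///|---)\]")
SECTION_NAMES = {"+++": "added", "///": "modified", "---": "removed"}
# "<sid> - <ET|ETPRO> <CATEGORY> <message> (<file>.rules)"
RULE_RE = re.compile(r"^(\d+) - (ET|ETPRO) (\S+) (.*) \((\S+\.rules)\)$")
# Domains in messages are defanged with a space before each label: "www .example .com"
IOC_RE = re.compile(r"\(([\w.\-]+(?: \.[\w\-]+)+) in (DNS Lookup|TLS SNI)\)")


def parse_summary(text):
    """Return {section: [rule dict]} with sid, tier, category, msg, file, domain, ioc_type."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = SECTION_NAMES[banner.group(1)]
            continue
        m = RULE_RE.match(line)
        if m and current:
            sid, tier, category, msg, rule_file = m.groups()
            ioc = IOC_RE.search(msg)
            sections[current].append({
                "sid": int(sid),
                "tier": tier,              # ET = Open, ETPRO = Pro-only
                "category": category,
                "msg": msg,
                "file": rule_file,
                "domain": ioc.group(1).replace(" ", "") if ioc else None,  # refanged
                "ioc_type": ioc.group(2) if ioc else None,
            })
    return dict(sections)


def moved_sids(changes):
    """SIDs present in both Removed and Added: renamed/recategorised, not retired.

    Returns {sid: (old_file, new_file)}.
    """
    added = {r["sid"]: r for r in changes.get("added", [])}
    removed = {r["sid"]: r for r in changes.get("removed", [])}
    return {sid: (removed[sid]["file"], added[sid]["file"])
            for sid in added.keys() & removed.keys()}


def blocklist_domains(changes, sections=("added",)):
    """Sorted, refanged domains from DNS Lookup / TLS SNI rule messages."""
    return sorted({r["domain"] for s in sections
                   for r in changes.get(s, []) if r["domain"]})


def summary_counts(changes):
    """(open, pro_only, pro_total) for Added rules; pro_total is what the header reports."""
    added = changes.get("added", [])
    n_open = sum(1 for r in added if r["tier"] == "ET")
    n_pro_only = sum(1 for r in added if r["tier"] == "ETPRO")
    return n_open, n_pro_only, n_open + n_pro_only


if __name__ == "__main__":
    changes = parse_summary(SUMMARY)
    print("counts (open, pro-only, pro total):", summary_counts(changes))
    print("moved SIDs:", moved_sids(changes))
    print("domains to block:", blocklist_domains(changes))
```

Run against the full summary, `summary_counts` reproduces the "18 + 22" in the header, and `moved_sids` reports 2810909 moving from current_events.rules to info.rules. The domain extraction is a convenience for feeding a DNS RPZ or proxy blocklist from the message strings; it is not a substitute for reading the rule bodies, since only the DNS Lookup and TLS SNI rules carry their indicator in the message.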

Date: Monday, October 8, 2018 - 00:00