[***]            Summary:            [***]

3 new Open, 22 new Pro (3 + 19). L0rdix, Sarwent, Ursnif, Various Phishing.

[+++]          Added rules:          [+++]

Open:

2026670 - ET TROJAN L0rdix Stealer CnC Sending Screenshot (trojan.rules)
2026671 - ET TROJAN L0rdix Stealer CnC Data Exfil (trojan.rules)
2026672 - ET TROJAN DNSpionage Commands Embedded in Webpage Inbound (trojan.rules)

Pro:

2833683 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 449 (mobile_malware.rules)
2833684 - ETPRO POLICY WebDav Auth Request Outbound M2 (Possible NTLM Hash Theft) (policy.rules)
2833685 - ETPRO TROJAN W32.Sarwent Checkin -- count (trojan.rules)
2833686 - ETPRO TROJAN W32.Sarwent Checkin -- add_bot (trojan.rules)
2833687 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-28 1) (trojan.rules)
2833688 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-28 2) (trojan.rules)
2833689 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-11-28 3) (trojan.rules)
2833690 - ETPRO CURRENT_EVENTS MalDoc Retrieving Evil exe/msi/doc (current_events.rules)
2833691 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2833692 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2833693 - ETPRO POLICY Observed SSL Cert (External IP Address Lookup (ip .sb)) (policy.rules)
2833694 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-11-28 2) (current_events.rules)
2833695 - ETPRO CURRENT_EVENTS Observed MalDoc DL 2018-11-28 Domain (vevete22 .pw in TLS SNI) (current_events.rules)
2833696 - ETPRO CURRENT_EVENTS Successful DHL Phish 2018-11-28 (current_events.rules)
2833697 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-11-28 (current_events.rules)
2833698 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2018-11-28 (current_events.rules)
2833699 - ETPRO CURRENT_EVENTS Obfuscated Wide PowerShell Script Inbound M1 2018-11-28 (current_events.rules)
2833700 - ETPRO CURRENT_EVENTS Obfuscated Wide PowerShell Script Inbound M2 2018-11-28 (current_events.rules)
2833701 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (Ursnif Domain) (current_events.rules)

[///]     Modified active rules:     [///]

2008438 - ET TROJAN Possible Windows executable sent when remote host claims to send a Text File (trojan.rules)
2026557 - ET TROJAN DNSpionage - Payload Communicating with CnC via DNS Tunneling (trojan.rules)

Date: Wednesday, November 28, 2018 - 00:00