[***]            Summary:            [***]

10 new Open, 46 new Pro (10 + 36). Win32/ProtonBot, Nodster CnC Activity, POSHC2 Cert, Various Phishing, Various User-Agents.

[+++]          Added rules:          [+++]

Open:

2027382 - ET TROJAN Win32/ProtonBot CnC Response (trojan.rules)
2027383 - ET TROJAN Win32/ProtonBot Stealer Activity (trojan.rules)
2027384 - ET TROJAN Observed ProtonBot User-Agent (trojan.rules)
2027385 - ET TROJAN Observed DNS Query to APT10 Related CnC Domain (trojan.rules)
2027386 - ET TROJAN Observed DNS Query to APT10 Related CnC Domain (trojan.rules)
2027387 - ET TROJAN Observed DNS Query to APT10 Related CnC Domain (trojan.rules)
2027388 - ET USER_AGENTS Node XMLHTTP User-Agent (user_agents.rules)
2027389 - ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) (user_agents.rules)
2027390 - ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent (user_agents.rules)
2027391 - ET POLICY Possible EXE Download Request to ngrok (policy.rules)

Pro:

2836516 - ETPRO TROJAN Unk.Various IRC Bot Channel Keep-Alive (Inbound) (trojan.rules)
2836517 - ETPRO TROJAN Unk.Various IRC Bot Channel Keep-Alive (Outbound) (trojan.rules)
2836518 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2019-05-28 (current_events.rules)
2836519 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2019-05-28 (current_events.rules)
2836520 - ETPRO CURRENT_EVENTS Successful WhatsApp Group Invite Phish 2019-05-28 (current_events.rules)
2836521 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-05-28 (current_events.rules)
2836522 - ETPRO CURRENT_EVENTS Successful Credit Mutuel Phish 2019-05-28 (current_events.rules)
2836523 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2019-05-28 (current_events.rules)
2836524 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-05-28 (current_events.rules)
2836525 - ETPRO CURRENT_EVENTS Successful Alibaba Phish 2019-05-28 (current_events.rules)
2836526 - ETPRO CURRENT_EVENTS Successful Linkedin Phish 2019-05-28 (current_events.rules)
2836527 - ETPRO CURRENT_EVENTS Successful Microsoft Sharepoint Phish 2019-05-28 (current_events.rules)
2836528 - ETPRO CURRENT_EVENTS Successful Itscom Phish 2019-05-28 (current_events.rules)
2836529 - ETPRO CURRENT_EVENTS Successful Amazon JP Phish 2019-05-28 (current_events.rules)
2836530 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-05-28 (current_events.rules)
2836531 - ETPRO CURRENT_EVENTS Successful Caixa Phish 2019-05-28 (current_events.rules)
2836532 - ETPRO CURRENT_EVENTS Successful Vmware Workspace Phish 2019-05-28 (current_events.rules)
2836533 - ETPRO CURRENT_EVENTS Successful Vmware Workspace Phish 2019-05-28 (current_events.rules)
2836534 - ETPRO CURRENT_EVENTS Successful 126 Phish 2019-05-28 (current_events.rules)
2836535 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-05-24 1) (trojan.rules)
2836536 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-05-24 2) (trojan.rules)
2836537 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-05-28 1) (trojan.rules)
2836538 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-05-28 2) (trojan.rules)
2836539 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-05-28 3) (trojan.rules)
2836540 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-05-28 4) (trojan.rules)
2836541 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-05-28 5) (trojan.rules)
2836542 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-05-28 6) (trojan.rules)
2836543 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-05-28 7) (trojan.rules)
2836544 - ETPRO TROJAN Nodster CnC Activity GET (trojan.rules)
2836545 - ETPRO TROJAN Nodster CnC Activity POST (trojan.rules)
2836546 - ETPRO TROJAN Nodster External IP Lookup (trojan.rules)
2836547 - ETPRO MALWARE AzzdServer User-Agent (malware.rules)
2836548 - ETPRO TROJAN Win32/Rootkit.BlackEnergy.AG Checkin 1 (trojan.rules)
2836549 - ETPRO TROJAN Win32/Rootkit.BlackEnergy.AG Checkin 2 (trojan.rules)
2836550 - ETPRO CURRENT_EVENTS Suspicious iframe Replacing Webpage Inbound (current_events.rules)
2836551 - ETPRO TROJAN SSL/TLS Certificate Observed (Default POSHC2 cert) (trojan.rules)

[///]     Modified active rules:     [///]

2023083 - ET TROJAN Alfa/Alpha Ransomware Checkin (trojan.rules)
2024178 - ET TROJAN MSIL/Matrix Ransomware Sending Encrypted Filelist (trojan.rules)
2806859 - ETPRO TROJAN Worm.Win32/Netsky.P@mm spreading via SMTP 1 (trojan.rules)
2809363 - ETPRO TROJAN PhaseBot Checkin (trojan.rules)
2826281 - ETPRO TROJAN IsmDoor DNS C2 Initial Checkin (trojan.rules)
2836501 - ETPRO EXPLOIT Observed Attempted Spring Data Commons RCE Inbound (CVE-2018-1273) (exploit.rules)
2836503 - ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Inbound (exploit.rules)

[---]  Disabled and modified rules:  [---]

2024650 - ET CURRENT_EVENTS HEX Payload DL with MSXMLHTP (Observed in Locky campaign) (current_events.rules)
2807793 - ETPRO TROJAN Win32/Rootkit.BlackEnergy.AG Checkin (trojan.rules)

Date: 
Monday, May 27, 2019 - 22:00