[***]            Summary:            [***]

16 new Open, 34 new Pro (16 + 18). PoohMilk, ThrowBack, APT28, Various Phishing.

Thanks: Kevin Ross, Pablo Rincon, James Brown, Orion Poplawski, Jose Vila

[+++]          Added rules:          [+++]

Open:

2027402 - ET TROJAN Executable contained in DICOM Medical Image SMB File Transfer (trojan.rules)
2027403 - ET TROJAN Executable contained in DICOM Medical Image PACS DICOM Protocol Transfer (trojan.rules)
2027404 - ET TROJAN Executable contained in DICOM Medical Image Received from PACS DICOM Device (trojan.rules)
2027405 - ET TROJAN Possible APT28 Xtunnel Activity (trojan.rules)
2027406 - ET TROJAN APT28 CnC Domain DNS Lookup (trojan.rules)
2027407 - ET TROJAN APT28 CnC Domain DNS Lookup (trojan.rules)
2027408 - ET TROJAN APT28 CnC Domain DNS Lookup (trojan.rules)
2027409 - ET TROJAN APT28 CnC Domain DNS Lookup (trojan.rules)
2027410 - ET TROJAN APT28 CnC Domain DNS Lookup (trojan.rules)
2027411 - ET TROJAN APT28 CnC Domain DNS Lookup (trojan.rules)
2027412 - ET POLICY Inbound RDP Connection with TLS Security Protocol Requested (policy.rules)
2027413 - ET POLICY Inbound RDP Connection with Minimal Security Protocol Requested (policy.rules)
2027414 - ET CURRENT_EVENTS Observed Malicious SSL Cert (BrushaLoader CnC) 2019-05-30 (current_events.rules)
2027415 - ET CURRENT_EVENTS Brushaloader Domain in DNS Lookup 2019-05-30 (current_events.rules)
2027416 - ET WEB_SPECIFIC_APPS ECSHOP user.php SQL INJECTION via Referer (web_specific_apps.rules)
2027417 - ET GAMES Wolfteam HileYapak Server Response (games.rules)

Pro:

2836595 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Server) (trojan.rules)
2836596 - ETPRO CURRENT_EVENTS Successful Banco Inter Phish 2019-05-31 (current_events.rules)
2836597 - ETPRO CURRENT_EVENTS Successful Adobe Phish 2019-05-31 (current_events.rules)
2836598 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-05-31 (current_events.rules)
2836599 - ETPRO CURRENT_EVENTS Successful Telekom / Tmobile Phish 2019-05-31 (current_events.rules)
2836600 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2019-05-31 (current_events.rules)
2836601 - ETPRO CURRENT_EVENTS Successful QNB Finansbank Phish 2019-05-31 (current_events.rules)
2836602 - ETPRO CURRENT_EVENTS Successful Fidelity Phish 2019-05-31 (current_events.rules)
2836603 - ETPRO CURRENT_EVENTS Successful Postbank Phish 2019-05-31 (current_events.rules)
2836604 - ETPRO CURRENT_EVENTS Successful Maybank Phish 2019-05-31 (current_events.rules)
2836605 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-05-31 1) (trojan.rules)
2836606 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-05-31 2) (trojan.rules)
2836607 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2019-05-31 3) (trojan.rules)
2836608 - ETPRO TROJAN APT37 PoohMilk CnC Checkin (trojan.rules)
2836609 - ETPRO TROJAN Observed Malicious SSL Cert (ThrowBack CnC) (trojan.rules)
2836610 - ETPRO TROJAN Observed Malicious SSL Cert (ThrowBack CnC) (trojan.rules)
2836611 - ETPRO TROJAN Observed Malicious SSL Cert (ThrowBack CnC) (trojan.rules)
2836612 - ETPRO TROJAN Throwback Related DNS Lookup (trojan.rules)

[///]     Modified active rules:     [///]

2008420 - ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile (trojan.rules)
2017948 - ET TROJAN LDPinch Checkin Post (trojan.rules)
2020181 - ET TROJAN WIN32/KOVTER.B Checkin (trojan.rules)
2027395 - ET TROJAN Linux/HiddenWasp CnC Request (set) (trojan.rules)
2027396 - ET TROJAN Linux/HiddenWasp CnC Response (trojan.rules)
2809547 - ETPRO TROJAN Symmi payload download (trojan.rules)
2814978 - ETPRO EXPLOIT SSL Certificate With Directory Traversal (exploit.rules)
2821642 - ETPRO TROJAN Win32.Shakti Checkin (trojan.rules)
2821643 - ETPRO TROJAN Win32.Shakti Sending Process List (trojan.rules)
2821644 - ETPRO TROJAN Win32.Shakti Uploading Files (trojan.rules)
2828008 - ETPRO TROJAN W32/Emotet.v4 Checkin 3 (trojan.rules)

Date: Thursday, May 30, 2019 - 22:00