[***]            Summary:            [***]

 8 new Open, 27 new Pro (8 + 20). Legion Loader, GoLang Discord Token
Grabber, Win32/Presenoker, Win32/Vidar/Arkei/Oski Variant, Various
Phishing, Ongoing Rule Pruning (192 disabled rules).

 Thanks: @sysopfb

 Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback


[+++]          Added rules:          [+++]

Open:

  2029541 - ET TROJAN Legion Loader Activity Observed (heil_satan)
(trojan.rules)
  2029542 - ET TROJAN GoLang Discord Token Grabber Exfil (trojan.rules)
  2029543 - ET MALWARE Ads2Srv Bundle Installer Offer Request
(malware.rules)
  2029544 - ET USER_AGENTS Suspicious User-Agent (VB OpenUrl)
(user_agents.rules)
  2029545 - ET MALWARE Win32/Adware.YoutubeDownloaderGuru.A Variant CnC
Activity (malware.rules)
  2029546 - ET MALWARE Win32/YTDDownloader.F Variant CnC Activity
(malware.rules)
  2029547 - ET TROJAN Observed Ursnif Domain in TLS SNI (trojan.rules)
  2029548 - ET TROJAN Observed Ursnif Domain in TLS SNI (trojan.rules)

Pro:

  2841237 - ETPRO TROJAN Win32/Vidar/Arkei/Oski Variant Stealer Uploading
System Information (trojan.rules)
  2841238 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST
Request (Cookies/MozillaFirefox) (trojan.rules)
  2841239 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST
Request (Screensh0t.) (trojan.rules)
  2841240 - ETPRO INFO Suspicious Zipped Filename in Outbound POST Request
(wallet.dat) (info.rules)
  2841241 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST
Request (Cookies_List.txt) (trojan.rules)
  2841242 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-02-27 1) (trojan.rules)
  2841243 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-02-27 2) (trojan.rules)
  2841244 - ETPRO CURRENT_EVENTS Successful Verizon Phish 2020-02-27
(current_events.rules)
  2841245 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-02-27
(current_events.rules)
  2841246 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2020-02-27
(current_events.rules)
  2841247 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-02-27 (current_events.rules)
  2841248 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-02-27 (current_events.rules)
  2841249 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2020-02-27 (current_events.rules)
  2841250 - ETPRO CURRENT_EVENTS Successful Linkedin Phish 2020-02-27
(current_events.rules)
  2841251 - ETPRO CURRENT_EVENTS Successful Adobe PDF Cloud Phish
2020-02-27 (current_events.rules)
  2841252 - ETPRO TROJAN AvatarLoader CnC Download and Execute Request
(trojan.rules)
  2841253 - ETPRO TROJAN Legion Loader Activity Observed (trojan.rules)
  2841254 - ETPRO TROJAN Win32/Presenoker Requesting Batch File M8
(trojan.rules)
  2841255 - ETPRO TROJAN STATUSCREW Downloader Activity (trojan.rules)
  2841256 - ETPRO TROJAN STATUSCREW Downloader Activity M2 (trojan.rules)


[///]     Modified active rules:     [///]

  2025134 - ET POLICY OnePlus phone data leakage (policy.rules)
  2026007 - ET TROJAN [PTsecurity] MSIL/Biskvit.A Check-in (trojan.rules)
  2029539 - ET TROJAN JS/Ostap Maldoc Check-in (trojan.rules)
  2810581 - ETPRO TROJAN Win32/Vflooder.C CnC Beacon (trojan.rules)
  2821811 - ETPRO TROJAN Win32/Banload Variant Connectivity Check
(trojan.rules)
  2825767 - ETPRO TROJAN Stolich Gen Ransomware CnC Create Key
(trojan.rules)
  2825768 - ETPRO TROJAN Stolich Gen Ransomware CnC Save Key (trojan.rules)
  2825789 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.IC CnC Beacon
(mobile_malware.rules)
  2825791 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.IC Contacts
Exfil (mobile_malware.rules)
  2828791 - ETPRO MOBILE_MALWARE Android/Guerrilla.AM Checkin
(mobile_malware.rules)
  2828878 - ETPRO MOBILE_MALWARE Android/DroidDream.D Checkin 2
(mobile_malware.rules)
  2828879 - ETPRO MOBILE_MALWARE Android/DroidDream.D Checkin 3
(mobile_malware.rules)
  2828880 - ETPRO MOBILE_MALWARE Android/DroidDream.D Checkin 4
(mobile_malware.rules)
  2829003 - ETPRO MOBILE_MALWARE ANDROIDOS_ANUBISSPY Checkin
(mobile_malware.rules)
  2829618 - ETPRO TROJAN Chthonic CnC Beacon 13 (trojan.rules)
  2829620 - ETPRO TROJAN Chthonic CnC Beacon Generic M1 (trojan.rules)
  2829625 - ETPRO TROJAN Chthonic CnC Beacon 14 (trojan.rules)
  2831162 - ETPRO TROJAN BKDR_QULKONWI.GHR Checkin M2 (trojan.rules)
  2831202 - ETPRO TROJAN W32.PP2018.CN Stealer Checkin (trojan.rules)
  2831258 - ETPRO MALWARE Win32/SoftExperts.A PUP/PUA Checkin
(malware.rules)
  2831780 - ETPRO TROJAN W32.Gamaredon.Variant Checkin (trojan.rules)
  2831782 - ETPRO TROJAN Win32.Ursu.Variant Checkin (trojan.rules)
  2831888 - ETPRO MOBILE_MALWARE Android/Agent-MJK CnC Beacon
(mobile_malware.rules)
  2833279 - ETPRO TROJAN W32.SpyBanker.BR Variant Checkin (trojan.rules)
  2833295 - ETPRO TROJAN W32.YBomeMiner Checkin M2 (trojan.rules)
  2835216 - ETPRO TROJAN Win32/Agent.RNS Requesting New Payload CnC Address
(trojan.rules)
  2838440 - ETPRO TROJAN AvatarLoader CnC Checkin (trojan.rules)
  2840985 - ETPRO POLICY Wscript Being Retrieved from Pastebin
(policy.rules)


[---]  Disabled and modified rules:  [---]

  2820814 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website Jun
21 M4 (current_events.rules)
  2820855 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite.com Jun 24
M1 (current_events.rules)
  2820856 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite.com Jun 24
M2 (current_events.rules)
  2820857 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite.com Jun 24
M3 (current_events.rules)
  2820858 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite.com Jun 24
M4 (current_events.rules)
  2820859 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite.com Jun 24
M5 (current_events.rules)
  2820923 - ETPRO CURRENT_EVENTS Phishing Landing via udo.photo Jun 28 M1
(current_events.rules)
  2820924 - ETPRO CURRENT_EVENTS Phishing Landing via udo.photo Jun 28 M2
(current_events.rules)
  2820926 - ETPRO CURRENT_EVENTS Phishing Landing via ulcraft.com Jun 28 M1
(current_events.rules)
  2820928 - ETPRO CURRENT_EVENTS Phishing Landing via biennale.info Jun 28
M1 (current_events.rules)
  2820929 - ETPRO CURRENT_EVENTS Phishing Landing via biennale.info Jun 28
M2 (current_events.rules)
  2820931 - ETPRO CURRENT_EVENTS Phishing Landing via topstyle.me Jun 28 M1
(current_events.rules)
  2821228 - ETPRO CURRENT_EVENTS Phishing Landing via Webydo.com Jul 21 M2
(current_events.rules)
  2821323 - ETPRO CURRENT_EVENTS Phishing Landing via imcreator.com /
imxprs.com Jul 22 M1 (current_events.rules)
  2821324 - ETPRO CURRENT_EVENTS Phishing Landing via imcreator.com /
imxprs.com Jul 22 M2 (current_events.rules)
  2821325 - ETPRO CURRENT_EVENTS Phishing Landing via imcreator.com /
imxprs.com Jul 22 M3 (current_events.rules)
  2821326 - ETPRO CURRENT_EVENTS Phishing Landing via imcreator.com /
imxprs.com Jul 22 M4 (current_events.rules)
  2821634 - ETPRO CURRENT_EVENTS Successful Gmail Phish M2 Aug 12 2016
(current_events.rules)
  2822366 - ETPRO CURRENT_EVENTS Phishing Landing via urest.org Oct 03 M1
(current_events.rules)
  2822367 - ETPRO CURRENT_EVENTS Phishing Landing via urest.org Oct 03 M2
(current_events.rules)


[---]         Disabled rules:        [---]

  2015981 - ET CURRENT_EVENTS Zuponcic Hostile Jar (current_events.rules)
  2016542 - ET CURRENT_EVENTS Possible Portal TDS Kit GET
(current_events.rules)
  2016718 - ET CURRENT_EVENTS BHEK q.php iframe outbound
(current_events.rules)
  2016817 - ET CURRENT_EVENTS Possible Java Applet JNLP
applet_ssv_validated in Base64 2 (current_events.rules)
  2016818 - ET CURRENT_EVENTS Possible Java Applet JNLP
applet_ssv_validated in Base64 3 (current_events.rules)
  2017187 - ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 1
(current_events.rules)
  2017189 - ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 3
(current_events.rules)
  2018568 - ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (TTL 1)
(current_events.rules)
  2018569 - ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (Disable
Forwarding) (current_events.rules)
  2019194 - ET CURRENT_EVENTS Nuclear EK Redirect Sept 18 2014
(current_events.rules)
  2019610 - ET TROJAN Possible EITest Flash Redirect (trojan.rules)
  2019634 - ET CURRENT_EVENTS Sweet Orange Landing Nov 3 2014
(current_events.rules)
  2019775 - ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332
Common Construct b64 3 (Observed in Archie EK) (current_events.rules)
  2019894 - ET CURRENT_EVENTS Probable malicious download from e-mail link
/1.php (current_events.rules)
  2019989 - ET CURRENT_EVENTS Evil Redirector Leading to EK Dec 22 2014
Video (current_events.rules)
  2019991 - ET CURRENT_EVENTS Evil Redirector Leading to EK Dec 22 2014
Search (current_events.rules)
  2020091 - ET CURRENT_EVENTS Cushion Redirection URI Struct Mon Jan 05
2015 (current_events.rules)
  2020318 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Jan 27 2015 M1
(current_events.rules)
  2020392 - ET CURRENT_EVENTS KaiXin Secondary Landing Page
(current_events.rules)
  2020584 - ET CURRENT_EVENTS Sweet Orange EK Flash Exploit IE March 03
2015 (current_events.rules)
  2020626 - ET CURRENT_EVENTS Fiesta EK Landing URI Struct March 6 2015
(current_events.rules)
  2020824 - ET CURRENT_EVENTS VBScript Driveby Related TDS MAR 31 2015
(current_events.rules)
  2020838 - ET CURRENT_EVENTS Malicious Doc Downloading EXE
(current_events.rules)
  2021156 - ET CURRENT_EVENTS Evil JS iframe Embedded In GIF
(current_events.rules)
  2021364 - ET CURRENT_EVENTS Magnitude CVE-2015-3113 Jun 29 2015 M1
(current_events.rules)
  2021429 - ET CURRENT_EVENTS Possible IE MSMXL Detection of Local DLL
(Likely Malicious) (current_events.rules)
  2021430 - ET CURRENT_EVENTS Possible IE MSMXL Detection of Local SYS
(Likely Malicious) (current_events.rules)
  2021762 - ET CURRENT_EVENTS Spartan EK Secondary Flash Exploit DL
(current_events.rules)
  2022349 - ET CURRENT_EVENTS CoinMiner Malicious Authline Seen in JAR
Backdoor (current_events.rules)
  2022604 - ET CURRENT_EVENTS Successful Enom Phish Mar 08 2016
(current_events.rules)
  2805070 - ETPRO TROJAN Trojan.Downloader receiving config for
spearphishing campaign (trojan.rules)
  2809795 - ETPRO CURRENT_EVENTS Possible Magnitude exploit payload contype
check Feb 12 2015 (current_events.rules)
  2810583 - ETPRO CURRENT_EVENTS DRIVEBY Magnitude Landing Dec 03 2014 M2
(current_events.rules)
  2810910 - ETPRO CURRENT_EVENTS .zip Download from GoogleAPI with Minimal
headers Possible Trojan.MSIL.Banload.DD Dropping Spy.Banker (Download)
(current_events.rules)
  2811604 - ETPRO CURRENT_EVENTS Likely Evil JS ECS Shop With Various
Crypto Primatives In Page (Observed in Unknown EK) (current_events.rules)
  2811762 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK (Anti-AV
Check) (current_events.rules)
  2812062 - ETPRO CURRENT_EVENTS Adfraud Redirector (current_events.rules)
  2812124 - ETPRO MALWARE Win32/Adware.FileTour Variant PUP - IE Redirect
(malware.rules)
  2812603 - ETPRO TROJAN Win32/Genasom.FO Malicious Redirect (trojan.rules)
  2813049 - ETPRO CURRENT_EVENTS File Enum Image Res (Observed in Magnitude
EK Landing) Sept 16 2015 (current_events.rules)
  2814480 - ETPRO CURRENT_EVENTS Generic Mix Alpha-Numeric Encoded HTML
Entity in Object (Observed in SunDown/Xer EK) (current_events.rules)
  2814712 - ETPRO CURRENT_EVENTS Ursnif Payload via Document Macro
(current_events.rules)
  2814756 - ETPRO CURRENT_EVENTS Ursnif Payload via Document Macro Nov 4
(current_events.rules)
  2814804 - ETPRO CURRENT_EVENTS Ursnif Payload via Document Macro Nov 5
(current_events.rules)
  2815006 - ETPRO CURRENT_EVENTS Successful Jimdo Outlook Web App Phishing
Nov 19 (current_events.rules)
  2815831 - ETPRO CURRENT_EVENTS Form Submission to Ezweb123.com - Possible
Successful Phish Jan 15 (current_events.rules)
  2815897 - ETPRO CURRENT_EVENTS Phishing Landing via Jimdo.com Jan 22 M1
(current_events.rules)
  2815898 - ETPRO CURRENT_EVENTS Phishing Landing via Jimdo.com Jan 22 M2
(current_events.rules)
  2815954 - ETPRO CURRENT_EVENTS Phishing Landing via Sitey.me Jan 25 M1
(current_events.rules)
  2815956 - ETPRO CURRENT_EVENTS Phishing Landing via Sitey.me Jan 25 M3
(current_events.rules)
  2815964 - ETPRO CURRENT_EVENTS Phishing Landing via Jimdo.com Jan 26 M2
(current_events.rules)
  2815967 - ETPRO CURRENT_EVENTS Successful Jimdo Phishing Jan 26
(current_events.rules)
  2816078 - ETPRO CURRENT_EVENTS TorrentLocker Localization Redirect Feb 3
(current_events.rules)
  2816330 - ETPRO CURRENT_EVENTS Possible Nuclear EK Payload VarLen XOR
(Nulls) M2 (current_events.rules)
  2816450 - ETPRO CURRENT_EVENTS Apple Phishing Landing Mar 1
(current_events.rules)
  2816490 - ETPRO CURRENT_EVENTS Apple Phishing Landing Redirect M1 Mar 02
2016 (current_events.rules)
  2816725 - ETPRO TROJAN Win32/Unknown CnC (upload) (trojan.rules)
  2816765 - ETPRO CURRENT_EVENTS Apple Phishing Landing Obfuscation Mar 28
(current_events.rules)
  2816843 - ETPRO CURRENT_EVENTS Successful MyFreeSites.com Phish Mar 31
(current_events.rules)
  2816943 - ETPRO TROJAN Possible Derusbi SSL Cert (trojan.rules)
  2819670 - ETPRO TROJAN Unknown Keylogger Checkin (trojan.rules)
  2819819 - ETPRO TROJAN Ransomware/Poshcoder Onion Domain Lookup
(trojan.rules)
  2819913 - ETPRO TROJAN Jupiter Banker Injects DNS Lookup (trojan.rules)
  2819914 - ETPRO TROJAN Jupiter Banker Injects Domain in SSL Client Hello
(trojan.rules)
  2819960 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
Injects) (trojan.rules)
  2820004 - ETPRO TROJAN Malicious SSL Certificate Detected (Social
Engineering Kit) (trojan.rules)
  2820010 - ETPRO TROJAN Observerd Malvertising Domain SSL Cert
(trojan.rules)
  2820013 - ETPRO CURRENT_EVENTS Possible XML Phishing Landing May 2
(current_events.rules)
  2820036 - ETPRO CURRENT_EVENTS Generic Email Credential Theft Phishing
Landing May 3 (current_events.rules)
  2820094 - ETPRO CURRENT_EVENTS Sundown/Xer EK Landing May 05 2016 M2
(b642) (current_events.rules)
  2820155 - ETPRO CURRENT_EVENTS French Gmail Account Update Phishing
Landing May 10 (current_events.rules)
  2820173 - ETPRO TROJAN Malicious SSL certificate detected (Gozi CnC)
(trojan.rules)
  2820178 - ETPRO TROJAN Unknown Locker C2 domain (trojan.rules)
  2820292 - ETPRO TROJAN Bolek/Kbot CnC DNS Lookup (cibc-security.com)
(trojan.rules)
  2820452 - ETPRO CURRENT_EVENTS Versobank Phishing Landing Jun 2
(current_events.rules)
  2820491 - ETPRO CURRENT_EVENTS Northwell Health Phishing Landing Jun 6
(current_events.rules)
  2820511 - ETPRO TROJAN Dridex Injects SSL Cert (trojan.rules)
  2820547 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
Injects) (trojan.rules)
  2820548 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
Injects) (trojan.rules)
  2820593 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate
Detected (trojan.rules)
  2820594 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate
Detected (trojan.rules)
  2820615 - ETPRO WEB_CLIENT Suspicious Domain - Possible Apple Phishing
Jun 14 (web_client.rules)
  2820733 - ETPRO CURRENT_EVENTS Dropbox Shared Document Phishing Landing
Jun 17 (current_events.rules)
  2820738 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
Injects) (trojan.rules)
  2820789 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
Injects) (trojan.rules)
  2820790 - ETPRO TROJAN Malicious SSL certificate detected (Gootkit
Injects) (trojan.rules)
  2820792 - ETPRO TROJAN Ursnif Injects Domain in SNI (trojan.rules)
  2820793 - ETPRO TROJAN Ursnif Injects Domain in SNI (trojan.rules)
  2820794 - ETPRO TROJAN Ursnif Injects Domain in SNI (trojan.rules)
  2820810 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website (set)
Jun 21 2016 (current_events.rules)
  2820811 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website Jun
21 M1 (current_events.rules)
  2820812 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website Jun
21 M2 (current_events.rules)
  2820813 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website Jun
21 M3 (current_events.rules)
  2820815 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website Jun
21 M5 (current_events.rules)
  2820816 - ETPRO INFO Data Submitted to my-free.website - Possible
Phishing (info.rules)
  2820817 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
Injects) (trojan.rules)
  2820854 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite.com (set)
Jun 24 2016 (current_events.rules)
  2820860 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite.com Jun 24
M6 (current_events.rules)
  2820922 - ETPRO CURRENT_EVENTS Phishing Landing via udo.photo (set) Jun
28 2016 (current_events.rules)
  2820925 - ETPRO CURRENT_EVENTS Phishing Landing via ulcraft.com (set) Jun
28 (current_events.rules)
  2820927 - ETPRO CURRENT_EVENTS Phishing Landing via biennale.info (set)
Jun 28 (current_events.rules)
  2820930 - ETPRO CURRENT_EVENTS Phishing Landing via topstyle.me (set) Jun
28 2016 (current_events.rules)
  2820932 - ETPRO CURRENT_EVENTS Phishing Landing via topstyle.me Jun 28 M2
(current_events.rules)
  2820936 - ETPRO TROJAN Ransomware WildFire Locker .onion Payment Domain
(gsxrmcgsygcxfkbb) (trojan.rules)
  2820944 - ETPRO TROJAN Dridex Injects SSL Cert (trojan.rules)
  2820945 - ETPRO TROJAN Dridex Injects SSL Cert (trojan.rules)
  2821037 - ETPRO CURRENT_EVENTS Generic Email Account Phishing Landing Jul
11 (current_events.rules)
  2821042 - ETPRO CURRENT_EVENTS Yahoo Phishing Landing Jul 11
(current_events.rules)
  2821055 - ETPRO TROJAN Possible Gootkit CnC Domain in SNI (trojan.rules)
  2821056 - ETPRO TROJAN Possible Gootkit CnC Domain in SNI (trojan.rules)
  2821141 - ETPRO TROJAN Malicious SSL certificate detected (Gootkit
Injects) (trojan.rules)
  2821203 - ETPRO CURRENT_EVENTS Earthlink Phishing Landing Jul 19
(current_events.rules)
  2821209 - ETPRO TROJAN Malicious SSL certificate detected (Malware C2)
(trojan.rules)
  2821226 - ETPRO CURRENT_EVENTS Phishing Landing via Webydo.com (set) Jul
21 (current_events.rules)
  2821227 - ETPRO CURRENT_EVENTS Phishing Landing via Webydo.com Jul 21 M1
(current_events.rules)
  2821229 - ETPRO CURRENT_EVENTS Phishing Landing via Webydo.com Jul 21 M3
(current_events.rules)
  2821230 - ETPRO CURRENT_EVENTS Phishing Landing via Webydo.com Jul 21 M4
(current_events.rules)
  2821231 - ETPRO CURRENT_EVENTS Phishing Landing via Webydo.com Jul 21 M5
(current_events.rules)
  2821310 - ETPRO CURRENT_EVENTS Evil Redirect Leading to EK (AdGholas
Sending Link in Header) (current_events.rules)
  2821321 - ETPRO CURRENT_EVENTS Phishing Landing via imcreator.com (set)
Jul 22 (current_events.rules)
  2821322 - ETPRO CURRENT_EVENTS Phishing Landing via imxprs.com (set) Jul
22 (current_events.rules)
  2821327 - ETPRO CURRENT_EVENTS Phishing Landing via imcreator.com /
imxprs.com Jul 22 M5 (current_events.rules)
  2821528 - ETPRO TROJAN Pony CnC Domain in SSL Client Hello SNI
(trojan.rules)
  2821529 - ETPRO TROJAN Pony CnC Domain in SSL Client Hello SNI
(trojan.rules)
  2821530 - ETPRO TROJAN Pony CnC Domain in SSL Client Hello SNI
(trojan.rules)
  2821531 - ETPRO TROJAN Pony CnC Domain in SSL Client Hello SNI
(trojan.rules)
  2821567 - ETPRO TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Ursnif Injects) (trojan.rules)
  2821568 - ETPRO TROJAN Possible Ursnif Injects Domain in SNI
(trojan.rules)
  2821613 - ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda Banker)
(trojan.rules)
  2821624 - ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda Injects)
(trojan.rules)
  2821625 - ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda Injects)
(trojan.rules)
  2821629 - ETPRO CURRENT_EVENTS Stripe Phishing Landing Aug 12 2016
(current_events.rules)
  2821633 - ETPRO CURRENT_EVENTS Successful Gmail Phish M2 (set) Aug 12
2016 (current_events.rules)
  2821645 - ETPRO CURRENT_EVENTS Phishing Landing via webnode.fr (set) Aug
15 2016 (current_events.rules)
  2821647 - ETPRO CURRENT_EVENTS Phishing Landing via webnode.fr Aug 15
2016 M2 (current_events.rules)
  2821648 - ETPRO CURRENT_EVENTS Phishing Landing via webnode.fr Aug 15
2016 M3 (current_events.rules)
  2821650 - ETPRO CURRENT_EVENTS Phishing Landing via webnode.fr Aug 15
2016 M5 (current_events.rules)
  2822041 - ETPRO CURRENT_EVENTS Paypal Javascript Phishing Landing Sept 8
2016 (current_events.rules)
  2822042 - ETPRO CURRENT_EVENTS Paypal Phishing Landing Sept 8 2016
(current_events.rules)
  2822167 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
Injects) (trojan.rules)
  2822168 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
Injects) (trojan.rules)
  2822193 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.l DNS
Lookup 12 (mobile_malware.rules)
  2822249 - ETPRO CURRENT_EVENTS Evil Redirector to EK - Observed Malicious
SSL Cert (current_events.rules)
  2822256 - ETPRO TROJAN Unlock92 Ransomware .onion Proxy Payment Domain
(ezulxxtwqos5g736) (trojan.rules)
  2822272 - ETPRO TROJAN Ransomware Domain Detected (TorrentLocker C2)
(trojan.rules)
  2822290 - ETPRO WEB_CLIENT Byet Free Webhost Adobe Phishing Cookie Sept
29 2016 (web_client.rules)
  2822365 - ETPRO CURRENT_EVENTS Phishing Landing via urest.org (set) Oct
03 (current_events.rules)
  2822414 - ETPRO TROJAN Zloader Malicious SSL Cert Observed (trojan.rules)
  2822442 - ETPRO CURRENT_EVENTS Multibank Phishing Landing/Redirect (NL)
M1 2016-10-06 (current_events.rules)
  2822443 - ETPRO CURRENT_EVENTS SNS Bank Phishing Landing/Redirect (NL) M1
2016-10-06 (current_events.rules)
  2822444 - ETPRO CURRENT_EVENTS SNS Bank Phishing Landing/Redirect/ (NL)
M2 2016-10-06 (current_events.rules)
  2822445 - ETPRO CURRENT_EVENTS ASN/Regio Bank Phishing Landing/Redirect
(NL) M1 2016-10-06 (current_events.rules)
  2822446 - ETPRO CURRENT_EVENTS ASN/Regio Bank Phishing Landing/Redirect
(NL) M2 2016-10-06 (current_events.rules)
  2822447 - ETPRO CURRENT_EVENTS Multibank Phishing Landing/Redirect (NL)
M2 2016-10-06 (current_events.rules)
  2822479 - ETPRO CURRENT_EVENTS Bizarro SunDown EK Landing Oct 07 2016 M4
(current_events.rules)
  2822481 - ETPRO CURRENT_EVENTS Bizarro SunDown EK Landing Oct 07 2016 M6
(current_events.rules)
  2822482 - ETPRO CURRENT_EVENTS SunDown/Xer Payload (URL Primer)
(current_events.rules)
  2822602 - ETPRO CURRENT_EVENTS Phishing Landing via Webeden.net (set) Oct
13 (current_events.rules)
  2822923 - ETPRO TROJAN DNS Query to Cerber Domain (gio6f6 . bid)
(trojan.rules)
  2822933 - ETPRO CURRENT_EVENTS Paypal Phishing Landing M1 Oct 26 2016
(current_events.rules)
  2822935 - ETPRO CURRENT_EVENTS Paypal Phishing Landing M2 Oct 26 2016
(current_events.rules)
  2822969 - ETPRO TROJAN Observed Malicious SSL Cert (Shifu CnC)
(trojan.rules)
  2823057 - ETPRO TROJAN Ransomware Domain Detected (TorrentLocker C2)
(trojan.rules)
  2823062 - ETPRO TROJAN DNS Query to Cerber Domain (3do9h1 . bid)
(trojan.rules)
  2823122 - ETPRO TROJAN DNS Query to Cerber Domain (t0su8p . bid)
(trojan.rules)
  2823128 - ETPRO TROJAN DNS Query to Cerber Domain (69ju9u . bid)
(trojan.rules)
  2823276 - ETPRO TROJAN DNS Query to Cerber Domain (51a47u . bid)
(trojan.rules)
  2823281 - ETPRO TROJAN DNS Query to Cerber Domain (v9y6z8 . bid)
(trojan.rules)
  2823284 - ETPRO TROJAN DNS Query to Cerber Domain (j5spvw . bid)
(trojan.rules)
  2823294 - ETPRO TROJAN DNS Query to Cerber Domain (1pr9as . top)
(trojan.rules)
  2823340 - ETPRO TROJAN Zloader CnC SSL Cert (trojan.rules)
  2823341 - ETPRO TROJAN Ransomware/Princess Onion Domain Lookup
(trojan.rules)
  2823342 - ETPRO TROJAN Ransomware/Princess Onion Domain Lookup
(trojan.rules)
  2823404 - ETPRO TROJAN Win32/Ranscrape Ransomware Onion Domain Lookup
(trojan.rules)
  2823427 - ETPRO TROJAN DNS Query to Cerber Domain (1p5lyh . top)
(trojan.rules)
  2823444 - ETPRO TROJAN Malicious SSL Certificate Detected (Ursnif
Injects) (trojan.rules)
  2823445 - ETPRO TROJAN Malicious SSL Certificate Detected (Ursnif
Injects) (trojan.rules)
  2823446 - ETPRO TROJAN Malicious SSL Certificate Detected (Ursnif
Injects) (trojan.rules)
  2823453 - ETPRO CURRENT_EVENTS Astrum EK Landing Nov 23 2016 M1
(current_events.rules)
  2823522 - ETPRO TROJAN DNS Query to Cerber Domain (19jmfr . top)
(trojan.rules)
  2823600 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate
Detected (trojan.rules)
  2823602 - ETPRO CURRENT_EVENTS Possible Successful Phish via imcreator.com
/ imxprs.com Dec 02 2016 (current_events.rules)
  2823619 - ETPRO TROJAN DNS Query to Cerber Domain (1k1dxt . top)
(trojan.rules)
  2823634 - ETPRO TROJAN Ransomware Domain Detected (TorrentLocker C2)
(trojan.rules)
  2823658 - ETPRO TROJAN Malicious SSL Certificate Detected (Dreambot)
(trojan.rules)
  2823673 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL)
(trojan.rules)
  2823750 - ETPRO TROJAN Likely Phishing DNS Lookup (Fake MS Service)
(trojan.rules)
  2823846 - ETPRO TROJAN DNS Query to Cerber Domain (g0lpnj . bid)
(trojan.rules)
  2823881 - ETPRO MOBILE_MALWARE Possible Malvertising Redirection for iOS
(mobile_malware.rules)
  2823912 - ETPRO CURRENT_EVENTS Google Drive Phishing Landing Redirect Dec
15 2016 (current_events.rules)
  2824029 - ETPRO TROJAN Observed Malvertising Domain SSL Cert
(trojan.rules)
  2828275 - ETPRO WEB_CLIENT Anonisma Phishing CSS M3 Oct 12 2017
(web_client.rules)
