[***] Summary: [***]
20 new OPEN, 54 new PRO (20 + 34). Android/Clicker.JV, AsyncRAT,
DCRAT, Unicorn Stealer, Remcos, Various Phish.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031561 - ET CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M5 (current_events.rules)
2031562 - ET EXPLOIT Zimbra <8.8.11 - XML External Entity Injection/SSRF Attempt (CVE-2019-9621) (exploit.rules)
2031563 - ET EXPLOIT PHP-CGI Query String Parameter Vuln Inbound (CVE-2012-2311) (exploit.rules)
2031564 - ET CURRENT_EVENTS Possible Successful Credential Phish Oct 1 2015 (current_events.rules)
2031565 - ET CURRENT_EVENTS Successful Paypal Phish M1 Dec 8 2015 (current_events.rules)
2031566 - ET CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing (current_events.rules)
2031567 - ET WEB_CLIENT Suspicious Redirect - Possible Phishing May 25 2016 (web_client.rules)
2031568 - ET CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M3 (current_events.rules)
2031569 - ET CURRENT_EVENTS Successful Dynamic Folder Phishing Oct 06 2016 (current_events.rules)
2031570 - ET CURRENT_EVENTS Successful Dynamic Folder Phish Oct 07 2016 (current_events.rules)
2031571 - ET CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M4 (current_events.rules)
2031572 - ET CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M6 (current_events.rules)
2031573 - ET CURRENT_EVENTS Successful Chase Phish Dec 29 2016 (current_events.rules)
2031574 - ET CURRENT_EVENTS Successful Generic Phish (Meta HTTP-Equiv Refresh) Dec 29 2016 (current_events.rules)
2031575 - ET CURRENT_EVENTS Successful Chase Phish M1 Aug 15 2017 (current_events.rules)
2031576 - ET CURRENT_EVENTS Successful Paypal Phish M1 Sep 15 2017 (current_events.rules)
2031577 - ET CURRENT_EVENTS Successful Paypal Phish M2 Sep 15 2017 (current_events.rules)
2031578 - ET CURRENT_EVENTS Generic 302 Redirect to Phishing Landing (current_events.rules)
2031579 - ET CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M7 (current_events.rules)
2031581 - ET INFO HTTP POST Request to DuckDNS Domain (info.rules)
Pro:
2846774 - ETPRO MOBILE_MALWARE Android/Clicker.JV Checkin (mobile_malware.rules)
2846775 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2846776 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2846777 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2846778 - ETPRO TROJAN Observed Possible Malicious SSL Cert (AsyncRAT) (trojan.rules)
2846779 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-01-26 1) (trojan.rules)
2846780 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-01-26 2) (trojan.rules)
2846781 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-01-26 3) (trojan.rules)
2846782 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-01-26 4) (trojan.rules)
2846783 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-01-26 5) (trojan.rules)
2846784 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-01-26 6) (trojan.rules)
2846785 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-01-26 7) (trojan.rules)
2846786 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-01-26 8) (trojan.rules)
2846787 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-01-26 9) (trojan.rules)
2846788 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-01-26 10) (trojan.rules)
2846789 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-01-26 11) (trojan.rules)
2846790 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-01-26 12) (trojan.rules)
2846791 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-01-26 13) (trojan.rules)
2846792 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-01-26 14) (trojan.rules)
2846793 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-01-26 15) (trojan.rules)
2846794 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-01-26 16) (trojan.rules)
2846795 - ETPRO CURRENT_EVENTS Successful Desjardins Phish 2021-01-27 (current_events.rules)
2846796 - ETPRO CURRENT_EVENTS Successful Desjardins Phish 2021-01-27 (current_events.rules)
2846797 - ETPRO TROJAN Win32/Jacard Variant CnC Activity (trojan.rules)
2846798 - ETPRO TROJAN Observed Unicorn Stealer CnC Domain in TLS SNI (trojan.rules)
2846799 - ETPRO TROJAN Unicorn Stealer CnC Activity M2 (trojan.rules)
2846800 - ETPRO TROJAN DCRat Initial Checkin Server Response M3 (trojan.rules)
2846801 - ETPRO TROJAN Win32/Remcos RAT Checkin 662 (trojan.rules)
2846802 - ETPRO TROJAN Win32/Remcos RAT Checkin 663 (trojan.rules)
2846803 - ETPRO TROJAN Win32/Remcos RAT Checkin 664 (trojan.rules)
2846804 - ETPRO TROJAN Win32/Remcos RAT Checkin 665 (trojan.rules)
2846806 - ETPRO INFO Terse Download PsExec (info.rules)
2846807 - ETPRO INFO Terse Download PaExec (info.rules)
[///] Modified active rules: [///]
2025713 - ET POLICY SMB2 Remote AT Scheduled Job Create Request (policy.rules)
[---] Removed rules: [---]
2814201 - ETPRO CURRENT_EVENTS Possible Successful Credential Phish Oct 1 2015 (current_events.rules)
2815245 - ETPRO CURRENT_EVENTS Successful Paypal Phish M1 Dec 8 2015 (current_events.rules)
2815469 - ETPRO CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing (current_events.rules)
2820350 - ETPRO WEB_CLIENT Suspicious Redirect - Possible Phishing May 25 2016 (web_client.rules)
2820696 - ETPRO CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M3 (current_events.rules)
2822458 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phishing Oct 06 2016 (current_events.rules)
2822492 - ETPRO CURRENT_EVENTS Successful Dynamic Folder Phish Oct 07 2016 (current_events.rules)
2823399 - ETPRO CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M4 (current_events.rules)
2823485 - ETPRO CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M5 (current_events.rules)
2823491 - ETPRO CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M6 (current_events.rules)
2824126 - ETPRO CURRENT_EVENTS Successful Chase Phish Dec 29 2016 (current_events.rules)
2824134 - ETPRO CURRENT_EVENTS Successful Generic Phish (Meta HTTP-Equiv Refresh) Dec 29 2016 (current_events.rules)
2827535 - ETPRO CURRENT_EVENTS Successful Chase Phish M1 Aug 15 2017 (current_events.rules)
2827969 - ETPRO CURRENT_EVENTS Successful Paypal Phish M1 Sep 15 2017 (current_events.rules)
2827970 - ETPRO CURRENT_EVENTS Successful Paypal Phish M2 Sep 15 2017 (current_events.rules)
2838038 - ETPRO CURRENT_EVENTS Generic 302 Redirect to Phishing Landing (current_events.rules)
2840754 - ETPRO CURRENT_EVENTS Terse POST to Wordpress Folder - Probable Successful Phishing M7 (current_events.rules)
2843518 - ETPRO INFO HTTP POST Request to DuckDNS Domain (info.rules)