[***] Summary: [***]

65 new OPEN, 96 new PRO (65 + 31). AsyncRAT, Meterpreter, Remcos,
Various Phish, Various rules moved to open, Others.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2031813 - ET CURRENT_EVENTS Successful Mailbox Renew Phish 2015-08-14 (current_events.rules)
2031814 - ET CURRENT_EVENTS Successful Apple ID Phish 2015-08-18 (current_events.rules)
2031815 - ET CURRENT_EVENTS Successful Wells Fargo Account Phish 2015-08-18 (current_events.rules)
2031816 - ET CURRENT_EVENTS Successful Commonwealth Bank Phish 2015-08-20 (current_events.rules)
2031817 - ET CURRENT_EVENTS Successful Amazon Account Phish M3 2015-08-21 (current_events.rules)
2031818 - ET CURRENT_EVENTS Successful Impots.gouv.fr Phish M1 2015-08-21 (current_events.rules)
2031819 - ET CURRENT_EVENTS Successful Impots.gouv.fr Phish M2 2015-08-21 (current_events.rules)
2031820 - ET CURRENT_EVENTS Successful OWA Account Phish 2015-08-21 (current_events.rules)
2031821 - ET CURRENT_EVENTS Successful Horde Webmail Phish 2015-08-21 (current_events.rules)
2031822 - ET CURRENT_EVENTS Successful Facebook Phish 2015-08-27 (current_events.rules)
2031823 - ET CURRENT_EVENTS Successful Woodforest Bank Phish M1 2015-08-31 (current_events.rules)
2031824 - ET CURRENT_EVENTS Successful SFR Account Phish 2015-09-01 (current_events.rules)
2031825 - ET CURRENT_EVENTS Successful Generic Phish - Phone Number 2015-09-02 (current_events.rules)
2031826 - ET CURRENT_EVENTS Successful Google Drive Phish Sept 1 M2 2015-09-02 (current_events.rules)
2031827 - ET CURRENT_EVENTS Successful Webmail Account Phish 2015-09-02 (current_events.rules)
2031828 - ET CURRENT_EVENTS Successful Telstra Phish M1 2015-09-05 (current_events.rules)
2031829 - ET CURRENT_EVENTS Successful USAA Phish 2015-09-05 (current_events.rules)
2031830 - ET CURRENT_EVENTS Successful ViewDocsOnline Phish 2015-09-15 (current_events.rules)
2031831 - ET CURRENT_EVENTS Successful LinkedIn Phish 2015-09-17 (current_events.rules)
2031832 - ET CURRENT_EVENTS Successful DHL Phish 2015-09-17 (current_events.rules)
2031833 - ET CURRENT_EVENTS Successful Google Drive Phish 2015-09-22 (current_events.rules)
2031834 - ET CURRENT_EVENTS Successful DHL Phish 2015-09-30 (current_events.rules)
2031835 - ET CURRENT_EVENTS Successful Phish Gmail Recovery Information 2015-10-01 (current_events.rules)
2031836 - ET CURRENT_EVENTS Successful Mailbox Update Credential Phish 2015-10-02 (current_events.rules)
2031837 - ET CURRENT_EVENTS Successful Generic Credential Phish 2015-10-03 (current_events.rules)
2031838 - ET CURRENT_EVENTS Successful Webmail Update Phish 2015-10-08 (current_events.rules)
2031839 - ET CURRENT_EVENTS Successful Samsung Portal Phish 2015-10-13 (current_events.rules)
2031840 - ET CURRENT_EVENTS Successful Paypal Account Phish 2015-10-16 (current_events.rules)
2031841 - ET CURRENT_EVENTS Successful USAA Phish 2015-10-20 (current_events.rules)
2031842 - ET CURRENT_EVENTS Successful Zimbra Account Phish 2015-10-23 (current_events.rules)
2031843 - ET CURRENT_EVENTS Successful Paypal Phish 2015-10-23 (current_events.rules)
2031844 - ET CURRENT_EVENTS Successful Paypal Phish 2015-10-23 (current_events.rules)
2031845 - ET CURRENT_EVENTS Successful Paypal Phish 2015-10-23 (current_events.rules)
2031846 - ET CURRENT_EVENTS Successful Paypal Phish 2015-10-23 (current_events.rules)
2031847 - ET CURRENT_EVENTS Successful Docusign Phish 2015-10-28 (current_events.rules)
2031848 - ET CURRENT_EVENTS Successful IBC Bank Phish 2015-10-29 (current_events.rules)
2031849 - ET CURRENT_EVENTS Successful Zimbra Phish 2015-10-30 (current_events.rules)
2031850 - ET CURRENT_EVENTS Successful NatWest Bank Phish 2015-11-03 (current_events.rules)
2031851 - ET CURRENT_EVENTS Successful Chase Phish 2015-11-03 (current_events.rules)
2031852 - ET CURRENT_EVENTS Successful Dropbox Phish 2015-11-04 (current_events.rules)
2031853 - ET CURRENT_EVENTS Successful UPS Phish 2015-11-05 (current_events.rules)
2031854 - ET CURRENT_EVENTS Successful LCL Bank Phish 2015-11-05 (current_events.rules)
2031855 - ET CURRENT_EVENTS Successful Bank of America Phish 2015-11-06 (current_events.rules)
2031856 - ET CURRENT_EVENTS Successful DHL Phish 2015-11-14 (current_events.rules)
2031857 - ET CURRENT_EVENTS Successful Tradekey Phish 2015-11-19 (current_events.rules)
2031858 - ET CURRENT_EVENTS Successful Hinet Phish 2015-11-19 (current_events.rules)
2031859 - ET CURRENT_EVENTS Successful Excel Online Phish 2015-12-08 (current_events.rules)
2031860 - ET CURRENT_EVENTS Successful Paypal Phish 2015-12-08 M3 (current_events.rules)
2031861 - ET WEB_CLIENT Anonisma Paypal Phishing Uri Structure 2015-12-29 (web_client.rules)
2031863 - ET CURRENT_EVENTS Successful Generic L33bo Phish - URI Contents (set) (current_events.rules)
2031864 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2017-12-19 (current_events.rules)
2031865 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2017-12-20 (current_events.rules)
2031866 - ET CURRENT_EVENTS Successful Generic Phish 2018-02-26 (set) (current_events.rules)
2031867 - ET CURRENT_EVENTS Successful Generic Phish (set) 2018-03-08 (current_events.rules)
2031868 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2019-01-30 (current_events.rules)
2031869 - ET CURRENT_EVENTS Successful Generic Phish (set) 2019-05-14 (current_events.rules)
2031870 - ET CURRENT_EVENTS Successful Generic Phish (set) 2019-07-09 (current_events.rules)
2031871 - ET CURRENT_EVENTS Successful Generic Phish (set) 2020-08-07 (current_events.rules)
2031872 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2020-09-03 (current_events.rules)
2031873 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2020-09-29 (current_events.rules)
2031874 - ET CURRENT_EVENTS Generic Credential Phish 2020-07-27 (set) (current_events.rules)
2031875 - ET ACTIVEX Possible Successful Generic Phish (set) 2021-03-08 (activex.rules)
2031876 - ET TROJAN Win32.Raccoon Stealer CnC Domain in TLS SNI (thereisnoscheme .top) (trojan.rules)
2031877 - ET TROJAN Win32.Raccoon Stealer CnC Domain in TLS SNI (nyqualitypizza .top) (trojan.rules)
2031878 - ET GAMES GameHouse License Check (games.rules)

Pro:

2847451 - ETPRO TROJAN Observed Malicious SSL Cert (Meterpreter) (trojan.rules)
2847452 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2847453 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2847454 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2847455 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2847456 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2847457 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2847458 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2847459 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-03-05 1) (trojan.rules)
2847460 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-03-05 2) (trojan.rules)
2847461 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-03-05 3) (trojan.rules)
2847462 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-03-05 4) (trojan.rules)
2847463 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-03-05 5) (trojan.rules)
2847464 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-03-05 6) (trojan.rules)
2847465 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-03-05 7) (trojan.rules)
2847466 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-03-05 8) (trojan.rules)
2847467 - ETPRO CURRENT_EVENTS Successful Royal Mail Phish 2021-03-08 (current_events.rules)
2847468 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2021-03-08 (current_events.rules)
2847469 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-03-06 1) (trojan.rules)
2847470 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-03-06 2) (trojan.rules)
2847471 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-03-06 3) (trojan.rules)
2847472 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-03-06 4) (trojan.rules)
2847473 - ETPRO CURRENT_EVENTS Successful WOW ISP Phish 2021-03-08 (current_events.rules)
2847474 - ETPRO CURRENT_EVENTS Successful DHL Phish 2021-03-08 (current_events.rules)
2847475 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2021-03-08 (current_events.rules)
2847476 - ETPRO CURRENT_EVENTS Successful DHL Phish 2021-03-08 (current_events.rules)
2847477 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2021-03-08 (current_events.rules)
2847478 - ETPRO CURRENT_EVENTS Successful Excel Online Phish 2021-03-08 (current_events.rules)
2847479 - ETPRO TROJAN Win32/Remcos RAT Checkin 686 (trojan.rules)
2847480 - ETPRO TROJAN Win32/Remcos RAT Checkin 687 (trojan.rules)
2847481 - ETPRO TROJAN Win32/Remcos RAT Checkin 688 (trojan.rules)

[///] Modified active rules: [///]

2017609 - ET WEB_SERVER PHP WebShell Embedded In PNG (INBOUND) (web_server.rules)
2024199 - ET CURRENT_EVENTS EITest SocENG Inject M2 (current_events.rules)
2024386 - ET CURRENT_EVENTS Possible Google Docs Phishing Landing - Title over non SSL (current_events.rules)
2024388 - ET CURRENT_EVENTS Possible Dropbox Phishing Landing - Title over non SSL (current_events.rules)
2025986 - ET INFO MP3 with ID3 in HTTP Flowbit Set (info.rules)
2029336 - ET TROJAN Mimikatz x86 Mimidrv.sys Download Over HTTP (trojan.rules)
2029337 - ET TROJAN Mimikatz x64 Mimidrv.sys Download Over HTTP (trojan.rules)
2031533 - ET MALWARE VilnyNet VPN Install Started (malware.rules)
2800858 - ETPRO EXPLOIT Adobe Acrobat Reader ACE.dll ICC mluc Integer Overflow (exploit.rules)
2806402 - ETPRO TROJAN TrojanDownloader Win32/Frethog.E (Response 2) (trojan.rules)
2823391 - ETPRO TROJAN Possible CobaltStrike Shellcode over HTTP (trojan.rules)
2826343 - ETPRO TROJAN XSLT/XML Raw Binary Executable Inbound (trojan.rules)
2826527 - ETPRO CURRENT_EVENTS Successful Bank of America Phish May 25 2017 (current_events.rules)
2826972 - ETPRO CURRENT_EVENTS Successful OWA Mail Phish - POST to Title over non SSL (current_events.rules)

[---] Disabled and modified rules: [---]

2014651 - ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow 2 (activex.rules)
2015849 - ET CURRENT_EVENTS Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12 (current_events.rules)
2805428 - ETPRO WEB_CLIENT Adobe Reader Free Text Annotation With Invalid Intent 4 (web_client.rules)
2805783 - ETPRO WEB_CLIENT Win32k TrueType Font Parsing Vulnerability SearchRange (web_client.rules)
2806115 - ETPRO WEB_CLIENT Microsoft Internet Explorer onBeforeCopy Use After Free (web_client.rules)
2807511 - ETPRO WEB_CLIENT PDF use after free (CVE-2014-0496) 1 (web_client.rules)
2808545 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4063 (web_client.rules)

[---] Disabled rules: [---]

2015979 - ET CURRENT_EVENTS CritXPack - Landing Page (current_events.rules)
2024974 - ET WEB_CLIENT pshell dl/execute primitives in wideb64 4 (web_client.rules)

[---] Removed rules: [---]

2812401 - ETPRO CURRENT_EVENTS Successful Mailbox Renew Phish Aug 13 2015 (current_events.rules)
2812493 - ETPRO CURRENT_EVENTS Successful Apple ID Phish Aug 17 2015 (current_events.rules)
2812494 - ETPRO CURRENT_EVENTS Successful Wells Fargo Account Phish Aug 17 2015 (current_events.rules)
2812536 - ETPRO CURRENT_EVENTS Successful Commonwealth Bank Phish Aug 19 2015 (current_events.rules)
2812548 - ETPRO CURRENT_EVENTS Successful Amazon Account Phish M3 Aug 20 2015 (current_events.rules)
2812559 - ETPRO CURRENT_EVENTS Successful Impots.gouv.fr Phish M1 Aug 20 2015 (current_events.rules)
2812600 - ETPRO CURRENT_EVENTS Successful Impots.gouv.fr Phish M2 Aug 20 2015 (current_events.rules)
2812601 - ETPRO CURRENT_EVENTS Successful OWA Account Phish Aug 20 2015 (current_events.rules)
2812606 - ETPRO CURRENT_EVENTS Successful Horde Webmail Phish Aug 21 2015 (current_events.rules)
2812759 - ETPRO CURRENT_EVENTS Successful Facebook Phish Aug 27 2015 (current_events.rules)
2812797 - ETPRO CURRENT_EVENTS Successful Woodforest Bank Phish M1 Aug 28 2015 (current_events.rules)
2812829 - ETPRO CURRENT_EVENTS Successful SFR Account Phish Aug 31 (current_events.rules)
2812831 - ETPRO CURRENT_EVENTS Successful Generic Phish - Phone Number Aug 11 (current_events.rules)
2812834 - ETPRO CURRENT_EVENTS Successful Google Drive Phish Sept 1 M2 (current_events.rules)
2812835 - ETPRO CURRENT_EVENTS Successful Webmail Account Phish Sept 1 (current_events.rules)
2812900 - ETPRO CURRENT_EVENTS Successful Telstra Phish M1 Sept 04 2015 (current_events.rules)
2812902 - ETPRO CURRENT_EVENTS Successful USAA Phish Sept 4 (current_events.rules)
2813011 - ETPRO CURRENT_EVENTS Successful ViewDocsOnline Phish Sept 14 (current_events.rules)
2813041 - ETPRO CURRENT_EVENTS Successful LinkedIn Phish Sept 16 (current_events.rules)
2813042 - ETPRO CURRENT_EVENTS Successful DHL Phish Sept 16 2015 (current_events.rules)
2814004 - ETPRO CURRENT_EVENTS Successful Google Drive Phish Sept 21 (current_events.rules)
2814151 - ETPRO CURRENT_EVENTS Successful DHL Phish Sept 29 2015 (current_events.rules)
2814185 - ETPRO CURRENT_EVENTS Successful Phish Gmail Recovery Information Oct 1 (current_events.rules)
2814202 - ETPRO CURRENT_EVENTS Successful Mailbox Update Credential Phish Oct 1 (current_events.rules)
2814206 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish Oct 2 (current_events.rules)
2814284 - ETPRO CURRENT_EVENTS Successful Webmail Update Phish Oct 8 (current_events.rules)
2814333 - ETPRO CURRENT_EVENTS Successful Samsung Portal Phish Oct 12 1 (current_events.rules)
2814395 - ETPRO CURRENT_EVENTS Successful Paypal Account Phish Oct 15 2 (current_events.rules)
2814437 - ETPRO CURRENT_EVENTS Successful USAA Phish Oct 20 2 (current_events.rules)
2814532 - ETPRO CURRENT_EVENTS Successful Zimbra Account Phish Oct 22 (current_events.rules)
2814551 - ETPRO CURRENT_EVENTS Successful Paypal Phish Oct 23 1 (current_events.rules)
2814552 - ETPRO CURRENT_EVENTS Successful Paypal Phish Oct 23 2 (current_events.rules)
2814553 - ETPRO CURRENT_EVENTS Successful Paypal Phish Oct 23 3 (current_events.rules)
2814554 - ETPRO CURRENT_EVENTS Successful Paypal Phish Oct 23 4 (current_events.rules)
2814616 - ETPRO CURRENT_EVENTS Successful Docusign Phish Oct 27 (current_events.rules)
2814644 - ETPRO CURRENT_EVENTS Successful IBC Bank Phish Oct 28 (current_events.rules)
2814662 - ETPRO CURRENT_EVENTS Successful Zimbra Phish Oct 29 (current_events.rules)
2814698 - ETPRO CURRENT_EVENTS Successful NatWest Bank Phish Nov 2 2 (current_events.rules)
2814699 - ETPRO CURRENT_EVENTS Successful Chase Phish Nov 2 1 (current_events.rules)
2814726 - ETPRO CURRENT_EVENTS Successful Dropbox Phish Nov 3 (current_events.rules)
2814740 - ETPRO CURRENT_EVENTS Successful UPS Phish Nov 4 (current_events.rules)
2814771 - ETPRO CURRENT_EVENTS Successful LCL Bank Phish Nov 5 (current_events.rules)
2814783 - ETPRO CURRENT_EVENTS Successful Bank of America Phish Nov 6 2015 (current_events.rules)
2814917 - ETPRO CURRENT_EVENTS Successful DHL Phish Nov 13 2015 (current_events.rules)
2814998 - ETPRO CURRENT_EVENTS Successful Tradekey Phish Nov 18 (current_events.rules)
2814999 - ETPRO CURRENT_EVENTS Successful Hinet Phish Nov 18 (current_events.rules)
2815247 - ETPRO CURRENT_EVENTS Successful Excel Online Phish 2015-12-08 (current_events.rules)
2815249 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2015-12-08 M3 (current_events.rules)
2815499 - ETPRO WEB_CLIENT Anonisma Paypal Phishing Uri Structure Dec 28 2015 (web_client.rules)
2828889 - ETPRO CURRENT_EVENTS Successful Generic L33bo Phish - URI Contents (set) (current_events.rules)
2828991 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish (set) 2017-12-19 (current_events.rules)
2829006 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish (set) 2017-12-20 (current_events.rules)
2829802 - ETPRO CURRENT_EVENTS Successful Generic Phish 2018-02-26 (set) (current_events.rules)
2829932 - ETPRO CURRENT_EVENTS Successful Generic Phish (set) 2018-03-08 (current_events.rules)
2834655 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish (set) 2019-01-30 (current_events.rules)
2836309 - ETPRO CURRENT_EVENTS Successful Generic Phish (set) 2019-05-14 (current_events.rules)
2837345 - ETPRO CURRENT_EVENTS Successful Generic Phish (set) 2019-07-09 (current_events.rules)
2843704 - ETPRO CURRENT_EVENTS Generic Credential Phish 2020-07-27 (set) (current_events.rules)
2843912 - ETPRO CURRENT_EVENTS Successful Generic Phish (set) 2020-08-07 (current_events.rules)
2844273 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish (set) 2020-09-03 (current_events.rules)
2844692 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish (set) 2020-09-29 (current_events.rules)

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team