[***] Summary: [***]

50 new OPEN, 86 new PRO (50 + 36). Ursnif, Async, Various Generic Exfil, Various Phish, Others.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2031882 - ET CURRENT_EVENTS Possible Successful Phish (Google/Dropbox/Netflix) 2015-07-11 (current_events.rules)
2031883 - ET CURRENT_EVENTS Successful Wells Fargo Account Phish 2015-08-14 (current_events.rules)
2031884 - ET CURRENT_EVENTS Successful Outlook Phish 2015-08-18 (current_events.rules)
2031885 - ET CURRENT_EVENTS Successful Key Bank Phish M1 2015-08-20 (current_events.rules)
2031886 - ET CURRENT_EVENTS Successful Key Bank Phish M2 2015-08-20 (current_events.rules)
2031887 - ET CURRENT_EVENTS Successful Wells Fargo/CIBC Bank Phish M1 2015-08-25 (current_events.rules)
2031888 - ET CURRENT_EVENTS Successful Webmail Phish 2015-08-27 (current_events.rules)
2031889 - ET CURRENT_EVENTS Successful Google Drive Phish 2015-09-04 (current_events.rules)
2031890 - ET CURRENT_EVENTS Successful Telstra Phish M2 2015-09-05 (current_events.rules)
2031891 - ET CURRENT_EVENTS Successful Chase Phish 2015-09-23 (current_events.rules)
2031892 - ET CURRENT_EVENTS Successful Shipping Document Phish 2015-09-29 (current_events.rules)
2031893 - ET WEB_CLIENT APT SWC PluginDetect Landing Cookie 2015-10-15 (web_client.rules)
2031894 - ET CURRENT_EVENTS Successful Paypal Phish M2 2015-11-03 (current_events.rules)
2031895 - ET CURRENT_EVENTS Successful Gmail Phish 2015-11-05 (current_events.rules)
2031896 - ET CURRENT_EVENTS Successful Squirrelmail Phishing 2015-11-20 (current_events.rules)
2031897 - ET CURRENT_EVENTS Successful Natwest Bank Phish 2015-11-21 (current_events.rules)
2031898 - ET CURRENT_EVENTS Successful Wells Fargo Phish M1 2015-11-21 (current_events.rules)
2031899 - ET CURRENT_EVENTS Successful Wells Fargo Phish M2 2015-11-21 (current_events.rules)
2031900 - ET CURRENT_EVENTS Successful Outlook Webmail Phishing M2 2015-11-21 (current_events.rules)
2031901 - ET CURRENT_EVENTS Successful Wildblue Phishing M1 2015-11-24 (current_events.rules)
2031902 - ET CURRENT_EVENTS Successful Wildblue Phishing M2 2015-11-24 (current_events.rules)
2031903 - ET CURRENT_EVENTS Successful Xoom Phishing 2015-11-24 (current_events.rules)
2031904 - ET CURRENT_EVENTS Successful Trademe Phish M3 2015-11-26 (current_events.rules)
2031905 - ET CURRENT_EVENTS Successful Excel Online Phish 2015-11-26 (current_events.rules)
2031906 - ET CURRENT_EVENTS Possible Base64 Obfuscated Phishing Landing 2015-11-30 (current_events.rules)
2031907 - ET CURRENT_EVENTS Successful Chase Phish M2 2015-12-01 (current_events.rules)
2031908 - ET CURRENT_EVENTS Successful Anonisma Phish 2015-12-01 (current_events.rules)
2031909 - ET CURRENT_EVENTS Successful Apple Phish M2 2015-12-02 (current_events.rules)
2031910 - ET CURRENT_EVENTS Successful Halifax Bank Phish M1 2015-12-10 (current_events.rules)
2031911 - ET CURRENT_EVENTS Successful Dropbox Phish M2 2015-12-10 (current_events.rules)
2031912 - ET CURRENT_EVENTS Successful US Bank Phish M1 2015-12-22 (current_events.rules)
2031913 - ET CURRENT_EVENTS Successful US Bank Phish M2 2015-12-22 (current_events.rules)
2031914 - ET CURRENT_EVENTS Successful PHOEN!X Apple Phish M1 2015-12-29 (current_events.rules)
2031915 - ET CURRENT_EVENTS Successful Gmail Account Update Phish 2016-05-10 (current_events.rules)
2031916 - ET TROJAN Win32/CopperStealer CnC Activity (trojan.rules)
2031917 - ET INFO Suspicious Glitch Hosted GET Request - Possible Phishing Landing (info.rules)
2031918 - ET INFO Suspicious Glitch Hosted DNS Request - Possible Phishing Landing (info.rules)
2031919 - ET INFO Suspicious Glitch Hosted TLS SNI Request - Possible Phishing Landing (info.rules)
2031920 - ET CURRENT_EVENTS Microsoft Account Phishing Landing 2021-03-10 (current_events.rules)
2031921 - ET CURRENT_EVENTS Generic Redirector Phishing Landing 2021-03-10 (current_events.rules)
2031922 - ET CURRENT_EVENTS Generic Encoded Phishing Landing 2021-03-10 (current_events.rules)
2031923 - ET CURRENT_EVENTS Generic Custom Logo Phishing Landing 2021-03-10 (current_events.rules)
2031924 - ET CURRENT_EVENTS Generic NewInjection Phishing Landing 2021-03-10 (current_events.rules)
2031925 - ET CURRENT_EVENTS Generic NewInjection Phishing Landing 2021-03-10 (current_events.rules)
2031926 - ET TROJAN Win32/CopperStealer CnC Activity M2 (trojan.rules)
2031927 - ET TROJAN Win32/CopperStealer CnC Activity M3 (trojan.rules)
2031928 - ET TROJAN Win32/CopperStealer Installer Started (trojan.rules)
2031929 - ET TROJAN Win32.Raccoon Stealer CnC Domain in TLS SNI (thelegendofberia .top) (trojan.rules)
2031930 - ET TROJAN Win32.Raccoon Stealer CnC Domain in TLS SNI (hitfromthebong .top) (trojan.rules)
2031931 - ET TROJAN Win32.Raccoon Stealer CnC Domain in TLS SNI (autopartslarry .top) (trojan.rules)

Pro:

2847504 - ETPRO MOBILE_MALWARE Android.Trojan.Marcher.AH (TLS SNI) (mobile_malware.rules)
2847505 - ETPRO MOBILE_MALWARE Android.Trojan.Marcher.AH (TLS SNI) 2 (mobile_malware.rules)
2847506 - ETPRO MOBILE_MALWARE Android.Trojan.Marcher.AH (TLS SNI) 3 (mobile_malware.rules)
2847507 - ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.ABD Checkin (mobile_malware.rules)
2847508 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.QZ Checkin (mobile_malware.rules)
2847509 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.QZ Checkin 2 (mobile_malware.rules)
2847510 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.ok (TLS SNI) (mobile_malware.rules)
2847511 - ETPRO INFO Suspicious Filename in Outbound POST Request (Screen_Desktop.jpeg) (info.rules)
2847512 - ETPRO TROJAN Suspicious Filename in Outbound POST Request (AllCookies_list.txt) (trojan.rules)
2847513 - ETPRO TROJAN Suspicious Filename in Outbound POST Request (AllPasswords_list.txt) (trojan.rules)
2847514 - ETPRO TROJAN Suspicious Filename in Outbound POST Request (AllForms_list.txt) (trojan.rules)
2847515 - ETPRO INFO Suspicious Filename in Outbound POST Request (Programms.txt) (info.rules)
2847516 - ETPRO INFO Suspicious Filename in Outbound POST Request (stol.jpg) (info.rules)
2847517 - ETPRO TROJAN Suspicious Filename in Outbound POST Request (ChromiumCookies.txt) (trojan.rules)
2847518 - ETPRO TROJAN Suspicious Filename in Outbound POST Request (GeckoCookies.txt) (trojan.rules)
2847519 - ETPRO INFO Possible System Info Exfil in Outbound POST Request M1 (info.rules)
2847520 - ETPRO INFO Possible System Info Exfil in Outbound POST Request M2 (info.rules)
2847521 - ETPRO INFO Possible System Info Exfil in Outbound POST Request M3 (info.rules)
2847522 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2847523 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2847524 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2847525 - ETPRO USER_AGENTS Suspicious User-Agent (user_agents.rules)
2847526 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2847527 - ETPRO TROJAN MalDoc Requesting Payload 2021-03-10 (trojan.rules)
2847528 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-03-10 1) (trojan.rules)
2847529 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-03-10 2) (trojan.rules)
2847530 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-03-10 3) (trojan.rules)
2847531 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2021-03-10 (current_events.rules)
2847532 - ETPRO CURRENT_EVENTS Successful Bank Triangle Phish 2021-03-10 (current_events.rules)
2847533 - ETPRO CURRENT_EVENTS Successful Sparda Bank Phish 2021-03-10 (current_events.rules)
2847534 - ETPRO CURRENT_EVENTS Successful Docusign Phish 2021-03-10 (current_events.rules)
2847535 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2021-03-10 (current_events.rules)
2847536 - ETPRO CURRENT_EVENTS Successful DHL Phish 2021-03-10 (current_events.rules)
2847537 - ETPRO CURRENT_EVENTS Successful Generic Bank Captcha 000webhostapp Hosted Phish 2021-03-10 (current_events.rules)
2847538 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
2847539 - ETPRO INFO Geolocation Check Redirect from Google (info.rules)

[///] Modified active rules: [///]

2845226 - ETPRO TROJAN Win32/Grimagent CnC Activity (trojan.rules)

[---] Disabled and modified rules: [---]

2807795 - ETPRO TROJAN Win32/Quervar.C Possible NetBIOS Query (KASPERSKY) (trojan.rules)

[---] Removed rules: [---]

2811898 - ETPRO CURRENT_EVENTS Possible Successful Phish (Google/Dropbox/Netflix) Jul 10 2015 (current_events.rules)
2812403 - ETPRO CURRENT_EVENTS Successful Wells Fargo Account Phish Aug 13 2015 (current_events.rules)
2812489 - ETPRO CURRENT_EVENTS Successful Outlook Phish Aug 17 2015 (current_events.rules)
2812533 - ETPRO CURRENT_EVENTS Successful Key Bank Phish M1 Aug 19 2015 (current_events.rules)
2812534 - ETPRO CURRENT_EVENTS Successful Key Bank Phish M2 Aug 19 2015 (current_events.rules)
2812686 - ETPRO CURRENT_EVENTS Successful Wells Fargo/CIBC Bank Phish Aug 25 2015 M1 (current_events.rules)
2812760 - ETPRO CURRENT_EVENTS Successful Webmail Phish Aug 27 2015 (current_events.rules)
2812884 - ETPRO CURRENT_EVENTS Successful Google Drive Phish Sept 3 (current_events.rules)
2812901 - ETPRO CURRENT_EVENTS Successful Telstra Phish M2 Sep 04 2015 (current_events.rules)
2814042 - ETPRO CURRENT_EVENTS Successful Chase Phish Sept 22 2015 (current_events.rules)
2814127 - ETPRO CURRENT_EVENTS Successful Shipping Document Phish Sept 28 2015 (current_events.rules)
2814384 - ETPRO WEB_CLIENT APT SWC PluginDetect Landing Cookie Oct 14 2015 (web_client.rules)
2814715 - ETPRO CURRENT_EVENTS Successful Paypal Phish Nov 3 2015 M2 (current_events.rules)
2814770 - ETPRO CURRENT_EVENTS Successful Gmail Phish Nov 5 (current_events.rules)
2815035 - ETPRO CURRENT_EVENTS Successful Squirrelmail Phishing Nov 19 (current_events.rules)
2815053 - ETPRO CURRENT_EVENTS Successful Natwest Bank Phish Nov 20 (current_events.rules)
2815054 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish Nov 20 M1 (current_events.rules)
2815055 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish Nov 20 M2 (current_events.rules)
2815058 - ETPRO CURRENT_EVENTS Successful Outlook Webmail Phishing Nov 20 M2 (current_events.rules)
2815083 - ETPRO CURRENT_EVENTS Successful Wildblue Phishing Nov 24 M1 (current_events.rules)
2815084 - ETPRO CURRENT_EVENTS Successful Wildblue Phishing Nov 24 M2 (current_events.rules)
2815087 - ETPRO CURRENT_EVENTS Successful Xoom Phishing Nov 24 (current_events.rules)
2815110 - ETPRO CURRENT_EVENTS Successful Trademe Phish Nov 25 M3 (current_events.rules)
2815113 - ETPRO CURRENT_EVENTS Successful Excel Online Phish Nov 25 (current_events.rules)
2815129 - ETPRO CURRENT_EVENTS Possible Base64 Obfuscated Phishing Landing 2015-11-30 (current_events.rules)
2815147 - ETPRO CURRENT_EVENTS Successful Chase Phish Nov 30 M2 (current_events.rules)
2815153 - ETPRO CURRENT_EVENTS Successful Anonisma Phish Nov 30 (current_events.rules)
2815173 - ETPRO CURRENT_EVENTS Successful Apple Phish M2 Dec 2 2015 (current_events.rules)
2815307 - ETPRO CURRENT_EVENTS Successful Halifax Bank Phish Dec 10 M1 (current_events.rules)
2815311 - ETPRO CURRENT_EVENTS Successful Dropbox Phish Dec 10 M2 (current_events.rules)
2815435 - ETPRO CURRENT_EVENTS Successful US Bank Phish Dec 21 M1 (current_events.rules)
2815436 - ETPRO CURRENT_EVENTS Successful US Bank Phish Dec 21 M2 (current_events.rules)
2815501 - ETPRO CURRENT_EVENTS Successful PHOEN!X Apple Phish Dec 28 M1 (current_events.rules)
2820154 - ETPRO CURRENT_EVENTS Successful Gmail Account Update Phish May 10 (current_events.rules)
2839422 - ETPRO TROJAN Win32/CopperStealer CnC Activity (trojan.rules)
2843261 - ETPRO TROJAN Win32/CopperStealer CnC Activity M2 (trojan.rules)
2846546 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.ahnd Checkin (mobile_malware.rules)
2846703 - ETPRO TROJAN Win32/CopperStealer CnC Activity M3 (trojan.rules)
2847002 - ETPRO TROJAN Win32/CopperStealer Installer Started (trojan.rules)

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team