[***] Summary: [***]

52 new OPEN, 81 new PRO (52 + 29). PlugX/Korplug, ShadowPad,
Raccoon Stealer, HydraRAT, Various Phish, Others.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2031952 - ET CURRENT_EVENTS Successful WZ-REKLAMA Phish 2016-01-08
(current_events.rules)
2031953 - ET CURRENT_EVENTS Successful Adobe Phish M3 2016-07-11
(current_events.rules)
2031954 - ET CURRENT_EVENTS Email Account Exceeded Quota Phishing
Landing 2016-07-11 (current_events.rules)
2031955 - ET INFO Base64 Data URI Javascript Refresh - Possible
Phishing Landing (info.rules)
2031956 - ET CURRENT_EVENTS Wells Fargo Phishing Landing 2016-01-07
(current_events.rules)
2031957 - ET CURRENT_EVENTS Successful Wells Fargo Phish Loading
Page 2016-01-07 (current_events.rules)
2031958 - ET CURRENT_EVENTS IRS Phishing Landing 2016-01-15
(current_events.rules)
2031959 - ET CURRENT_EVENTS Webmail Update Phishing Landing
2016-01-15 (current_events.rules)
2031960 - ET CURRENT_EVENTS Successful Paypal Phish M1 2016-01-19
(current_events.rules)
2031961 - ET CURRENT_EVENTS Successful Paypal Phish 2016-01-15 M2
(current_events.rules)
2031962 - ET CURRENT_EVENTS Successful Paypal Phish 2016-01-15 M3
(current_events.rules)
2031963 - ET CURRENT_EVENTS Phishing Landing via Webeden.co.uk (set)
2016-01-22 (current_events.rules)
2031964 - ET CURRENT_EVENTS Phishing Landing via Webeden.co.uk M1
2016-01-22 (current_events.rules)
2031965 - ET CURRENT_EVENTS Canada Revenue Agency Phishing Landing
2016-01-25 (current_events.rules)
2031966 - ET CURRENT_EVENTS Navy Federal Credit Union Phishing
Landing 2016-01-30 (current_events.rules)
2031967 - ET CURRENT_EVENTS USPS Phishing Landing 2016-02-10
(current_events.rules)
2031968 - ET CURRENT_EVENTS Successful Mailbox Update Phish
2016-02-17 M2 (current_events.rules)
2031969 - ET CURRENT_EVENTS Google Maps Phishing Landing 2016-02-17
(current_events.rules)
2031970 - ET CURRENT_EVENTS Possible Phishing Landing - Data URI
Inline Javascript 2016-02-09 (current_events.rules)
2031971 - ET CURRENT_EVENTS USAA Phishing Landing 2016-02-26
(current_events.rules)
2031972 - ET CURRENT_EVENTS Successful Apple Phishing 2016-03-01 M3
(current_events.rules)
2031973 - ET CURRENT_EVENTS Apple Phishing Landing 2016-03-01 M2
(current_events.rules)
2031974 - ET CURRENT_EVENTS Apple Phishing Landing 2016-03-01 M3
(current_events.rules)
2031975 - ET CURRENT_EVENTS Successful Apple Phishing 2016-03-01 M5
(current_events.rules)
2031976 - ET CURRENT_EVENTS Phishing Landing via MyFreeSites.com
(set) 2016-03-31 (current_events.rules)
2031977 - ET CURRENT_EVENTS Phishing Landing via MyFreeSites.com M2
2016-03-31 (current_events.rules)
2031978 - ET CURRENT_EVENTS Phishing Landing via Tripod.com M1
2016-03-31 (current_events.rules)
2031979 - ET CURRENT_EVENTS Phishing Landing via Tripod.com M2
2016-03-31 (current_events.rules)
2031980 - ET CURRENT_EVENTS Possible Successful Tripod.com Phish
2016-03-31 (current_events.rules)
2031981 - ET CURRENT_EVENTS OWA Phishing Landing 2016-04-04 M2
(current_events.rules)
2031982 - ET CURRENT_EVENTS Email System Manager Phishing Landing
2016-04-12 (current_events.rules)
2031983 - ET CURRENT_EVENTS Adobe Online Document Phishing Landing
M1 2016-04-25 (current_events.rules)
2031984 - ET CURRENT_EVENTS Adobe Online Document Phishing Landing
M2 2016-04-25 (current_events.rules)
2031985 - ET CURRENT_EVENTS Successful Adobe Online Document Phish
2016-04-25 (current_events.rules)
2031986 - ET CURRENT_EVENTS Successful Craigslist Phish 2016-04-25
(current_events.rules)
2031987 - ET CURRENT_EVENTS Successful Citizenbank Phish 2016-05-24
M1 (current_events.rules)
2031988 - ET CURRENT_EVENTS Successful Citizenbank Phish 2016-05-24
M2 (current_events.rules)
2031989 - ET CURRENT_EVENTS Phishing Fake Mailbox Quota Increase
Messages 2016-05-25 (current_events.rules)
2031990 - ET CURRENT_EVENTS Suspicious File Download Post-Phishing
2016-05-25 (current_events.rules)
2031991 - ET CURRENT_EVENTS Successful Paypal Phish 2016-05-26
(current_events.rules)
2031992 - ET CURRENT_EVENTS Avast Phishing Landing 2016-06-02
(current_events.rules)
2031993 - ET CURRENT_EVENTS Generic Email Login Phishing Landing
2016-06-02 (current_events.rules)
2031994 - ET CURRENT_EVENTS DrSpam Phishing Landing 2016-06-08
(current_events.rules)
2031995 - ET CURRENT_EVENTS DrSpam Phishing Landing CSS 2016-06-08
(current_events.rules)
2031996 - ET CURRENT_EVENTS Successful DrSpam Phish 2016-06-08 M1
(current_events.rules)
2031997 - ET CURRENT_EVENTS Successful DrSpam Phish 2016-06-08 M2
(current_events.rules)
2031998 - ET CURRENT_EVENTS DHL Phishing Landing 2016-07-11
(current_events.rules)
2031999 - ET TROJAN Win32.Raccoon Stealer CnC Domain in TLS SNI
(pleaseletmesleep .fun) (trojan.rules)
2032000 - ET TROJAN Win32.Raccoon Stealer CnC Domain in TLS SNI
(return2monkey .fun) (trojan.rules)
2032001 - ET TROJAN PlugX/Korplug CnC Activity (trojan.rules)
2032002 - ET TROJAN ShadowPad CnC Domain in DNS Lookup (ns .rtechs
.org) (trojan.rules)
2032003 - ET TROJAN ShadowPad CnC Domain in DNS Lookup (soft
.mssysinfo .xyz) (trojan.rules)

Pro:

2847554 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2847555 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2847556 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2847557 - ETPRO TROJAN Observed Malicious SSL Cert (OrcusRAT) (trojan.rules)
2847558 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-12 1) (trojan.rules)
2847559 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-12 2) (trojan.rules)
2847560 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-12 3) (trojan.rules)
2847561 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-12 4) (trojan.rules)
2847562 - ETPRO CURRENT_EVENTS Successful ATT Phish 2021-03-12
(current_events.rules)
2847563 - ETPRO CURRENT_EVENTS Successful MyBell CA Phish 2021-03-12
(current_events.rules)
2847564 - ETPRO CURRENT_EVENTS Successful MyBell CA Phish 2021-03-12
(current_events.rules)
2847565 - ETPRO CURRENT_EVENTS Successful BRED Banque FR Phish
2021-03-12 (current_events.rules)
2847566 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2021-03-12
(current_events.rules)
2847567 - ETPRO CURRENT_EVENTS Successful Navy Federal Credit Union
Phish 2021-03-12 (current_events.rules)
2847568 - ETPRO CURRENT_EVENTS Successful Generic Credit Card
Information Phish 2021-03-12 (current_events.rules)
2847569 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2021-03-12
(current_events.rules)
2847570 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2021-03-12 (current_events.rules)
2847571 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2021-03-12 (current_events.rules)
2847572 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish
2021-03-12 (current_events.rules)
2847573 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2021-03-12
(current_events.rules)
2847574 - ETPRO CURRENT_EVENTS Successful RBC Royal Bank Phish
2021-03-12 (current_events.rules)
2847575 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2021-03-12
(current_events.rules)
2847576 - ETPRO CURRENT_EVENTS Successful Commonwealth Bank Phish
2021-03-12 (current_events.rules)
2847577 - ETPRO CURRENT_EVENTS Successful Paxful Phish 2021-03-12
(current_events.rules)
2847578 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2021-03-12
(current_events.rules)
2847579 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2021-03-12
(current_events.rules)
2847580 - ETPRO TROJAN Win32/Remcos RAT Checkin 689 (trojan.rules)
2847581 - ETPRO TROJAN Win32/Remcos RAT Checkin 690 (trojan.rules)
2847582 - ETPRO TROJAN HydraRAT CnC Checkin (trojan.rules)

[///] Modified active rules: [///]

2031926 - ET TROJAN Win32/CopperStealer CnC Activity M2 (trojan.rules)

[---] Removed rules: [---]

2815638 - ETPRO CURRENT_EVENTS Successful WZ-REKLAMA Phish Jan 6
(current_events.rules)
2815649 - ETPRO CURRENT_EVENTS Wells Fargo Phishing Landing
2016-01-07 (current_events.rules)
2815650 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish Loading
Page 2016-01-07 (current_events.rules)
2815799 - ETPRO CURRENT_EVENTS IRS Phishing Landing Jan 15
(current_events.rules)
2815802 - ETPRO CURRENT_EVENTS Webmail Update Phishing Landing
2016-01-15 (current_events.rules)
2815832 - ETPRO CURRENT_EVENTS Successful Paypal Phish Jan 15 M1
(current_events.rules)
2815833 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2016-01-15 M2
(current_events.rules)
2815834 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2016-01-15 M3
(current_events.rules)
2815904 - ETPRO CURRENT_EVENTS Phishing Landing via Webeden.co.uk
(set) 2016-01-22 (current_events.rules)
2815905 - ETPRO CURRENT_EVENTS Phishing Landing via Webeden.co.uk
Jan 22 M1 (current_events.rules)
2815933 - ETPRO CURRENT_EVENTS Canada Revenue Agency Phishing
Landing Jan 22 (current_events.rules)
2816013 - ETPRO CURRENT_EVENTS Navy Federal Credit Union Phishing
Landing 2016-01-30 (current_events.rules)
2816191 - ETPRO CURRENT_EVENTS USPS Phishing Landing 2016-02-10
(current_events.rules)
2816285 - ETPRO CURRENT_EVENTS Successful Mailbox Update Phish
2016-02-17 M2 (current_events.rules)
2816289 - ETPRO CURRENT_EVENTS Google Maps Phishing Landing
2016-02-17 (current_events.rules)
2816292 - ETPRO CURRENT_EVENTS Possible Phishing Landing - Data URI
Inline Javascript 2016-02-09 (current_events.rules)
2816421 - ETPRO CURRENT_EVENTS USAA Phishing Landing 2016-02-26
(current_events.rules)
2816453 - ETPRO CURRENT_EVENTS Successful Apple Phishing 2016-03-01
M3 (current_events.rules)
2816456 - ETPRO CURRENT_EVENTS Apple Phishing Landing 2016-03-01 M2
(current_events.rules)
2816457 - ETPRO CURRENT_EVENTS Apple Phishing Landing 2016-03-01 M3
(current_events.rules)
2816458 - ETPRO CURRENT_EVENTS Successful Apple Phishing 2016-03-01
M5 (current_events.rules)
2816839 - ETPRO CURRENT_EVENTS Phishing Landing via MyFreeSites.com
(set) Mar 31 (current_events.rules)
2816841 - ETPRO CURRENT_EVENTS Phishing Landing via MyFreeSites.com
Mar 31 M2 (current_events.rules)
2816850 - ETPRO CURRENT_EVENTS Phishing Landing via Tripod.com Mar
31 M1 (current_events.rules)
2816851 - ETPRO CURRENT_EVENTS Phishing Landing via Tripod.com Mar
31 M2 (current_events.rules)
2816853 - ETPRO CURRENT_EVENTS Possible Successful Tripod.com Phish
Mar 31 (current_events.rules)
2816903 - ETPRO CURRENT_EVENTS OWA Phishing Landing 2016-04-04 M2
(current_events.rules)
2819695 - ETPRO CURRENT_EVENTS Email System Manager Phishing Landing
2016-04-12 (current_events.rules)
2819924 - ETPRO CURRENT_EVENTS Adobe Online Document Phishing
Landing Apr 25 M1 (current_events.rules)
2819925 - ETPRO CURRENT_EVENTS Adobe Online Document Phishing
Landing Apr 25 M2 (current_events.rules)
2819926 - ETPRO CURRENT_EVENTS Successful Adobe Online Document
Phish Apr 25 (current_events.rules)
2819976 - ETPRO CURRENT_EVENTS Successful Craigslist Phish
2016-04-25 (current_events.rules)
2820329 - ETPRO CURRENT_EVENTS Successful Citizenbank Phish
2016-05-24 M1 (current_events.rules)
2820330 - ETPRO CURRENT_EVENTS Successful Citizenbank Phish
2016-05-24 M2 (current_events.rules)
2820351 - ETPRO CURRENT_EVENTS Phishing Fake Mailbox Quota Increase
Messages May 25 2016 (current_events.rules)
2820354 - ETPRO CURRENT_EVENTS Suspicious File Download
Post-Phishing 2016-05-25 (current_events.rules)
2820373 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2016-05-26
(current_events.rules)
2820450 - ETPRO CURRENT_EVENTS Avast Phishing Landing 2016-06-02
(current_events.rules)
2820466 - ETPRO CURRENT_EVENTS Generic Email Login Phishing Landing
2016-06-02 (current_events.rules)
2820530 - ETPRO CURRENT_EVENTS DrSpam Phishing Landing 2016-06-08
(current_events.rules)
2820531 - ETPRO CURRENT_EVENTS DrSpam Phishing Landing CSS
2016-06-08 (current_events.rules)
2820532 - ETPRO CURRENT_EVENTS Successful DrSpam Phish 2016-06-08 M1
(current_events.rules)
2820533 - ETPRO CURRENT_EVENTS Successful DrSpam Phish 2016-06-08 M2
(current_events.rules)
2821034 - ETPRO CURRENT_EVENTS Successful Adobe Phish Jul 11 M3
(current_events.rules)
2821035 - ETPRO CURRENT_EVENTS Email Account Exceeded Quota Phishing
Landing Jul 11 (current_events.rules)
2821040 - ETPRO CURRENT_EVENTS DHL Phishing Landing Jul 11 2016
(current_events.rules)
2821174 - ETPRO INFO Base64 Data URI Javascript Refresh - Possible
Phishing Landing (info.rules)

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
