[***] Summary: [***]

72 new OPEN, 99 new PRO (72 + 27). ZHtrap CnC, Haxermen, KhonsariLoader,
Various PHISH.

Thanks: @travisbgreen

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2032014 - ET WEB_CLIENT Possible Websc Phishing Page 2016-02-05
(web_client.rules)
2032015 - ET POLICY Tripod/Lycos Form Submission - Possible Successful
Phish (policy.rules)
2032016 - ET CURRENT_EVENTS Successful US Bank Phish 2016-06-09 M1
(current_events.rules)
2032017 - ET CURRENT_EVENTS Successful US Bank Phish 2016-06-09 M2
(current_events.rules)
2032018 - ET CURRENT_EVENTS Email Termination Phishing Landing 2016-06-22
(current_events.rules)
2032019 - ET CURRENT_EVENTS Webmail Phishing Landing 2016-06-22
(current_events.rules)
2032020 - ET CURRENT_EVENTS Microsoft Encrypted Email Phishing Landing
2016-06-23 (current_events.rules)
2032021 - ET WEB_CLIENT Possible Phishing Data Submitted to yolasite.com
(web_client.rules)
2032022 - ET CURRENT_EVENTS Mailbox Upgrade Phishing Landing 2016-06-27
(current_events.rules)
2032023 - ET CURRENT_EVENTS Successful Mailbox Upgrade Phish 2016-06-27
M1 (current_events.rules)
2032024 - ET CURRENT_EVENTS Successful Mailbox Upgrade Phish 2016-06-27
M2 (current_events.rules)
2032025 - ET INFO Data Submitted to MyFreeSites.com - Possible Phishing
(info.rules)
2032026 - ET CURRENT_EVENTS Possible USAA Phishing Landing 2016-07-05
(current_events.rules)
2032027 - ET CURRENT_EVENTS Successful Hotmail Phish 2016-07-14
(current_events.rules)
2032028 - ET CURRENT_EVENTS Synchronize Email Account Phishing Landing
2016-07-15 (current_events.rules)
2032029 - ET CURRENT_EVENTS Webmail Account Upgrade Phishing Landing
2016-07-15 (current_events.rules)
2032030 - ET CURRENT_EVENTS Successful Generic Webmail Account Phish
2016-07-15 (current_events.rules)
2032031 - ET CURRENT_EVENTS Webmail Account Upgrade Phishing Landing
2016-07-20 (current_events.rules)
2032032 - ET CURRENT_EVENTS Successful Wells Fargo Mobile Phish
2016-08-01 M1 (current_events.rules)
2032033 - ET CURRENT_EVENTS Successful Wells Fargo Mobile Phish
2016-08-01 M2 (current_events.rules)
2032034 - ET CURRENT_EVENTS Successful Wells Fargo Mobile Phish
2016-08-01 M3 (current_events.rules)
2032035 - ET CURRENT_EVENTS DHL/EMS Documents Phishing Landing 2016-08-10
(current_events.rules)
2032036 - ET WEB_CLIENT Suspicious Credential POST to FormBuddy.com -
Possible Phishing Aug 10 2016 (web_client.rules)
2032037 - ET CURRENT_EVENTS Possible Phishing Landing - Tectite Web Form
Abuse (current_events.rules)
2032038 - ET INFO Successful Tectite Web Form Submission - Possible
Phishing (info.rules)
2032039 - ET CURRENT_EVENTS Adobe Shared Document Phishing Landing Common
CSS 2016-08-10 (current_events.rules)
2032040 - ET CURRENT_EVENTS Successful Gmail Phish M1 2016-08-12
(current_events.rules)
2032041 - ET CURRENT_EVENTS Successful Phish OWA Credentials 2016-08-16
(current_events.rules)
2032042 - ET CURRENT_EVENTS Adobe Phishing Landing M1 2016-08-16
(current_events.rules)
2032043 - ET CURRENT_EVENTS Successful Docusign Phish M1 2016-08-17
(current_events.rules)
2032044 - ET CURRENT_EVENTS Adobe Shared Document Phishing Landing
2016-08-19 (current_events.rules)
2032045 - ET CURRENT_EVENTS Universal Webmail Phishing Landing 2016-08-19
(current_events.rules)
2032046 - ET WEB_CLIENT Possible Phishing Data Submitted to yolasite.com
M2 (web_client.rules)
2032047 - ET CURRENT_EVENTS Blocked Email Account Phishing Landing
2016-08-23 (current_events.rules)
2032048 - ET CURRENT_EVENTS Successful Blocked Email Account Phish M2
2016-08-23 (current_events.rules)
2032049 - ET CURRENT_EVENTS Targeted Office 365 Phishing Landing
2016-08-23 (current_events.rules)
2032050 - ET CURRENT_EVENTS Yahoo Password Strength Phishing Landing
2016-08-24 (current_events.rules)
2032051 - ET CURRENT_EVENTS Successful Yahoo Password Strength Phish M1
2016-08-24 (current_events.rules)
2032052 - ET CURRENT_EVENTS Successful Team IPwned Phish 2016-08-24
(current_events.rules)
2032053 - ET CURRENT_EVENTS Successful Yahoo Password Strength Phish M2
2016-08-24 (current_events.rules)
2032054 - ET CURRENT_EVENTS Google Drive Phishing Landing 2016-08-25
(current_events.rules)
2032055 - ET CURRENT_EVENTS Successful Chase Phish M1 2016-08-26
(current_events.rules)
2032056 - ET CURRENT_EVENTS Successful Chase Phish M3 2016-08-26
(current_events.rules)
2032057 - ET CURRENT_EVENTS Successful Chase Phish M4 2016-08-26
(current_events.rules)
2032058 - ET INFO Suspicious Yahoo Page - Possible Phishing Landing
(info.rules)
2032059 - ET CURRENT_EVENTS Successful Paypal Phish 2016-08-30
(current_events.rules)
2032060 - ET CURRENT_EVENTS TeamIPwned/Hellion Phishing Landing
2016-08-30 (current_events.rules)
2032061 - ET CURRENT_EVENTS Successful CIBC Phish 2016-08-30
(current_events.rules)
2032062 - ET CURRENT_EVENTS Successful Paypal Phish 2016-08-31
(current_events.rules)
2032063 - ET CURRENT_EVENTS DHL Phishing Landing 2016-08-31
(current_events.rules)
2032064 - ET CURRENT_EVENTS Successful Dropbox Phish 2016-08-31
(current_events.rules)
2032065 - ET CURRENT_EVENTS Adobe Shared Document Phishing Landing
2016-08-30 (current_events.rules)
2032066 - ET CURRENT_EVENTS Adobe Shared Document Phishing Landing M2
2016-08-31 (current_events.rules)
2032067 - ET CURRENT_EVENTS Alibaba Phishing Landing 2016-08-31
(current_events.rules)
2032068 - ET CURRENT_EVENTS Outlook 365 Encrypted Email Phishing Landing
M1 2016-08-31 (current_events.rules)
2032069 - ET INFO Data Submitted to Webeden.co.uk - Possible Phishing
(info.rules)
2032070 - ET INFO Data Submitted to Weebly.com - Possible Phishing
(info.rules)
2032071 - ET CURRENT_EVENTS Successful Google Docs Phish 2016-09-01
(current_events.rules)
2032072 - ET CURRENT_EVENTS Successful Outlook Password Update Phish M1
2016-09-01 (current_events.rules)
2032073 - ET CURRENT_EVENTS Successful Outlook Password Update Phish M2
2016-09-01 (current_events.rules)
2032074 - ET CURRENT_EVENTS Successful Outlook Password Update Phish M3
2016-09-01 (current_events.rules)
2032075 - ET CURRENT_EVENTS Facebook Phishing Landing 2016-09-02
(current_events.rules)
2032076 - ET CURRENT_EVENTS Successful Facebook Phish 2016-09-02
(current_events.rules)
2032077 - ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321)
(exploit.rules)
2032078 - ET WEB_CLIENT Leaf PHPMailer Accessed on External Server
(web_client.rules)
2032079 - ET WEB_SERVER Leaf PHPMailer Accessed on Internal Server
(web_server.rules)
2032080 - ET TROJAN ELF/Gafgyt Variant CnC Activity (Response)
(trojan.rules)
2032081 - ET USER_AGENTS Suspicious User-Agent (HaxerMen)
(user_agents.rules)
2032082 - ET INFO Possible Phishing Page - Page Saved with SingleFile
Extension (info.rules)
2032083 - ET TROJAN ZHtrap CnC Checkin (trojan.rules)
2032084 - ET TROJAN ZHtrap CnC Response - Connection Successfully
Established (trojan.rules)
2032085 - ET TROJAN Win32.Raccoon Stealer CnC Domain in TLS SNI
(followmeasap13 .top) (trojan.rules)

Pro:

2847621 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
2847622 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
2847623 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
2847624 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
2847625 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
2847626 - ETPRO TROJAN Suspected KhonsariLoader Activity (trojan.rules)
2847627 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-16 1) (trojan.rules)
2847628 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-16 2) (trojan.rules)
2847629 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-16 3) (trojan.rules)
2847630 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-16 4) (trojan.rules)
2847631 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-16 5) (trojan.rules)
2847632 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-16 6) (trojan.rules)
2847633 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2021-03-16
(current_events.rules)
2847634 - ETPRO CURRENT_EVENTS Possible Successful Generic Custom Logo
Phish 2021-03-16 M1 (current_events.rules)
2847635 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2021-03-16
(current_events.rules)
2847636 - ETPRO CURRENT_EVENTS Successful Zimbra Phish 2021-03-16
(current_events.rules)
2847637 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2021-03-16
(current_events.rules)
2847638 - ETPRO CURRENT_EVENTS Successful SF Express Phish 2021-03-16
(current_events.rules)
2847639 - ETPRO CURRENT_EVENTS Successful Adobe Phish 2021-03-16
(current_events.rules)
2847640 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2021-03-16
(current_events.rules)
2847641 - ETPRO TROJAN Win32/Agent.ACUD Variant CnC Activity
(trojan.rules)
2847642 - ETPRO TROJAN Win32/Injector.EOJC Variant Stealer CnC Activity
(trojan.rules)
2847643 - ETPRO TROJAN Win32/Agent.RLQ Variant CnC Activity (trojan.rules)
2847644 - ETPRO CURRENT_EVENTS Successful Orange FR Phish 2021-03-16
(current_events.rules)
2847645 - ETPRO CURRENT_EVENTS Successful Yahoo Phish 2021-03-16
(current_events.rules)
2847646 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2021-03-16
(current_events.rules)
2847647 - ETPRO CURRENT_EVENTS Possible Successful Generic Custom Logo
Phish 2021-03-16 M2 (current_events.rules)

[///] Modified active rules: [///]

2024689 - ET WEB_CLIENT Download of Multimedia Content flowbit set
(web_client.rules)
2024690 - ET WEB_CLIENT Download of .MOV Content flowbit set
(web_client.rules)

[---] Removed rules: [---]

2816096 - ETPRO WEB_CLIENT Possible Websc Phishing Page 2016-02-05
(web_client.rules)
2820334 - ETPRO POLICY Tripod/Lycos Form Submission - Possible Successful
Phish (policy.rules)
2820558 - ETPRO CURRENT_EVENTS Successful US Bank Phish 2016-06-09 M1
(current_events.rules)
2820559 - ETPRO CURRENT_EVENTS Successful US Bank Phish 2016-06-09 M2
(current_events.rules)
2820805 - ETPRO CURRENT_EVENTS Email Termination Phishing Landing
2016-06-22 (current_events.rules)
2820832 - ETPRO CURRENT_EVENTS Webmail Phishing Landing 2016-06-22
(current_events.rules)
2820846 - ETPRO CURRENT_EVENTS Microsoft Encrypted Email Phishing Landing
2016-06-23 (current_events.rules)
2820861 - ETPRO WEB_CLIENT Possible Phishing Data Submitted to
yolasite.com (web_client.rules)
2820879 - ETPRO CURRENT_EVENTS Mailbox Upgrade Phishing Landing
2016-06-27 (current_events.rules)
2820880 - ETPRO CURRENT_EVENTS Successful Mailbox Upgrade Phish
2016-06-27 M1 (current_events.rules)
2820881 - ETPRO CURRENT_EVENTS Successful Mailbox Upgrade Phish
2016-06-27 M2 (current_events.rules)
2820905 - ETPRO INFO Data Submitted to MyFreeSites.com - Possible
Phishing (info.rules)
2820964 - ETPRO CURRENT_EVENTS Possible USAA Phishing Landing 2016-07-05
(current_events.rules)
2821136 - ETPRO CURRENT_EVENTS Successful Hotmail Phish 2016-07-14
(current_events.rules)
2821164 - ETPRO CURRENT_EVENTS Synchronize Email Account Phishing Landing
2016-07-15 (current_events.rules)
2821171 - ETPRO CURRENT_EVENTS Webmail Account Upgrade Phishing Landing
2016-07-15 (current_events.rules)
2821173 - ETPRO CURRENT_EVENTS Successful Generic Webmail Account Phish
2016-07-15 (current_events.rules)
2821233 - ETPRO CURRENT_EVENTS Webmail Account Upgrade Phishing Landing
2016-07-20 (current_events.rules)
2821391 - ETPRO CURRENT_EVENTS Successful Wells Fargo Mobile Phish
2016-08-01 M1 (current_events.rules)
2821392 - ETPRO CURRENT_EVENTS Successful Wells Fargo Mobile Phish
2016-08-01 M2 (current_events.rules)
2821393 - ETPRO CURRENT_EVENTS Successful Wells Fargo Mobile Phish
2016-08-01 M3 (current_events.rules)
2821592 - ETPRO CURRENT_EVENTS DHL/EMS Documents Phishing Landing
2016-08-10 (current_events.rules)
2821593 - ETPRO WEB_CLIENT Suspicious Credential POST to FormBuddy.com -
Possible Phishing Aug 10 2016 (web_client.rules)
2821595 - ETPRO CURRENT_EVENTS Possible Phishing Landing - Tectite Web
Form Abuse (current_events.rules)
2821597 - ETPRO INFO Successful Tectite Web Form Submission - Possible
Phishing (info.rules)
2821599 - ETPRO CURRENT_EVENTS Adobe Shared Document Phishing Landing
Common CSS 2016-08-10 (current_events.rules)
2821632 - ETPRO CURRENT_EVENTS Successful Gmail Phish M1 2016-08-12
(current_events.rules)
2821702 - ETPRO CURRENT_EVENTS Successful Phish OWA Credentials
2016-08-16 (current_events.rules)
2821703 - ETPRO CURRENT_EVENTS Adobe Phishing Landing M1 2016-08-16
(current_events.rules)
2821709 - ETPRO CURRENT_EVENTS Successful Docusign Phish M1 2016-08-17
(current_events.rules)
2821769 - ETPRO CURRENT_EVENTS Adobe Shared Document Phishing Landing
2016-08-19 (current_events.rules)
2821771 - ETPRO CURRENT_EVENTS Universal Webmail Phishing Landing
2016-08-19 (current_events.rules)
2821798 - ETPRO WEB_CLIENT Possible Phishing Data Submitted to
yolasite.com M2 (web_client.rules)
2821800 - ETPRO CURRENT_EVENTS Blocked Email Account Phishing Landing
2016-08-23 (current_events.rules)
2821801 - ETPRO CURRENT_EVENTS Successful Blocked Email Account Phish M2
2016-08-23 (current_events.rules)
2821815 - ETPRO CURRENT_EVENTS Targeted Office 365 Phishing Landing
2016-08-23 (current_events.rules)
2821829 - ETPRO CURRENT_EVENTS Yahoo Password Strength Phishing Landing
2016-08-24 (current_events.rules)
2821830 - ETPRO CURRENT_EVENTS Successful Yahoo Password Strength Phish
M1 2016-08-24 (current_events.rules)
2821831 - ETPRO CURRENT_EVENTS Successful Team IPwned Phish 2016-08-24
(current_events.rules)
2821832 - ETPRO CURRENT_EVENTS Successful Yahoo Password Strength Phish
M2 2016-08-24 (current_events.rules)
2821851 - ETPRO CURRENT_EVENTS Google Drive Phishing Landing 2016-08-25
(current_events.rules)
2821863 - ETPRO CURRENT_EVENTS Successful Chase Phish M1 2016-08-26
(current_events.rules)
2821865 - ETPRO CURRENT_EVENTS Successful Chase Phish M3 2016-08-26
(current_events.rules)
2821866 - ETPRO CURRENT_EVENTS Successful Chase Phish M4 2016-08-26
(current_events.rules)
2821882 - ETPRO INFO Suspicious Yahoo Page - Possible Phishing Landing
(info.rules)
2821887 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2016-08-30
(current_events.rules)
2821912 - ETPRO CURRENT_EVENTS TeamIPwned/Hellion Phishing Landing
2016-08-30 (current_events.rules)
2821915 - ETPRO CURRENT_EVENTS Successful CIBC Phish 2016-08-30
(current_events.rules)
2821935 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2016-08-31
(current_events.rules)
2821943 - ETPRO CURRENT_EVENTS DHL Phishing Landing 2016-08-31
(current_events.rules)
2821944 - ETPRO CURRENT_EVENTS Successful Dropbox Phish 2016-08-31
(current_events.rules)
2821960 - ETPRO CURRENT_EVENTS Adobe Shared Document Phishing Landing
2016-08-30 (current_events.rules)
2821962 - ETPRO CURRENT_EVENTS Adobe Shared Document Phishing Landing M2
2016-08-31 (current_events.rules)
2821963 - ETPRO CURRENT_EVENTS Alibaba Phishing Landing 2016-08-31
(current_events.rules)
2821965 - ETPRO CURRENT_EVENTS Outlook 365 Encrypted Email Phishing
Landing M1 2016-08-31 (current_events.rules)
2821967 - ETPRO INFO Data Submitted to Webeden.co.uk - Possible Phishing
(info.rules)
2821968 - ETPRO INFO Data Submitted to Weebly.com - Possible Phishing
(info.rules)
2821974 - ETPRO CURRENT_EVENTS Successful Google Docs Phish 2016-09-01
(current_events.rules)
2821975 - ETPRO CURRENT_EVENTS Successful Outlook Password Update Phish
M1 2016-09-01 (current_events.rules)
2821976 - ETPRO CURRENT_EVENTS Successful Outlook Password Update Phish
M2 2016-09-01 (current_events.rules)
2821977 - ETPRO CURRENT_EVENTS Successful Outlook Password Update Phish
M3 2016-09-01 (current_events.rules)
2821982 - ETPRO CURRENT_EVENTS Facebook Phishing Landing 2016-09-02
(current_events.rules)
2821983 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2016-09-02
(current_events.rules)
