[***] Summary: [***]

79 new OPEN, 100 new PRO (79 + 21). CVE-2021-22991, Raccoon Stealer,
Various Powershell Hunting, VARIOUS PHISH.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2032096 - ET INFO Possible Phishing Landing via MoonFruit.com (set)
(info.rules)
2032097 - ET INFO Possible Phishing Landing via MoonFruit.com M1
2016-01-22 (info.rules)
2032098 - ET INFO Possible Phishing Landing via MoonFruit.com M2
2016-01-22 (info.rules)
2032099 - ET INFO Possible Phishing Landing via MoonFruit.com M3
2016-01-22 (info.rules)
2032100 - ET INFO Possible Phishing Landing via Moonfruit M2 2016-01-26
(info.rules)
2032101 - ET CURRENT_EVENTS Successful Google Drive Phish 2016-09-02
(current_events.rules)
2032102 - ET CURRENT_EVENTS Successful Chase Phish 2016-09-02
(current_events.rules)
2032103 - ET CURRENT_EVENTS Successful Webmail Validator Phish M2
2016-09-02 (current_events.rules)
2032104 - ET CURRENT_EVENTS Webmail Validator Phishing Landing 2016-09-02
(current_events.rules)
2032105 - ET CURRENT_EVENTS Account Update Phishing Landing 2016-09-06
(current_events.rules)
2032106 - ET CURRENT_EVENTS Successful Paypal Phish 2016-09-06
(current_events.rules)
2032107 - ET INFO Suspicious Minimal HTTP Refresh to Googledrive.com -
Possible Phishing (info.rules)
2032108 - ET CURRENT_EVENTS Fedex Javascript Phishing Landing 2016-09-08
(current_events.rules)
2032109 - ET CURRENT_EVENTS Successful Microsoft Live Email Account Phish
2016-09-08 (current_events.rules)
2032110 - ET CURRENT_EVENTS Successful Paypal Phish 2016-09-09
(current_events.rules)
2032111 - ET CURRENT_EVENTS Successful SeniorPeopleMeet Phish M1
2016-09-14 (current_events.rules)
2032112 - ET CURRENT_EVENTS Successful SeniorPeopleMeet Phish M2
2016-09-14 (current_events.rules)
2032113 - ET CURRENT_EVENTS Successful View Samples Phish 2016-09-09
(current_events.rules)
2032114 - ET CURRENT_EVENTS Successful Wells Fargo Phish M1 2016-09-16
(current_events.rules)
2032115 - ET CURRENT_EVENTS Successful Wells Fargo Phish M2 2016-09-16
(current_events.rules)
2032116 - ET CURRENT_EVENTS Successful US Bank Phish 2016-09-20
(current_events.rules)
2032117 - ET CURRENT_EVENTS Successful Excel Phish 2016-09-26
(current_events.rules)
2032118 - ET CURRENT_EVENTS Successful Apple Phish 2016-09-27
(current_events.rules)
2032119 - ET CURRENT_EVENTS Successful FreeMobile (FR) Phish 2016-09-28
(current_events.rules)
2032120 - ET CURRENT_EVENTS Successful Dropbox Phish 2016-09-29
(current_events.rules)
2032121 - ET CURRENT_EVENTS Successful Apple Phish M1 2016-09-29
(current_events.rules)
2032122 - ET CURRENT_EVENTS Successful Facebook Phish M1 2016-09-30
(current_events.rules)
2032123 - ET CURRENT_EVENTS Successful Postbank Online Banking Phish M1
2016-09-30 (current_events.rules)
2032124 - ET CURRENT_EVENTS Successful Postbank Online Banking Phish M2
2016-09-30 (current_events.rules)
2032125 - ET INFO Possible Phishing Landing via Moonfruit M1 2016-10-03
(info.rules)
2032126 - ET INFO Possible Phishing Landing via Moonfruit M2 2016-10-03
(info.rules)
2032127 - ET WEB_CLIENT Suspicious Byethost Phishing Redirect 2016-10-04
(web_client.rules)
2032128 - ET CURRENT_EVENTS Successful Generic OWA Phish 2016-10-04
(current_events.rules)
2032129 - ET CURRENT_EVENTS Paypal Phishing Landing (DE) 2016-10-04
(current_events.rules)
2032130 - ET CURRENT_EVENTS Successful Amazon Phish M1 2016-10-05
(current_events.rules)
2032131 - ET CURRENT_EVENTS Successful Paypal Phish M2 2016-10-05
(current_events.rules)
2032132 - ET CURRENT_EVENTS Successful Orange (FR) Phish 2016-10-06
(current_events.rules)
2032133 - ET CURRENT_EVENTS Successful Supplier Portal Phish 2016-10-07
(current_events.rules)
2032134 - ET CURRENT_EVENTS Successful DHL Phish 2016-10-07
(current_events.rules)
2032135 - ET CURRENT_EVENTS Successful Apple Phish (FR) M1 2016-10-07
(current_events.rules)
2032136 - ET CURRENT_EVENTS Successful Apple Phish (FR) M2 2016-10-07
(current_events.rules)
2032137 - ET CURRENT_EVENTS Successful Bank of America Phish M2
2016-10-10 (current_events.rules)
2032138 - ET CURRENT_EVENTS Successful Google Drive Phish 2016-10-11
(current_events.rules)
2032139 - ET CURRENT_EVENTS Successful Gmail Phish M2 2016-10-12
(current_events.rules)
2032140 - ET CURRENT_EVENTS Phishing Landing via Webeden.net 2016-10-13
(current_events.rules)
2032141 - ET CURRENT_EVENTS Successful Yahoo Phish 2016-10-14
(current_events.rules)
2032142 - ET CURRENT_EVENTS Successful Paypal Phish M1 2016-10-17
(current_events.rules)
2032143 - ET CURRENT_EVENTS Successful DHL Phish 2016-10-18
(current_events.rules)
2032144 - ET CURRENT_EVENTS Successful Generic Webmail Phish 2016-10-21
(current_events.rules)
2032145 - ET CURRENT_EVENTS Successful Wells Fargo Phish 2016-10-21
(current_events.rules)
2032146 - ET CURRENT_EVENTS Successful Yahoo Phish 2016-10-25
(current_events.rules)
2032147 - ET CURRENT_EVENTS Successful Banco do Brasil Phish M2
2016-10-25 (current_events.rules)
2032148 - ET CURRENT_EVENTS Successful Outlook Phish 2016-10-25
(current_events.rules)
2032149 - ET CURRENT_EVENTS Successful Apple ID Phish 2016-10-25
(current_events.rules)
2032150 - ET CURRENT_EVENTS Successful Chase Phish 2016-10-25
(current_events.rules)
2032151 - ET CURRENT_EVENTS Successful 163.com Email Account Phish
2016-10-26 (current_events.rules)
2032152 - ET CURRENT_EVENTS Successful Office 365 Phish 2016-10-31
(current_events.rules)
2032153 - ET CURRENT_EVENTS Successful American Express Phish M1
2016-10-31 (current_events.rules)
2032154 - ET CURRENT_EVENTS Successful American Express Phish M2
2016-10-31 (current_events.rules)
2032155 - ET CURRENT_EVENTS Successful Impots.gouv.fr Phish 2016-10-31
(current_events.rules)
2032156 - ET CURRENT_EVENTS Successful Paypal Phish 2016-10-31
(current_events.rules)
2032157 - ET CURRENT_EVENTS Successful Apple Phish M1 2016-11-15
(current_events.rules)
2032158 - ET CURRENT_EVENTS Successful Apple Phish M2 2016-11-15
(current_events.rules)
2032159 - ET CURRENT_EVENTS Successful Dropbox Business Phish 2016-11-17
(current_events.rules)
2032160 - ET CURRENT_EVENTS Successful Personalized Email Update Phish
2016-11-17 (current_events.rules)
2032161 - ET CURRENT_EVENTS Possible Successful Generic Phish (set)
2021-03-18 (current_events.rules)
2032162 - ET INFO PS1 Powershell File Request (info.rules)
2032163 - ET INFO PSM1 Powershell File Request (info.rules)
2032164 - ET INFO PSD1 Powershell File Request (info.rules)
2032165 - ET INFO PS1XML Powershell File Request (info.rules)
2032166 - ET INFO PSSC Powershell File Request (info.rules)
2032167 - ET INFO PSRC Powershell File Request (info.rules)
2032168 - ET INFO CDXML Powershell File Request (info.rules)
2032169 - ET INFO Generic Powershell DownloadString Command (info.rules)
2032170 - ET INFO Generic Powershell DownloadFile Command (info.rules)
2032171 - ET INFO Generic Powershell Starting Wscript Process (info.rules)
2032172 - ET INFO Generic Powershell Launching Hidden Window (info.rules)
2032173 - ET EXPLOIT Possible F5 BIG-IP Infoleak and Out-of-Bounds Write
Inbound (CVE-2021-22991) (exploit.rules)
2032174 - ET TROJAN Win32.Raccoon Stealer CnC Domain in TLS SNI
(finalcountdown .top) (trojan.rules)

Pro:

2847676 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
2847677 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
2847678 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
2847679 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
2847680 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
2847681 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
2847682 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-18 1) (trojan.rules)
2847683 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-18 2) (trojan.rules)
2847684 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-18 3) (trojan.rules)
2847685 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-18 4) (trojan.rules)
2847686 - ETPRO CURRENT_EVENTS Successful Chase Phish 2021-03-18
(current_events.rules)
2847687 - ETPRO CURRENT_EVENTS Successful Blockchain Phish 2021-03-18
(current_events.rules)
2847688 - ETPRO CURRENT_EVENTS Successful TalkTalk Phish 2021-03-18
(current_events.rules)
2847689 - ETPRO CURRENT_EVENTS Successful Sharepoint Phish 2021-03-18
(current_events.rules)
2847690 - ETPRO CURRENT_EVENTS Successful Suntrust Phish 2021-03-18
(current_events.rules)
2847691 - ETPRO CURRENT_EVENTS Successful Verified by Visa Phish
2021-03-18 (current_events.rules)
2847692 - ETPRO CURRENT_EVENTS Successful Chase Phish 2021-03-18
(current_events.rules)
2847696 - ETPRO TROJAN MSIL/PSW.CoinStealer.CC Variant CnC Activity
(trojan.rules)
2847697 - ETPRO TROJAN Win32/Remcos RAT Checkin 693 (trojan.rules)
2847698 - ETPRO TROJAN W32/Staser!tr CnC Activity (trojan.rules)

[///] Modified active rules: [///]

2847674 - ETPRO TROJAN Blue Eagle XPR RAT Checkin (Java) (trojan.rules)

[---] Disabled and modified rules: [---]

2027259 - ET INFO Dotted Quad Host PS1 Request (info.rules)

[---] Removed rules: [---]

2815900 - ETPRO INFO Possible Phishing Landing via MoonFruit.com (set)
Jan 22 (info.rules)
2815901 - ETPRO INFO Possible Phishing Landing via MoonFruit.com Jan 22
M1 (info.rules)
2815902 - ETPRO INFO Possible Phishing Landing via MoonFruit.com Jan 22
M2 (info.rules)
2815903 - ETPRO INFO Possible Phishing Landing via MoonFruit.com Jan 22
M3 (info.rules)
2815963 - ETPRO INFO Possible Phishing Landing via Moonfruit Jan 26 M2
(info.rules)
2821984 - ETPRO CURRENT_EVENTS Successful Google Drive Phish 2016-09-02
(current_events.rules)
2821990 - ETPRO CURRENT_EVENTS Successful Chase Phish 2016-09-02
(current_events.rules)
2821993 - ETPRO CURRENT_EVENTS Successful Webmail Validator Phish M2
2016-09-02 (current_events.rules)
2821994 - ETPRO CURRENT_EVENTS Webmail Validator Phishing Landing
2016-09-02 (current_events.rules)
2822003 - ETPRO CURRENT_EVENTS Account Update Phishing Landing 2016-09-06
(current_events.rules)
2822005 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2016-09-06
(current_events.rules)
2822038 - ETPRO INFO Suspicious Minimal HTTP Refresh to Googledrive.com -
Possible Phishing (info.rules)
2822040 - ETPRO CURRENT_EVENTS Fedex Javascript Phishing Landing
2016-09-08 (current_events.rules)
2822056 - ETPRO CURRENT_EVENTS Successful Microsoft Live Email Account
Phish 2016-09-08 (current_events.rules)
2822068 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2016-09-09
(current_events.rules)
2822108 - ETPRO CURRENT_EVENTS Successful SeniorPeopleMeet Phish M1
2016-09-14 (current_events.rules)
2822109 - ETPRO CURRENT_EVENTS Successful SeniorPeopleMeet Phish M2
2016-09-14 (current_events.rules)
2822145 - ETPRO CURRENT_EVENTS Successful View Samples Phish 2016-09-09
(current_events.rules)
2822147 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish M1 2016-09-16
(current_events.rules)
2822148 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish M2 2016-09-16
(current_events.rules)
2822185 - ETPRO CURRENT_EVENTS Successful US Bank Phish 2016-09-20
(current_events.rules)
2822226 - ETPRO CURRENT_EVENTS Successful Excel Phish 2016-09-26
(current_events.rules)
2822254 - ETPRO CURRENT_EVENTS Successful Apple Phish Sept 27 2016
(current_events.rules)
2822285 - ETPRO CURRENT_EVENTS Successful FreeMobile (FR) Phish Sept 28
2016 (current_events.rules)
2822305 - ETPRO CURRENT_EVENTS Successful Dropbox Phish Sept 29 2016
(current_events.rules)
2822311 - ETPRO CURRENT_EVENTS Successful Apple Phish M1 Sept 29 2016
(current_events.rules)
2822334 - ETPRO CURRENT_EVENTS Successful Facebook Phish M1 Sep 30 2016
(current_events.rules)
2822340 - ETPRO CURRENT_EVENTS Successful Postbank Online Banking Phish
M1 Sep 30 2016 (current_events.rules)
2822341 - ETPRO CURRENT_EVENTS Successful Postbank Online Banking Phish
M2 Sep 30 2016 (current_events.rules)
2822360 - ETPRO INFO Possible Phishing Landing via Moonfruit Oct 3 M1
(info.rules)
2822361 - ETPRO INFO Possible Phishing Landing via Moonfruit Oct 3 M2
(info.rules)
2822368 - ETPRO WEB_CLIENT Suspicious Byethost Phishing Redirect Oct 04
2016 (web_client.rules)
2822373 - ETPRO CURRENT_EVENTS Successful Generic OWA Phish Oct 04 2016
(current_events.rules)
2822381 - ETPRO CURRENT_EVENTS Paypal Phishing Landing (DE) Oct 04 2016
(current_events.rules)
2822418 - ETPRO CURRENT_EVENTS Successful Amazon Phish M1 Oct 05 2016
(current_events.rules)
2822422 - ETPRO CURRENT_EVENTS Successful Paypal Phish M2 Oct 05 2016
(current_events.rules)
2822464 - ETPRO CURRENT_EVENTS Successful Orange (FR) Phish Oct 06 2016
(current_events.rules)
2822489 - ETPRO CURRENT_EVENTS Successful Supplier Portal Phish Oct 07
2016 (current_events.rules)
2822490 - ETPRO CURRENT_EVENTS Successful DHL Phish Oct 07 2016
(current_events.rules)
2822494 - ETPRO CURRENT_EVENTS Successful Apple Phish (FR) M1 Oct 07 2016
(current_events.rules)
2822495 - ETPRO CURRENT_EVENTS Successful Apple Phish (FR) M2 Oct 07 2016
(current_events.rules)
2822506 - ETPRO CURRENT_EVENTS Successful Bank of America Phish Oct 07 M2
(current_events.rules)
2822551 - ETPRO CURRENT_EVENTS Successful Google Drive Phish Oct 10 2016
(current_events.rules)
2822568 - ETPRO CURRENT_EVENTS Successful Gmail Phish M2 Oct 11 2016
(current_events.rules)
2822603 - ETPRO CURRENT_EVENTS Phishing Landing via Webeden.net Oct 13
2016 (current_events.rules)
2822642 - ETPRO CURRENT_EVENTS Successful Yahoo Phish Oct 14 2016
(current_events.rules)
2822662 - ETPRO CURRENT_EVENTS Successful Paypal Phish M1 Oct 17 2016
(current_events.rules)
2822711 - ETPRO CURRENT_EVENTS Successful DHL Phish Oct 18 2016
(current_events.rules)
2822782 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish Oct 20
2016 (current_events.rules)
2822789 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish Oct 20 2016
(current_events.rules)
2822850 - ETPRO CURRENT_EVENTS Successful Yahoo Phish Oct 25 2016
(current_events.rules)
2822853 - ETPRO CURRENT_EVENTS Successful Banco do Brasil Phish M2 Oct 25
2016 (current_events.rules)
2822856 - ETPRO CURRENT_EVENTS Successful Outlook Phish Oct 25 2016
(current_events.rules)
2822857 - ETPRO CURRENT_EVENTS Successful Apple ID Phish Oct 25 2016
(current_events.rules)
2822858 - ETPRO CURRENT_EVENTS Successful Chase Phish Oct 25 2016
(current_events.rules)
2822898 - ETPRO CURRENT_EVENTS Successful 163.com Email Account Phish Oct
26 2016 (current_events.rules)
2823007 - ETPRO CURRENT_EVENTS Successful Office 365 Phish Oct 31 2016
(current_events.rules)
2823010 - ETPRO CURRENT_EVENTS Successful American Express Phish M1 Oct
31 2016 (current_events.rules)
2823011 - ETPRO CURRENT_EVENTS Successful American Express Phish M2 Oct
31 2016 (current_events.rules)
2823014 - ETPRO CURRENT_EVENTS Successful Impots.gouv.fr Phish Oct 31
2016 (current_events.rules)
2823016 - ETPRO CURRENT_EVENTS Successful Paypal Phish Oct 31 2016
(current_events.rules)
2823267 - ETPRO CURRENT_EVENTS Successful Apple Phish M1 Nov 15 2016
(current_events.rules)
2823268 - ETPRO CURRENT_EVENTS Successful Apple Phish M2 Nov 15 2016
(current_events.rules)
2823306 - ETPRO CURRENT_EVENTS Successful Dropbox Business Phish Nov 16
2016 (current_events.rules)
2823307 - ETPRO CURRENT_EVENTS Successful Personalized Email Update Phish
Nov 16 2016 (current_events.rules)
2847566 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2021-03-12
(current_events.rules)
