Daily Ruleset Update Summary
Daily Ruleset Update Summary 2021/04/02

[***] Summary: [***]

56 new OPEN, 74 new PRO (56 + 18). Tons o' phishing moved to
OPEN, AsyncRAT, W32/Unk.CryptoStealer, MSIL/PSW.Agent.RXP, Glupteba,
VARIOUS PHISHING.

Today it is Friday.

tks: @james_inthe_box

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2032363 - ET CURRENT_EVENTS DHL Phishing Landing 2016-01-07
(current_events.rules)
2032364 - ET CURRENT_EVENTS Successful Formbuddy Credential Phish
Submission 2016-01-15 (current_events.rules)
2032365 - ET CURRENT_EVENTS Phishing Landing via Weebly.com (set)
2016-02-02 (current_events.rules)
2032366 - ET INFO Phishing Landing via Weebly.com M1 2016-02-02
(info.rules)
2032367 - ET INFO Phishing Landing via Weebly.com M2 2016-02-02
(info.rules)
2032368 - ET INFO Phishing Landing via Weebly.com M3 2016-02-02
(info.rules)
2032369 - ET INFO Phishing Landing via Weebly.com M4 2016-02-02
(info.rules)
2032370 - ET WEB_CLIENT Common /mpp/ Phishing URI Structure 2016-02-08
(web_client.rules)
2032371 - ET CURRENT_EVENTS Am3Refh Obfuscated Phishing Landing
2016-02-23 (current_events.rules)
2032372 - ET CURRENT_EVENTS Possible Phishing Landing Obfuscation
2016-02-26 (current_events.rules)
2032373 - ET CURRENT_EVENTS Adobe Phishing Landing 2016-03-10
(current_events.rules)
2032374 - ET CURRENT_EVENTS Successful Free.fr Phish 2016-03-10
(current_events.rules)
2032375 - ET CURRENT_EVENTS Obfuscated Chase Phishing Landing 2016-03-23
(current_events.rules)
2032376 - ET CURRENT_EVENTS L33bo Phishing Landing 2016-03-29
(current_events.rules)
2032377 - ET CURRENT_EVENTS Possible Successful Phish to Hostinger
Domains M1 2016-04-04 (current_events.rules)
2032378 - ET CURRENT_EVENTS Possible Successful Phish to Hostinger
Domains M2 2016-04-04 (current_events.rules)
2032379 - ET CURRENT_EVENTS Possible Successful Phish to Hostinger
Domains M3 2016-04-04 (current_events.rules)
2032380 - ET CURRENT_EVENTS Possible Successful Phish to Hostinger
Domains M5 2016-04-04 (current_events.rules)
2032381 - ET CURRENT_EVENTS Adobe Online Document Phishing Landing
2016-05-02 (current_events.rules)
2032382 - ET CURRENT_EVENTS Successful Mailbox Shutdown Phish M1
2016-05-16 (current_events.rules)
2032383 - ET CURRENT_EVENTS Successful Mailbox Shutdown Phish M2
2016-05-16 (current_events.rules)
2032384 - ET CURRENT_EVENTS Successful Mailbox Shutdown Phish M3
2016-05-16 (current_events.rules)
2032385 - ET CURRENT_EVENTS Successful Wells Fargo Phish 2016-05-26
(current_events.rules)
2032386 - ET CURRENT_EVENTS Adobe Cloud Phishing Landing 2016-06-02
(current_events.rules)
2032387 - ET CURRENT_EVENTS Possible HMRC Phishing Domain 2016-06-08
(current_events.rules)
2032388 - ET WEB_CLIENT Suspicious Compound Refresh - Possible Phishing
Redirect 2016-06-09 (web_client.rules)
2032389 - ET CURRENT_EVENTS Possible Apple Phishing Domain 2016-06-14
(current_events.rules)
2032390 - ET CURRENT_EVENTS Successful Chase Phish 2016-06-15
(current_events.rules)
2032391 - ET CURRENT_EVENTS Successful Apple Phish 2016-06-15
(current_events.rules)
2032392 - ET CURRENT_EVENTS Successful USAA Phish 2016-06-15
(current_events.rules)
2032393 - ET CURRENT_EVENTS Successful Paypal Phish 2016-06-15
(current_events.rules)
2032394 - ET CURRENT_EVENTS Phishing Landing via Weebly.com 2016-06-22
(current_events.rules)
2032395 - ET CURRENT_EVENTS Shipping Document Phishing Landing 2016-06-23
(current_events.rules)
2032396 - ET CURRENT_EVENTS Successful Amazon.com Phish M1 2016-06-27
(current_events.rules)
2032397 - ET INFO Data Submitted to ukit domain - Possible Phishing M1
2016-06-29 (info.rules)
2032398 - ET INFO Data Submitted to ukit domain - Possible Phishing M2
2016-06-29 (info.rules)
2032399 - ET CURRENT_EVENTS Successful DHL Phish 2016-07-11
(current_events.rules)
2032400 - ET CURRENT_EVENTS Successful Yahoo Phish 2016-07-11
(current_events.rules)
2032401 - ET CURRENT_EVENTS Successful Intuit Phish 2016-07-21
(current_events.rules)
2032402 - ET CURRENT_EVENTS Successful Generic Phish - JS Redirect to PDF
2016-08-24 (current_events.rules)
2032403 - ET CURRENT_EVENTS Successful FR Carte Bleue / BCP Phish
2016-09-06 (current_events.rules)
2032404 - ET CURRENT_EVENTS Successful Gmail Phish M1 2016-10-12
(current_events.rules)
2032405 - ET CURRENT_EVENTS Successful Banco de la Nacion Phish
2016-10-18 (current_events.rules)
2032406 - ET CURRENT_EVENTS Successful Generic Phish - Observed in
Apple/Bank of America/Amazon 2016-10-26 (current_events.rules)
2032407 - ET CURRENT_EVENTS Successful Generic Phish 2016-10-27
(current_events.rules)
2032408 - ET CURRENT_EVENTS Successful Generic Phish M2 2016-10-27
(current_events.rules)
2032409 - ET CURRENT_EVENTS Successful Email Settings Phish 2016-10-28
(current_events.rules)
2032410 - ET CURRENT_EVENTS Successful Dropbox/Docusign Phish 2016-10-28
(current_events.rules)
2032411 - ET CURRENT_EVENTS Successful Linkedin Phish 2016-11-17
(current_events.rules)
2032412 - ET CURRENT_EVENTS Successful Generic Wembail Phish M2
2016-11-18 (current_events.rules)
2032413 - ET CURRENT_EVENTS Successful Bank of America Phish 2016-12-05
(current_events.rules)
2032414 - ET CURRENT_EVENTS Successful Microsoft Phish 2016-12-08
(current_events.rules)
2032415 - ET CURRENT_EVENTS Obfuscated Phishing Landing 2016-12-19
(current_events.rules)
2032416 - ET CURRENT_EVENTS Successful Poste Italiane Phish 2016-12-23
(current_events.rules)
2032417 - ET TROJAN Win32/NitroStealer CnC Exfil (trojan.rules)
2032418 - ET TROJAN Nitro Stealer Exfil Activity (Response) (trojan.rules)

Pro:

2847981 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
2847982 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
2847983 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-02 1) (trojan.rules)
2847984 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-02 2) (trojan.rules)
2847985 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-02 3) (trojan.rules)
2847986 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-02 4) (trojan.rules)
2847987 - ETPRO CURRENT_EVENTS Successful Generic Email Settings Phish
2021-04-02 (current_events.rules)
2847988 - ETPRO CURRENT_EVENTS Successful Generic Multibrand Aipr Phish
2021-04-02 (current_events.rules)
2847989 - ETPRO CURRENT_EVENTS Successful Facebook Messenger Phish
2021-04-02 (current_events.rules)
2847990 - ETPRO CURRENT_EVENTS Successful Galicia Online Bank Phish
2021-04-02 (current_events.rules)
2847991 - ETPRO CURRENT_EVENTS Successful Generic xResult Phish
2021-04-02 (current_events.rules)
2847992 - ETPRO CURRENT_EVENTS Successful Generic myCloud for Business
Phish 2021-04-02 (current_events.rules)
2847993 - ETPRO TROJAN W32/Unk.CryptoStealer CnC Activity (trojan.rules)
2847994 - ETPRO TROJAN MSIL/PSW.Agent.RXP Variant Exfil CnC Activity
(trojan.rules)
2847995 - ETPRO TROJAN MSIL/Spy.Agent.CCD Variant Exfil CnC Activity
(trojan.rules)
2847996 - ETPRO TROJAN Win32/Remcos RAT Checkin 702 (trojan.rules)
2847997 - ETPRO TROJAN Observed Glupteba CnC Domain in TLS SNI
(trojan.rules)
2847998 - ETPRO TROJAN Observed Glupteba CnC Domain in TLS SNI
(trojan.rules)

[///] Modified active rules: [///]

2018087 - ET INFO Control Panel Applet File Download (info.rules)
2847940 - ETPRO TROJAN DTLoader Activity (trojan.rules)
2847964 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2021-04-01 (current_events.rules)

[---] Disabled rules: [---]

2810188 - ETPRO MALWARE MultiPlug Code Signing Certificate Seen
(malware.rules)

[---] Removed rules: [---]

2815601 - ETPRO CURRENT_EVENTS DHL Phishing Landing Jan 05 2016
(current_events.rules)
2815801 - ETPRO CURRENT_EVENTS Successful Formbuddy Credential Phish
Submission Jan 15 (current_events.rules)
2816039 - ETPRO CURRENT_EVENTS Phishing Landing via Weebly.com (set) Feb
2 (current_events.rules)
2816040 - ETPRO INFO Phishing Landing via Weebly.com Feb 2 M1 (info.rules)
2816041 - ETPRO INFO Phishing Landing via Weebly.com Feb 2 M2 (info.rules)
2816042 - ETPRO INFO Phishing Landing via Weebly.com Feb 2 M3 (info.rules)
2816043 - ETPRO INFO Phishing Landing via Weebly.com Feb 2 M4 (info.rules)
2816111 - ETPRO WEB_CLIENT Common /mpp/ Phishing URI Structure Feb 08
2016 (web_client.rules)
2816346 - ETPRO CURRENT_EVENTS Am3Refh Obfuscated Phishing Landing Feb 22
2016 (current_events.rules)
2816393 - ETPRO CURRENT_EVENTS Possible Phishing Landing Obfuscation
2016-02-26 (current_events.rules)
2816601 - ETPRO CURRENT_EVENTS Adobe Phishing Landing March 08 2016
(current_events.rules)
2816609 - ETPRO CURRENT_EVENTS Successful Free.fr Phish Mar 10 2016
(current_events.rules)
2816734 - ETPRO CURRENT_EVENTS Obfuscated Chase Phishing Landing
2016-03-23 (current_events.rules)
2816790 - ETPRO CURRENT_EVENTS L33bo Phishing Landing 2016-03-29
(current_events.rules)
2816883 - ETPRO CURRENT_EVENTS Possible Successful Phish to Hostinger
Domains M1 Apr 4 2016 (current_events.rules)
2816884 - ETPRO CURRENT_EVENTS Possible Successful Phish to Hostinger
Domains M2 Apr 4 2016 (current_events.rules)
2816885 - ETPRO CURRENT_EVENTS Possible Successful Phish to Hostinger
Domains M3 Apr 4 2016 (current_events.rules)
2816887 - ETPRO CURRENT_EVENTS Possible Successful Phish to Hostinger
Domains M5 Apr 4 2016 (current_events.rules)
2820001 - ETPRO CURRENT_EVENTS Adobe Online Document Phishing Landing May
02 2016 (current_events.rules)
2820241 - ETPRO CURRENT_EVENTS Successful Mailbox Shutdown Phish M1 May
16 2016 (current_events.rules)
2820242 - ETPRO CURRENT_EVENTS Successful Mailbox Shutdown Phish M2 May
16 2016 (current_events.rules)
2820243 - ETPRO CURRENT_EVENTS Successful Mailbox Shutdown Phish M3 May
16 2016 (current_events.rules)
2820371 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish May 26 2016
(current_events.rules)
2820453 - ETPRO CURRENT_EVENTS Adobe Cloud Phishing Landing Jun 02 2016
(current_events.rules)
2820534 - ETPRO CURRENT_EVENTS Possible HMRC Phishing Domain Jun 08 2016
(current_events.rules)
2820557 - ETPRO WEB_CLIENT Suspicious Compound Refresh - Possible
Phishing Redirect 2016-06-09 (web_client.rules)
2820614 - ETPRO CURRENT_EVENTS Possible Apple Phishing Domain Jun 14 2016
(current_events.rules)
2820683 - ETPRO CURRENT_EVENTS Successful Chase Phish Jun 15 2016
(current_events.rules)
2820684 - ETPRO CURRENT_EVENTS Successful Apple Phish Jun 15 2016
(current_events.rules)
2820685 - ETPRO CURRENT_EVENTS Successful USAA Phish Jun 15
(current_events.rules)
2820686 - ETPRO CURRENT_EVENTS Successful Paypal Phish Jun 15 2016
(current_events.rules)
2820804 - ETPRO CURRENT_EVENTS Phishing Landing via Weebly.com June 21
(current_events.rules)
2820843 - ETPRO CURRENT_EVENTS Shipping Document Phishing Landing Jun 23
2016 (current_events.rules)
2820877 - ETPRO CURRENT_EVENTS Successful Amazon.com Phish M1 Jun 27 2016
(current_events.rules)
2820920 - ETPRO INFO Data Submitted to ukit domain - Possible Phishing M1
Jun 29 2016 (info.rules)
2820921 - ETPRO INFO Data Submitted to ukit domain - Possible Phishing M2
Jun 29 2016 (info.rules)
2821041 - ETPRO CURRENT_EVENTS Successful DHL Phish Jul 11 2016
(current_events.rules)
2821043 - ETPRO CURRENT_EVENTS Successful Yahoo Phish Jul 11 2016
(current_events.rules)
2821311 - ETPRO CURRENT_EVENTS Successful Intuit Phish Jul 21 2016
(current_events.rules)
2821846 - ETPRO CURRENT_EVENTS Successful Generic Phish - JS Redirect to
PDF 2016-08-24 (current_events.rules)
2822006 - ETPRO CURRENT_EVENTS Successful FR Carte Bleue / BCP Phish Sept
6 2016 (current_events.rules)
2822567 - ETPRO CURRENT_EVENTS Successful Gmail Phish M1 Oct 11 2016
(current_events.rules)
2822712 - ETPRO CURRENT_EVENTS Successful Banco de la Nacion Phish Oct 18
2016 (current_events.rules)
2822901 - ETPRO CURRENT_EVENTS Successful Generic Phish - Observed in
Apple/Bank of America/Amazon Oct 26 2016 (current_events.rules)
2822953 - ETPRO CURRENT_EVENTS Successful Generic Phish Oct 27 2016
(current_events.rules)
2822954 - ETPRO CURRENT_EVENTS Successful Generic Phish M2 Oct 27 2016
(current_events.rules)
2822980 - ETPRO CURRENT_EVENTS Successful Email Settings Phish Oct 28
2016 (current_events.rules)
2822981 - ETPRO CURRENT_EVENTS Successful Dropbox/Docusign Phish Oct 28
2016 (current_events.rules)
2823311 - ETPRO CURRENT_EVENTS Successful Linkedin Phish Nov 16 2016
(current_events.rules)
2823361 - ETPRO CURRENT_EVENTS Successful Generic Wembail Phish M2 Nov 18
2016 (current_events.rules)
2823641 - ETPRO CURRENT_EVENTS Successful Bank of America Phish Dec 05
2016 (current_events.rules)
2823700 - ETPRO CURRENT_EVENTS Successful Microsoft Phish Dec 07 2016
(current_events.rules)
2823939 - ETPRO CURRENT_EVENTS Obfuscated Phishing Landing Dec 18 2016
(current_events.rules)
2824047 - ETPRO CURRENT_EVENTS Successful Poste Italiane Phish Dec 23
2016 (current_events.rules)

Date:
Summary title:
56 new OPEN, 74 new PRO (56 + 18). Tons o' phishing moved to OPEN, AsyncRAT, W32/Unk.CryptoStealer, MSIL/PSW.Agent.RXP, Glupteba, VARIOUS PHISHING.