[***] Summary: [***]
42 new OPEN, 60 new PRO (42 + 18). Raccoon Stealer, Pult Downloader, Zyxel Auth Bypass CVE, Android/Agent.BQX, Various PHISH.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2032484 - ET CURRENT_EVENTS Successful Docusign/Outlook Phish 2016-08-17 (current_events.rules)
2032485 - ET CURRENT_EVENTS Successful Docusign Phish M2 2016-08-17 (current_events.rules)
2032486 - ET CURRENT_EVENTS Successful Comcast Phish 2016-08-18 (current_events.rules)
2032487 - ET CURRENT_EVENTS Successful Gmail Phish 2016-08-18 (current_events.rules)
2032488 - ET CURRENT_EVENTS Successful Mailbox Renewal Phish 2016-08-19 (current_events.rules)
2032489 - ET CURRENT_EVENTS Successful Excel Phish 2016-08-19 (current_events.rules)
2032490 - ET CURRENT_EVENTS Successful Mailbox Deactivation Phish 2016-08-19 (current_events.rules)
2032491 - ET CURRENT_EVENTS Successful Universal Webmail Phish 2016-08-19 (current_events.rules)
2032492 - ET CURRENT_EVENTS Successful Tata Communications Phish 2016-08-19 (current_events.rules)
2032493 - ET CURRENT_EVENTS Successful Office 365 Phish 2016-08-24 (current_events.rules)
2032494 - ET CURRENT_EVENTS Successful USAA Phish 2016-08-30 (current_events.rules)
2032495 - ET CURRENT_EVENTS Successful Westpac Bank Phish 2016-08-31 (current_events.rules)
2032496 - ET CURRENT_EVENTS Successful Wells Fargo Phish 2016-08-31 (current_events.rules)
2032497 - ET CURRENT_EVENTS Successful HealthEquity Phish 2016-09-01 (current_events.rules)
2032498 - ET CURRENT_EVENTS Successful WhatsApp Payment Phish 2016-09-01 (current_events.rules)
2032499 - ET CURRENT_EVENTS Successful Outlook WebApp Phish 2016-09-02 (current_events.rules)
2032500 - ET CURRENT_EVENTS Successful Webmail Validator Phish M1 2016-09-02 (current_events.rules)
2032501 - ET CURRENT_EVENTS Successful iCloud Phish 2016-09-02 (current_events.rules)
2032502 - ET CURRENT_EVENTS Successful Webmail Mailbox Quota Phish 2016-09-02 (current_events.rules)
2032503 - ET CURRENT_EVENTS Successful Generic Phish 2016-09-08 (current_events.rules)
2032504 - ET CURRENT_EVENTS Successful Yahoo Phish M1 2016-09-08 (current_events.rules)
2032505 - ET CURRENT_EVENTS Successful DHL Phish 2016-09-16 (current_events.rules)
2032506 - ET CURRENT_EVENTS Successful Yahoo Phish 2016-09-27 (current_events.rules)
2032507 - ET CURRENT_EVENTS Successful Google Drive Phish 2016-09-27 (current_events.rules)
2032508 - ET CURRENT_EVENTS Successful Western Union Phish 2016-09-27 (current_events.rules)
2032509 - ET CURRENT_EVENTS Generic Bank Captcha Phishing Landing (current_events.rules)
2032510 - ET CURRENT_EVENTS Generic Hidden Text - Possible Phishing Landing (current_events.rules)
2032511 - ET CURRENT_EVENTS Generic Bank Captcha Phishing Landing (current_events.rules)
2032512 - ET CURRENT_EVENTS Office Related Appspot Hosted Shared Document Phishing Landing (current_events.rules)
2032513 - ET CURRENT_EVENTS Microsoft Account Redirect to Phishing Landing (current_events.rules)
2032514 - ET CURRENT_EVENTS Generic Multibrand NewInjection Phishing Landing Template (current_events.rules)
2032515 - ET CURRENT_EVENTS Generic Multibrand Ajax XHR CredPost Phishing Landing (current_events.rules)
2032516 - ET CURRENT_EVENTS Generic Multibrand NewInjection Phishing Landing Template (current_events.rules)
2032517 - ET CURRENT_EVENTS Generic Multibrand NewInjection Phishing Landing Template (current_events.rules)
2032518 - ET CURRENT_EVENTS Generic Bank Captcha Phishing Landing (current_events.rules)
2032519 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server (web_client.rules)
2032520 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server (web_server.rules)
2032521 - ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server (web_client.rules)
2032522 - ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server (web_server.rules)
2032523 - ET EXPLOIT Possible Zyxel Authentication Bypass Inbound (CVE-2021-3297) (exploit.rules)
2032524 - ET TROJAN Win32.Raccoon Stealer CnC Domain in TLS SNI (lifemaindecision .top) (trojan.rules)
2032525 - ET TROJAN Pult Downloader Activity (trojan.rules)
Pro:
2848030 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 6 (mobile_malware.rules)
2848031 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 7 (mobile_malware.rules)
2848032 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 8 (mobile_malware.rules)
2848033 - ETPRO MOBILE_MALWARE Android/Spy.KreditSpy.B (TLS SNI) (mobile_malware.rules)
2848034 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 9 (mobile_malware.rules)
2848035 - ETPRO TROJAN Win32/FM.Backdoor CnC Activity (Inbound) (trojan.rules)
2848036 - ETPRO INFO Suspicious Filename in Outbound POST Request (Google Chrome_Default.txt) (info.rules)
2848037 - ETPRO INFO Suspicious Filename in Outbound POST Request (IE_Cookies.txt) (info.rules)
2848038 - ETPRO INFO Suspicious Filename in Outbound POST Request (Edge_Cookies.txt) (info.rules)
2848039 - ETPRO CURRENT_EVENTS Successful Impots Gouv FR Phish 2021-04-06 (current_events.rules)
2848040 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2021-04-06 (current_events.rules)
2848041 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2021-04-06 (current_events.rules)
2848042 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish 2021-04-06 (current_events.rules)
2848043 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2021-04-06 (current_events.rules)
2848044 - ETPRO CURRENT_EVENTS Successful Shaw Webmail Phish 2021-04-06 (current_events.rules)
2848045 - ETPRO CURRENT_EVENTS Successful Generic DoLogin Function Phish 2021-04-06 (current_events.rules)
2848046 - ETPRO CURRENT_EVENTS Successful Comcast Xfinity Phish 2021-04-06 (current_events.rules)
2848047 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish 2021-04-06 (current_events.rules)
[///] Modified active rules: [///]
2011108 - ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
2011109 - ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter DELETE FROM SQL Injection Attempt (web_specific_apps.rules)
2011110 - ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UNION SELECT SQL Injection Attempt (web_specific_apps.rules)
2011111 - ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
2011112 - ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
2019236 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number (web_server.rules)
2847502 - ETPRO EXPLOIT Possible Internet Explorer Memory Corruption/UAF (CVE-2021-26411) (exploit.rules)