[***] Summary: [***]

96 new OPEN, 119 new PRO (96 + 23). Lots of PHISH moved from PRO to
OPEN, Mitsubishi Electric smartRTU RCE, OilRig, AsyncRAT, Remcos.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2032544 - ET CURRENT_EVENTS Successful Linkedin Phish 2016-09-27
(current_events.rules)
2032545 - ET CURRENT_EVENTS Successful National Australia Bank
2016-09-28 (current_events.rules)
2032546 - ET CURRENT_EVENTS Successful Made In China Phish
2016-09-28 (current_events.rules)
2032547 - ET CURRENT_EVENTS Successful Google Docs Phish 2016-09-28
(current_events.rules)
2032548 - ET CURRENT_EVENTS Successful Paypal Phish M1 2016-09-29
(current_events.rules)
2032549 - ET CURRENT_EVENTS Successful Paypal Phish M2 2016-09-29
(current_events.rules)
2032550 - ET CURRENT_EVENTS Successful Paypal Phish M3 2016-09-29
(current_events.rules)
2032551 - ET CURRENT_EVENTS Successful Keybank Phish 2016-09-29
(current_events.rules)
2032552 - ET CURRENT_EVENTS Successful Gmail Phish M2 2016-09-29
(current_events.rules)
2032553 - ET CURRENT_EVENTS Successful Facebook Payment Phish M1
2016-09-29 (current_events.rules)
2032554 - ET CURRENT_EVENTS Successful Emirate Phish 2016-09-29
(current_events.rules)
2032555 - ET CURRENT_EVENTS Successful Hotmail Phish 2016-09-29
(current_events.rules)
2032556 - ET CURRENT_EVENTS Successful Wells Fargo Phish M1
2016-09-30 (current_events.rules)
2032557 - ET CURRENT_EVENTS Successful Facebook Phish M2 2016-09-30
(current_events.rules)
2032558 - ET CURRENT_EVENTS Successful Outlook Phish 2016-10-03
(current_events.rules)
2032559 - ET CURRENT_EVENTS Successful Sparkasse Phish 2016-10-03
(current_events.rules)
2032560 - ET CURRENT_EVENTS Successful Apple ID Phish M2 2016-10-04
(current_events.rules)
2032561 - ET CURRENT_EVENTS Successful Paypal (DE) Phish 2016-10-04
(current_events.rules)
2032562 - ET CURRENT_EVENTS Successful Adobe Personalized Phish
2016-10-04 (current_events.rules)
2032563 - ET CURRENT_EVENTS Successful Personalized Webmail Phish
2016-10-05 (current_events.rules)
2032564 - ET CURRENT_EVENTS Successful Wells Fargo Phish 2016-10-05
(current_events.rules)
2032565 - ET CURRENT_EVENTS Successful Wells Fargo Phish 2016-10-05
(current_events.rules)
2032566 - ET CURRENT_EVENTS Successful Paypal Phish M1 2016-10-05
(current_events.rules)
2032567 - ET CURRENT_EVENTS Successful Paypal Phish M3 2016-10-05
(current_events.rules)
2032568 - ET CURRENT_EVENTS Successful Excel Online Phish 2016-10-05
(current_events.rules)
2032569 - ET CURRENT_EVENTS Successful View Invoice Phish M1
2016-10-05 (current_events.rules)
2032570 - ET CURRENT_EVENTS Successful View Invoice Phish M2
2016-10-05 (current_events.rules)
2032571 - ET CURRENT_EVENTS Successful Facebook Phish 2016-10-06
(current_events.rules)
2032572 - ET CURRENT_EVENTS Successful Paypal Phish M4 2016-10-06
(current_events.rules)
2032573 - ET CURRENT_EVENTS Successful FreeMobile (FR) Phish M1
2016-10-06 (current_events.rules)
2032574 - ET CURRENT_EVENTS Successful FreeMobile (FR) Phish M2
2016-10-06 (current_events.rules)
2032575 - ET CURRENT_EVENTS Successful FreeMobile (FR) Phish M3
2016-10-06 (current_events.rules)
2032576 - ET CURRENT_EVENTS Successful Wells Fargo Phish 2016-10-06
(current_events.rules)
2032577 - ET CURRENT_EVENTS Successful Paypal Phish M2 2016-10-06
(current_events.rules)
2032578 - ET CURRENT_EVENTS Successful Paypal Phish M3 2016-10-06
(current_events.rules)
2032579 - ET CURRENT_EVENTS Successful HM Revenue Phish 2016-10-06
(current_events.rules)
2032580 - ET CURRENT_EVENTS Successful Personalized DHL Phish
2016-10-12 (current_events.rules)
2032581 - ET CURRENT_EVENTS Successful Linkedin Phish 2016-10-12
(current_events.rules)
2032582 - ET CURRENT_EVENTS Successful Netflix Phish 2016-10-12
(current_events.rules)
2032583 - ET CURRENT_EVENTS Successful HBL Bank Phish M1 2016-10-12
(current_events.rules)
2032584 - ET CURRENT_EVENTS Successful HBL Bank Phish M2 2016-10-12
(current_events.rules)
2032585 - ET CURRENT_EVENTS Successful Facebook Phish 2016-10-12
(current_events.rules)
2032586 - ET CURRENT_EVENTS Successful Dropbox Phish 2016-10-14
(current_events.rules)
2032587 - ET CURRENT_EVENTS Successful Yahoo Mail Phish 2016-10-14
(current_events.rules)
2032588 - ET CURRENT_EVENTS Successful PNC Bank Phish M1 2016-10-14
(current_events.rules)
2032589 - ET CURRENT_EVENTS Successful PNC Bank Phish M2 2016-10-14
(current_events.rules)
2032590 - ET CURRENT_EVENTS Successful Bank of America Phish (set)
M1 2016-10-14 (current_events.rules)
2032591 - ET CURRENT_EVENTS Successful Bank of America Phish (set)
M2 2016-10-14 (current_events.rules)
2032592 - ET CURRENT_EVENTS Successful Bank of America Phish (set)
M3 2016-10-14 (current_events.rules)
2032593 - ET CURRENT_EVENTS Successful Paypal Phish M2 2016-10-17
(current_events.rules)
2032594 - ET CURRENT_EVENTS Successful Outlook Phish 2016-10-18
(current_events.rules)
2032595 - ET CURRENT_EVENTS Successful Chase Phish 2016-10-18
(current_events.rules)
2032596 - ET CURRENT_EVENTS Successful Microsoft Live Email Account
Phish 2016-10-18 (current_events.rules)
2032597 - ET CURRENT_EVENTS Successful NatWest Bank Phish M3
2016-10-19 (current_events.rules)
2032598 - ET CURRENT_EVENTS Successful Google Docs Phish M1
2016-10-19 (current_events.rules)
2032599 - ET CURRENT_EVENTS Successful NAB Bank Phish M1 2016-10-19
(current_events.rules)
2032600 - ET CURRENT_EVENTS Successful NAB Bank Phish M2 2016-10-19
(current_events.rules)
2032601 - ET CURRENT_EVENTS Successful Credit Agricole Bank (FR)
Phish M2 2016-10-19 (current_events.rules)
2032602 - ET CURRENT_EVENTS Successful Credit Agricole Bank (FR)
Phish M3 2016-10-19 (current_events.rules)
2032603 - ET CURRENT_EVENTS Successful Personalized DHL Phish
2016-10-20 (current_events.rules)
2032604 - ET CURRENT_EVENTS Successful EC21 B2B Phish 2016-10-21
(current_events.rules)
2032605 - ET CURRENT_EVENTS Successful Earthlink Phish 2016-10-21
(current_events.rules)
2032606 - ET CURRENT_EVENTS Successful UBS Phish 2016-10-21
(current_events.rules)
2032607 - ET CURRENT_EVENTS Successful iTunes Connect Phish M1
2016-10-21 (current_events.rules)
2032608 - ET CURRENT_EVENTS Successful Paypal Phish 2016-10-21
(current_events.rules)
2032609 - ET CURRENT_EVENTS Successful LCL Banque et Assurance (FR)
Phish 2016-10-22 (current_events.rules)
2032610 - ET CURRENT_EVENTS Successful Impots.gouv.fr Phish
2016-10-24 (current_events.rules)
2032611 - ET CURRENT_EVENTS Successful AOL Phish 2016-10-24
(current_events.rules)
2032612 - ET CURRENT_EVENTS Successful Dropbox Phish 2016-10-25
(current_events.rules)
2032613 - ET CURRENT_EVENTS Successful Outlook Phish 2016-10-26
(current_events.rules)
2032614 - ET CURRENT_EVENTS Successful Personalized Outlook Phish
2016-10-26 (current_events.rules)
2032615 - ET CURRENT_EVENTS Successful Paypal Phish M3 2016-10-26
(current_events.rules)
2032616 - ET CURRENT_EVENTS Successful Danske Bank Phish (DA)
2016-10-27 (current_events.rules)
2032617 - ET CURRENT_EVENTS Successful Chase Phish 2016-10-31
(current_events.rules)
2032618 - ET CURRENT_EVENTS Successful DHL Phish 2016-11-15
(current_events.rules)
2032619 - ET CURRENT_EVENTS Successful Netflix Phish 2016-11-15
(current_events.rules)
2032620 - ET CURRENT_EVENTS Successful WhatsApp Payment Phish M1
2016-11-15 (current_events.rules)
2032621 - ET CURRENT_EVENTS Successful WhatsApp Payment Phish M2
2016-11-15 (current_events.rules)
2032622 - ET CURRENT_EVENTS Successful Paypal Phish M1 2016-11-17
(current_events.rules)
2032623 - ET CURRENT_EVENTS Successful Paypal Phish M2 2016-11-17
(current_events.rules)
2032624 - ET CURRENT_EVENTS Successful Docusign Phish 2016-11-17
(current_events.rules)
2032625 - ET CURRENT_EVENTS Successful Excel Phish 2016-11-17
(current_events.rules)
2032626 - ET CURRENT_EVENTS Successful Email Settings Error Phish
2016-11-17 (current_events.rules)
2032627 - ET CURRENT_EVENTS Successful Wells Fargo Phish M1
2016-11-18 (current_events.rules)
2032628 - ET CURRENT_EVENTS Successful Wells Fargo Phish M2
2016-11-18 (current_events.rules)
2032629 - ET CURRENT_EVENTS Successful Google Drive Phish 2016-11-18
(current_events.rules)
2032630 - ET CURRENT_EVENTS Successful Office 365 Phish 2016-11-18
(current_events.rules)
2032632 - ET CURRENT_EVENTS Successful Sparkasse (DE) Phish
2016-11-28 (current_events.rules)
2032633 - ET CURRENT_EVENTS Successful Western Union Phish
2016-09-27 (current_events.rules)
2032634 - ET WEB_CLIENT Generic Webshell Accessed on External
Compromised Server (web_client.rules)
2032635 - ET WEB_SERVER Generic Webshell Accessed on Internal
Compromised Server (web_server.rules)
2032636 - ET EXPLOIT Mitsubishi Electric smartRTU RCE Inbound
(CVE-2019-14931) (exploit.rules)
2032637 - ET EXPLOIT Mitsubishi Electric smartRTU RCE Outbound
(CVE-2019-14931) (exploit.rules)
2032638 - ET EXPLOIT Klog Server Command Injection Inbound
(CVE-2021-3317) (exploit.rules)
2032639 - ET TROJAN Observed Win32.Raccoon Stealer CnC Domain
(lomhasnopryiyome .top in TLS SNI) (trojan.rules)
2032640 - ET TROJAN OilRig SideTwist CnC Domain in DNS Lookup
(sarmsoftware .com) (trojan.rules)

Pro:

2848101 - ETPRO TROJAN MSIL/Browsstl.GA!MTB Stealer CnC Exfil (trojan.rules)
2848102 - ETPRO TROJAN Win32/Tnega!ml Stealer CnC Exfil (trojan.rules)
2848103 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848104 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848105 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848106 - ETPRO CURRENT_EVENTS Successful Generic Credit Card
Information Phish 2021-04-09 (current_events.rules)
2848107 - ETPRO CURRENT_EVENTS Successful Castle Trust Bank Phish
2021-04-09 (current_events.rules)
2848108 - ETPRO CURRENT_EVENTS Successful Generic Secured Form Phish
2021-04-09 (current_events.rules)
2848109 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-09 1) (trojan.rules)
2848110 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-09 2) (trojan.rules)
2848111 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-09 3) (trojan.rules)
2848112 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-09 4) (trojan.rules)
2848113 - ETPRO CURRENT_EVENTS Successful Sparkasse Phish 2021-04-09
(current_events.rules)
2848114 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2021-04-09 (current_events.rules)
2848115 - ETPRO CURRENT_EVENTS Successful Suncorp Phish 2021-04-09
(current_events.rules)
2848116 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish
2021-04-09 (current_events.rules)
2848117 - ETPRO CURRENT_EVENTS Successful Chase Phish 2021-04-09
(current_events.rules)
2848118 - ETPRO CURRENT_EVENTS Successful Amazon JP Phish 2021-04-09
(current_events.rules)
2848120 - ETPRO TROJAN Win32/Remcos RAT Checkin 704 (trojan.rules)
2848121 - ETPRO TROJAN Observed Malicious SSL Cert (AZORult CnC)
(trojan.rules)
2848122 - ETPRO INFO Windows System Information in UA (info.rules)
2848123 - ETPRO TROJAN Win32/Ymacco.AA48 Activity (POST) (trojan.rules)

[///] Modified active rules: [///]

2031193 - ET TROJAN Suspected Snugy DNS Backdoor Initial Beacon (trojan.rules)
2847936 - ETPRO TROJAN MSIL/BloodyStealer CnC Activity (trojan.rules)
