Daily Ruleset Update Summary 2022/09/20

Summary:

8 new OPEN, 13 new PRO (10 + 3)

Please share issues, feedback, and requests at Feedback

Added rules:

Open:

2038903 - ET MOBILE_MALWARE XX-Net VPN Client CnC Checkin (mobile_malware.rules)
2038906 - ET INFO Observed DNS Query to xsph .ru Domain (info.rules)
2038907 - ET MALWARE Gamaredon Information Stealer Data Exfiltration Attempt (malware.rules)
2038908 - ET MALWARE Gamaredon Payload Delivery Domain (heato .ru) in DNS Lookup (malware.rules)
2038909 - ET MALWARE Gamaredon Payload Delivery Domain (motoristo .ru) in DNS Lookup (malware.rules)
2038910 - ET MALWARE Gamaredon CnC Domain (kuckuduk .ru) in DNS Lookup (malware.rules)
2038911 - ET MALWARE Gamaredon CnC Domain (pasamart .ru) in DNS Lookup (malware.rules)
2038912 - ET MALWARE Gamaredon CnC Domain (celticso .ru) in DNS Lookup (malware.rules)

Pro:

2824801 - ETPRO PHISHING Lets Encrypt Free SSL Cert Observed in Possible Paypal Phishing (phishing.rules)
2852387 - ETPRO MALWARE Jege6bot Checkin via Telegram (malware.rules)
2852388 - ETPRO MALWARE BluStealer - SysInfo Exfil via Telegram M4 (malware.rules)

Modified active rules:

2037261 - ET MALWARE BluStealer - SysInfo Exfil via Telegram M2 (malware.rules)
2038781 - ET EXPLOIT D-Link Remote Code Execution Attempt (CVE-2022-26258) (exploit.rules)
2801029 - ETPRO SCADA GE (Event 24) View Device Status (scada.rules)
2801060 - ETPRO SCADA DIRECTLOGIC (Event 50) Feature Request (scada.rules)
2801065 - ETPRO SCADA DIRECTLOGIC (Event 10) Lock PLC Attempt (scada.rules)
2801066 - ETPRO SCADA DIRECTLOGIC (Event 10) Lock PLC Attempt (scada.rules)
2801067 - ETPRO SCADA DIRECTLOGIC (Event 11) Unlock PLC Attempt (scada.rules)
2801068 - ETPRO SCADA DIRECTLOGIC (Event 11) Unlock PLC Attempt (scada.rules)
2801069 - ETPRO SCADA DIRECTLOGIC (Event 31) Reboot or Restart (scada.rules)
2801070 - ETPRO SCADA DIRECTLOGIC (Event 47) Device Poll All (scada.rules)
2801071 - ETPRO SCADA DIRECTLOGIC (Event 50) Feature Request (scada.rules)
2801076 - ETPRO SCADA DIRECTLOGIC (Event 10) Lock PLC Attempt (scada.rules)
2801077 - ETPRO SCADA DIRECTLOGIC (Event 10) Lock PLC Attempt (scada.rules)
2801078 - ETPRO SCADA DIRECTLOGIC (Event 11) Unlock PLC Attempt (scada.rules)
2801079 - ETPRO SCADA DIRECTLOGIC (Event 11) Unlock PLC Attempt (scada.rules)
2801080 - ETPRO SCADA DIRECTLOGIC (Event 31) Reboot or Restart (scada.rules)
2801091 - ETPRO SCADA DIRECTLOGIC (Event 45) Software Download (scada.rules)
2801092 - ETPRO SCADA DIRECTLOGIC (Event 45) Software Download (scada.rules)
2812116 - ETPRO POLICY External IP Address/Location Disclosure - geoplugin .net (policy.rules)
2849995 - ETPRO MALWARE BluStealer - SysInfo Exfil via Telegram M1 (malware.rules)
2851959 - ETPRO MALWARE BluStealer - SysInfo Exfil via Telegram M3 (malware.rules)

Disabled and modified rules:

2033338 - ET SCAN Baidu Spider Webcrawler User Agent - inbound (scan.rules)

Removed rules:

2824801 - ETPRO MALWARE Lets Encrypt Free SSL Cert Observed in Possible Paypal Phishing (malware.rules)