Daily Ruleset Update Summary 2022/09/26

Summary:

32 new OPEN, 34 new PRO (32 + 2): Gamaredon, OSX/SHLAYER, Lazarus, and SocGholish

Thanks @1ZRR4H and @StopMalvertisin

Please share issues, feedback, and requests at Feedback

Added rules:

Open:

2038973 - ET MALWARE Gamaredon APT Backdoor Related Activity (malware.rules)
2038974 - ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup (malware.rules)
2038975 - ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup (malware.rules)
2038976 - ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup (malware.rules)
2038977 - ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup (malware.rules)
2038978 - ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup (malware.rules)
2038979 - ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup (malware.rules)
2038980 - ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup (malware.rules)
2038981 - ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup (malware.rules)
2038982 - ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup (malware.rules)
2038983 - ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup (malware.rules)
2038984 - ET MALWARE Golang/Webbfustator Related Domain in DNS Lookup (xmlschemeformat .com) (malware.rules)
2038985 - ET MALWARE Golang/Webbfustator Related Domain in DNS Lookup (updatesagent .com) (malware.rules)
2038986 - ET MALWARE Lazarus APT Related Domain in DNS Lookup (digiboxes .us) (malware.rules)
2038987 - ET MALWARE TA444 Related Domain in DNS Lookup (onlinecloud .cloud) (malware.rules)
2038988 - ET INFO Lockbit Ransomware Related Domain in DNS Lookup (lockbitapt) (info.rules)
2038989 - ET MALWARE Lockbit Ransomware Related Domain in DNS Lookup (ppaauuaa11232 .cc) (malware.rules)
2038990 - ET INFO Observed URL Shortener Service Domain (zshorten .com in TLS SNI) (info.rules)
2038991 - ET INFO Observed URL Shortener Service Domain Domain (zii .to in TLS SNI) (info.rules)
2038992 - ET INFO URL Shortener Service Domain DNS Lookup (zshorten .com) (info.rules)
2038993 - ET INFO URL Shortener Service Domain DNS Lookup (zii .to) (info.rules)
2038994 - ET INFO DYNAMIC_DNS Query to dynnamn .ru Domain (info.rules)
2038995 - ET INFO DYNAMIC_DNS Query to didns .ru Domain (info.rules)
2038996 - ET PHISHING Generic Credential Phish Landing Page 2022-09-26 (phishing.rules)
2038997 - ET PHISHING Successful Generic Credential Phish 2022-09-26 (phishing.rules)
2038998 - ET MALWARE Win32/Logger RAT CnC Checkin (malware.rules)
2038999 - ET MALWARE Win32/Spy.Delf.QTL Data Exfiltration Attempt (malware.rules)
2039000 - ET MALWARE Maldoc CnC Checkin (malware.rules)
2039001 - ET MALWARE SocGholish CnC Domain in DNS Lookup (jobs .registermegod .online) (malware.rules)
2039002 - ET MALWARE SocGholish Domain in DNS Lookup (logistics .socialtrendsmanagement .com) (malware.rules)
2039003 - ET MALWARE SocGholish Domain in DNS Lookup (football .4tosocial .com) (malware.rules)
2039004 - ET MALWARE SocGholish Domain in DNS Lookup (memorial .4tosocialprofessional .com) (malware.rules)

Pro:

2852402 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-09-09 1) (coinminer.rules)
2852403 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-09-09 2) (coinminer.rules)

Modified active rules:

2038898 - ET MALWARE Golang/Webbfustator DNS Tunneling Activity (malware.rules)
2038917 - ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response M2 (malware.rules)
2823044 - ETPRO MALWARE W32.Dreambot Checkin (malware.rules)