Daily Ruleset Update Summary 2022/09/29

Summary:

27 new OPEN, 35 new PRO (27 + 8). Various Android Mobile Malware, Win32/Coldstealer, Chaos Botnet, and TA444.

Thanks @BlackLotusLabs

Please share issues, feedback, and requests at Feedback

Added rules:

Open:

2039037 - ET MALWARE Win32/NetDooka Framework Related Activity (POST) M2 (malware.rules)
2039038 - ET MALWARE Observed Malicious SSL Cert (Go/Chaos Botnet) (malware.rules)
2039039 - ET MALWARE Gamaredon APT Related Activity (GET) (malware.rules)
2039040 - ET MALWARE Win32/Coldstealer Sending System Information (POST) (malware.rules)
2039041 - ET MALWARE TA444 Domain in DNS Lookup (malware.rules)
2039042 - ET MALWARE TA444 Domain in DNS Lookup (malware.rules)
2039043 - ET MALWARE Observed TA444 Domain (mufg .ink in TLS SNI) (malware.rules)
2039044 - ET MALWARE Observed TA444 Domain (mufg .us .org in TLS SNI) (malware.rules)
2039045 - ET INFO External IP Lookup Domain (ip-api .io) in DNS Lookup (info.rules)
2039046 - ET INFO Free Web Hosting Domain (c1 .biz) in DNS Lookup (info.rules)
2039047 - ET MALWARE Chaos Botnet CnC Domain (ars1 .wemix .cc) in DNS Lookup (malware.rules)
2039048 - ET MALWARE Chaos Botnet CnC Domain (quanquandd .top) in DNS Lookup (malware.rules)
2039049 - ET MALWARE Chaos Botnet CnC Domain (tomca1 .com) in DNS Lookup (malware.rules)
2039050 - ET MALWARE Chaos Botnet CnC Domain (a .nqb001 .com) in DNS Lookup (malware.rules)
2039051 - ET MALWARE Chaos Botnet CnC Domain (js .wanpay1 .cn) in DNS Lookup (malware.rules)
2039052 - ET MALWARE Chaos Botnet CnC Domain (tf .xiaozhuddos .co) in DNS Lookup (malware.rules)
2039053 - ET MALWARE Chaos Botnet CnC Domain (abc .cfed .cc) in DNS Lookup (malware.rules)
2039054 - ET MALWARE Chaos Botnet CnC Domain (ai .nqb001 .com) in DNS Lookup (malware.rules)
2039055 - ET MALWARE Chaos Botnet CnC Domain (x .xlg360 .xyz) in DNS Lookup (malware.rules)
2039056 - ET MALWARE Chaos Botnet CnC Domain (kivspace .xyz) in DNS Lookup (malware.rules)
2039057 - ET MALWARE Chaos Botnet CnC Domain (bitantcoins .pro) in DNS Lookup (malware.rules)
2039058 - ET MALWARE Chaos Botnet CnC Domain (botnet .ddoswow .site) in DNS Lookup (malware.rules)
2039059 - ET MALWARE Chaos Botnet CnC Domain (skyeda .vip) in DNS Lookup (malware.rules)
2039060 - ET MALWARE Chaos Botnet CnC Domain (linuxddos .net) in DNS Lookup (malware.rules)
2039061 - ET MALWARE Chaos Botnet CnC Domain (xiaomai233 .f3322 .net) in DNS Lookup (malware.rules)
2039062 - ET MALWARE Chaos Botnet CnC Domain (bb .hash3688 .com) in DNS Lookup (malware.rules)
2039063 - ET MALWARE Chaos Botnet CnC Domain (are .nishabig .pro) in DNS Lookup (malware.rules)

Pro:

2852452 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Knobot.h CnC Domain in DNS Lookup (mobile_malware.rules)
2852453 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Knobot.h CnC Domain in DNS Lookup (mobile_malware.rules)
2852454 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BUK CnC Domain in DNS Lookup (mobile_malware.rules)
2852455 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.amxu CnC Domain in DNS Lookup (mobile_malware.rules)
2852456 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Rkor.bg CnC Domain in DNS Lookup (mobile_malware.rules)
2852457 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.DZF Checkin (mobile_malware.rules)
2852458 - ETPRO MOBILE_MALWARE Android.Backdoor.690.origin CnC Domain in DNS Lookup (mobile_malware.rules)
2852459 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CCM CnC Domain in DNS Lookup (mobile_malware.rules)
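
Added example (not part of the ET ruleset or of this summary): a small script that pulls the defanged CnC domains out of the "... Domain (x .y .z) in DNS Lookup" titles above, refangs them, and checks DNS query records against them the way a DNS-lookup signature would: exact domain or any subdomain, case-insensitive, never a plain substring match. The rule titles embedded in the script are copied from the list above; the EVE-style log records, source IPs and timestamps are constructed for the example; the matching logic is this example's approximation of a DNS-lookup rule, not the actual ET rule content, and the Suricata rules themselves are not reproduced.

```python
"""Refang the defanged DNS-lookup indicators from the summary above and match
constructed Suricata EVE-style DNS query records against them.
This is an added example, not code from Emerging Threats."""
import json
import re
from typing import Dict, List, Tuple

# Rule titles copied from the summary above; 2039041 names no domain and is skipped.
RULE_TITLES = """\
2039041 - ET MALWARE TA444 Domain in DNS Lookup (malware.rules)
2039047 - ET MALWARE Chaos Botnet CnC Domain (ars1 .wemix .cc) in DNS Lookup (malware.rules)
2039050 - ET MALWARE Chaos Botnet CnC Domain (a .nqb001 .com) in DNS Lookup (malware.rules)
2039054 - ET MALWARE Chaos Botnet CnC Domain (ai .nqb001 .com) in DNS Lookup (malware.rules)
2039061 - ET MALWARE Chaos Botnet CnC Domain (xiaomai233 .f3322 .net) in DNS Lookup (malware.rules)
2039045 - ET INFO External IP Lookup Domain (ip-api .io) in DNS Lookup (info.rules)
"""

# Constructed EVE-style records (hosts, IPs and times are made up for the example).
LOG_LINES = [
    '{"timestamp":"2022-09-29T10:15:02Z","event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"a.nqb001.com","rrtype":"A"}}',
    '{"timestamp":"2022-09-29T10:15:03Z","event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"cdn.ars1.wemix.cc.","rrtype":"A"}}',
    '{"timestamp":"2022-09-29T10:15:04Z","event_type":"dns","src_ip":"10.0.0.7","dns":{"type":"query","rrname":"nqb001.com","rrtype":"A"}}',
    '{"timestamp":"2022-09-29T10:15:05Z","event_type":"dns","src_ip":"10.0.0.7","dns":{"type":"query","rrname":"evil-ip-api.io","rrtype":"A"}}',
    '{"timestamp":"2022-09-29T10:15:06Z","event_type":"dns","src_ip":"10.0.0.9","dns":{"type":"query","rrname":"IP-API.IO","rrtype":"AAAA"}}',
    '{"timestamp":"2022-09-29T10:15:07Z","event_type":"http","src_ip":"10.0.0.9","http":{"hostname":"xiaomai233.f3322.net"}}',
]

# "<sid> - <msg> (<file>.rules)" as the summary prints each rule.
TITLE_RE = re.compile(r"^(?P<sid>\d+) - (?P<msg>.+) \((?P<file>[a-z_]+\.rules)\)$")
# A defanged domain in parentheses: labels separated by " ." (e.g. "ars1 .wemix .cc").
DEFANGED_RE = re.compile(r"\(([a-z0-9-]+(?: \.[a-z0-9-]+)+)\)")


def refang(defanged: str) -> str:
    """'ars1 .wemix .cc' -> 'ars1.wemix.cc'."""
    return defanged.replace(" .", ".").lower()


def extract_indicators(summary: str) -> Dict[str, str]:
    """Map SID -> refanged domain for every '... in DNS Lookup' title with a domain."""
    found: Dict[str, str] = {}
    for line in summary.splitlines():
        m = TITLE_RE.match(line.strip())
        if not m or "in DNS Lookup" not in m["msg"]:
            continue
        d = DEFANGED_RE.search(m["msg"])
        if d:
            found[m["sid"]] = refang(d.group(1))
    return found


def normalize_qname(qname: str) -> str:
    """Drop the trailing root dot and fold case before comparing."""
    return qname.rstrip(".").lower()


def matching_sids(qname: str, indicators: Dict[str, str]) -> List[str]:
    """SIDs whose domain equals the query name or is a parent of it.
    'nqb001.com' does not match 'a.nqb001.com'; 'evil-ip-api.io' does not match 'ip-api.io'."""
    q = normalize_qname(qname)
    return [sid for sid, dom in indicators.items() if q == dom or q.endswith("." + dom)]


def scan(log_lines: List[str], indicators: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(sid, query name, src_ip) for each DNS query record that hits an indicator."""
    hits: List[Tuple[str, str, str]] = []
    for raw in log_lines:
        rec = json.loads(raw)
        if rec.get("event_type") != "dns" or rec.get("dns", {}).get("type") != "query":
            continue  # only DNS queries; HTTP records would need the SNI/Host rules instead
        qname = normalize_qname(rec["dns"]["rrname"])
        for sid in matching_sids(qname, indicators):
            hits.append((sid, qname, rec["src_ip"]))
    return hits


if __name__ == "__main__":
    iocs = extract_indicators(RULE_TITLES)
    for sid, qname, src in scan(LOG_LINES, iocs):
        print(f"sid:{sid} query={qname} src={src}")
```

The two deliberate misses in the constructed log (the parent domain nqb001.com and the look-alike evil-ip-api.io) are the checks worth keeping when you turn a list like this into your own DNS matching: a naive substring or endswith test on the raw string fires on both.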

Enabled and modified rules:

2036613 - ET MALWARE Win32/NetDooka Framework RAT Sending Session ID (malware.rules)
2036614 - ET MALWARE Win32/NetDooka Framework RAT Sending System Information M1 (malware.rules)
2036615 - ET MALWARE Win32/NetDooka Framework RAT Sending File (malware.rules)

Modified active rules:

2036612 - ET MALWARE Win32/NetDooka Framework Related Activity (POST) (malware.rules)
2036616 - ET MALWARE Win32/NetDooka Framework RAT Sending System Information M2 (malware.rules)
2039011 - ET MALWARE LazyScripter Related Domain in DNS Lookup (hpsj .firewall-gateway .net) (malware.rules)
2039012 - ET MALWARE LazyScripter Related Activity (GET) (malware.rules)
2039013 - ET MALWARE Lazyscripter Related Activity (Inbound) (malware.rules)
2039014 - ET MALWARE Win32/Sephora Related Domain in DNS Lookup (sephus .me) (malware.rules)
2039015 - ET MALWARE Win32/Sephora Related Activity (GET) (malware.rules)
2039016 - ET MALWARE Win32/Sephora Related Activity (POST) (malware.rules)
2039018 - ET MALWARE DNSBin Demo (requestbin .net) - Data Exfil (malware.rules)
2039031 - ET MALWARE TA569 Fake Browser Update (malware.rules)

Disabled and modified rules:

2030876 - ET MALWARE DNSBin Demo (requestbin .net) - Data Exfil M1 (malware.rules)
2030877 - ET MALWARE DNSBin Demo (requestbin .net) - Data Inbound (malware.rules)
2036611 - ET MALWARE Win32/NetDooka Framework RAT CnC Activity (malware.rules)