Ruleset Update Summary - 2023/04/26 - v10308

Summary:

6 new OPEN, 14 new PRO (6 + 8)

Thanks @nao_sec


Added rules:

Open:

  • 2040353 - ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com) (coinminer.rules)
  • 2045123 - ET MALWARE Jasmin Ransomware Panel Activity (Response) (malware.rules)
  • 2045203 - ET PHISHING W3LL STORE Phish Kit Landing Page 2023-04-26 (phishing.rules)
  • 2045204 - ET MALWARE Themedata Embedded OLE Object Maldoc Related Domain in DNS Lookup (support-zabbix .com) (malware.rules)
  • 2045205 - ET MALWARE Win32/Spy.Banker.ZZN Variant Checkin (malware.rules)
  • 2045206 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (waterlinesheet .org) (exploit_kit.rules)

Pro:

  • 2854279 - ETPRO PHISHING Generic Phish Landing Page 2023-04-25 (Request) (phishing.rules)
  • 2854280 - ETPRO PHISHING Generic Phish Landing Page 2023-04-25 (Response) (phishing.rules)
  • 2854281 - ETPRO ATTACK_RESPONSE Win32/Agent Tesla CnC Response Inbound (attack_response.rules)
  • 2854282 - ETPRO MALWARE Win32/MathType-Obfs Variant Payload Request (GET) (malware.rules)
  • 2854283 - ETPRO MALWARE Win32/FingerPrint_Disable Loader Payload Request (GET) M1 (malware.rules)
  • 2854284 - ETPRO MALWARE Win32/FingerPrint_Disable Loader Payload Request (GET) M2 (malware.rules)
  • 2854285 - ETPRO ATTACK_RESPONSE Win32/FingerPrint_Disable Loader Payload Inbound (attack_response.rules)
  • 2854286 - ETPRO MALWARE Win32/Spy.Mekotio.GR Data Exfiltration Attempt (malware.rules)

Removed rules:

  • 2025460 - ET INFO NYU Internet HTTP/SSL Census Scan (info.rules)
  • 2040353 - ET INFO Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com) (info.rules)
  • 2045123 - ET INFO Jasmin Ransomware Panel Activity (Response) (info.rules)

Hi, the rule 2045203 - ET PHISHING W3LL STORE Phish Kit Landing Page 2023-04-26 (phishing.rules) is blocking all URLs that contain /ov in them.

This is bad since there are legit URLs that contain ov. For instance if you install the ovmf package in Ubuntu it’ll be blocked since it’s calling http://us.archive.ubuntu.com/ubuntu/pool/main/e/edk2/ovmf_2022.02-3ubuntu0.22.04.1_all.deb.

I.e. any package that starts with ov will block Ubuntu servers from updating since the entire IP is blocked.

This rule should be modified or deleted entirely.

Here’s the rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W3LL STORE Phish Kit Landing Page 2023-04-24"; flow:established,to_server; content:"GET"; http_method; content:"/ov"; http_uri; nocase; fast_pattern; pcre:"/\d\//Ui"; reference:md5,587c61ff29e5033527dd0ae79b61bbe7; classtype:trojan-activity; sid:2045173; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_04_24, deployment Perimeter, former_category PHISHING, confidence Medium, signature_severity Major, updated_at 2023_04_26;)

Tagging someone on the team for visibility @ishaughnessy, thanks!
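To make the false positive concrete, here is an added example (not code from the Emerging Threats ruleset or from anyone in this thread) that emulates how the two URI tests in the quoted signature combine and runs them over a few constructed URIs, including the Ubuntu mirror path from the report. In Suricata the `content:"/ov"; http_uri; nocase;` test and the `pcre:"/\d\//Ui";` test are evaluated independently against the normalized URI buffer (the pcre has no `R` modifier, so it is not relative to the content match), which is why any path containing "/ov" somewhere and a digit followed by "/" somewhere else fires the rule. The "tightened" variant below is an assumption for illustration only, not the fix ET applied or will apply; the sample URIs other than the Ubuntu one are constructed.

```python
"""
Added example: emulate the quoted W3LL STORE sig's URI checks over
constructed sample URIs to show why the Ubuntu ovmf download fires it.
Not code from Emerging Threats or from the thread participants.
"""
import re

# The two URI tests lifted from the quoted rule.
CONTENT = "/ov"                      # content:"/ov"; http_uri; nocase;
URI_PCRE = re.compile(r"\d/", re.I)  # pcre:"/\d\//Ui";  U = URI buffer, i = nocase


def original_rule_matches(uri: str) -> bool:
    """Emulate the quoted sig: both tests must hit, anywhere in the URI,
    and independently of each other (no relative match)."""
    return CONTENT.lower() in uri.lower() and URI_PCRE.search(uri) is not None


# Hypothetical tightening (an assumption for illustration, not ET's fix):
# require the digits and slash to follow "/ov" directly, e.g. "/ov123/".
TIGHT_PCRE = re.compile(r"/ov\d+/", re.I)


def tightened_rule_matches(uri: str) -> bool:
    """Emulate the hypothetical tightened form of the URI test."""
    return TIGHT_PCRE.search(uri) is not None


# Constructed sample URIs: the Ubuntu path quoted in the report plus three
# made-up ones to show each combination of the two tests.
SAMPLES = {
    "ubuntu_ovmf": "/ubuntu/pool/main/e/edk2/ovmf_2022.02-3ubuntu0.22.04.1_all.deb",
    "ubuntu_no_ov": "/ubuntu/pool/main/o/openssl/openssl_3.0.2-0ubuntu1.10_amd64.deb",
    "kit_like": "/ov7381/",       # constructed; the shape the tight form assumes
    "benign_ov": "/overview/",    # contains "/ov" but no digit followed by "/"
}


def evaluate(rules=None):
    """Return {sample_name: {rule_name: matched}} for every sample URI."""
    rules = rules or {
        "original": original_rule_matches,
        "tightened": tightened_rule_matches,
    }
    return {name: {r: fn(uri) for r, fn in rules.items()}
            for name, uri in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:14s} {result}")
```

Running it shows the Ubuntu path hitting the original sig because "/ovmf" satisfies the content test and "edk2/" satisfies the pcre, two unrelated parts of the path. The same emulation is a quick way to check a proposed rewrite against a sample of legitimate URIs before re-enabling a signature.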

Hey @felakuti, thanks for the tag. We’ve disabled the sig in today’s release and will review it to see if there’s anything we can do to fix it up.

Have a great weekend! :sunny: :sunglasses:
