Ruleset Update Summary - 2023/04/27 - v10309

Ruleset Updates
1

Summary:

22 new OPEN, 24 new PRO (22 + 2)

Thanks @elasticlabs, @Jane_0sint, @Bitdefender, @malPileDriver, @BushidoToken

Added rules:

Open:

  • 2045207 - ET INFO DYNAMIC_DNS Query to a *.surak .kz Domain (info.rules)
  • 2045208 - ET INFO DYNAMIC_DNS HTTP Request to a *.surak .kz Domain (info.rules)
  • 2045209 - ET MALWARE IcedID CnC Domain in DNS Lookup (zalikomanperis .com) (malware.rules)
  • 2045210 - ET MALWARE IcedID CnC Domain in DNS Lookup (alockajilly .com) (malware.rules)
  • 2045211 - ET MALWARE Suspected Win32/HMR RAT/LOBSHOT Initial Handshake (malware.rules)
  • 2045212 - ET MALWARE Possible Raspberry Robin Activity M2 (GET) (malware.rules)
  • 2045213 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M2 (malware.rules)
  • 2045214 - ET MALWARE Atomic macOS (AMOS) Stealer Domain in DNS Lookup (amos-malware .ru) (malware.rules)
  • 2045215 - ET MALWARE Atomic macOS (AMOS) Stealer Data Exfiltration Attempt (malware.rules)
  • 2045216 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (msn-service .co) (malware.rules)
  • 2045217 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (msn-center .uk) (malware.rules)
  • 2045218 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (maill-support .com) (malware.rules)
  • 2045219 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (mailupdate .info) (malware.rules)
  • 2045220 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (twittsupport .com) (malware.rules)
  • 2045221 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (mail-updateservice .info) (malware.rules)
  • 2045222 - ET MALWARE TA453 Modified IIS-Raid Backdoor Module Headers in HTTP Request (malware.rules)
  • 2045223 - ET MALWARE TA453 IIS Credential Stealer Module/Backdoor Headers in HTTP Request (malware.rules)
  • 2045224 - ET MALWARE TA453 BellaCiao ASPX Backdoor User-Agent in HTTP Request (malware.rules)
  • 2045225 - ET MALWARE IIS-Raid Module Backdoor Default Headers in HTTP Request (malware.rules)
  • 2045226 - ET MALWARE IIS-Raid Module Backdoor Ping in HTTP Request (malware.rules)
  • 2045227 - ET MALWARE Gamaredon APT Domain in DNS Lookup (nahalx .ru) (malware.rules)
  • 2045228 - ET MALWARE Gamaredon APT Domain in DNS Lookup (baraslx .ru) (malware.rules)

Pro:

  • 2854281 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound (malware.rules)
  • 2854285 - ETPRO MALWARE Win32/FingerPrint_Disable Loader Payload Inbound (malware.rules)

Disabled and modified rules:

  • 2027662 - ET MALWARE Observed Godlua Backdoor Domain (helegedada .github .io in TLS SNI) (malware.rules)
  • 2027663 - ET MALWARE Observed Godlua Backdoor Domain (dd .heheda .tk in TLS SNI) (malware.rules)
  • 2027666 - ET MALWARE Observed Godlua Backdoor Domain (dd .cloudappconfig .com in TLS SNI) (malware.rules)
  • 2027667 - ET MALWARE Observed Godlua Backdoor Domain (d .cloudappconfig .com in TLS SNI) (malware.rules)
  • 2027668 - ET MALWARE Observed Godlua Backdoor Domain (c .cloudappconfig .com in TLS SNI) (malware.rules)
  • 2044772 - ET MALWARE Observed DNS Query to Gamaredon Domain (cumbersome .ru) (malware.rules)
  • 2044773 - ET MALWARE Observed DNS Query to Gamaredon Domain (narutasx .ru) (malware.rules)
  • 2044774 - ET MALWARE Observed DNS Query to Gamaredon Domain (vohod .ru) (malware.rules)
  • 2044775 - ET MALWARE Observed DNS Query to Gamaredon Domain (highfalutin .ru) (malware.rules)
  • 2044776 - ET MALWARE Observed DNS Query to Gamaredon Domain (parsimonious .ru) (malware.rules)
  • 2044777 - ET MALWARE Observed DNS Query to Gamaredon Domain (caramelas .ru) (malware.rules)
  • 2044778 - ET MALWARE Observed DNS Query to Gamaredon Domain (quizzical .ru) (malware.rules)
  • 2044779 - ET MALWARE Observed DNS Query to Gamaredon Domain (heartbreaking .ru) (malware.rules)

Removed rules:

  • 2854281 - ETPRO ATTACK_RESPONSE Win32/Agent Tesla CnC Response Inbound (attack_response.rules)
  • 2854285 - ETPRO ATTACK_RESPONSE Win32/FingerPrint_Disable Loader Payload Inbound (attack_response.rules)