Summary:
22 new OPEN, 24 new PRO (22 + 2)
Thanks @elasticlabs, @Jane_0sint, @Bitdefender, @malPileDriver, @BushidoToken
Added rules:
Open:
- 2045207 - ET INFO DYNAMIC_DNS Query to a *.surak .kz Domain (info.rules)
- 2045208 - ET INFO DYNAMIC_DNS HTTP Request to a *.surak .kz Domain (info.rules)
- 2045209 - ET MALWARE IcedID CnC Domain in DNS Lookup (zalikomanperis .com) (malware.rules)
- 2045210 - ET MALWARE IcedID CnC Domain in DNS Lookup (alockajilly .com) (malware.rules)
- 2045211 - ET MALWARE Suspected Win32/HMR RAT/LOBSHOT Initial Handshake (malware.rules)
- 2045212 - ET MALWARE Possible Raspberry Robin Activity M2 (GET) (malware.rules)
- 2045213 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M2 (malware.rules)
- 2045214 - ET MALWARE Atomic macOS (AMOS) Stealer Domain in DNS Lookup (amos-malware .ru) (malware.rules)
- 2045215 - ET MALWARE Atomic macOS (AMOS) Stealer Data Exfiltration Attempt (malware.rules)
- 2045216 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (msn-service .co) (malware.rules)
- 2045217 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (msn-center .uk) (malware.rules)
- 2045218 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (maill-support .com) (malware.rules)
- 2045219 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (mailupdate .info) (malware.rules)
- 2045220 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (twittsupport .com) (malware.rules)
- 2045221 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (mail-updateservice .info) (malware.rules)
- 2045222 - ET MALWARE TA453 Modified IIS-Raid Backdoor Module Headers in HTTP Request (malware.rules)
- 2045223 - ET MALWARE TA453 IIS Credential Stealer Module/Backdoor Headers in HTTP Request (malware.rules)
- 2045224 - ET MALWARE TA453 BellaCiao ASPX Backdoor User-Agent in HTTP Request (malware.rules)
- 2045225 - ET MALWARE IIS-Raid Module Backdoor Default Headers in HTTP Request (malware.rules)
- 2045226 - ET MALWARE IIS-Raid Module Backdoor Ping in HTTP Request (malware.rules)
- 2045227 - ET MALWARE Gamaredon APT Domain in DNS Lookup (nahalx .ru) (malware.rules)
- 2045228 - ET MALWARE Gamaredon APT Domain in DNS Lookup (baraslx .ru) (malware.rules)
Pro:
- 2854281 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound (malware.rules)
- 2854285 - ETPRO MALWARE Win32/FingerPrint_Disable Loader Payload Inbound (malware.rules)
Disabled and modified rules:
- 2027662 - ET MALWARE Observed Godlua Backdoor Domain (helegedada .github .io in TLS SNI) (malware.rules)
- 2027663 - ET MALWARE Observed Godlua Backdoor Domain (dd .heheda .tk in TLS SNI) (malware.rules)
- 2027666 - ET MALWARE Observed Godlua Backdoor Domain (dd .cloudappconfig .com in TLS SNI) (malware.rules)
- 2027667 - ET MALWARE Observed Godlua Backdoor Domain (d .cloudappconfig .com in TLS SNI) (malware.rules)
- 2027668 - ET MALWARE Observed Godlua Backdoor Domain (c .cloudappconfig .com in TLS SNI) (malware.rules)
- 2044772 - ET MALWARE Observed DNS Query to Gamaredon Domain (cumbersome .ru) (malware.rules)
- 2044773 - ET MALWARE Observed DNS Query to Gamaredon Domain (narutasx .ru) (malware.rules)
- 2044774 - ET MALWARE Observed DNS Query to Gamaredon Domain (vohod .ru) (malware.rules)
- 2044775 - ET MALWARE Observed DNS Query to Gamaredon Domain (highfalutin .ru) (malware.rules)
- 2044776 - ET MALWARE Observed DNS Query to Gamaredon Domain (parsimonious .ru) (malware.rules)
- 2044777 - ET MALWARE Observed DNS Query to Gamaredon Domain (caramelas .ru) (malware.rules)
- 2044778 - ET MALWARE Observed DNS Query to Gamaredon Domain (quizzical .ru) (malware.rules)
- 2044779 - ET MALWARE Observed DNS Query to Gamaredon Domain (heartbreaking .ru) (malware.rules)
Removed rules:
- 2854281 - ETPRO ATTACK_RESPONSE Win32/Agent Tesla CnC Response Inbound (attack_response.rules)
- 2854285 - ETPRO ATTACK_RESPONSE Win32/FingerPrint_Disable Loader Payload Inbound (attack_response.rules)