Ruleset Update Summary - 2023/05/05 - v10317

Summary:

10 new OPEN, 13 new PRO (10 + 3)

Thanks @500mk500, @AuCyble, @travisbgreen


Added rules:

Open:

  • 2045603 - ET MALWARE IcedID CnC Domain in DNS Lookup (joysaketshops .com) (malware.rules)
  • 2045604 - ET MALWARE W32/Snojan.BNQKZQH Payload Inbound (malware.rules)
  • 2045605 - ET MALWARE DNS Query to KEKW Variant Domain (blackcap .ru) (malware.rules)
  • 2045606 - ET MALWARE DNS Query to KEKW Variant Domain (kekwltd .ru) (malware.rules)
  • 2045607 - ET PHISHING W3LL STORE Phish Kit Landing Page 2023-05-05 (phishing.rules)
  • 2045608 - ET PHISHING W3LL STORE Credential Phish Landing Page (Capt) 2023-05-05 (phishing.rules)
  • 2045609 - ET PHISHING W3LL STORE Credential Phish Landing Page (Index) 2023-05-05 (phishing.rules)
  • 2045610 - ET PHISHING W3LL STORE Credential Phish Landing Page (Success) 2023-05-05 (phishing.rules)
  • 2045611 - ET MALWARE Papercut MF/NG User/Group Sync Python Backdoor Trigger (malware.rules)
  • 2045612 - ET MALWARE Papercut MF/NG User/Group Sync FTP Backdoor trigger (malware.rules)

Pro:

  • 2854315 - ETPRO MALWARE Win32/Lotok Variant Activity (GET) (malware.rules)
  • 2854316 - ETPRO MALWARE JS/Unknown Downloader Payload Request (GET) M3 (malware.rules)
  • 2854317 - ETPRO MALWARE Win64/TrojanDownloader.AHK.CH Checkin (malware.rules)

Modified inactive rules:

  • 2010068 - ET POLICY Data POST to an image file (jpeg) (policy.rules)
  • 2010069 - ET POLICY Data POST to an image file (bmp) (policy.rules)
  • 2010070 - ET POLICY Data POST to an image file (png) (policy.rules)
  • 2045203 - ET PHISHING W3LL STORE Phish Kit Landing Page 2023-04-26 (phishing.rules)

Disabled and modified rules:

  • 2033140 - ET MALWARE Observed APT41 Malicious SSL Cert (ColunmTK Campaign) (malware.rules)
  • 2035560 - ET MALWARE Win32/Pterodo Activity (POST) (malware.rules)
  • 2841439 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
  • 2851319 - ETPRO MALWARE Win32/Orion Grabber/Stealer Related Domain in DNS Lookup (malware.rules)

Removed rules:

  • 2044749 - ET INFO Commonly Abused Content Delivery Network Domain in DNS Lookup (btloader .com) (info.rules)
  • 2044750 - ET INFO Observed Abused Content Delivery Network Domain (btloader .com in TLS SNI) (info.rules)