Ruleset Update Summary - 2023/05/22 - v10329

Summary:

33 new OPEN, 52 new PRO (33 + 19)

Thanks Kevin, Ross, @h2jazi, @500mk500, @MavericksInt, @dslab_ukraine


Added rules:

Open:

  • 2013042 - ET MOBILE_MALWARE Android.Plankton/Tonclank Successful Installation Device Information POST (mobile_malware.rules)
  • 2014341 - ET INFO Installshield One Click Install User-Agent Toys File (info.rules)
  • 2020105 - ET INFO HTTP Request for External IP Check (ip-addr .es) (info.rules)
  • 2030166 - ET INFO HTTP Request to Lockbit Ransomware Payment Domain (info.rules)
  • 2045792 - ET INFO DYNAMIC_DNS Query to a *.neurogine .com Domain (info.rules)
  • 2045793 - ET INFO DYNAMIC_DNS HTTP Request to a *.neurogine .com Domain (info.rules)
  • 2045794 - ET INFO Observed IP Tracker Domain in TLS SNI (info.rules)
  • 2045795 - ET MALWARE SparkRAT Related Domain in DNS Lookup (gwekekccef .webull .day) (malware.rules)
  • 2045796 - ET MALWARE TA427 Related Domain in DNS Lookup (com-people .click) (malware.rules)
  • 2045797 - ET MALWARE TA427 Related Domain in DNS Lookup (com-price .space) (malware.rules)
  • 2045798 - ET MALWARE TA427 Related Domain in DNS Lookup (com-www .click) (malware.rules)
  • 2045799 - ET MALWARE TA427 Related Domain in DNS Lookup (com-def .asia) (malware.rules)
  • 2045800 - ET MALWARE TA427 Related Domain in DNS Lookup (com-otp .click) (malware.rules)
  • 2045801 - ET MALWARE TA427 Related Domain in DNS Lookup (de-file .online) (malware.rules)
  • 2045802 - ET MALWARE TA427 Related Domain in DNS Lookup (kr-me .click) (malware.rules)
  • 2045803 - ET MALWARE TA427 Related Domain in DNS Lookup (com-port .space) (malware.rules)
  • 2045804 - ET MALWARE TA427 Related Domain in DNS Lookup (cf-health .click) (malware.rules)
  • 2045805 - ET MALWARE TA427 Related Domain in DNS Lookup (kr-angry .click) (malware.rules)
  • 2045806 - ET MALWARE Suspected Kimsuky Related Activity (GET) (malware.rules)
  • 2045807 - ET MALWARE Suspected Gamaredon Related Maldoc Activity M1 (malware.rules)
  • 2045808 - ET MALWARE Suspected Gamaredon Related Maldoc Activity M2 (malware.rules)
  • 2045809 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2045810 - ET MALWARE SocGholish Domain in DNS Lookup (vip .dueprocess .us) (malware.rules)
  • 2045811 - ET MALWARE SocGholish Domain in DNS Lookup (tube .saltminecomics .com) (malware.rules)
  • 2045812 - ET MALWARE SocGholish Domain in DNS Lookup (broadcast .ninemuses .io) (malware.rules)
  • 2045813 - ET MALWARE SocGholish Domain in DNS Lookup (commercial .tedgorka .com) (malware.rules)
  • 2045814 - ET MALWARE SocGholish Domain in DNS Lookup (forum .leewhitman-raymond .com) (malware.rules)
  • 2045815 - ET MALWARE SocGholish Domain in DNS Lookup (teaching .eduvisuo .com) (malware.rules)
  • 2045816 - ET MALWARE SocGholish Domain in DNS Lookup (round .macayafoundation .org) (malware.rules)
  • 2045817 - ET MALWARE SocGholish Domain in DNS Lookup (trademark .iglesiaelarca .com) (malware.rules)
  • 2045818 - ET MALWARE SocGholish Domain in DNS Lookup (friends .foflib .org) (malware.rules)
  • 2045819 - ET MALWARE SocGholish Domain in DNS Lookup (training .defcon1 .us) (malware.rules)
  • 2045820 - ET MALWARE SocGholish Domain in DNS Lookup (assist .cabinetelcea .com) (malware.rules)

Pro:

  • 2804466 - ETPRO INFO Direct Support for Applications Remote Control Session (info.rules)
  • 2806170 - ETPRO ADWARE_PUP file sharing service software112.com installer download (adware_pup.rules)
  • 2806844 - ETPRO INFO Online Proxy Service 1 (info.rules)
  • 2806845 - ETPRO INFO Online Proxy Service 2 (info.rules)
  • 2809019 - ETPRO INFO IP Tracker online service (info.rules)
  • 2854375 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2854376 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854377 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854378 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2854379 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2854380 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2854381 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2854382 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2854383 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2854384 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2854385 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2854386 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2854387 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2854388 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 (malware.rules)

Removed rules:

  • 2013042 - ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST (policy.rules)
  • 2014341 - ET POLICY Installshield One Click Install User-Agent Toys File (policy.rules)
  • 2020105 - ET POLICY Possible IP Check ip-addr.es (policy.rules)
  • 2030166 - ET POLICY HTTP Request to Lockbit Ransomware Payment Domain (policy.rules)
  • 2804466 - ETPRO POLICY Direct Support for Applications Remote control session (policy.rules)
  • 2806170 - ETPRO POLICY file sharing service software112.com installer download (policy.rules)
  • 2806844 - ETPRO POLICY Online Proxy Service 1 (policy.rules)
  • 2806845 - ETPRO POLICY Online Proxy Service 2 (policy.rules)
  • 2809019 - ETPRO POLICY IP Tracker online service (policy.rules)