Ruleset Update Summary - 2023/07/05 - v10365

rulesbot · July 5, 2023, 8:44pm

Summary:

16 new OPEN, 19 new PRO (16 + 3)

Thanks @Jane_0sint, @jpcert_en, @SentinelOne, @Cyber0verload

Added rules:

Open:

2046723 - ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/error (CVE-2023-27997) (exploit.rules)
2046724 - ET INFO DYNAMIC_DNS Query to nip .io Domain (info.rules)
2046725 - ET INFO DYNAMIC_DNS Query to local .gd Domain (info.rules)
2046726 - ET MALWARE [ANY.RUN] Hydrochasma Fast Reverse Proxy (malware.rules)
2046727 - ET MALWARE Gamaredon Domain in DNS Lookup (hanotip .ru) (malware.rules)
2046728 - ET MALWARE Gamaredon Domain in DNS Lookup (ideolot .ru) (malware.rules)
2046729 - ET MALWARE [ANY.RUN] Remcos RAT Checkin 861 (malware.rules)
2046730 - ET MALWARE GobRAT CnC Domain in DNS Lookup (ktlvz .dnsfailover .net) (malware.rules)
2046731 - ET MALWARE GobRAT CnC Domain in DNS Lookup (wpksi .mefound .com) (malware.rules)
2046732 - ET MALWARE GobRAT CnC Domain in DNS Lookup (su .vealcat .com) (malware.rules)
2046733 - ET MALWARE Observed GobRAT Domain (ktlvz .dnsfailover .net) in TLS SNI (malware.rules)
2046734 - ET MALWARE Observed GobRAT Domain (wpksi .mefound .com) in TLS SNI (malware.rules)
2046735 - ET MALWARE Observed GobRAT Domain (su .vealcat .com) in TLS SNI (malware.rules)
2046736 - ET MALWARE MacOS/RustBucket CnC Domain in DNS Lookup (cloud .dnx .capital) (malware.rules)
2046737 - ET MALWARE MacOS/RustBucket CnC Domain in DNS Lookup (crypto .hondchain .com) (malware.rules)
2046738 - ET MALWARE Win32/Ramgex.D Checkin (malware.rules)

Pro:

2814243 - ETPRO ADWARE_PUP 7+ Taskbar Tweaker Checkin (adware_pup.rules)
2820207 - ETPRO ADWARE_PUP Android ADAD Client Checkin (adware_pup.rules)
2854745 - ETPRO MALWARE Remcos RAT Checkin 862 (malware.rules)

Disabled and modified rules:

2015473 - ET WEB_SPECIFIC_APPS WordPress CataBlog plugin category parameter Cross-Site Scripting Attempt (web_specific_apps.rules)
2020774 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 73 (malware.rules)
2020776 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 75 (malware.rules)
2020791 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 90 (malware.rules)
2020792 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 91 (malware.rules)
2022533 - ET POLICY HotSpotShield Activity (policy.rules)
2022749 - ET MALWARE Win32/Agent.XST/UP007 Checkin 2 (malware.rules)
2022827 - ET ADWARE_PUP PUP/DriverRestore Sending System Information to Affiliate (adware_pup.rules)
2032426 - ET PHISHING Successful USAA Phish M1 2016-02-06 (phishing.rules)
2032427 - ET PHISHING Successful USAA Phish M2 2016-02-06 (phishing.rules)
2034171 - ET MALWARE Android/AhMyth RAT Command Inbound (Camera Manager) (malware.rules)
2034757 - ET EXPLOIT Apache log4j RCE Attempt (http ldap) (Outbound) (CVE-2021-44228) (exploit.rules)
2035291 - ET MALWARE Malicious Downloader Activity (GET) (malware.rules)
2035805 - ET MALWARE Observed DNS Query to TA455 Domain (supportskype .com) (malware.rules)
2035819 - ET MALWARE Observed DNS Query to TA455 Domain (khaleejtimes .co) (malware.rules)
2035820 - ET MALWARE Observed DNS Query to TA455 Domain (microsoftdefender .info) (malware.rules)
2035821 - ET MALWARE Observed DNS Query to TA455 Domain (outlookde .live) (malware.rules)
2035822 - ET MALWARE Observed DNS Query to TA455 Domain (lukoil .in) (malware.rules)
2035826 - ET MALWARE Observed DNS Query to TA455 Domain (saipem .org) (malware.rules)
2035829 - ET MALWARE Observed DNS Query to TA455 Domain (listen-books .com) (malware.rules)
2035834 - ET MALWARE Observed DNS Query to TA455 Domain (globaltalent .in) (malware.rules)
2035844 - ET MALWARE Observed DNS Query to TA455 Domain (elecresearch .org) (malware.rules)
2035847 - ET MALWARE Observed DNS Query to TA455 Domain (mideasthiring .com) (malware.rules)
2035849 - ET MALWARE Observed DNS Query to TA455 Domain (apply-jobs .com) (malware.rules)
2035878 - ET MALWARE Observed DNS Query to Winnti Domain (malware.rules)
2043783 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (sagutxustech .com) (info.rules)
2043797 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (firewall .darknet .bg) (info.rules)
2043811 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .alloxr .info) (info.rules)
2043834 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (pcornet .freeboxos .fr) (info.rules)
2043837 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns1 .luan .contact) (info.rules)
2043839 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .techcpu .net) (info.rules)
2043867 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns1 .adrianion .eu) (info.rules)
2043869 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (adguard .beliefanx .cn) (info.rules)
2043884 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (vpn-tw .teng .sh) (info.rules)
2043892 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (adguard .mulu .at) (info.rules)
2043899 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (pihole .datamatter .co .za) (info.rules)
2043904 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dart .kpsn .org) (info.rules)
2043940 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (myhottiemama .de) (info.rules)
2043942 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (addns .jpr .space) (info.rules)
2043957 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (admin .dotls .org) (info.rules)
2043966 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (adguard1 .kapuyhome .hu) (info.rules)
2043985 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (bcandrade .ml) (info.rules)
2044826 - ET MALWARE Observed DNS Query to Gamaredon Domain (same .gleaming8 .battleras .ru) (malware.rules)
2044836 - ET MALWARE Observed DNS Query to Gamaredon Domain (saadipo .ru) (malware.rules)
2044837 - ET MALWARE Observed DNS Query to Gamaredon Domain (sabirpo .ru) (malware.rules)
2044838 - ET MALWARE Observed DNS Query to Gamaredon Domain (rufatpo .ru) (malware.rules)
2044839 - ET MALWARE Observed DNS Query to Gamaredon Domain (raidla .ru) (malware.rules)
2804136 - ETPRO NETBIOS peerdist.dll Insecure Library Loading - SMB-DS ASCII (netbios.rules)
2804138 - ETPRO NETBIOS peerdist.dll Insecure Library Loading - SMB ASCII (netbios.rules)
2810759 - ETPRO MALWARE ReactorBot HTTP POST CnC Beacon 2 (malware.rules)
2812862 - ETPRO MOBILE_MALWARE Android Unknown Trojan Checkin (mobile_malware.rules)
2815447 - ETPRO MALWARE DeputyDog CnC Beacon (malware.rules)
2820379 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Guerrilla.g Checkin (mobile_malware.rules)
2820602 - ETPRO EXPLOIT Internet Explorer Memory Corruption Vulnerability (CVE-2016-3211) (exploit.rules)
2825362 - ETPRO MALWARE Bancos Variant CnC Beacon (malware.rules)
2825762 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 19 (mobile_malware.rules)
2825820 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 33 (mobile_malware.rules)
2825946 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 46 (mobile_malware.rules)
2827906 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 201 (mobile_malware.rules)
2829758 - ETPRO MALWARE Shifr/Shurl0cker Ransomware Onion Domain in SNI (u4hp32ms2u6s4x7q) (malware.rules)
2829777 - ETPRO MALWARE AridViper Domain Observed (katesacker .club in TLS SNI) (malware.rules)
2831252 - ETPRO EXPLOIT Flash Player Integer Overflow Inbound (CVE-2018-5000) (exploit.rules)
2831412 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 371 (mobile_malware.rules)
2832289 - ETPRO MALWARE Win32/Remcos RAT Checkin 39 (malware.rules)
2832431 - ETPRO MALWARE Win32/Remcos RAT Checkin 46 (malware.rules)
2832745 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 431 (mobile_malware.rules)
2832746 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 432 (mobile_malware.rules)
2832974 - ETPRO MALWARE MSIL/MarioFTPStealer Requesting CoinMiner Config Command (malware.rules)
2833853 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 453 (mobile_malware.rules)
2836424 - ETPRO PHISHING Successful Telekom / Tmobile Phish 2019-05-21 (phishing.rules)
2836985 - ETPRO PHISHING Successful Microsoft Account Phish 2019-06-24 (phishing.rules)
2837030 - ETPRO PHISHING Successful Microsoft Account Phish 2019-06-25 (phishing.rules)
2841583 - ETPRO PHISHING Successful Telekom/Tmobile Phish 2020-03-18 (phishing.rules)
2845816 - ETPRO MOBILE_MALWARE Android/Plankton.I Checkin (mobile_malware.rules)
2846841 - ETPRO MALWARE Magecart/Skimmer Data Exfil (malware.rules)
2847151 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) (malware.rules)
2848200 - ETPRO MALWARE RedLine - GetUpdates Request (malware.rules)
2848460 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) (malware.rules)
2849840 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) (malware.rules)
2850150 - ETPRO PHISHING Successful Generic Credential Phish POST M2 (phishing.rules)
2851526 - ETPRO MOBILE_MALWARE Observed Android/Spy.Agent.BWC Domain in TLS SNI (mobile_malware.rules)
2853885 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2853886 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853887 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853888 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2853889 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2853890 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2853891 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2853892 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853893 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853894 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2853895 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2853896 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2853897 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2853952 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2853953 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2853954 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2854119 - ETPRO MALWARE Observed DNS Query to CrDatLoader Domain (malware.rules)
2854120 - ETPRO MALWARE Observed DNS Query to CrDatLoader Domain (malware.rules)
2854121 - ETPRO MALWARE Observed DNS Query to CrDatLoader Domain (malware.rules)

Removed rules:

2042755 - ET INFO DYNAMIC_DNS HTTP Request to a *.hopto .org Domain (info.rules)
2814243 - ETPRO POLICY 7+ Taskbar Tweaker Checkin (policy.rules)
2820207 - ETPRO POLICY Android ADAD Client Checkin (policy.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/05/03 - v10315 Ruleset Updates	377	May 3, 2023
Ruleset Update Summary - 2023/06/05 - v10340 Ruleset Updates	377	June 5, 2023
Ruleset Update Summary - 2023/04/06 - v10286 Ruleset Updates	301	April 6, 2023
Ruleset Update Summary - 2023/08/09 - v10390 Ruleset Updates	319	August 9, 2023
Ruleset Update Summary - 2023/04/27 - v10309 Ruleset Updates	292	April 27, 2023

Ruleset Update Summary - 2023/07/05 - v10365

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Removed rules:

Related topics