Ruleset Update Summary - 2023/07/31 - v10384

Summary:

50 new OPEN, 54 new PRO (50 + 4)

Thanks @DrWeb_antivirus, @ViriBack, @SentinelOne

All ETOPEN and ETPRO customers: please be aware that Friday, August 4th, 2023 is a Proofpoint company holiday. As such, there will be no rule release that day. Thank you for your continued patronage and support.


Added rules:

Open:

  • 2046958 - ET MALWARE Pupy DNS Request with SPI M1 (malware.rules)
  • 2046959 - ET MALWARE Pupy DNS Request with SPI M2 (malware.rules)
  • 2046960 - ET MALWARE Pupy DNS Request with SPI M3 (malware.rules)
  • 2046961 - ET MALWARE Pupy DNS Request with SPI M4 (malware.rules)
  • 2046962 - ET MALWARE Pupy DNS Request without SPI M1 (malware.rules)
  • 2046963 - ET MALWARE Pupy DNS Request without SPI M2 (malware.rules)
  • 2046964 - ET MALWARE Pupy DNS Request without SPI M3 (malware.rules)
  • 2046965 - ET MALWARE Pupy DNS Request without SPI M4 (malware.rules)
  • 2046966 - ET MALWARE WikiLoader Activity M1 (GET) (malware.rules)
  • 2046967 - ET MALWARE WikilLoader Activity M1 (Response) (malware.rules)
  • 2046968 - ET MALWARE WikilLoader Activity M2 (Response) (malware.rules)
  • 2046969 - ET MALWARE WikilLoader Activity M3 (Response) (malware.rules)
  • 2046970 - ET MALWARE WikiLoader Activity M2 (GET) (malware.rules)
  • 2046971 - ET HUNTING Possible WikiLoader Activity (GET) (hunting.rules)
  • 2046972 - ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (polaris-bios-editor .ru) (malware.rules)
  • 2046973 - ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (atiflash .ru) (malware.rules)
  • 2046974 - ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (overdriventool .ru) (malware.rules)
  • 2046975 - ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (balena-etcher .com) (malware.rules)
  • 2046976 - ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (evga-precision .com) (malware.rules)
  • 2046977 - ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (nvidiainspector .ru) (malware.rules)
  • 2046978 - ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (ryzen-master .com) (malware.rules)
  • 2046979 - ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (btc-tools .ru) (malware.rules)
  • 2046980 - ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (more-power-tool .com) (malware.rules)
  • 2046981 - ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (sapphiretrixx .com) (malware.rules)
  • 2046982 - ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (clockgen64 .com) (malware.rules)
  • 2046983 - ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (nvflash .ru) (malware.rules)
  • 2046984 - ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (srbpolaris .ru) (malware.rules)
  • 2046985 - ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (techpowerup-gpu-z .com) (malware.rules)
  • 2046986 - ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (riva-tuner .com) (malware.rules)
  • 2046987 - ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (atikmdagpatcher .com) (malware.rules)
  • 2046988 - ET MALWARE Win32/Trojan.Fruity Domain (polaris-bios-editor .ru) in TLS SNI (malware.rules)
  • 2046989 - ET MALWARE Win32/Trojan.Fruity Domain (atiflash .ru) in TLS SNI (malware.rules)
  • 2046990 - ET MALWARE Win32/Trojan.Fruity Domain (overdriventool .ru) in TLS SNI (malware.rules)
  • 2046991 - ET MALWARE Win32/Trojan.Fruity Domain (balena-etcher .com) in TLS SNI (malware.rules)
  • 2046992 - ET MALWARE Win32/Trojan.Fruity Domain (evga-precision .com) in TLS SNI (malware.rules)
  • 2046993 - ET MALWARE Win32/Trojan.Fruity Domain (nvidiainspector .ru) in TLS SNI (malware.rules)
  • 2046994 - ET MALWARE Win32/Trojan.Fruity Domain (ryzen-master .com) in TLS SNI (malware.rules)
  • 2046995 - ET MALWARE Win32/Trojan.Fruity Domain (btc-tools .ru) in TLS SNI (malware.rules)
  • 2046996 - ET MALWARE Win32/Trojan.Fruity Domain (more-power-tool .com) in TLS SNI (malware.rules)
  • 2046997 - ET MALWARE Win32/Trojan.Fruity Domain (sapphiretrixx .com) in TLS SNI (malware.rules)
  • 2046998 - ET MALWARE Win32/Trojan.Fruity Domain (clockgen64 .com) in TLS SNI (malware.rules)
  • 2046999 - ET MALWARE Win32/Trojan.Fruity Domain (nvflash .ru) in TLS SNI (malware.rules)
  • 2047000 - ET MALWARE Win32/Trojan.Fruity Domain (srbpolaris .ru) in TLS SNI (malware.rules)
  • 2047001 - ET MALWARE Win32/Trojan.Fruity Domain (techpowerup-gpu-z .com) in TLS SNI (malware.rules)
  • 2047002 - ET MALWARE Win32/Trojan.Fruity Domain (riva-tuner .com) in TLS SNI (malware.rules)
  • 2047003 - ET MALWARE Win32/Trojan.Fruity Domain (atikmdagpatcher .com) in TLS SNI (malware.rules)
  • 2047004 - ET MALWARE Win32/XKeyBot CnC Checkin (malware.rules)
  • 2047005 - ET MALWARE MacOS/Realst CnC Checkin (malware.rules)
  • 2047006 - ET EXPLOIT_KIT TA569 Keitaro TDS in DNS Lookup (surelytheme .org) (exploit_kit.rules)
  • 2047007 - ET EXPLOIT_KIT TA569 Keitaro TDS in TLS SNI (surelytheme .org) (exploit_kit.rules)

Pro:

  • 2854970 - ETPRO MALWARE TA402 CnC Domain in DNS Lookup (malware.rules)
  • 2854971 - ETPRO MALWARE Observed TA402 Domain in TLS SNI (malware.rules)
  • 2854972 - ETPRO MALWARE Win32/TA402 CnC Activity (POST) (malware.rules)
  • 2854973 - ETPRO MALWARE Win32/TA402 CnC Activity (GET) (malware.rules)

Disabled and modified rules:

  • 2036425 - ET MOBILE_MALWARE Android/FakeWallet.D Activity (GET) (mobile_malware.rules)
  • 2039094 - ET MALWARE Malicious Browser Installer Domain in DNS Lookup (torbrowser .io) (malware.rules)
  • 2039095 - ET MALWARE Malicious Browser Installer Domain in DNS Lookup (tor-browser .io) (malware.rules)
  • 2045157 - ET MALWARE TA444 Related Domain in DNS Lookup (malware.rules)
  • 2045236 - ET MALWARE Donot Group APT Related Domain in DNS Lookup (epiczplus .buzz) (malware.rules)
  • 2045268 - ET MALWARE Ducktail Stealer Related Domain in DNS Lookup (techvibeo .com) (malware.rules)
  • 2046634 - ET MALWARE Suspected Blackmoon Related Domain in DNS Lookup (malware.rules)
  • 2844467 - ETPRO ADWARE_PUP GKB Loader Config Download (adware_pup.rules)