Ruleset Update Summary - 2023/08/21 - v10399

Summary:

4 new OPEN, 22 new PRO (4 + 18)

Thanks @suyog41
Added rules:

Open:

  • 2047678 - ET MALWARE Malicious Powershell Activity (GET) (malware.rules)
  • 2047679 - ET MALWARE Python Stealer/Clipper Related Domain in DNS Lookup (kekwltd .ru) (malware.rules)
  • 2047680 - ET MALWARE Observed Python Stealer/Clipper Related Domain (kekwltd .ru in TLS SNI) (malware.rules)
  • 2047681 - ET MALWARE Spark RAT CnC Checkin (POST) (malware.rules)

Pro:

  • 2855132 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2855133 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855134 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855135 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855136 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2855137 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2855138 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2855139 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2855140 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2855141 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2855142 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2855143 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2855144 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2855145 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2855146 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2855147 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2855148 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2855151 - ETPRO MALWARE Spark RAT User-Agent Observed (malware.rules)

Disabled and modified rules:

  • 2035771 - ET MALWARE Spytector Domain DNS Lookup (mail .spytector .com) (malware.rules)
  • 2035778 - ET MALWARE Pegasus Domain in DNS Lookup (al-taleanewsonline .net) (malware.rules)
  • 2035781 - ET MALWARE Pegasus Domain in DNS Lookup (alrainew .com) (malware.rules)
  • 2035944 - ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain (malware.rules)
  • 2035945 - ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain (malware.rules)
  • 2036321 - ET MALWARE 000Stealer Data Exfiltration M2 (malware.rules)
  • 2036322 - ET MALWARE Observed DNS Query to Certishell Domain (forummanazera .sk) (malware.rules)
  • 2036323 - ET MALWARE Observed DNS Query to Certishell Domain (reality .skarabeus .sk) (malware.rules)
  • 2036324 - ET MALWARE Observed DNS Query to Certishell Domain (msrousinov .cz) (malware.rules)
  • 2036364 - ET MALWARE Innostealer Domain in DNS Lookup (windows-11info .com) (malware.rules)
  • 2036366 - ET MALWARE Innostealer Domain (windows11-upgrade .com) in TLS SNI (malware.rules)
  • 2036367 - ET MALWARE Innostealer Domain (windows-11info .com) in TLS SNI (malware.rules)
  • 2036368 - ET MALWARE Innostealer Domain (windows11-infoserver .com) in TLS SNI (malware.rules)
  • 2036396 - ET MALWARE TraderTraitor CnC Domain (tokenais .com) in DNS Lookup (malware.rules)
  • 2036397 - ET MALWARE TraderTraitor CnC Domain (aideck .net) in DNS Lookup (malware.rules)
  • 2036398 - ET MALWARE TraderTraitor CnC Domain (www .esilet .com) in DNS Lookup (malware.rules)
  • 2036403 - ET MALWARE Observed TraderTraitor Domain (tokenais .com) in TLS SNI (malware.rules)
  • 2036404 - ET MALWARE Observed TraderTraitor Domain (aideck .net) in TLS SNI (malware.rules)
  • 2036405 - ET MALWARE Observed TraderTraitor Domain (www .esilet .com) in TLS SNI (malware.rules)
  • 2036480 - ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (shopingchina .net) (malware.rules)
  • 2036483 - ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (rootkit .tools) (malware.rules)
  • 2036495 - ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (linux .wy01 .com) (malware.rules)
  • 2036542 - ET MALWARE Eternity Stealer Data Exfiltration Activity (malware.rules)
  • 2036610 - ET MALWARE BlueShtorm Infostealer Data Exfiltration (malware.rules)
  • 2036958 - ET MALWARE Win32/Gomorrah Stealer Data Exfiltration (malware.rules)
  • 2037091 - ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Steam_htmlcache.txt) (hunting.rules)
  • 2038585 - ET MALWARE DonotGroup APT Related Domain in DNS Lookup (worldpro .buzz) (malware.rules)
  • 2038586 - ET MALWARE DonotGroup APT Related Domain in DNS Lookup (doctorstrange .buzz) (malware.rules)
  • 2038664 - ET MALWARE Win32/Caypnamer.A RAT CnC Initial Checkin (malware.rules)
  • 2038703 - ET ADWARE_PUP MuLauncher Telemetry Gathering Attempt (adware_pup.rules)
  • 2038947 - ET MALWARE Win32/Cryptbot V2 Data Exfiltration Attempt (malware.rules)
  • 2039061 - ET MALWARE Chaos Botnet CnC Domain (xiaomai233 .f3322 .net) in DNS Lookup (malware.rules)
  • 2039062 - ET MALWARE Chaos Botnet CnC Domain (bb .hash3688 .com) in DNS Lookup (malware.rules)
  • 2039099 - ET MALWARE AllcomeClipper CnC Domain (dba692117be7b6d3480fe5220fdd58b38bf .xyz) in DNS Lookup (malware.rules)
  • 2039177 - ET MALWARE Mekotio Banking Trojan CnC Domain (zautoservice .eu) in DNS Lookup (malware.rules)
  • 2039415 - ET MALWARE MSSQL maggie backdoor Query Observed (other functions) (malware.rules)
  • 2039532 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (advanced-ip-scaner .com) (malware.rules)
  • 2039723 - ET MALWARE Win32\Cryptbot CnC Domain (towcqx32 .top) in DNS Lookup (malware.rules)
  • 2039725 - ET MALWARE Win32\Cryptbot CnC Domain (suqzyt03 .top) in DNS Lookup (malware.rules)
  • 2039733 - ET MALWARE Win32\Cryptbot CnC Domain (kyrjwt45 .top) in DNS Lookup (malware.rules)
  • 2039735 - ET MALWARE Win32\Cryptbot CnC Domain (suqycd05 .top) in DNS Lookup (malware.rules)
  • 2039736 - ET MALWARE Win32\Cryptbot CnC Domain (suqoyw07 .top) in DNS Lookup (malware.rules)
  • 2039775 - ET MALWARE Laplas Clipper - Regex CnC Request (malware.rules)
  • 2039776 - ET MALWARE Laplas Clipper - SetOnline CnC Checkin (malware.rules)
  • 2039777 - ET MALWARE Laplas Clipper - GetAddress CnC Checkin (malware.rules)
  • 2039796 - ET INFO External File Sharing Service in DNS Lookup (sharefile .com) (info.rules)
  • 2039829 - ET MOBILE_MALWARE Android/ShartBot CNC Domain (cdopea .store) in DNS Lookup (mobile_malware.rules)
  • 2041668 - ET MALWARE Bitter APT CnC Domain (mobisharestock .com) in DNS Lookup (malware.rules)
  • 2041669 - ET MALWARE Bitter APT CnC Domain (updnangelgroup .com) in DNS Lookup (malware.rules)
  • 2041929 - ET MALWARE Confucious APT CnC Domain (microsoftonedriver .com) in DNS Lookup (malware.rules)
  • 2042521 - ET MALWARE Observed BatLoader Domain (cloudsteamview .com) in TLS SNI (malware.rules)
  • 2042522 - ET MALWARE Observed BatLoader Domain (installationupgrade6 .com) in TLS SNI (malware.rules)
  • 2044052 - ET MALWARE Ice Breaker Backdoor CnC Domain (xn--screnshot-jib .net) in DNS Lookup (malware.rules)
  • 2044173 - ET MALWARE Cobalt Strike CnC Domain (cdcgov .us) in DNS Lookup (malware.rules)
  • 2044175 - ET MALWARE Havoc RAT CnC Domain (zh .googlecdnb .tk) in DNS Lookup (malware.rules)
  • 2044313 - ET MALWARE Cobalt Strike CnC Domain (csc .zte .com .cn .wswebpic .com) in DNS Lookup (malware.rules)
  • 2044343 - ET MALWARE EvilExtractor Stealer CnC Domain (evilextractor .com) in DNS Lookup (malware.rules)
  • 2044362 - ET MALWARE Win32/S1deload Stealer CnC Domain (shopproxy .live) in DNS Lookup (malware.rules)
  • 2044400 - ET MALWARE IcedID CnC Domain (neonmilkustaers .com) in DNS Lookup (malware.rules)
  • 2044451 - ET MALWARE Lockbit Ransomware Related Domain (poliovocalist .com) in DNS Lookup (malware.rules)
  • 2044511 - ET MALWARE SYS01 Information Stealer CnC Domain (makananwisata .com) in DNS Lookup (malware.rules)
  • 2044513 - ET MALWARE SYS01 Information Stealer CnC Domain (rapadtrai .com) in DNS Lookup (malware.rules)
  • 2044514 - ET MALWARE SYS01 Information Stealer CnC Domain (baglamanotalari .com) in DNS Lookup (malware.rules)
  • 2044583 - ET MALWARE Win32/Root Finder Stealer Sending System Information via Telegram (GET) (malware.rules)
  • 2044584 - ET MALWARE Win32/AMGO Keylogger - Keylogger Started Message via Telegram (POST) (malware.rules)
  • 2044656 - ET MALWARE Wintern Vivern CnC Domain (bugiplaysec .com) in DNS Lookup (malware.rules)
  • 2044657 - ET MALWARE Wintern Vivern CnC Domain (marakanas .com) in DNS Lookup (malware.rules)
  • 2044658 - ET MALWARE Wintern Vivern CnC Domain (ocs-romastassec .com) in DNS Lookup (malware.rules)
  • 2044659 - ET MALWARE Wintern Vivern CnC Domain (troadsecow .com) in DNS Lookup (malware.rules)
  • 2044661 - ET MALWARE Wintern Vivern CnC Domain (security-ocsp .com) in DNS Lookup (malware.rules)
  • 2044698 - ET MALWARE Observed DNS Query to Gamaredon Domain (makasd .ru) (malware.rules)
  • 2044699 - ET MALWARE Observed DNS Query to Gamaredon Domain (gojoxa .ru) (malware.rules)
  • 2044744 - ET MALWARE SOMNIRECORD Backdoor PROBE Command in DNS Query (malware.rules)
  • 2044746 - ET MALWARE SOMNIRECORD Backdoor DATA Command in DNS Query (malware.rules)
  • 2044842 - ET MALWARE DBatLoader CnC Domain (silverline .com .sg) in DNS Lookup (malware.rules)
  • 2045109 - ET MALWARE Observed DNS Query to TA444 Domain (nbright .best) (malware.rules)
  • 2045110 - ET MALWARE FROZENBARENTS (SANDWORM) APT Related Domain in DNS Lookup (cpcpipe .org) (malware.rules)
  • 2045111 - ET MALWARE FROZENBARENTS (SANDWORM) APT Related Domain in DNS Lookup (ukroboronprom .com .ukr .pm) (malware.rules)
  • 2045112 - ET MALWARE FROZENBARENTS (SANDWORM) APT Related Domain in DNS Lookup (cpcpipe .com) (malware.rules)
  • 2045188 - ET MALWARE Gamaredon APT Domain in DNS Lookup (ruizchris .ru) (malware.rules)
  • 2045189 - ET MALWARE Gamaredon APT Domain in DNS Lookup (valasati .ru) (malware.rules)
  • 2045190 - ET MALWARE Gamaredon APT Domain in DNS Lookup (ayarimar .ru) (malware.rules)
  • 2045191 - ET MALWARE Gamaredon APT Domain in DNS Lookup (nutriag .ru) (malware.rules)
  • 2045192 - ET MALWARE Gamaredon APT Domain in DNS Lookup (vilaverde .ru) (malware.rules)
  • 2045193 - ET MALWARE Gamaredon APT Domain in DNS Lookup (fortunyzo .ru) (malware.rules)
  • 2045194 - ET MALWARE Gamaredon APT Domain in DNS Lookup (dussaut .ru) (malware.rules)
  • 2045195 - ET MALWARE Gamaredon APT Domain in DNS Lookup (samiseto .ru) (malware.rules)
  • 2045196 - ET MALWARE Gamaredon APT Domain in DNS Lookup (boraito .ru) (malware.rules)
  • 2045197 - ET MALWARE Gamaredon APT Domain in DNS Lookup (enokida .ru) (malware.rules)
  • 2045198 - ET MALWARE Gamaredon APT Domain in DNS Lookup (kaigitang .ru) (malware.rules)
  • 2045227 - ET MALWARE Gamaredon APT Domain in DNS Lookup (nahalx .ru) (malware.rules)
  • 2045228 - ET MALWARE Gamaredon APT Domain in DNS Lookup (baraslx .ru) (malware.rules)
  • 2045248 - ET MALWARE Gamaredon APT Domain in DNS Lookup (decorous .ru) (malware.rules)
  • 2045249 - ET MALWARE Gamaredon APT Domain in DNS Lookup (judicious .ru) (malware.rules)
  • 2045250 - ET MALWARE Gamaredon APT Domain in DNS Lookup (succinct .ru) (malware.rules)
  • 2045251 - ET MALWARE Alloy Taurus APT Related Domain in DNS Lookup (yrhsywu2009 .zapto .org) (malware.rules)
  • 2045252 - ET MALWARE Alloy Taurus APT Related Domain in DNS Lookup (vpn729380678 .softether .net) (malware.rules)
  • 2045253 - ET MALWARE Alloy Taurus APT Related Domain in DNS Lookup (saspecialforces .co .za) (malware.rules)
  • 2045739 - ET MALWARE Fake Quickbooks Domain in DNS Lookup (quickbooks12 .hopto .org) (malware.rules)
  • 2045740 - ET MALWARE Fake Quickbooks Domain in DNS Lookup (findproadvisors .com) (malware.rules)
  • 2045741 - ET MALWARE Fake Quickbooks Domain in DNS Lookup (quickbooks149 .hopto .org) (malware.rules)
  • 2045834 - ET MALWARE Observed DNS Query to Gamaredon Domain (mbiziso .ru) (malware.rules)
  • 2045835 - ET MALWARE Observed DNS Query to Gamaredon Domain (kontarso .ru) (malware.rules)
  • 2045836 - ET MALWARE Observed DNS Query to Gamaredon Domain (koseyso .ru) (malware.rules)
  • 2045837 - ET MALWARE Observed DNS Query to Gamaredon Domain (menesso .ru) (malware.rules)
  • 2045838 - ET MALWARE Observed DNS Query to Gamaredon Domain (kuaashiso .ru) (malware.rules)
  • 2045839 - ET MALWARE Observed DNS Query to Gamaredon Domain (lizimbaso .ru) (malware.rules)
  • 2045840 - ET MALWARE Observed DNS Query to Gamaredon Domain (maatso .ru) (malware.rules)
  • 2045842 - ET MALWARE CloudWizard APT Related Domain in DNS Lookup (curveroad .com) (malware.rules)
  • 2046080 - ET MALWARE Gamaredon Domain in DNS Lookup (havxcq .ru) (malware.rules)
  • 2046081 - ET MALWARE Gamaredon Domain in DNS Lookup (ozaharso .ru) (malware.rules)
  • 2046082 - ET MALWARE Gamaredon Domain in DNS Lookup (okparaso .ru) (malware.rules)
  • 2046083 - ET MALWARE Gamaredon Domain in DNS Lookup (omariso .ru) (malware.rules)
  • 2046084 - ET MALWARE Gamaredon Domain in DNS Lookup (ozirisso .ru) (malware.rules)
  • 2046085 - ET MALWARE Gamaredon Domain in DNS Lookup (remmaoso .ru) (malware.rules)
  • 2046086 - ET MALWARE Gamaredon Domain in DNS Lookup (oddzhiso .ru) (malware.rules)
  • 2046087 - ET MALWARE Gamaredon Domain in DNS Lookup (itoram .ru) (malware.rules)
  • 2046088 - ET MALWARE Gamaredon Domain in DNS Lookup (rvawc .ru) (malware.rules)
  • 2046089 - ET MALWARE Gamaredon Domain in DNS Lookup (gajasx .ru) (malware.rules)
  • 2046090 - ET MALWARE Gamaredon Domain in DNS Lookup (xopekar .ru) (malware.rules)
  • 2046091 - ET MALWARE Gamaredon Domain in DNS Lookup (nalfas .ru) (malware.rules)
  • 2046092 - ET MALWARE Gamaredon Domain in DNS Lookup (blootundicht .ru) (malware.rules)
  • 2046093 - ET MALWARE Gamaredon Domain in DNS Lookup (tulocal .ru) (malware.rules)
  • 2046094 - ET MALWARE Gamaredon Domain in DNS Lookup (boptizol .ru) (malware.rules)
  • 2046095 - ET MALWARE Gamaredon Domain in DNS Lookup (yorisant .ru) (malware.rules)
  • 2046096 - ET MALWARE Gamaredon Domain in DNS Lookup (viratuk .ru) (malware.rules)
  • 2046097 - ET MALWARE Gamaredon Domain in DNS Lookup (reposant .ru) (malware.rules)
  • 2046213 - ET MALWARE Gamaredon Domain in DNS Lookup (gawsxc .ru) (malware.rules)
  • 2046214 - ET MALWARE Gamaredon Domain in DNS Lookup (perccottuspi .ru) (malware.rules)
  • 2046215 - ET MALWARE Gamaredon Domain in DNS Lookup (razuiso .ru) (malware.rules)
  • 2046216 - ET MALWARE Gamaredon Domain in DNS Lookup (dzhabrailho .ru) (malware.rules)
  • 2046217 - ET MALWARE Gamaredon Domain in DNS Lookup (tispai .ru) (malware.rules)
  • 2046218 - ET MALWARE Gamaredon Domain in DNS Lookup (reyyfadsf .ru) (malware.rules)
  • 2046219 - ET MALWARE Gamaredon Domain in DNS Lookup (dumerilipi .ru) (malware.rules)
  • 2046220 - ET MALWARE Gamaredon Domain in DNS Lookup (bladefishpi .ru) (malware.rules)
  • 2046221 - ET MALWARE Gamaredon Domain in DNS Lookup (spatulapi .ru) (malware.rules)
  • 2046222 - ET MALWARE Gamaredon Domain in DNS Lookup (gawcq .ru) (malware.rules)
  • 2046223 - ET MALWARE Gamaredon Domain in DNS Lookup (agonepi .ru) (malware.rules)
  • 2046224 - ET MALWARE Gamaredon Domain in DNS Lookup (albacorepi .ru) (malware.rules)
  • 2853775 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)
  • 2853776 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)
  • 2853777 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)
  • 2853781 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)
  • 2853798 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)
  • 2853799 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)
  • 2853800 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)