Ruleset Update Summary - 2023/09/15 - v10418

Summary:

7 new OPEN, 7 new PRO (7 + 0)

Thanks @Jane_0sint, @g0njxa, @James_inthe_box, @0xToxin


Added rules:

Open:

  • 2048093 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In (malware.rules)
  • 2048094 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration (malware.rules)
  • 2048095 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) (malware.rules)
  • 2048096 - ET MALWARE DarkGate CnC Domain in DNS Lookup (zochao .com) (malware.rules)
  • 2048097 - ET MALWARE Observed DarkGate Domain (zochao .com in TLS SNI) (malware.rules)
  • 2048098 - ET MALWARE DarkGate AutoIt Downloader (malware.rules)
  • 2048099 - ET MALWARE DCRAT CnC Domain in DNS Lookup (akamaitechcdns .com) (malware.rules)

Enabled and modified rules:

  • 2047059 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (chestedband .org) (exploit_kit.rules)
  • 2047061 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (chestedband .org) (exploit_kit.rules)
  • 2047160 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (bluegaslamp .org) (exploit_kit.rules)
  • 2047161 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (bluegaslamp .org) (exploit_kit.rules)

Disabled and modified rules:

  • 2045861 - ET MALWARE SocGholish Domain in DNS Lookup (initiatives .ayitiexpo .com) (malware.rules)
  • 2045978 - ET MALWARE SocGholish Domain in DNS Lookup (background .bodyguardchicago .com) (malware.rules)
  • 2046100 - ET MALWARE SocGholish Domain in DNS Lookup (prepare .dawarel3mda .com) (malware.rules)
  • 2046172 - ET MALWARE SocGholish Domain in DNS Lookup (cosplay .univisuo .com) (malware.rules)
  • 2047661 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .workout .oystergardener .net) (malware.rules)
  • 2047662 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .workout .oystergardener .net) (malware.rules)
  • 2047663 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (analytics-google-x91 .com) (exploit_kit.rules)
  • 2047664 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (analytics-google-x91 .com) (exploit_kit.rules)
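The lists above are the only machine-readable record of what this update enables and disables, and operators who mirror these indicators into their own DNS blocklists or SIEM lookups need to parse them, refang the spaced-out domains, and drop indicators belonging to rules the update disables. The following Python is an added example written for this page, not code from Emerging Threats or Proofpoint: it parses the bullet format used here (with a few of the lines above copied in as a constructed sample), refangs the domains, records whether each rule is a DNS Lookup or TLS SNI signature, and then checks a constructed list of DNS query names against the still-active DNS indicators. The treatment of "* ." wildcard entries as matching subdomains only, and the name-to-channel heuristic, are assumptions of this example, not documented ET semantics.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the bullet lines and section headers from
# this summary, embedded so the parser runs offline.
SAMPLE = """\
Added rules:

Open:

  • 2048093 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In (malware.rules)
  • 2048096 - ET MALWARE DarkGate CnC Domain in DNS Lookup (zochao .com) (malware.rules)
  • 2048097 - ET MALWARE Observed DarkGate Domain (zochao .com in TLS SNI) (malware.rules)

Enabled and modified rules:

  • 2047059 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (chestedband .org) (exploit_kit.rules)

Disabled and modified rules:

  • 2047661 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .workout .oystergardener .net) (malware.rules)
"""

# Constructed DNS query names to check against the parsed indicators.
SAMPLE_QUERIES = [
    "zochao.com",
    "cdn.zochao.com",
    "foo.workout.oystergardener.net",
    "chestedband.org",
    "example.com",
]

SECTION_RE = re.compile(r"^(Added|Enabled and modified|Disabled and modified) rules:$")
# "  • <sid> - ET <CATEGORY> <message> (<file>.rules)"
RULE_RE = re.compile(r"^\s*•\s*(\d+)\s*-\s*(ET\s+[A-Z_]+)\s+(.*?)\s+\(([\w.]+\.rules)\)\s*$")
# Defanged domain: labels separated by " ." (e.g. "zochao .com", "* .a .b .net").
DEFANGED_RE = re.compile(r"(?:\*|[A-Za-z0-9-]+)(?:\s\.[A-Za-z0-9-]+)+")


@dataclass
class RuleEntry:
    sid: int
    category: str
    message: str
    rules_file: str
    state: str                 # "added", "enabled" or "disabled"
    channel: Optional[str]     # "dns", "tls" or None (heuristic from the rule name)
    indicator: Optional[str]   # refanged domain; leading "*." kept for wildcard rules


def refang(defanged: str) -> str:
    """Collapse 'zochao .com' back to 'zochao.com'."""
    return re.sub(r"\s+\.", ".", defanged)


def parse_summary(text: str) -> List[RuleEntry]:
    """Walk the summary line by line, tracking which section each bullet sits in."""
    states = {"Added": "added", "Enabled and modified": "enabled",
              "Disabled and modified": "disabled"}
    entries: List[RuleEntry] = []
    state: Optional[str] = None
    for line in text.splitlines():
        sec = SECTION_RE.match(line.strip())
        if sec:
            state = states[sec.group(1)]
            continue
        m = RULE_RE.match(line)
        if not m or state is None:
            continue
        sid, category, message, rules_file = m.groups()
        channel = "dns" if "DNS Lookup" in message else "tls" if "TLS SNI" in message else None
        d = DEFANGED_RE.search(message)
        entries.append(RuleEntry(int(sid), category, message, rules_file, state,
                                 channel, refang(d.group(0)) if d else None))
    return entries


def domain_matches(indicator: str, qname: str) -> bool:
    """Exact match, or (assumption) any subdomain for a '*.'-prefixed indicator."""
    qname = qname.lower().rstrip(".")
    indicator = indicator.lower()
    if indicator.startswith("*."):
        suffix = indicator[1:]                       # ".workout.oystergardener.net"
        return qname.endswith(suffix) and qname != suffix[1:]
    return qname == indicator


def active_dns_indicators(entries: List[RuleEntry]) -> dict:
    """SID -> domain for DNS rules this update leaves enabled (added or enabled)."""
    return {e.sid: e.indicator for e in entries
            if e.state != "disabled" and e.channel == "dns" and e.indicator}


def check_dns_queries(entries: List[RuleEntry], qnames: List[str]) -> List[Tuple[str, int, str]]:
    """Return (query, sid, indicator) for every query an active DNS indicator covers."""
    indicators = active_dns_indicators(entries)
    return [(q, sid, ind) for q in qnames for sid, ind in indicators.items()
            if domain_matches(ind, q)]


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    for e in parsed:
        print(e.sid, e.state, e.channel, e.indicator)
    for hit in check_dns_queries(parsed, SAMPLE_QUERIES):
        print("HIT", hit)
```

Note that the TLS SNI rule for zochao .com (2048097) is deliberately not applied to DNS query names, and the disabled SocGholish wildcard rule contributes nothing to the active set; both are easy to get wrong when indicators are scraped from a changelog by hand.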