Summary:
7 new OPEN, 7 new PRO (7 + 0)
Thanks @Jane_0sint, @g0njxa, @James_inthe_box, @0xToxin
Added rules:
Open:
- 2048093 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In (malware.rules)
- 2048094 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration (malware.rules)
- 2048095 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) (malware.rules)
- 2048096 - ET MALWARE DarkGate CnC Domain in DNS Lookup (zochao .com) (malware.rules)
- 2048097 - ET MALWARE Observed DarkGate Domain (zochao .com in TLS SNI) (malware.rules)
- 2048098 - ET MALWARE DarkGate AutoIt Downloader (malware.rules)
- 2048099 - ET MALWARE DCRAT CnC Domain in DNS Lookup (akamaitechcdns .com) (malware.rules)
Enabled and modified rules:
- 2047059 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (chestedband .org) (exploit_kit.rules)
- 2047061 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (chestedband .org) (exploit_kit.rules)
- 2047160 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (bluegaslamp .org) (exploit_kit.rules)
- 2047161 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (bluegaslamp .org) (exploit_kit.rules)
Disabled and modified rules:
- 2045861 - ET MALWARE SocGholish Domain in DNS Lookup (initiatives .ayitiexpo .com) (malware.rules)
- 2045978 - ET MALWARE SocGholish Domain in DNS Lookup (background .bodyguardchicago .com) (malware.rules)
- 2046100 - ET MALWARE SocGholish Domain in DNS Lookup (prepare .dawarel3mda .com) (malware.rules)
- 2046172 - ET MALWARE SocGholish Domain in DNS Lookup (cosplay .univisuo .com) (malware.rules)
- 2047661 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .workout .oystergardener .net) (malware.rules)
- 2047662 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .workout .oystergardener .net) (malware.rules)
- 2047663 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (analytics-google-x91 .com) (exploit_kit.rules)
- 2047664 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (analytics-google-x91 .com) (exploit_kit.rules)