Ruleset Update Summary - 2023/10/16 - v10442

Summary:

15 new OPEN, 16 new PRO (15 + 1)

Thanks @g0njxa

Added rules:

Open:

  • 2048564 - ET MALWARE Possible Win32/DarkWatchMan User Agent M2 (malware.rules)
  • 2048565 - ET MALWARE Possible Win32/DarkWatchMan User Agent M1 (malware.rules)
  • 2048568 - ET INFO IPFS File Service Domain in DNS Lookup (nftstorage .link) (info.rules)
  • 2048569 - ET INFO Observed IPFS File Service Domain in TLS SNI (nftstorage .link) (info.rules)
  • 2048570 - ET EXPLOIT_KIT Fake Chrome Update Landing Page Redirect to Payload (2023-10-26) (exploit_kit.rules)
  • 2048571 - ET MALWARE DNS Query to Fake Chrome Landing Page (chromiumbase .site) (malware.rules)
  • 2048572 - ET MALWARE DNS Query to Fake Chrome Landing Page (chromiumtxt .space) (malware.rules)
  • 2048573 - ET MALWARE DNS Query to Fake Chrome Landing Page (chromiumlink .site) (malware.rules)
  • 2048574 - ET MALWARE Observed Fake Chrome Landing Domain (chromiumbase .site in TLS SNI) (malware.rules)
  • 2048575 - ET MALWARE Observed Fake Chrome Landing Domain (chromiumtxt .space in TLS SNI) (malware.rules)
  • 2048576 - ET MALWARE Observed Fake Chrome Landing Domain (chromiumlink .site in TLS SNI) (malware.rules)
  • 2048577 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (arauas .com) (exploit_kit.rules)
  • 2048578 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (gamefllix .com) (exploit_kit.rules)
  • 2048579 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (arauas .com) (exploit_kit.rules)
  • 2048580 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (gamefllix .com) (exploit_kit.rules)

Pro:

  • 2855362 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

  • 2037000 - ET MALWARE Maldoc Retrieving Payload 2022-06-15 (malware.rules)
  • 2037082 - ET ACTIVEX Possible Follina Payload Delivery Page (activex.rules)
  • 2037798 - ET MALWARE HTML/TrojanDropper.Agent.T Payload Inbound (malware.rules)
  • 2046199 - ET MALWARE Observed Maldoc Macro Request (GET) (malware.rules)
  • 2047342 - ET CURRENT_EVENTS Observed Credit Card Scam Exfil Domain in DNS Lookup (current_events.rules)
  • 2047343 - ET CURRENT_EVENTS Observed Credit Card Scam Exfil Domain (postasico .top in TLS SNI) (current_events.rules)
  • 2047995 - ET MALWARE DNS Query to TA444 Domain (updatecheck .store) (malware.rules)
  • 2047996 - ET MALWARE DNS Query to TA444 Domain (updatecheck .site) (malware.rules)
  • 2047997 - ET MALWARE DNS Query to TA444 Domain (antiviruscheck .store) (malware.rules)
  • 2047999 - ET MALWARE DNS Query to TA444 Domain (antifirmware .store) (malware.rules)
  • 2048000 - ET MALWARE DNS Query to TA444 Domain (alwayswait .site) (malware.rules)
  • 2048001 - ET MALWARE DNS Query to TA444 Domain (unbelievableresult .site) (malware.rules)
  • 2048002 - ET MALWARE DNS Query to TA444 Domain (antiviruscheck .site) (malware.rules)
  • 2048003 - ET MALWARE DNS Query to TA444 Domain (remoteproweb .cfd) (malware.rules)
  • 2048004 - ET MALWARE DNS Query to TA444 Domain (auditprovidre .store) (malware.rules)
  • 2048005 - ET MALWARE DNS Query to TA444 Domain (alwayswait .online) (malware.rules)
  • 2048008 - ET MALWARE DNS Query to TA444 Domain (auditprovidre .online) (malware.rules)
  • 2048009 - ET MALWARE DNS Query to TA444 Domain (unbelievableresult .store) (malware.rules)
  • 2048011 - ET MALWARE DNS Query to TA444 Domain (newcoming .cfd) (malware.rules)
  • 2048012 - ET MALWARE DNS Query to TA444 Domain (systemupdate .store) (malware.rules)
  • 2048013 - ET MALWARE DNS Query to TA444 Domain (antifirmware .online) (malware.rules)
  • 2048014 - ET MALWARE Observed TA444 Domain (updatecheck .store in TLS SNI) (malware.rules)
  • 2048015 - ET MALWARE Observed TA444 Domain (updatecheck .site in TLS SNI) (malware.rules)
  • 2048016 - ET MALWARE Observed TA444 Domain (antiviruscheck .store in TLS SNI) (malware.rules)
  • 2048017 - ET MALWARE Observed TA444 Domain (waitingfor .cfd in TLS SNI) (malware.rules)
  • 2048018 - ET MALWARE Observed TA444 Domain (antifirmware .store in TLS SNI) (malware.rules)
  • 2048019 - ET MALWARE Observed TA444 Domain (alwayswait .site in TLS SNI) (malware.rules)
  • 2048020 - ET MALWARE Observed TA444 Domain (unbelievableresult .site in TLS SNI) (malware.rules)
  • 2048021 - ET MALWARE Observed TA444 Domain (antiviruscheck .site in TLS SNI) (malware.rules)
  • 2048022 - ET MALWARE Observed TA444 Domain (remoteproweb .cfd in TLS SNI) (malware.rules)
  • 2048023 - ET MALWARE Observed TA444 Domain (auditprovidre .store in TLS SNI) (malware.rules)
  • 2048024 - ET MALWARE Observed TA444 Domain (alwayswait .online in TLS SNI) (malware.rules)
  • 2048025 - ET MALWARE Observed TA444 Domain (auditprovidre .site in TLS SNI) (malware.rules)
  • 2048026 - ET MALWARE Observed TA444 Domain (antifirmware .site in TLS SNI) (malware.rules)
  • 2048027 - ET MALWARE Observed TA444 Domain (auditprovidre .online in TLS SNI) (malware.rules)
  • 2048028 - ET MALWARE Observed TA444 Domain (unbelievableresult .store in TLS SNI) (malware.rules)
  • 2048029 - ET MALWARE Observed TA444 Domain (systemupdate .site in TLS SNI) (malware.rules)
  • 2048030 - ET MALWARE Observed TA444 Domain (newcoming .cfd in TLS SNI) (malware.rules)
  • 2048031 - ET MALWARE Observed TA444 Domain (systemupdate .store in TLS SNI) (malware.rules)
  • 2048032 - ET MALWARE Observed TA444 Domain (antifirmware .online in TLS SNI) (malware.rules)
  • 2048044 - ET PHISHING [TW] CodeCrafters Phishkit Domain Observed (codecrafterspro .com) (phishing.rules)
  • 2048045 - ET PHISHING [TW] CodeCrafters Phishkit Domain Observed (codecrafters .su) (phishing.rules)
  • 2048046 - ET PHISHING [TW] CodeCrafters Phishkit Domain Observed (devcraftingsolutions .com) (phishing.rules)
  • 2048047 - ET PHISHING [TW] CodeCrafters Phishkit Domain (devcraftingsolutions .com in TLS SNI) (phishing.rules)
  • 2048048 - ET PHISHING [TW] CodeCrafters Phishkit Domain (codecrafterspro .com in TLS SNI) (phishing.rules)
  • 2851705 - ETPRO MALWARE Possible MalDoc Retrieving Payload 2022-05-25 (malware.rules)

Removed rules:

  • 2048564 - ET USER_AGENTS Possible Win32/DarkWatchMan User Agent M2 (user_agents.rules)
  • 2048565 - ET USER_AGENTS Possible Win32/DarkWatchMan User Agent M1 (user_agents.rules)