Summary:
7 new OPEN, 11 new PRO (the 7 OPEN rules + 4 PRO-only rules)
Thanks @bridewellsec, @CISAgov, @Jane_0sint, @James_inthe_box, @Racco42
Added rules:
Open:
- 2048896 - ET MALWARE Golang Easy Stealer Activiy (POST) (malware.rules)
- 2048897 - ET MALWARE Golang Easy Stealer Activiy M2 (POST) (malware.rules)
- 2048898 - ET INFO Smocker Server Mock Tool Response (info.rules)
- 2048899 - ET MALWARE Volt Typhoon User-Agent (malware.rules)
- 2048900 - ET MALWARE [ANY.RUN] PureLogs Stealer Data Exfiltration Attempt (malware.rules)
- 2048901 - ET MALWARE [ANY.RUN] PureLogs Stealer C2 Connection M2 (malware.rules)
- 2048902 - ET MALWARE [ANY.RUN] PureLogs Stealer C2 Connection M1 (malware.rules)
Pro:
- 2855482 - ETPRO MALWARE Blehniandco Bank Stealer Exfil (OTP) (malware.rules)
- 2855483 - ETPRO MALWARE Blehniandco Bank Stealer Exfil (Card) (malware.rules)
- 2855484 - ETPRO MALWARE Blehniandco Bank Stealer Exfil (Billing) (malware.rules)
- 2855485 - ETPRO MALWARE Fake Israel Charity Stealer Exfil via Telegram (malware.rules)
Disabled and modified rules:
- 2048223 - ET CURRENT_EVENTS Predator Spyware Infection Chain Related Domain in DNS Lookup (verifyurl .me) (current_events.rules)
- 2048224 - ET CURRENT_EVENTS Predator Spyware Infection Chain Related Domain (verifyurl .me in TLS SNI) (current_events.rules)
- 2048225 - ET CURRENT_EVENTS Predator Spyware Infection Chain Related Domain in DNS Lookup (sec-flare .com) (current_events.rules)
- 2048226 - ET CURRENT_EVENTS Observed Predator Spyware Infection Chain Related Domain Domain (sec-flare .com in TLS SNI) (current_events.rules)