Ruleset Update Summary - 2023/12/19 - v10489

Summary:

67 new OPEN, 68 new PRO (67 + 1)

Thanks @F_A_C_C_T_, @Jane_0sint, @_CERT_UA

Added rules:

Open:

  • 2049728 - ET MALWARE CloudAtlas APT Related DNS Lookup (avito-service .net) (malware.rules)
  • 2049729 - ET MALWARE Observed CloudAtlas APT Related Domain (avito-service .net in TLS SNI) (malware.rules)
  • 2049730 - ET MALWARE CloudAtlas APT Related Maldoc Activity M1 (GET) (malware.rules)
  • 2049731 - ET MALWARE CloudAtlas APT Related Domain in DNS Lookup (network-list .com) (malware.rules)
  • 2049732 - ET MALWARE Observed CloudAtlas APT Related Domain (network-list .com in TLS SNI) (malware.rules)
  • 2049733 - ET MALWARE CloudAtlas APT Related Maldoc Activity M3 (GET) (malware.rules)
  • 2049734 - ET MALWARE CloudAtlas APT Related Maldoc Activity M4 (GET) (malware.rules)
  • 2049735 - ET MALWARE CloudAtlas APT Related Maldoc Activity M5 (GET) (malware.rules)
  • 2049736 - ET MALWARE CloudAtlas APT Related Maldoc Activity M6 (GET) (malware.rules)
  • 2049737 - ET MALWARE DNS Query to Suspected APT Domain (idfleaks .info) (malware.rules)
  • 2049738 - ET MALWARE DNS Query to Suspected APT Domain (idf .pics) (malware.rules)
  • 2049739 - ET MALWARE DNS Query to Suspected APT Domain (idfinfo .pw) (malware.rules)
  • 2049740 - ET MALWARE Observed Suspected APT Domain (idfleaks .info in TLS SNI) (malware.rules)
  • 2049741 - ET MALWARE Observed Suspected APT Domain (idf .pics in TLS SNI) (malware.rules)
  • 2049742 - ET MALWARE Observed Suspected APT Domain (idfinfo .pw in TLS SNI) (malware.rules)
  • 2049743 - ET MALWARE DNS Query to UAC-0177 Domain (ssl2 .in) (malware.rules)
  • 2049744 - ET MALWARE DNS Query to UAC-0177 Domain (ssl4 .site) (malware.rules)
  • 2049745 - ET MALWARE DNS Query to UAC-0177 Domain (getssl .ink) (malware.rules)
  • 2049746 - ET MALWARE DNS Query to UAC-0177 Domain (personlog .in) (malware.rules)
  • 2049747 - ET MALWARE DNS Query to UAC-0177 Domain (ssl2 .link) (malware.rules)
  • 2049748 - ET MALWARE DNS Query to UAC-0177 Domain (authssl .online) (malware.rules)
  • 2049749 - ET MALWARE DNS Query to UAC-0177 Domain (ssl1 .site) (malware.rules)
  • 2049750 - ET MALWARE DNS Query to UAC-0177 Domain (hsts .online) (malware.rules)
  • 2049751 - ET MALWARE DNS Query to UAC-0177 Domain (authssl .in) (malware.rules)
  • 2049752 - ET MALWARE DNS Query to UAC-0177 Domain (ssl2 .online) (malware.rules)
  • 2049753 - ET MALWARE DNS Query to UAC-0177 Domain (authssl .site) (malware.rules)
  • 2049754 - ET MALWARE DNS Query to UAC-0177 Domain (goaccount .link) (malware.rules)
  • 2049755 - ET MALWARE DNS Query to UAC-0177 Domain (ssl2 .site) (malware.rules)
  • 2049756 - ET MALWARE DNS Query to UAC-0177 Domain (ssl1 .online) (malware.rules)
  • 2049757 - ET MALWARE DNS Query to UAC-0177 Domain (passport2 .zip) (malware.rules)
  • 2049758 - ET MALWARE DNS Query to UAC-0177 Domain (certifiedauth .in) (malware.rules)
  • 2049759 - ET MALWARE DNS Query to UAC-0177 Domain (authssl .link) (malware.rules)
  • 2049760 - ET MALWARE DNS Query to UAC-0177 Domain (connectssl .in) (malware.rules)
  • 2049761 - ET MALWARE DNS Query to UAC-0177 Domain (getssl .click) (malware.rules)
  • 2049762 - ET MALWARE DNS Query to UAC-0177 Domain (ssl3 .site) (malware.rules)
  • 2049763 - ET MALWARE DNS Query to UAC-0177 Domain (ssl3 .online) (malware.rules)
  • 2049764 - ET MALWARE DNS Query to UAC-0177 Domain (exmo .day) (malware.rules)
  • 2049765 - ET MALWARE DNS Query to UAC-0177 Domain (authcheck .in) (malware.rules)
  • 2049766 - ET MALWARE DNS Query to UAC-0177 Domain (ssl4 .online) (malware.rules)
  • 2049767 - ET MALWARE DNS Query to UAC-0177 Domain (authssl .org) (malware.rules)
  • 2049768 - ET MALWARE Observed UAC-0177 Domain (ssl2 .in in TLS SNI) (malware.rules)
  • 2049769 - ET MALWARE Observed UAC-0177 Domain (ssl4 .site in TLS SNI) (malware.rules)
  • 2049770 - ET MALWARE Observed UAC-0177 Domain (getssl .ink in TLS SNI) (malware.rules)
  • 2049771 - ET MALWARE Observed UAC-0177 Domain (personlog .in in TLS SNI) (malware.rules)
  • 2049772 - ET MALWARE Observed UAC-0177 Domain (ssl2 .link in TLS SNI) (malware.rules)
  • 2049773 - ET MALWARE Observed UAC-0177 Domain (authssl .online in TLS SNI) (malware.rules)
  • 2049774 - ET MALWARE Observed UAC-0177 Domain (ssl1 .site in TLS SNI) (malware.rules)
  • 2049775 - ET MALWARE Observed UAC-0177 Domain (hsts .online in TLS SNI) (malware.rules)
  • 2049776 - ET MALWARE Observed UAC-0177 Domain (authssl .in in TLS SNI) (malware.rules)
  • 2049777 - ET MALWARE Observed UAC-0177 Domain (ssl2 .online in TLS SNI) (malware.rules)
  • 2049778 - ET MALWARE Observed UAC-0177 Domain (authssl .site in TLS SNI) (malware.rules)
  • 2049779 - ET MALWARE Observed UAC-0177 Domain (goaccount .link in TLS SNI) (malware.rules)
  • 2049780 - ET MALWARE Observed UAC-0177 Domain (ssl2 .site in TLS SNI) (malware.rules)
  • 2049781 - ET MALWARE Observed UAC-0177 Domain (ssl1 .online in TLS SNI) (malware.rules)
  • 2049782 - ET MALWARE Observed UAC-0177 Domain (passport2 .zip in TLS SNI) (malware.rules)
  • 2049783 - ET MALWARE Observed UAC-0177 Domain (certifiedauth .in in TLS SNI) (malware.rules)
  • 2049784 - ET MALWARE Observed UAC-0177 Domain (authssl .link in TLS SNI) (malware.rules)
  • 2049785 - ET MALWARE Observed UAC-0177 Domain (connectssl .in in TLS SNI) (malware.rules)
  • 2049786 - ET MALWARE Observed UAC-0177 Domain (getssl .click in TLS SNI) (malware.rules)
  • 2049787 - ET MALWARE Observed UAC-0177 Domain (ssl3 .site in TLS SNI) (malware.rules)
  • 2049788 - ET MALWARE Observed UAC-0177 Domain (ssl3 .online in TLS SNI) (malware.rules)
  • 2049789 - ET MALWARE Observed UAC-0177 Domain (exmo .day in TLS SNI) (malware.rules)
  • 2049790 - ET MALWARE Observed UAC-0177 Domain (authcheck .in in TLS SNI) (malware.rules)
  • 2049791 - ET MALWARE Observed UAC-0177 Domain (ssl4 .online in TLS SNI) (malware.rules)
  • 2049792 - ET MALWARE Observed UAC-0177 Domain (authssl .org in TLS SNI) (malware.rules)
  • 2049793 - ET MALWARE Possible W4SP Stealer CnC Checkin (malware.rules)
  • 2049794 - ET MALWARE Possible KV Botnet CnC Checkin (malware.rules)

Pro:

  • 2855992 - ETPRO MALWARE Win32/KnockerBot CnC Activity (malware.rules)

Disabled and modified rules:

  • 2026946 - ET MALWARE GanDownloader CnC Checkin (malware.rules)
  • 2026987 - ET MALWARE JS/Agent.NZH CnC Response (malware.rules)
  • 2027024 - ET MALWARE Win32/Kribat-A Downloader Activity (malware.rules)
  • 2027273 - ET MALWARE Baldr Stealer Checkin M2 (malware.rules)
  • 2046916 - ET MALWARE NanoCore RAT CnC 26 (malware.rules)
  • 2833554 - ETPRO MALWARE MalDoc Retrieving Ursnif Payload 2018-11-14 (malware.rules)
  • 2833707 - ETPRO MALWARE SYSCON FTP Windows Log Exfil (malware.rules)
  • 2833708 - ETPRO MALWARE SYSCON FTP Process Log Exfil (malware.rules)
  • 2833709 - ETPRO MALWARE SYSCON FTP Screenshot Exfil (malware.rules)
  • 2833972 - ETPRO MALWARE Abadon Backdoor CnC Checkin (malware.rules)
  • 2834101 - ETPRO MALWARE MSIL/Murkios Bot CnC Keep-Alive (malware.rules)
  • 2834172 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL 2019-01-02) (malware.rules)
  • 2834235 - ETPRO MALWARE Goliath HTTP Bot CnC Confirm (malware.rules)
  • 2834236 - ETPRO MALWARE Goliath HTTP Bot CnC Key (malware.rules)
  • 2834273 - ETPRO MALWARE UnHuman Bot CnC Activity (malware.rules)
  • 2834315 - ETPRO MALWARE Unk.Backdoor CnC Checkin (malware.rules)
  • 2834394 - ETPRO MALWARE Ave Maria RAT Checkin (malware.rules)
  • 2834411 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound Leading to EK (fac27) (exploit_kit.rules)
  • 2834579 - ETPRO MALWARE Lucifers RAT CnC Checkin (malware.rules)
  • 2834800 - ETPRO MALWARE Supreme RAT CnC Response (malware.rules)
  • 2834848 - ETPRO MALWARE Azvaz Backdoor CnC Checkin (malware.rules)
  • 2835138 - ETPRO MALWARE FinderBot User-Agent (nnn/) (malware.rules)
  • 2835141 - ETPRO MALWARE FinderBot Login Exfil (malware.rules)
  • 2835299 - ETPRO MALWARE SCBP Stealer Harvesting Passwords (malware.rules)
  • 2835824 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)