Ruleset Update Summary - 2023/12/21 - v10491

Summary:

25 new OPEN, 42 new PRO (25 + 17)

Thanks @OleVilladsen, @g0njxa, @Malwarebytes, @James_inthe_box


Added rules:

Open:

  • 2030992 - ET INFO Lucy Phishing Admin Panel Accessed on Internal Server (info.rules)
  • 2030993 - ET INFO Lucy Phishing Panel Accessed on External Server (info.rules)
  • 2042970 - ET INFO Lucy Security Phishing Server Reply (info.rules)
  • 2042971 - ET INFO Lucy Security Phishing Awareness Landing Page (info.rules)
  • 2049807 - ET MALWARE Brute Ratel Framework Related Domain in DNS Lookup (azureclouder .com) (malware.rules)
  • 2049808 - ET MALWARE Observed Brute Ratel Framework Related Domain (azureclouder .com in TLS SNI) (malware.rules)
  • 2049809 - ET MALWARE YoroTrooper APT Related Activity (GET) (malware.rules)
  • 2049810 - ET INFO DNS Query to Suspicious Domain (vultrobjects .com) (info.rules)
  • 2049811 - ET INFO Observed Suspicious Domain (vultrobjects .com in TLS SNI) (info.rules)
  • 2049812 - ET MALWARE Lumma Stealer Related Activity M2 (malware.rules)
  • 2049813 - ET MALWARE Win32/Doina Loader CnC Checkin M1 (malware.rules)
  • 2049814 - ET MALWARE Win32/Doina Loader CnC Checkin M2 (malware.rules)
  • 2049815 - ET MALWARE Win32/Doina Loader CnC Checkin M3 (malware.rules)
  • 2049816 - ET MALWARE Win32/Doina Stealer CnC Checkin (malware.rules)
  • 2049817 - ET MALWARE Win32/Unknown Stealer Data Exfiltration Attempt (malware.rules)
  • 2049818 - ET MALWARE Win32/Unknown Stealer CnC Domain in DNS Lookup (webvideoshareonline .com) (malware.rules)
  • 2049819 - ET MALWARE Suspicious Domain (webvideoshareonline .com) in TLS SNI (malware.rules)
  • 2049820 - ET MALWARE Win32/Doina Loader/Stealer CnC Domain in DNS Lookup (podologie-werne .de) (malware.rules)
  • 2049821 - ET MALWARE Observed Win32/Doina Loader/Stealer Domain (podologie-werne .de) in TLS SNI (malware.rules)
  • 2049822 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (biggerfun .org) (exploit_kit.rules)
  • 2049823 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (froggysnow .org) (exploit_kit.rules)
  • 2049824 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (confirmapply .org) (exploit_kit.rules)
  • 2049825 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (biggerfun .org) (exploit_kit.rules)
  • 2049826 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (froggysnow .org) (exploit_kit.rules)
  • 2049827 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (confirmapply .org) (exploit_kit.rules)

Pro:

  • 2855993 - ETPRO MALWARE Win32/BlueWindow Loader Activity M1 (GET) (malware.rules)
  • 2855994 - ETPRO MALWARE Win32/BlueWindow Loader Activity M2 (malware.rules)
  • 2855995 - ETPRO MALWARE Observed TA453 Domain in TLS SNI (malware.rules)
  • 2855996 - ETPRO MALWARE DNS Query to TA453 Domain (malware.rules)
  • 2855997 - ETPRO MALWARE DNS Query to TA453 Domain (malware.rules)
  • 2855998 - ETPRO MALWARE DNS Query to TA453 Domain (malware.rules)
  • 2855999 - ETPRO MALWARE DNS Query to TA453 Domain (malware.rules)
  • 2856000 - ETPRO MALWARE DNS Query to TA453 Domain (malware.rules)
  • 2856001 - ETPRO MALWARE DNS Query to TA453 Domain (malware.rules)
  • 2856002 - ETPRO MALWARE DNS Query to TA453 Domain (malware.rules)
  • 2856003 - ETPRO MALWARE Observed TA453 Domain in TLS SNI (malware.rules)
  • 2856004 - ETPRO MALWARE Observed TA453 Domain in TLS SNI (malware.rules)
  • 2856005 - ETPRO MALWARE Observed TA453 Domain in TLS SNI (malware.rules)
  • 2856006 - ETPRO MALWARE Observed TA453 Domain in TLS SNI (malware.rules)
  • 2856007 - ETPRO MALWARE Observed TA453 Domain in TLS SNI (malware.rules)
  • 2856008 - ETPRO MALWARE Observed TA453 Domain in TLS SNI (malware.rules)
  • 2856009 - ETPRO MALWARE Observed TA453 Domain in TLS SNI (malware.rules)

Disabled and modified rules:

  • 2028984 - ET MALWARE Win32/1xxbot CnC Checkin (malware.rules)
  • 2031217 - ET MALWARE Win32/SDBbot CnC Checkin (malware.rules)
  • 2838194 - ETPRO MALWARE Observed Malicious SSL Cert (PsiXBot CnC) (malware.rules)
  • 2838513 - ETPRO MALWARE Win32/Ke3chang Ke3chang CnC Activity (malware.rules)
  • 2838514 - ETPRO MALWARE Win32/Bitrep.B CnC Checkin (malware.rules)
  • 2838730 - ETPRO MALWARE EvilVBS Loader Retrieving Payload (malware.rules)
  • 2839018 - ETPRO MALWARE Win32/WinLoader Requesting Payload (malware.rules)
  • 2839051 - ETPRO MALWARE Win32/Unk.Loader Retrieving Payload (malware.rules)

Removed rules:

  • 2030992 - ET PHISHING Lucy Phishing Panel Accessed on Internal Server (phishing.rules)
  • 2030993 - ET PHISHING Lucy Phishing Panel Accessed on External Server (phishing.rules)
  • 2042970 - ET PHISHING Lucy Security Phishing Server Reply (phishing.rules)
  • 2042971 - ET PHISHING Lucy Security Phishing Awareness Landing Page (phishing.rules)
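The four Lucy SIDs (2030992, 2030993, 2042970, 2042971) appear both under "Added rules: Open" (info.rules) and under "Removed rules" (phishing.rules): they were re-categorized from ET PHISHING to ET INFO, not dropped from the ruleset, so local disable/modify entries keyed on the old category or file should be reviewed. The script below is an added example, not part of the Emerging Threats summary or its tooling; it parses a summary in this format, checks the "N new OPEN, M new PRO (N + K)" line against the listed rules, refangs the defanged domains in rule messages ("azureclouder .com" style) into an indicator list, and reports SIDs that moved between rules files. The input is a constructed, shortened excerpt in the same layout as the page, with summary counts that match the excerpt rather than the real update.

```python
"""Parse an ET ruleset update summary into SIDs, indicators and sanity checks.

Added example, not the Emerging Threats project's own code. The input below is
a constructed, shortened excerpt in the same format as the published summary.
"""
import re

# Constructed sample in the format of the summary above (shortened; the
# summary line counts match this sample, not the real 2023/12/21 update).
SAMPLE = """Ruleset Update Summary - 2023/12/21 - v10491

Summary:

3 new OPEN, 5 new PRO (3 + 2)

Added rules:

Open:

  • 2030992 - ET INFO Lucy Phishing Admin Panel Accessed on Internal Server (info.rules)
  • 2049807 - ET MALWARE Brute Ratel Framework Related Domain in DNS Lookup (azureclouder .com) (malware.rules)
  • 2049821 - ET MALWARE Observed Win32/Doina Loader/Stealer Domain (podologie-werne .de) in TLS SNI (malware.rules)

Pro:

  • 2855993 - ETPRO MALWARE Win32/BlueWindow Loader Activity M1 (GET) (malware.rules)
  • 2855995 - ETPRO MALWARE Observed TA453 Domain in TLS SNI (malware.rules)

Disabled and modified rules:

  • 2028984 - ET MALWARE Win32/1xxbot CnC Checkin (malware.rules)

Removed rules:

  • 2030992 - ET PHISHING Lucy Phishing Panel Accessed on Internal Server (phishing.rules)
"""

HEADER_RE = re.compile(r"^(Open|Pro|Disabled and modified rules|Removed rules):$")
# "  • <sid> - <msg> (<file>.rules)"
RULE_RE = re.compile(r"^\s*•\s*(\d+)\s+-\s+(.*?)\s+\((\w+\.rules)\)\s*$")
SUMMARY_RE = re.compile(r"^(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)$")
# Defanged domains in rule messages look like "azureclouder .com".
DEFANGED_RE = re.compile(r"\b([a-z0-9-]+(?: \.[a-z0-9-]+)+)\b", re.I)


def parse_summary(text):
    """Return (summary_counts, {section: [(sid, msg, rules_file), ...]})."""
    counts, sections, current = None, {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = SUMMARY_RE.match(line)
        if m:
            counts = tuple(int(x) for x in m.groups())
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = RULE_RE.match(line)
        if m and current:
            sections[current].append((int(m.group(1)), m.group(2), m.group(3)))
    return counts, sections


def check_counts(counts, sections):
    """Verify 'N new OPEN, M new PRO (N + K)' against the rules actually listed."""
    open_new, pro_total, open_again, pro_only = counts
    return (open_new == open_again == len(sections.get("Open", []))
            and pro_only == len(sections.get("Pro", []))
            and pro_total == open_new + pro_only)


def refanged_domains(sections):
    """Collect defanged domains from rule messages, refanged for a blocklist."""
    found = set()
    for rules in sections.values():
        for _sid, msg, _file in rules:
            for d in DEFANGED_RE.findall(msg):
                found.add(d.replace(" .", ".").lower())
    return sorted(found)


def recategorized(sections):
    """SIDs listed both as added and as removed: a rules-file move, not a removal."""
    added = {sid: f for sid, _m, f in sections.get("Open", []) + sections.get("Pro", [])}
    moves = {}
    for sid, _m, old_file in sections.get("Removed rules", []):
        if sid in added:
            moves[sid] = (old_file, added[sid])
    return moves


if __name__ == "__main__":
    counts, sections = parse_summary(SAMPLE)
    print("summary counts consistent:", check_counts(counts, sections))
    print("indicators:", refanged_domains(sections))
    print("moved SIDs (old file, new file):", recategorized(sections))
```

Run against the full summary text instead of SAMPLE to get the complete indicator list and to confirm that the counts in the "Summary:" line match the bullets; a mismatch is the first sign that a copy of the summary was truncated.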