Ruleset Update Summary - 2023/12/27 - v10494

Ruleset Updates
1

Summary:

4 new OPEN, 6 new PRO (4 + 2)

Thanks @g0njxa

Added rules:

Open:

  • 2049858 - ET MALWARE TA451 FalseFont Backdoor Related Domain in DNS Lookup (digitalcodecrafters .com) (malware.rules)
  • 2049859 - ET MALWARE Observed TA451 FalseFont Backdoor Related Domain (digitalcodecrafters .com in TLS SNI) (malware.rules)
  • 2049860 - ET MALWARE Turla APT Kazuar Backdoor Related Activity (malware.rules)
  • 2049861 - ET MALWARE Suspected Turla APT Kazuar Backdoor Related Activity (malware.rules)

Pro:

  • 2847789 - ETPRO HUNTING Suspected Generic Cloned Website Phish 2021-03-24 (hunting.rules)
  • 2856012 - ETPRO MALWARE Win32/T34 Loader Configuration Download (malware.rules)

Disabled and modified rules:

  • 2029282 - ET MALWARE Win32/MillionLoader CnC Init Activity (malware.rules)
  • 2029293 - ET MALWARE MilkyBoy CnC Activity (malware.rules)
  • 2029298 - ET MALWARE Nexus Stealer CnC Data Exfil (malware.rules)
  • 2029306 - ET MALWARE Observed Thanatos Ransomware Variant Pico User-Agent (malware.rules)
  • 2029341 - ET MALWARE Amadey Stealer CnC - BotKiller Module Checkin (malware.rules)
  • 2029626 - ET MALWARE Observed DNS Query to Vicious Panda CnC Domain (malware.rules)
  • 2029631 - ET MALWARE Observed DNS Query to Vicious Panda CnC Domain (malware.rules)
  • 2029697 - ET MALWARE MSIL/Modi RAT CnC Command Inbound (aw) (malware.rules)
  • 2029813 - ET MALWARE Win32/MOOZ.THCCABO CoinMiner CnC Checkin (malware.rules)
  • 2046785 - ET MALWARE SocGholish Domain in DNS Lookup (creativity .kinchcorp .com) (malware.rules)
  • 2046867 - ET MALWARE SocGholish Domain in DNS Lookup (x64 .nvize .com) (malware.rules)
  • 2048926 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (cubicalwave .com) (exploit_kit.rules)
  • 2048927 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (defeatdiseasewithdata .com) (exploit_kit.rules)
  • 2048928 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (cubicalwave .com) (exploit_kit.rules)
  • 2048929 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (defeatdiseasewithdata .com) (exploit_kit.rules)
  • 2840194 - ETPRO MALWARE Win32/Unk.Stealer CnC Data Exfil (malware.rules)
  • 2840286 - ETPRO POLICY Observed PandaCoin P2P Activity (policy.rules)
  • 2840313 - ETPRO MALWARE Observed DNS Query to MuddyWater DNSClient Domain (malware.rules)
  • 2840358 - ETPRO MALWARE Win32/Agent.UAF Variant CnC M1 (malware.rules)
  • 2840362 - ETPRO MALWARE ChikonStealer CnC Data Exfil (malware.rules)
  • 2840619 - ETPRO MALWARE Win32/Fpox Data Exfil (malware.rules)
  • 2840657 - ETPRO MALWARE ELF/MooBot Variant CnC Checkin (malware.rules)
  • 2840785 - ETPRO MALWARE Unk.CoinMiner Requesting Config (malware.rules)
  • 2840891 - ETPRO MALWARE DarkRAT Variant CnC Checkin (malware.rules)
  • 2840910 - ETPRO ADWARE_PUP InstallCapital Request for Payload (adware_pup.rules)
  • 2841121 - ETPRO MALWARE MSIL/SeptemberRAT CnC Checkin (malware.rules)
  • 2841164 - ETPRO MALWARE Win32/Origin Logger Exfil via FTP (malware.rules)
  • 2841257 - ETPRO MALWARE MalDoc Retrieving Malicious Payload (malware.rules)
  • 2841440 - ETPRO MALWARE Win32/DiamondFox Variant CnC Checkin (malware.rules)
  • 2855342 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2855343 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2855344 - ETPRO MALWARE TA582 Domain in HTTP HOST (malware.rules)
  • 2855345 - ETPRO MALWARE TA582 Domain in HTTP HOST (malware.rules)
  • 2855919 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Removed rules:

  • 2847789 - ETPRO PHISHING Suspected Generic Cloned Website Phish 2021-03-24 (phishing.rules)