Summary:
24 new OPEN, 26 new PRO (24 + 2)
Thanks @ahnlab_secuinfo, @jamfsoftware
Added rules:
Open:
- 2049873 - ET MALWARE Kimsuky APT Related Win32/RftRAT Activity (malware.rules)
- 2049874 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (politefrightenpowoa .pw) (malware.rules)
- 2049875 - ET MALWARE Observed Lumma Stealer Related Domain (politefrightenpowoa .pw in TLS SNI) (malware.rules)
- 2049876 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (carstirgapcheatdeposwte .pw) (malware.rules)
- 2049877 - ET MALWARE Observed Lumma Stealer Related Domain (carstirgapcheatdeposwte .pw in TLS SNI) (malware.rules)
- 2049878 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (recessionconceptjetwe .pw) (malware.rules)
- 2049879 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (opposesicknessopw .pw) (malware.rules)
- 2049880 - ET MALWARE Observed Lumma Stealer Related Domain (recessionconceptjetwe .pw in TLS SNI) (malware.rules)
- 2049881 - ET MALWARE Observed Lumma Stealer Related Domain (opposesicknessopw .pw in TLS SNI) (malware.rules)
- 2049882 - ET MALWARE BlueNoroff APT Related Activity M1 (POST) (malware.rules)
- 2049883 - ET MALWARE BlueNoroff APT Related Activity M2 (POST) (malware.rules)
- 2049884 - ET MALWARE DNS Query to Malicious Domain (steam-install .run) (malware.rules)
- 2049885 - ET MALWARE Win32/Sfuzuan Variant Payload Fetch (malware.rules)
- 2049886 - ET MALWARE Win32/Sfuzuan Variant Payload Fetch (malware.rules)
- 2049887 - ET MALWARE SocGholish Domain in DNS Lookup (ebooks .ferrelljoe .com) (malware.rules)
- 2049888 - ET MALWARE SocGholish Domain in TLS SNI (ebooks .ferrelljoe .com) (malware.rules)
- 2049889 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jennifergalvin .com) (exploit_kit.rules)
- 2049890 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (kineticwing .com) (exploit_kit.rules)
- 2049891 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jesusanaya .com) (exploit_kit.rules)
- 2049892 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (plannedtomatoes .com) (exploit_kit.rules)
- 2049893 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jennifergalvin .com) (exploit_kit.rules)
- 2049894 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (kineticwing .com) (exploit_kit.rules)
- 2049895 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jesusanaya .com) (exploit_kit.rules)
- 2049896 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (plannedtomatoes .com) (exploit_kit.rules)
Pro:
- 2856078 - ETPRO MALWARE JS/Fake Steam Installer Payload Request (malware.rules)
- 2856079 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
Disabled and modified rules:
- 2030625 - ET MALWARE Win32/PurpleWave Stealer Requesting Config (malware.rules)
- 2030626 - ET MALWARE Win32/PurpleWave Stealer CnC Exfil (malware.rules)
- 2030900 - ET MALWARE Moist Stealer CnC Exfil (malware.rules)
- 2045973 - ET WEB_CLIENT Suspected Credit Card Stealer Related Domain Domain in DNS Lookup (byvlsa .com) (web_client.rules)
- 2047814 - ET EXPLOIT_KIT ClearFake Fingerprinting Domain in DNS Lookup (stats-best .site) (exploit_kit.rules)
- 2047815 - ET EXPLOIT_KIT ClearFake Fingerprinting Domain in TLS SNI (stats-best .site) (exploit_kit.rules)
- 2047889 - ET MALWARE SocGholish Domain in DNS Lookup (standard .architech3 .com) (malware.rules)
- 2047890 - ET MALWARE SocGholish Domain in TLS SNI (standard .architech3 .com) (malware.rules)
- 2048131 - ET MALWARE DNS Query to TA444 Domain (swissborg .blog) (malware.rules)
- 2048703 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (alqassam .ps) (malware.rules)
- 2048704 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (nikanps .top) (malware.rules)
- 2048705 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (hamrah .nikanps .top) (malware.rules)
- 2048706 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (modir .nikanps .top) (malware.rules)
- 2048707 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (admin .nikanps .top) (malware.rules)
- 2048708 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (user .nikanps .top) (malware.rules)
- 2048709 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (nikanpsx .top) (malware.rules)
- 2048710 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (hz .nikanpsx .top) (malware.rules)
- 2048711 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (nikanpsx .hopto .org) (malware.rules)
- 2048712 - ET MALWARE HAMAS affiliated Domain in TLS SNI (alqassam .ps) (malware.rules)
- 2048713 - ET MALWARE HAMAS affiliated Domain in TLS SNI (nikanps .top) (malware.rules)
- 2048714 - ET MALWARE HAMAS affiliated Domain in TLS SNI (hamrah .nikanps .top) (malware.rules)
- 2048715 - ET MALWARE HAMAS affiliated Domain in TLS SNI (modir .nikanps .top) (malware.rules)
- 2048716 - ET MALWARE HAMAS affiliated Domain in TLS SNI (admin .nikanps .top) (malware.rules)
- 2048717 - ET MALWARE HAMAS affiliated Domain in TLS SNI (user .nikanps .top) (malware.rules)
- 2048718 - ET MALWARE HAMAS affiliated Domain in TLS SNI (nikanpsx .top) (malware.rules)
- 2048719 - ET MALWARE HAMAS affiliated Domain in TLS SNI (hz .nikanpsx .top) (malware.rules)
- 2048720 - ET MALWARE HAMAS affiliated Domain in TLS SNI (nikanpsx .hopto .org) (malware.rules)
- 2048993 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (cinaprofilm .com) (exploit_kit.rules)
- 2048994 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (cinaprofilm .com) (exploit_kit.rules)
- 2048995 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (bingbuy .com) (exploit_kit.rules)
- 2048996 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (bingbuy .com) (exploit_kit.rules)
- 2049003 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (updateadobeflash .com) (exploit_kit.rules)
- 2049004 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (alsmgjk-igusj .com) (exploit_kit.rules)
- 2049005 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (updateadobeflash .com) (exploit_kit.rules)
- 2049006 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (alsmgjk-igusj .com) (exploit_kit.rules)
- 2049053 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (farmexpressmachine .com) (exploit_kit.rules)
- 2049054 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (pdfinfinity .com) (exploit_kit.rules)
- 2049055 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (farmexpressmachine .com) (exploit_kit.rules)
- 2049056 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (pdfinfinity .com) (exploit_kit.rules)
- 2049078 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (koolstoredeluxe .com) (exploit_kit.rules)
- 2049079 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (koolstoredeluxe .com) (exploit_kit.rules)
- 2049418 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (tirechinecarpett .pw) (malware.rules)
- 2049419 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (hemispheredonkkl .pw) (malware.rules)
- 2049420 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (musclefarelongea .pw) (malware.rules)
- 2049421 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (ownerbuffersuperw .pw) (malware.rules)
- 2049422 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (freckletropsao .pw) (malware.rules)
- 2049423 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fanlumpactiras .pw) (malware.rules)
- 2049424 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (medicinebuckerrysa .pw) (malware.rules)
- 2049425 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (helpfulsteepyi .pw) (malware.rules)
- 2049426 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (definefolkeloi .pw) (malware.rules)
- 2843730 - ETPRO POLICY AppWizard Installer (Possible PUP/PUA) Activity (policy.rules)
- 2843752 - ETPRO MALWARE Win32/Valak Stealer v51 CnC Activity M2 (malware.rules)
- 2843824 - ETPRO MALWARE Win32/BleazIT CnC Checkin (malware.rules)
- 2843895 - ETPRO MALWARE Win32/Randrew.A!bit CnC Checkin (malware.rules)
- 2844308 - ETPRO MALWARE Win32/Stealer.tnf CnC Exfil (malware.rules)
- 2844311 - ETPRO MALWARE Win64/Spy.Agent.CL CnC Activity (malware.rules)
- 2844730 - ETPRO MALWARE MalDoc Retrieving Payload 2020-10-02 (malware.rules)
- 2844884 - ETPRO MALWARE MSIL/Kryptik.YAP CnC Checkin (malware.rules)
- 2855991 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
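The update above follows a fixed line shape (`- SID - MSG (file.rules)`) and defangs hostnames by inserting a space before each dot (`ebooks .ferrelljoe .com`). The script below is an added example, not Proofpoint/ET tooling, that parses a summary in that shape, refangs the domains, tags each rule as a DNS-lookup or TLS-SNI indicator, and lets you pull SID lists per section or tier. The sample text is a constructed excerpt of lines from this page; the line format and the `" ."` defanging convention are assumptions taken from how this summary is written.

```python
"""Parse an ET ruleset update summary, refang domains, group SIDs."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the update summary.
SAMPLE_UPDATE = """\
Added rules:
Open:
- 2049874 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (politefrightenpowoa .pw) (malware.rules)
- 2049875 - ET MALWARE Observed Lumma Stealer Related Domain (politefrightenpowoa .pw in TLS SNI) (malware.rules)
- 2049882 - ET MALWARE BlueNoroff APT Related Activity M1 (POST) (malware.rules)
- 2049893 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jennifergalvin .com) (exploit_kit.rules)
Pro:
- 2856079 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
Disabled and modified rules:
- 2048711 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (nikanpsx .hopto .org) (malware.rules)
"""

# "- <sid> - <msg> (<file>.rules)"; the greedy msg backs off to the last "(".
RULE_RE = re.compile(r"^- (?P<sid>\d+) - (?P<msg>.+) \((?P<file>[a-z_]+\.rules)\)$")
# A defanged hostname in parentheses: labels joined by " ." (assumed ET convention),
# optionally followed by " in TLS SNI" as in the "Observed ... Domain" rules.
DEFANGED_RE = re.compile(r"\(([A-Za-z0-9-]+(?: \.[A-Za-z0-9-]+)+)(?: in TLS SNI)?\)")


def refang(domain: str) -> str:
    """Turn 'label .label .tld' back into a real hostname."""
    return domain.replace(" .", ".")


def indicator_type(msg: str):
    """Classify a rule msg by the network artefact it matches on."""
    if "TLS SNI" in msg:
        return "sni"
    if "DNS Lookup" in msg or "DNS Query" in msg:
        return "dns"
    return None  # payload/C2 traffic rules carry no domain indicator


def parse_update(text: str):
    """Return one record per rule line, tagged with its section and tier."""
    records = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("rules:"):  # "Added rules:" / "Disabled and modified rules:"
            section = line[:-1]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # "Open:", "Pro:", summary and thanks lines
        msg = m.group("msg")
        dm = DEFANGED_RE.search(msg)
        records.append({
            "sid": int(m.group("sid")),
            "msg": msg,
            "file": m.group("file"),
            "section": section,
            "tier": "pro" if msg.startswith("ETPRO ") else "open",
            "domain": refang(dm.group(1)) if dm else None,
            "indicator": indicator_type(msg),
        })
    return records


def domains_by_indicator(records, section="Added rules"):
    """Refanged domains from one section, keyed by 'dns' or 'sni'."""
    out = defaultdict(set)
    for r in records:
        if r["section"] == section and r["domain"] and r["indicator"]:
            out[r["indicator"]].add(r["domain"])
    return {k: sorted(v) for k, v in out.items()}


def sids(records, section=None, tier=None):
    """Sorted SIDs, optionally filtered by section and/or tier."""
    return sorted(r["sid"] for r in records
                  if (section is None or r["section"] == section)
                  and (tier is None or r["tier"] == tier))


if __name__ == "__main__":
    recs = parse_update(SAMPLE_UPDATE)
    print(domains_by_indicator(recs))
    print(sids(recs, section="Disabled and modified rules"))
```

The refanged `dns`/`sni` lists are what you would feed to a resolver log or TLS-metadata search to check for prior hits, while the per-section SID lists are useful for reconciling against a local `disable.conf`/`modify.conf`. One caveat: the "Disabled and modified rules" heading lumps both kinds of change together, so a SID appearing there does not by itself mean the rule is now off; check the rule file before changing local enablement.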