Ruleset Update Summary - 2024/01/02 - v10497

rulesbot · January 2, 2024, 9:45pm

Summary:

24 new OPEN, 26 new PRO (24 + 2)

Thanks @ahnlab_secuinfo, @jamfsoftware

Added rules:

Open:

2049873 - ET MALWARE Kimsuky APT Related Win32/RftRAT Activity (malware.rules)
2049874 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (politefrightenpowoa .pw) (malware.rules)
2049875 - ET MALWARE Observed Lumma Stealer Related Domain (politefrightenpowoa .pw in TLS SNI) (malware.rules)
2049876 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (carstirgapcheatdeposwte .pw) (malware.rules)
2049877 - ET MALWARE Observed Lumma Stealer Related Domain (carstirgapcheatdeposwte .pw in TLS SNI) (malware.rules)
2049878 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (recessionconceptjetwe .pw) (malware.rules)
2049879 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (opposesicknessopw .pw) (malware.rules)
2049880 - ET MALWARE Observed Lumma Stealer Related Domain (recessionconceptjetwe .pw in TLS SNI) (malware.rules)
2049881 - ET MALWARE Observed Lumma Stealer Related Domain (opposesicknessopw .pw in TLS SNI) (malware.rules)
2049882 - ET MALWARE BlueNoroff APT Related Activity M1 (POST) (malware.rules)
2049883 - ET MALWARE BlueNoroff APT Related Activity M2 (POST) (malware.rules)
2049884 - ET MALWARE DNS Query to Malicious Domain (steam-install .run) (malware.rules)
2049885 - ET MALWARE Win32/Sfuzuan Variant Payload Fetch (malware.rules)
2049886 - ET MALWARE Win32/Sfuzuan Variant Payload Fetch (malware.rules)
2049887 - ET MALWARE SocGholish Domain in DNS Lookup (ebooks .ferrelljoe .com) (malware.rules)
2049888 - ET MALWARE SocGholish Domain in TLS SNI (ebooks .ferrelljoe .com) (malware.rules)
2049889 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jennifergalvin .com) (exploit_kit.rules)
2049890 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (kineticwing .com) (exploit_kit.rules)
2049891 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jesusanaya .com) (exploit_kit.rules)
2049892 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (plannedtomatoes .com) (exploit_kit.rules)
2049893 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jennifergalvin .com) (exploit_kit.rules)
2049894 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (kineticwing .com) (exploit_kit.rules)
2049895 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jesusanaya .com) (exploit_kit.rules)
2049896 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (plannedtomatoes .com) (exploit_kit.rules)

Pro:

2856078 - ETPRO MALWARE JS/Fake Steam Installer Payload Request (malware.rules)
2856079 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

2030625 - ET MALWARE Win32/PurpleWave Stealer Requesting Config (malware.rules)
2030626 - ET MALWARE Win32/PurpleWave Stealer CnC Exfil (malware.rules)
2030900 - ET MALWARE Moist Stealer CnC Exfil (malware.rules)
2045973 - ET WEB_CLIENT Suspected Credit Card Stealer Related Domain Domain in DNS Lookup (byvlsa .com) (web_client.rules)
2047814 - ET EXPLOIT_KIT ClearFake Fingerprinting Domain in DNS Lookup (stats-best .site) (exploit_kit.rules)
2047815 - ET EXPLOIT_KIT ClearFake Fingerprinting Domain in TLS SNI (stats-best .site) (exploit_kit.rules)
2047889 - ET MALWARE SocGholish Domain in DNS Lookup (standard .architech3 .com) (malware.rules)
2047890 - ET MALWARE SocGholish Domain in TLS SNI (standard .architech3 .com) (malware.rules)
2048131 - ET MALWARE DNS Query to TA444 Domain (swissborg .blog) (malware.rules)
2048703 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (alqassam .ps) (malware.rules)
2048704 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (nikanps .top) (malware.rules)
2048705 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (hamrah .nikanps .top) (malware.rules)
2048706 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (modir .nikanps .top) (malware.rules)
2048707 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (admin .nikanps .top) (malware.rules)
2048708 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (user .nikanps .top) (malware.rules)
2048709 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (nikanpsx .top) (malware.rules)
2048710 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (hz .nikanpsx .top) (malware.rules)
2048711 - ET MALWARE HAMAS affiliated Domain in DNS Lookup (nikanpsx .hopto .org) (malware.rules)
2048712 - ET MALWARE HAMAS affiliated Domain in TLS SNI (alqassam .ps) (malware.rules)
2048713 - ET MALWARE HAMAS affiliated Domain in TLS SNI (nikanps .top) (malware.rules)
2048714 - ET MALWARE HAMAS affiliated Domain in TLS SNI (hamrah .nikanps .top) (malware.rules)
2048715 - ET MALWARE HAMAS affiliated Domain in TLS SNI (modir .nikanps .top) (malware.rules)
2048716 - ET MALWARE HAMAS affiliated Domain in TLS SNI (admin .nikanps .top) (malware.rules)
2048717 - ET MALWARE HAMAS affiliated Domain in TLS SNI (user .nikanps .top) (malware.rules)
2048718 - ET MALWARE HAMAS affiliated Domain in TLS SNI (nikanpsx .top) (malware.rules)
2048719 - ET MALWARE HAMAS affiliated Domain in TLS SNI (hz .nikanpsx .top) (malware.rules)
2048720 - ET MALWARE HAMAS affiliated Domain in TLS SNI (nikanpsx .hopto .org) (malware.rules)
2048993 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (cinaprofilm .com) (exploit_kit.rules)
2048994 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (cinaprofilm .com) (exploit_kit.rules)
2048995 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (bingbuy .com) (exploit_kit.rules)
2048996 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (bingbuy .com) (exploit_kit.rules)
2049003 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (updateadobeflash .com) (exploit_kit.rules)
2049004 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (alsmgjk-igusj .com) (exploit_kit.rules)
2049005 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (updateadobeflash .com) (exploit_kit.rules)
2049006 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (alsmgjk-igusj .com) (exploit_kit.rules)
2049053 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (farmexpressmachine .com) (exploit_kit.rules)
2049054 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (pdfinfinity .com) (exploit_kit.rules)
2049055 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (farmexpressmachine .com) (exploit_kit.rules)
2049056 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (pdfinfinity .com) (exploit_kit.rules)
2049078 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (koolstoredeluxe .com) (exploit_kit.rules)
2049079 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (koolstoredeluxe .com) (exploit_kit.rules)
2049418 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (tirechinecarpett .pw) (malware.rules)
2049419 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (hemispheredonkkl .pw) (malware.rules)
2049420 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (musclefarelongea .pw) (malware.rules)
2049421 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (ownerbuffersuperw .pw) (malware.rules)
2049422 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (freckletropsao .pw) (malware.rules)
2049423 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fanlumpactiras .pw) (malware.rules)
2049424 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (medicinebuckerrysa .pw) (malware.rules)
2049425 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (helpfulsteepyi .pw) (malware.rules)
2049426 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (definefolkeloi .pw) (malware.rules)
2843730 - ETPRO POLICY AppWizard Installer (Possible PUP/PUA) Activity (policy.rules)
2843752 - ETPRO MALWARE Win32/Valak Stealer v51 CnC Activity M2 (malware.rules)
2843824 - ETPRO MALWARE Win32/BleazIT CnC Checkin (malware.rules)
2843895 - ETPRO MALWARE Win32/Randrew.A!bit CnC Checkin (malware.rules)
2844308 - ETPRO MALWARE Win32/Stealer.tnf CnC Exfil (malware.rules)
2844311 - ETPRO MALWARE Win64/Spy.Agent.CL CnC Activity (malware.rules)
2844730 - ETPRO MALWARE MalDoc Retrieving Payload 2020-10-02 (malware.rules)
2844884 - ETPRO MALWARE MSIL/Kryptik.YAP CnC Checkin (malware.rules)
2855991 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/03/11 - v10549 Ruleset Updates	368	March 11, 2024
Ruleset Update Summary - 2024/03/08 - v10548 Ruleset Updates	191	March 8, 2024
Ruleset Update Summary - 2024/03/05 - v10545 Ruleset Updates	377	March 5, 2024
Ruleset Update Summary - 2024/01/22 - v10511 Ruleset Updates	280	January 22, 2024
Ruleset Update Summary - 2024/01/25 - v10514 Ruleset Updates	220	January 25, 2024

Ruleset Update Summary - 2024/01/02 - v10497

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related Topics