Summary:
45 new OPEN, 57 new PRO (45 + 12)
Thanks @huntandhackett, @asdasd13asbz, @jaydinbas, @foxit, @tgreen, @malwrhunterteam
Added rules:
Open:
- 2049955 - ET MALWARE TrollAgent CnC Domain in DNS Lookup (ar .kostin .p-e .kr) (malware.rules)
- 2049956 - ET MALWARE Test CnC Domain in DNS Lookup (test .com) (malware.rules)
- 2049957 - ET MALWARE X CnC Domain in DNS Lookup (test .com) (malware.rules)
- 2049958 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (sideindexfollowragelrew .pw) (malware.rules)
- 2049959 - ET MALWARE Observed Lumma Stealer Related Domain (sideindexfollowragelrew .pw in TLS SNI) (malware.rules)
- 2049960 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (lazittarl .com) (exploit_kit.rules)
- 2049961 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (lazittarl .com) (exploit_kit.rules)
- 2049962 - ET MALWARE TrollAgent CnC Domain in DNS Lookup (ar .kostin .p-e .kr) (malware.rules)
- 2049963 - ET MALWARE Suspected FalseFont Backdoor Activity M3 (malware.rules)
- 2049964 - ET MALWARE TrollAgent Checkin (malware.rules)
- 2049965 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (ranchguarrelguidewa .pw) (malware.rules)
- 2049966 - ET MALWARE Observed Lumma Stealer Related Domain (ranchguarrelguidewa .pw in TLS SNI) (malware.rules)
- 2049967 - ET MALWARE TrollAgent CnC Domain in DNS Lookup (ol .negapa .p-e .kr) (malware.rules)
- 2049968 - ET MALWARE TrollAgent CnC Domain in DNS Lookup (winters .r-e .kr) (malware.rules)
- 2049969 - ET MALWARE TrollAgent CnC Domain in DNS Lookup (ai .kostin .p-e .kr) (malware.rules)
- 2049970 - ET MALWARE Observed TrollAgent Domain (winters .r-e .kr in TLS SNI) (malware.rules)
- 2049971 - ET MALWARE Observed TrollAgent Domain (ai .kostin .p-e .kr in TLS SNI) (malware.rules)
- 2049972 - ET MALWARE Observed TrollAgent Domain (ol .negapa .p-e .kr in TLS SNI) (malware.rules)
- 2049973 - ET MALWARE Observed TrollAgent Domain (ar .kostin .p-e .kr in TLS SNI) (malware.rules)
- 2049974 - ET MALWARE Sea Turtle APT Checkin (malware.rules)
- 2049975 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M1 (malware.rules)
- 2049976 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M2 (malware.rules)
- 2049977 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M3 (malware.rules)
- 2049978 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M4 (malware.rules)
- 2049979 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M5 (malware.rules)
- 2049980 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M6 (malware.rules)
- 2049981 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M7 (malware.rules)
- 2049982 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M8 (malware.rules)
- 2049983 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M9 (malware.rules)
- 2049984 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M10 (malware.rules)
- 2049985 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M11 (malware.rules)
- 2049986 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M12 (malware.rules)
- 2049987 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M13 (malware.rules)
- 2049988 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M14 (malware.rules)
- 2049989 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M15 (malware.rules)
- 2049990 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M16 (malware.rules)
- 2049991 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M17 (malware.rules)
- 2049992 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M18 (malware.rules)
- 2049993 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M19 (malware.rules)
- 2049994 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M20 (malware.rules)
- 2049995 - ET MALWARE Blister Loader Cobalt Strike C2 Profile M21 (malware.rules)
- 2049996 - ET MALWARE Blister Loader Mythic C2 Profile M1 (malware.rules)
- 2049997 - ET MALWARE Blister Loader Mythic C2 Profile M2 (malware.rules)
- 2049998 - ET MALWARE Blister Loader Mythic C2 Profile M3 (malware.rules)
- 2049999 - ET MALWARE Blister Loader Mythic C2 Profile M4 (malware.rules)
Pro:
- 2856123 - ETPRO MALWARE FIN7/Carbanak Related Domain in DNS Lookup (malware.rules)
- 2856124 - ETPRO MALWARE Observed FIN7/Carbanak Domain in TLS SNI (malware.rules)
- 2856125 - ETPRO MALWARE FIN7/Carbanak Related Domain in DNS Lookup (malware.rules)
- 2856126 - ETPRO MALWARE Observed FIN7/Carbanak Domain in TLS SNI (malware.rules)
- 2856127 - ETPRO MALWARE FIN7/Carbanak Related Domain in DNS Lookup (malware.rules)
- 2856128 - ETPRO MALWARE Observed FIN7/Carbanak Domain in TLS SNI (malware.rules)
- 2856129 - ETPRO MALWARE FIN7/Carbanak Related Domain in DNS Lookup (malware.rules)
- 2856130 - ETPRO MALWARE Observed FIN7/Carbanak Domain in TLS SNI (malware.rules)
- 2856131 - ETPRO MALWARE FIN7/Carbanak Related Domain in DNS Lookup (malware.rules)
- 2856132 - ETPRO MALWARE Observed FIN7/Carbanak Domain in TLS SNI (malware.rules)
- 2856133 - ETPRO MALWARE FIN7/Carbanak Related Domain in DNS Lookup (malware.rules)
- 2856134 - ETPRO MALWARE Observed FIN7/Carbanak Domain in TLS SNI (malware.rules)
Disabled and modified rules:
- 2044030 - ET MALWARE SocGholish Domain in DNS Lookup (smiles .cahl4u .org) (malware.rules)
- 2049266 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .novelty .akibacreative .com) (malware.rules)
- 2049267 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .novelty .akibacreative .com) (malware.rules)
- 2803525 - ETPRO MALWARE Backdoor.Win32.Derusbi.A Checkin (malware.rules)
- 2803613 - ETPRO MALWARE Trojan.Generic.6200998 User-Agent (WT) (malware.rules)
- 2803681 - ETPRO MALWARE Trojan.Win32.Syswrt.dvd Checkin 1 (malware.rules)
- 2803739 - ETPRO MALWARE Backdoor.Win32.Shiz.ufj Checkin (malware.rules)
- 2803758 - ETPRO MALWARE Covert DNS Channel Query (ipcheker .com) (malware.rules)
- 2803766 - ETPRO MALWARE Possible Hiloti DNS Checkin Message cmd_exe (malware.rules)