Ruleset Update Summary - 2024/01/22 - v10511

Summary:

86 new OPEN, 88 new PRO (86 OPEN + 2 PRO-only)

Thanks @rmceoin, @malwarebytes


Added rules:

Open:

  • 2050254 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (benddiscoleideasbridrew .site) (malware.rules)
  • 2050255 - ET MALWARE Observed Lumma Stealer Related Domain (benddiscoleideasbridrew .site in TLS SNI) (malware.rules)
  • 2050256 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lastbishopmultiplyeow .site) (malware.rules)
  • 2050257 - ET MALWARE Observed Lumma Stealer Related Domain (lastbishopmultiplyeow .site in TLS SNI) (malware.rules)
  • 2050258 - ET INFO Observed DNS Over HTTPS Domain (agh-yz .russel053 .com in TLS SNI) (info.rules)
  • 2050259 - ET INFO Observed DNS Over HTTPS Domain (dns .lgprk .com in TLS SNI) (info.rules)
  • 2050260 - ET INFO Observed DNS Over HTTPS Domain (dns1 .pietjacobs .be in TLS SNI) (info.rules)
  • 2050261 - ET INFO Observed DNS Over HTTPS Domain (dns .mikrotikrumahan .my .id in TLS SNI) (info.rules)
  • 2050262 - ET INFO Observed DNS Over HTTPS Domain (5g .o0o .re in TLS SNI) (info.rules)
  • 2050263 - ET INFO Observed DNS Over HTTPS Domain (query .mobyds .com in TLS SNI) (info.rules)
  • 2050264 - ET INFO Observed DNS Over HTTPS Domain (dns .sac .rebl .eu .org in TLS SNI) (info.rules)
  • 2050265 - ET INFO Observed DNS Over HTTPS Domain (dns .lvolland .fr in TLS SNI) (info.rules)
  • 2050266 - ET INFO Observed DNS Over HTTPS Domain (ns .ral9005 .org in TLS SNI) (info.rules)
  • 2050267 - ET INFO Observed DNS Over HTTPS Domain (ns .mtsoln .com in TLS SNI) (info.rules)
  • 2050268 - ET INFO Observed DNS Over HTTPS Domain (adblock .leenit .kr in TLS SNI) (info.rules)
  • 2050269 - ET INFO Observed DNS Over HTTPS Domain (home .wriedts .de in TLS SNI) (info.rules)
  • 2050270 - ET INFO Observed DNS Over HTTPS Domain (dns1 .lothuscorp .com .br in TLS SNI) (info.rules)
  • 2050271 - ET INFO Observed DNS Over HTTPS Domain (adguard .marto .si in TLS SNI) (info.rules)
  • 2050272 - ET INFO Observed DNS Over HTTPS Domain (id .local .v .ua in TLS SNI) (info.rules)
  • 2050273 - ET INFO Observed DNS Over HTTPS Domain (adguard .londonwebnerd .cloud in TLS SNI) (info.rules)
  • 2050274 - ET INFO Observed DNS Over HTTPS Domain (netcup .mismat .ch in TLS SNI) (info.rules)
  • 2050275 - ET INFO Observed DNS Over HTTPS Domain (adguard .mattiafenzi .uk in TLS SNI) (info.rules)
  • 2050276 - ET INFO Observed DNS Over HTTPS Domain (locaweb .moleniuk .com in TLS SNI) (info.rules)
  • 2050277 - ET INFO Observed DNS Over HTTPS Domain (emby .rasp .tv in TLS SNI) (info.rules)
  • 2050278 - ET MALWARE Atomic Stealer Related Activity (POST) (malware.rules)
  • 2050279 - ET MALWARE [ANY.RUN] ZharkBOT HTTP CnC Checkin (malware.rules)
  • 2050280 - ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt M2 (CVE-2023-46805, CVE-2024-21887) (web_specific_apps.rules)
  • 2050281 - ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com) (info.rules)
  • 2050282 - ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI (info.rules)
  • 2050283 - ET MALWARE Brosql Stealer Screenshot Exfil (malware.rules)
  • 2050284 - ET MALWARE Brosql Stealer Browser Login Exfil (malware.rules)
  • 2050285 - ET MALWARE Brosql Stealer Browser Cookie Exfil (malware.rules)
  • 2050286 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (flyspecialline .com) (exploit_kit.rules)
  • 2050287 - ET EXPLOIT_KIT Balada Domain in TLS SNI (flyspecialline .com) (exploit_kit.rules)
  • 2050288 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (app .documentoffice .club) (malware.rules)
  • 2050289 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (benefitinfo .live) (malware.rules)
  • 2050290 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (benefitinfo .pro) (malware.rules)
  • 2050291 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (benefiturl .pro) (malware.rules)
  • 2050292 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (careagency .online) (malware.rules)
  • 2050293 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (cra-receivenow .online) (malware.rules)
  • 2050294 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (crareceive .site) (malware.rules)
  • 2050295 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (depositurl .co) (malware.rules)
  • 2050296 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (depositurl .lat) (malware.rules)
  • 2050297 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (direct .traderfree .online) (malware.rules)
  • 2050298 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (forex .traderfree .online) (malware.rules)
  • 2050299 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (groceryrebate .online) (malware.rules)
  • 2050300 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (groceryrebate .site) (malware.rules)
  • 2050301 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (gstcreceive .online) (malware.rules)
  • 2050302 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (instantreceive .org) (malware.rules)
  • 2050303 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (nav .offlinedocument .site) (malware.rules)
  • 2050304 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (receive .bio) (malware.rules)
  • 2050305 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (receiveinstant .online) (malware.rules)
  • 2050306 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (rentsubsidy .help) (malware.rules)
  • 2050307 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (rentsubsidy .online) (malware.rules)
  • 2050308 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (tinyurlinstant .co) (malware.rules)
  • 2050309 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (urldepost .co) (malware.rules)
  • 2050310 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (verifyca .online) (malware.rules)
  • 2050311 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (visiononline .store) (malware.rules)
  • 2050312 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (app .documentoffice .club) (malware.rules)
  • 2050313 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (benefitinfo .live) (malware.rules)
  • 2050314 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (benefitinfo .pro) (malware.rules)
  • 2050315 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (benefiturl .pro) (malware.rules)
  • 2050316 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (careagency .online) (malware.rules)
  • 2050317 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (cra-receivenow .online) (malware.rules)
  • 2050318 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (crareceive .site) (malware.rules)
  • 2050319 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (depositurl .co) (malware.rules)
  • 2050320 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (depositurl .lat) (malware.rules)
  • 2050321 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (direct .traderfree .online) (malware.rules)
  • 2050322 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (forex .traderfree .online) (malware.rules)
  • 2050323 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (groceryrebate .online) (malware.rules)
  • 2050324 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (groceryrebate .site) (malware.rules)
  • 2050325 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (gstcreceive .online) (malware.rules)
  • 2050326 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (instantreceive .org) (malware.rules)
  • 2050327 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (nav .offlinedocument .site) (malware.rules)
  • 2050328 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (receive .bio) (malware.rules)
  • 2050329 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (receiveinstant .online) (malware.rules)
  • 2050330 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (rentsubsidy .help) (malware.rules)
  • 2050331 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (rentsubsidy .online) (malware.rules)
  • 2050332 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (tinyurlinstant .co) (malware.rules)
  • 2050333 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (urldepost .co) (malware.rules)
  • 2050334 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (verifyca .online) (malware.rules)
  • 2050335 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (visiononline .store) (malware.rules)
  • 2050336 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (suezey .com) (exploit_kit.rules)
  • 2050337 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (appboltonik .com) (exploit_kit.rules)
  • 2050338 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (suezey .com) (exploit_kit.rules)
  • 2050339 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (appboltonik .com) (exploit_kit.rules)

Pro:

  • 2856214 - ETPRO MALWARE Generic Windows Loader Activity (GET) (malware.rules)
  • 2856216 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

  • 2047679 - ET MALWARE Python Stealer/Clipper Related Domain in DNS Lookup (kekwltd .ru) (malware.rules)
  • 2047680 - ET MALWARE Observed Python Stealer/Clipper Related Domain (kekwltd .ru in TLS SNI) (malware.rules)
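Added example, not part of the Emerging Threats changelog or of the ruleset itself: a Python script that refangs a handful of the domains listed above and scans Suricata eve.json DNS and TLS records for them, so a team can hunt historical logs for the same domains from before v10511 was deployed, and can see that a hit on kekwltd .ru now corresponds to disabled rules. The indicator subset, the SID labels attached to each domain, the sample eve.json lines and the domain-or-subdomain match rule are this example's own assumptions (the rule bodies are not shown on this page). It also deliberately leaves an HTTP Host header unmatched, because the rules in this release cover DNS lookups and TLS SNI only.

```python
import json

# Indicators transcribed from this changelog, in the same defanged "name .tld" form.
# Labels are constructed here as SID pairs (DNS rule / TLS SNI rule) plus family.
OPEN_INDICATORS = {
    "benddiscoleideasbridrew .site": "2050254/2050255 Lumma Stealer",
    "lastbishopmultiplyeow .site": "2050256/2050257 Lumma Stealer",
    "flyspecialline .com": "2050286/2050287 Balada",
    "benefitinfo .live": "2050289/2050313 ScarCruft TA409",
    "nav .offlinedocument .site": "2050303/2050327 ScarCruft TA409",
    "suezey .com": "2050336/2050338 ZPHP",
}
# Rules this release disables; kept so a hit is still reported but marked inactive.
DISABLED_INDICATORS = {
    "kekwltd .ru": "2047679/2047680 Python Stealer/Clipper (disabled in v10511)",
}


def refang(name):
    """Turn 'nav .offlinedocument .site' into 'nav.offlinedocument.site' (lowercase, no trailing dot)."""
    return name.replace(" .", ".").lower().rstrip(".")


# Refanged lookup table: domain -> (label, rule currently enabled)
INDICATORS = {refang(d): (lbl, True) for d, lbl in OPEN_INDICATORS.items()}
INDICATORS.update({refang(d): (lbl, False) for d, lbl in DISABLED_INDICATORS.items()})


def indicator_for(hostname):
    """Return (domain, label, enabled) if hostname is an indicator or a subdomain of one, else None.

    Requiring an exact match or a '.' boundary (assumed here to mirror the intent of the
    DNS/SNI rules) is what stops notbenefitinfo.live from matching benefitinfo.live.
    """
    h = refang(hostname)  # tolerate trailing-dot FQDNs and already-defanged input
    for dom, (label, enabled) in INDICATORS.items():
        if h == dom or h.endswith("." + dom):
            return dom, label, enabled
    return None


def scan_eve(lines):
    """Scan eve.json records (one JSON object per line) for DNS queries and TLS SNI values
    that match the indicators. Returns one dict per hit, in log order."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # skip truncated or non-JSON lines rather than abort the hunt
        kind = ev.get("event_type")
        if kind == "dns":
            name, field = ev.get("dns", {}).get("rrname"), "dns.rrname"
        elif kind == "tls":
            name, field = ev.get("tls", {}).get("sni"), "tls.sni"
        else:
            continue  # http, flow, alert ...: not covered by this release's domain rules
        if not name:
            continue
        found = indicator_for(name)
        if found:
            dom, label, enabled = found
            hits.append({"timestamp": ev.get("timestamp"), "src_ip": ev.get("src_ip"),
                         "field": field, "observed": name, "indicator": dom,
                         "label": label, "rule_enabled": enabled})
    return hits


# Constructed sample eve.json lines (not real traffic); field layout follows Suricata's eve format.
SAMPLE_EVE = [
    '{"timestamp":"2024-01-22T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"benddiscoleideasbridrew.site","rrtype":"A"}}',
    '{"timestamp":"2024-01-22T10:00:02.000000+0000","event_type":"tls","src_ip":"10.0.0.5","tls":{"sni":"cdn.nav.offlinedocument.site","version":"TLS 1.2"}}',
    '{"timestamp":"2024-01-22T10:00:03.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dns":{"type":"query","rrname":"notbenefitinfo.live","rrtype":"A"}}',
    '{"timestamp":"2024-01-22T10:00:04.000000+0000","event_type":"dns","src_ip":"10.0.0.9","dns":{"type":"query","rrname":"kekwltd.ru.","rrtype":"A"}}',
    '{"timestamp":"2024-01-22T10:00:05.000000+0000","event_type":"http","src_ip":"10.0.0.9","http":{"hostname":"suezey.com"}}',
    'this line is not json',
]

if __name__ == "__main__":
    for h in scan_eve(SAMPLE_EVE):
        state = "active" if h["rule_enabled"] else "rule disabled"
        print(f'{h["timestamp"]} {h["src_ip"]} {h["field"]}={h["observed"]} -> {h["label"]} [{state}]')
```

Run it against a real eve.json by replacing SAMPLE_EVE with the file's lines; the three sample hits are the Lumma DNS query, the ScarCruft subdomain in SNI, and the now-disabled kekwltd .ru lookup, while the plain-HTTP suezey .com request is not reported because no rule in this release inspects the HTTP Host header.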