Ruleset Update Summary - 2024/01/22 - v10511

rulesbot · January 22, 2024, 10:15pm

Summary:

86 new OPEN, 88 new PRO (86 + 2)

Thanks @rmceoin, @malwarebytes

Added rules:

Open:

2050254 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (benddiscoleideasbridrew .site) (malware.rules)
2050255 - ET MALWARE Observed Lumma Stealer Related Domain (benddiscoleideasbridrew .site in TLS SNI) (malware.rules)
2050256 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lastbishopmultiplyeow .site) (malware.rules)
2050257 - ET MALWARE Observed Lumma Stealer Related Domain (lastbishopmultiplyeow .site in TLS SNI) (malware.rules)
2050258 - ET INFO Observed DNS Over HTTPS Domain (agh-yz .russel053 .com in TLS SNI) (info.rules)
2050259 - ET INFO Observed DNS Over HTTPS Domain (dns .lgprk .com in TLS SNI) (info.rules)
2050260 - ET INFO Observed DNS Over HTTPS Domain (dns1 .pietjacobs .be in TLS SNI) (info.rules)
2050261 - ET INFO Observed DNS Over HTTPS Domain (dns .mikrotikrumahan .my .id in TLS SNI) (info.rules)
2050262 - ET INFO Observed DNS Over HTTPS Domain (5g .o0o .re in TLS SNI) (info.rules)
2050263 - ET INFO Observed DNS Over HTTPS Domain (query .mobyds .com in TLS SNI) (info.rules)
2050264 - ET INFO Observed DNS Over HTTPS Domain (dns .sac .rebl .eu .org in TLS SNI) (info.rules)
2050265 - ET INFO Observed DNS Over HTTPS Domain (dns .lvolland .fr in TLS SNI) (info.rules)
2050266 - ET INFO Observed DNS Over HTTPS Domain (ns .ral9005 .org in TLS SNI) (info.rules)
2050267 - ET INFO Observed DNS Over HTTPS Domain (ns .mtsoln .com in TLS SNI) (info.rules)
2050268 - ET INFO Observed DNS Over HTTPS Domain (adblock .leenit .kr in TLS SNI) (info.rules)
2050269 - ET INFO Observed DNS Over HTTPS Domain (home .wriedts .de in TLS SNI) (info.rules)
2050270 - ET INFO Observed DNS Over HTTPS Domain (dns1 .lothuscorp .com .br in TLS SNI) (info.rules)
2050271 - ET INFO Observed DNS Over HTTPS Domain (adguard .marto .si in TLS SNI) (info.rules)
2050272 - ET INFO Observed DNS Over HTTPS Domain (id .local .v .ua in TLS SNI) (info.rules)
2050273 - ET INFO Observed DNS Over HTTPS Domain (adguard .londonwebnerd .cloud in TLS SNI) (info.rules)
2050274 - ET INFO Observed DNS Over HTTPS Domain (netcup .mismat .ch in TLS SNI) (info.rules)
2050275 - ET INFO Observed DNS Over HTTPS Domain (adguard .mattiafenzi .uk in TLS SNI) (info.rules)
2050276 - ET INFO Observed DNS Over HTTPS Domain (locaweb .moleniuk .com in TLS SNI) (info.rules)
2050277 - ET INFO Observed DNS Over HTTPS Domain (emby .rasp .tv in TLS SNI) (info.rules)
2050278 - ET MALWARE Atomic Stealer Related Activity (POST) (malware.rules)
2050279 - ET MALWARE [ANY.RUN] ZharkBOT HTTP CnC Checkin (malware.rules)
2050280 - ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt M2 (CVE-2023-46805, CVE-2024-21887) (web_specific_apps.rules)
2050281 - ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com) (info.rules)
2050282 - ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI (info.rules)
2050283 - ET MALWARE Brosql Stealer Screenshot Exfil (malware.rules)
2050284 - ET MALWARE Brosql Stealer Browser Login Exfil (malware.rules)
2050285 - ET MALWARE Brosql Stealer Browser Cookie Exfil (malware.rules)
2050286 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (flyspecialline .com) (exploit_kit.rules)
2050287 - ET EXPLOIT_KIT Balada Domain in TLS SNI (flyspecialline .com) (exploit_kit.rules)
2050288 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (app .documentoffice .club) (malware.rules)
2050289 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (benefitinfo .live) (malware.rules)
2050290 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (benefitinfo .pro) (malware.rules)
2050291 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (benefiturl .pro) (malware.rules)
2050292 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (careagency .online) (malware.rules)
2050293 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (cra-receivenow .online) (malware.rules)
2050294 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (crareceive .site) (malware.rules)
2050295 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (depositurl .co) (malware.rules)
2050296 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (depositurl .lat) (malware.rules)
2050297 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (direct .traderfree .online) (malware.rules)
2050298 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (forex .traderfree .online) (malware.rules)
2050299 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (groceryrebate .online) (malware.rules)
2050300 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (groceryrebate .site) (malware.rules)
2050301 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (gstcreceive .online) (malware.rules)
2050302 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (instantreceive .org) (malware.rules)
2050303 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (nav .offlinedocument .site) (malware.rules)
2050304 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (receive .bio) (malware.rules)
2050305 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (receiveinstant .online) (malware.rules)
2050306 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (rentsubsidy .help) (malware.rules)
2050307 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (rentsubsidy .online) (malware.rules)
2050308 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (tinyurlinstant .co) (malware.rules)
2050309 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (urldepost .co) (malware.rules)
2050310 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (verifyca .online) (malware.rules)
2050311 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (visiononline .store) (malware.rules)
2050312 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (app .documentoffice .club) (malware.rules)
2050313 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (benefitinfo .live) (malware.rules)
2050314 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (benefitinfo .pro) (malware.rules)
2050315 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (benefiturl .pro) (malware.rules)
2050316 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (careagency .online) (malware.rules)
2050317 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (cra-receivenow .online) (malware.rules)
2050318 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (crareceive .site) (malware.rules)
2050319 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (depositurl .co) (malware.rules)
2050320 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (depositurl .lat) (malware.rules)
2050321 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (direct .traderfree .online) (malware.rules)
2050322 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (forex .traderfree .online) (malware.rules)
2050323 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (groceryrebate .online) (malware.rules)
2050324 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (groceryrebate .site) (malware.rules)
2050325 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (gstcreceive .online) (malware.rules)
2050326 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (instantreceive .org) (malware.rules)
2050327 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (nav .offlinedocument .site) (malware.rules)
2050328 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (receive .bio) (malware.rules)
2050329 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (receiveinstant .online) (malware.rules)
2050330 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (rentsubsidy .help) (malware.rules)
2050331 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (rentsubsidy .online) (malware.rules)
2050332 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (tinyurlinstant .co) (malware.rules)
2050333 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (urldepost .co) (malware.rules)
2050334 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (verifyca .online) (malware.rules)
2050335 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (visiononline .store) (malware.rules)
2050336 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (suezey .com) (exploit_kit.rules)
2050337 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (appboltonik .com) (exploit_kit.rules)
2050338 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (suezey .com) (exploit_kit.rules)
2050339 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (appboltonik .com) (exploit_kit.rules)

Pro:

2856214 - ETPRO MALWARE Generic Windows Loader Activity (GET) (malware.rules)
2856216 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

2047679 - ET MALWARE Python Stealer/Clipper Related Domain in DNS Lookup (kekwltd .ru) (malware.rules)
2047680 - ET MALWARE Observed Python Stealer/Clipper Related Domain (kekwltd .ru in TLS SNI) (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/01/25 - v10514 Ruleset Updates	250	January 25, 2024
Ruleset Update Summary - 2024/03/08 - v10548 Ruleset Updates	199	March 8, 2024
Ruleset Update Summary - 2024/03/11 - v10549 Ruleset Updates	489	March 11, 2024
Ruleset Update Summary - 2024/02/20 - v10536 Ruleset Updates	371	February 20, 2024
Ruleset Update Summary - 2024/02/14 - v10532 Ruleset Updates	229	February 14, 2024

Ruleset Update Summary - 2024/01/22 - v10511

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related Topics