Ruleset Update Summary - 2024/01/29 - v10518

Summary:

42 new OPEN, 48 new PRO (42 open + 6 PRO-only)


Added rules:

Open:

  • 2050518 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (mealroomrallpassiveer .shop) (malware.rules)
  • 2050519 - ET MALWARE Observed Lumma Stealer Related Domain (mealroomrallpassiveer .shop in TLS SNI) (malware.rules)
  • 2050520 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (tonguehypnothesislan .shop) (malware.rules)
  • 2050521 - ET MALWARE Observed Lumma Stealer Related Domain (tonguehypnothesislan .shop in TLS SNI) (malware.rules)
  • 2050522 - ET INFO Observed DNS Over HTTPS Domain (adguard .eoghan-net .com in TLS SNI) (info.rules)
  • 2050523 - ET INFO Observed DNS Over HTTPS Domain (agh .fltn .us in TLS SNI) (info.rules)
  • 2050524 - ET INFO Observed DNS Over HTTPS Domain (dns01 .enginyring .com in TLS SNI) (info.rules)
  • 2050525 - ET INFO Observed DNS Over HTTPS Domain (doh .fatucloud .gosprout .org in TLS SNI) (info.rules)
  • 2050526 - ET INFO Observed DNS Over HTTPS Domain (dns .huizegunsing .nl in TLS SNI) (info.rules)
  • 2050527 - ET INFO Observed DNS Over HTTPS Domain (dns .freddys .my .id in TLS SNI) (info.rules)
  • 2050528 - ET INFO Observed DNS Over HTTPS Domain (jp1 .f7b6h9 .tk in TLS SNI) (info.rules)
  • 2050529 - ET INFO Observed DNS Over HTTPS Domain (dns .timboeh .me in TLS SNI) (info.rules)
  • 2050530 - ET INFO Observed DNS Over HTTPS Domain (dns .furrydns .de in TLS SNI) (info.rules)
  • 2050531 - ET INFO Observed DNS Over HTTPS Domain (ag .hostme .co .il in TLS SNI) (info.rules)
  • 2050532 - ET INFO Observed DNS Over HTTPS Domain (dns .hugo0 .moe in TLS SNI) (info.rules)
  • 2050533 - ET INFO Observed DNS Over HTTPS Domain (urology .wiki in TLS SNI) (info.rules)
  • 2050534 - ET INFO Observed DNS Over HTTPS Domain (adguard .darrenhizon .com in TLS SNI) (info.rules)
  • 2050535 - ET INFO Observed DNS Over HTTPS Domain (qual .cuprum .ru in TLS SNI) (info.rules)
  • 2050536 - ET INFO Observed DNS Over HTTPS Domain (faradns .net in TLS SNI) (info.rules)
  • 2050537 - ET INFO Observed DNS Over HTTPS Domain (dns .frguthrie .app in TLS SNI) (info.rules)
  • 2050538 - ET INFO Observed DNS Over HTTPS Domain (adguard .lista .my .id in TLS SNI) (info.rules)
  • 2050539 - ET INFO Observed DNS Over HTTPS Domain (dot .dns-ga .de in TLS SNI) (info.rules)
  • 2050540 - ET INFO Observed DNS Over HTTPS Domain (dns .lista .my .id in TLS SNI) (info.rules)
  • 2050541 - ET INFO Observed DNS Over HTTPS Domain (home .enjoymylife .net in TLS SNI) (info.rules)
  • 2050542 - ET ADWARE_PUP NBP Mac PUP User-Agent Observed (adware_pup.rules)
  • 2050543 - ET EXPLOIT Atlassian Confluence RCE Attempt Observed (CVE-2023-22527) M2 (exploit.rules)
  • 2050544 - ET MALWARE Allakore RAT CnC Domain in DNS Lookup (hhplaytom .com) (malware.rules)
  • 2050545 - ET MALWARE Allakore RAT CnC Domain in DNS Lookup (uperrunplay .com) (malware.rules)
  • 2050546 - ET MALWARE Allakore RAT CnC Domain in DNS Lookup (zulabra .com) (malware.rules)
  • 2050547 - ET MALWARE Allakore RAT CnC Domain in DNS Lookup (uplayground .online) (malware.rules)
  • 2050548 - ET MALWARE Allakore RAT CnC Domain in DNS Lookup (flapawer .com) (malware.rules)
  • 2050549 - ET MALWARE Allakore RAT CnC Domain in DNS Lookup (chaucheneguer .com) (malware.rules)
  • 2050550 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ripnoticebook .com) (exploit_kit.rules)
  • 2050551 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (andiandnoah .com) (exploit_kit.rules)
  • 2050552 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ghostcitygames .com) (exploit_kit.rules)
  • 2050553 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ripnoticebook .com) (exploit_kit.rules)
  • 2050554 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (andiandnoah .com) (exploit_kit.rules)
  • 2050555 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ghostcitygames .com) (exploit_kit.rules)
  • 2050556 - ET MALWARE SocGholish Domain in DNS Lookup (miner .eastestsite .com) (malware.rules)
  • 2050557 - ET MALWARE SocGholish Domain in TLS SNI (miner .eastestsite .com) (malware.rules)
  • 2050558 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .honors .howamerica .com) (malware.rules)
  • 2050559 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .honors .howamerica .com) (malware.rules)

Pro:

  • 2856264 - ETPRO MALWARE DNS Query to WikiLoader Domain (malware.rules)
  • 2856265 - ETPRO MALWARE Observed WikiLoader Domain in TLS SNI (malware.rules)
  • 2856266 - ETPRO MALWARE WikiLoader Host Details Exfil (malware.rules)
  • 2856267 - ETPRO MALWARE Win32/MetaStealer Related Activity (POST) M6 (malware.rules)
  • 2856268 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856269 - ETPRO EXPLOIT_KIT RogueRaticate Fake Update Landing Page (exploit_kit.rules)

Disabled and modified rules:

  • 2014508 - ET INFO DNS Query to a *.slyip.net Dynamic DNS Domain (info.rules)
  • 2014509 - ET INFO DYNAMIC_DNS HTTP Request to a *.slyip.net Domain (info.rules)
  • 2016748 - ET MALWARE RansomCrypt Intial Check-in (malware.rules)
  • 2016794 - ET MALWARE Possible Linux/Cdorked.A Incoming Command (malware.rules)
  • 2016816 - ET MALWARE Variant.Zusy.45802 Checkin (malware.rules)
  • 2016820 - ET MALWARE DEEP PANDA Checkin 2 (malware.rules)
  • 2048904 - ET INFO Observed DNS Over HTTPS Domain (doh .killtw .im in TLS SNI) (info.rules)
  • 2048908 - ET INFO Observed DNS Over HTTPS Domain (adguard .shuting .idv .tw in TLS SNI) (info.rules)
  • 2048909 - ET INFO Observed DNS Over HTTPS Domain (free .shecan .ir in TLS SNI) (info.rules)
  • 2048910 - ET INFO Observed DNS Over HTTPS Domain (dns .meeo .win in TLS SNI) (info.rules)
  • 2048912 - ET INFO Observed DNS Over HTTPS Domain (doh .datacore .ch in TLS SNI) (info.rules)
  • 2048913 - ET INFO Observed DNS Over HTTPS Domain (dns .shecan .ir in TLS SNI) (info.rules)
  • 2048916 - ET INFO Observed DNS Over HTTPS Domain (pro .shecan .ir in TLS SNI) (info.rules)
  • 2048918 - ET INFO Observed DNS Over HTTPS Domain (ihctw .synology .me in TLS SNI) (info.rules)
  • 2806190 - ETPRO MALWARE Cridex dll download - SET (malware.rules)
  • 2806191 - ETPRO MALWARE Cridex dll download (malware.rules)
  • 2806235 - ETPRO MALWARE Trojan-Ransom.Win32.Blocker.avsx Checkin (malware.rules)
  • 2806312 - ETPRO MALWARE Win32/Spy.Bancos.OUH Checkin (malware.rules)
  • 2806324 - ETPRO ADWARE_PUP Trojan-Downloader.Win32.Agent.gzfw Checkin (adware_pup.rules)
  • 2806342 - ETPRO MALWARE Win32.ShipUp.boz Download (malware.rules)
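Teams that track these summaries usually want two things out of them automatically: the per-section SID counts (to reconcile against the "Summary:" line) and a refanged list of the new domain indicators for matching against DNS query logs or TLS SNI telemetry. The parser below is an added example, not part of the ET summary or of Proofpoint's tooling; it assumes only the line format used above (bullet, SID, ET/ETPRO tier, category, message, rules file) and the "label .tld" defanging convention, with the leading "* ." on the SocGholish entries kept as a wildcard prefix. The sample input is constructed from a handful of the lines above.

```python
"""Parse an Emerging Threats ruleset update summary into structured records.

Added example (not the ET project's or Proofpoint's code). The format and the
space-before-dot defanging convention are taken from the summary above; the
SAMPLE text below is a constructed subset of its lines.
"""
import re
from collections import Counter

# Constructed sample in the same format as the summary above.
SAMPLE = """\
Added rules:

Open:

  • 2050518 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (mealroomrallpassiveer .shop) (malware.rules)
  • 2050522 - ET INFO Observed DNS Over HTTPS Domain (adguard .eoghan-net .com in TLS SNI) (info.rules)
  • 2050558 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .honors .howamerica .com) (malware.rules)
  • 2050543 - ET EXPLOIT Atlassian Confluence RCE Attempt Observed (CVE-2023-22527) M2 (exploit.rules)

Pro:

  • 2856264 - ETPRO MALWARE DNS Query to WikiLoader Domain (malware.rules)

Disabled and modified rules:

  • 2014508 - ET INFO DNS Query to a *.slyip.net Dynamic DNS Domain (info.rules)
"""

# One rule line: "  • <sid> - <ET|ETPRO> <CATEGORY> <message> (<file>.rules)"
RULE_LINE = re.compile(
    r"^\s*•\s*(?P<sid>\d+)\s*-\s*(?P<tier>ET(?:PRO)?)\s+(?P<category>[A-Z_]+)\s+"
    r"(?P<msg>.*?)\s+\((?P<file>\S+\.rules)\)\s*$"
)
# A defanged domain: labels separated by " ." (space before each dot), with an
# optional leading "* ." wildcard label as used on the SocGholish CnC entries.
DEFANGED = re.compile(r"(?:\*\s\.)?[A-Za-z0-9-]+(?:\s\.[A-Za-z0-9-]+)+")


def parse_summary(text):
    """Return one dict per rule line, tagged with the section it appears under."""
    section = None
    records = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("Open:", "Pro:"):
            section = "added_" + stripped[:-1].lower()
            continue
        if stripped.startswith("Disabled and modified rules"):
            section = "disabled_or_modified"
            continue
        m = RULE_LINE.match(line)
        if m and section:
            rec = m.groupdict()
            rec["sid"] = int(rec["sid"])
            rec["section"] = section
            records.append(rec)
    return records


def refang(defanged):
    """Turn 'adguard .eoghan-net .com' into 'adguard.eoghan-net.com'."""
    return defanged.replace(" .", ".")


def added_domains(records):
    """Refanged domains from newly added rules only.

    Disabled/modified rules are skipped on purpose so that retired indicators
    do not end up in a hunt list built from the summary.
    """
    found = set()
    for rec in records:
        if not rec["section"].startswith("added_"):
            continue
        for m in DEFANGED.finditer(rec["msg"]):
            found.add(refang(m.group(0)))
    return sorted(found)


def section_counts(records):
    """Per-section counts, to reconcile against the 'Summary:' line."""
    return Counter(rec["section"] for rec in records)


if __name__ == "__main__":
    recs = parse_summary(SAMPLE)
    print(dict(section_counts(recs)))
    for domain in added_domains(recs):
        print(domain)
```

Feeding the full summary above through `parse_summary` should give 42 records under `added_open` and 6 under `added_pro`, matching the "Summary:" line; if the counts disagree, a line has been garbled and the regex rejected it. Note that the ET INFO DoH entries are informational, so the domains they contribute belong in a "DoH resolver seen" watch list rather than a blocklist.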