Ruleset Update Summary - 2024/01/30 - v10519

Summary:

47 new OPEN, 48 new PRO (47 + 1)

Added rules:

Open:

  • 2050560 - ET PHISHING [TW] Possible Crypto Wallet Drainer JS M1 (phishing.rules)
  • 2050561 - ET PHISHING [TW] Possible Crypto Wallet Drainer JS M2 (phishing.rules)
  • 2050562 - ET PHISHING [TW] Possible Crypto Wallet Drainer Domain Observed (phishing.rules)
  • 2050563 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (culturesketchfinanciall .shop) (malware.rules)
  • 2050564 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (secretionsuitcasenioise .shop) (malware.rules)
  • 2050565 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (claimconcessionrebe .shop) (malware.rules)
  • 2050566 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (liabilityarrangemenyit .shop) (malware.rules)
  • 2050567 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (gemcreedarticulateod .shop) (malware.rules)
  • 2050568 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (modestessayevenmilwek .shop) (malware.rules)
  • 2050569 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (sofahuntingslidedine .shop) (malware.rules)
  • 2050570 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (triangleseasonbenchwj .shop) (malware.rules)
  • 2050571 - ET MALWARE Observed Lumma Stealer Related Domain (triangleseasonbenchwj .shop in TLS SNI) (malware.rules)
  • 2050572 - ET MALWARE Observed Lumma Stealer Related Domain (claimconcessionrebe .shop in TLS SNI) (malware.rules)
  • 2050573 - ET MALWARE Observed Lumma Stealer Related Domain (culturesketchfinanciall .shop in TLS SNI) (malware.rules)
  • 2050574 - ET MALWARE Observed Lumma Stealer Related Domain (gemcreedarticulateod .shop in TLS SNI) (malware.rules)
  • 2050575 - ET MALWARE Observed Lumma Stealer Related Domain (sofahuntingslidedine .shop in TLS SNI) (malware.rules)
  • 2050576 - ET MALWARE Observed Lumma Stealer Related Domain (modestessayevenmilwek .shop in TLS SNI) (malware.rules)
  • 2050577 - ET MALWARE Observed Lumma Stealer Related Domain (secretionsuitcasenioise .shop in TLS SNI) (malware.rules)
  • 2050578 - ET MALWARE Observed Lumma Stealer Related Domain (liabilityarrangemenyit .shop in TLS SNI) (malware.rules)
  • 2050579 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (nationalistvetecanve .shop) (malware.rules)
  • 2050580 - ET MALWARE Observed Lumma Stealer Related Domain (nationalistvetecanve .shop in TLS SNI) (malware.rules)
  • 2050581 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cakecoldsplurgrewe .pw) (malware.rules)
  • 2050582 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bombertublestylebanws .fun) (malware.rules)
  • 2050583 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (diagramfiremonkeyowwa .fun) (malware.rules)
  • 2050584 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (dayfarrichjwclik .fun) (malware.rules)
  • 2050585 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (ratefacilityframw .fun) (malware.rules)
  • 2050586 - ET MALWARE Observed Lumma Stealer Related Domain (cakecoldsplurgrewe .pw in TLS SNI) (malware.rules)
  • 2050587 - ET MALWARE Observed Lumma Stealer Related Domain (bombertublestylebanws .fun in TLS SNI) (malware.rules)
  • 2050588 - ET MALWARE Observed Lumma Stealer Related Domain (diagramfiremonkeyowwa .fun in TLS SNI) (malware.rules)
  • 2050589 - ET MALWARE Observed Lumma Stealer Related Domain (dayfarrichjwclik .fun in TLS SNI) (malware.rules)
  • 2050590 - ET MALWARE Observed Lumma Stealer Related Domain (ratefacilityframw .fun in TLS SNI) (malware.rules)
  • 2050591 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (healthrankunderow .fun) (malware.rules)
  • 2050592 - ET MALWARE Observed Lumma Stealer Related Domain (healthrankunderow .fun in TLS SNI) (malware.rules)
  • 2050593 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cakecoldsplurgrewe .pw) (malware.rules)
  • 2050594 - ET MALWARE Observed Lumma Stealer Related Domain (cakecoldsplurgrewe .pw in TLS SNI) (malware.rules)
  • 2050595 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (offerimagefancine .shop) (malware.rules)
  • 2050596 - ET MALWARE Observed Lumma Stealer Related Domain (offerimagefancine .shop in TLS SNI) (malware.rules)
  • 2050597 - ET MALWARE [ANY.RUN] BACKDOOR [ANY.RUN] ToneShell FakeTLS Check-In (APT Mustang Panda / Earth Preta) M1 (malware.rules)
  • 2050598 - ET MALWARE [ANY.RUN] BACKDOOR [ANY.RUN] ToneShell FakeTLS Check-In (APT Mustang Panda / Earth Preta) M2 (malware.rules)
  • 2050599 - ET MALWARE [ANY.RUN] ToneShell FakeTLS Response (APT Mustang Panda / Earth Preta) M1 (malware.rules)
  • 2050600 - ET MALWARE [ANY.RUN] ToneShell FakeTLS Response (APT Mustang Panda / Earth Preta) M2 (malware.rules)
  • 2050601 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request (malware.rules)
  • 2050602 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration (malware.rules)
  • 2050603 - ET MALWARE Allakore RAT CnC Checkin M2 (malware.rules)
  • 2050604 - ET WEB_SPECIFIC_APPS Ivanti Avalanche Directory Traversal Attempt (CVE-2023-41474) (web_specific_apps.rules)
  • 2050605 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (followcache .com) (exploit_kit.rules)
  • 2050606 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (followcache .com) (exploit_kit.rules)

Pro:

  • 2856270 - ETPRO MALWARE TA422 Payload Inbound (malware.rules)

Disabled and modified rules:

  • 2016837 - ET MALWARE Alina Checkin (malware.rules)
  • 2017371 - ET MALWARE Win32/Neurevt.A/Betabot checkin (malware.rules)
  • 2807918 - ETPRO MALWARE Trojan-Ransom.Win32.Blocker.avsx Checkin Response (malware.rules)
  • 2807919 - ETPRO MALWARE Trojan-Ransom.Win32.Blocker.avsx Checkin Response 2 (malware.rules)