Ruleset Update Summary - 2024/01/31 - v10520

Summary:

51 new OPEN, 52 new PRO (51 + 1)

Thanks @Synacktiv, @zscaler, @Mandiant


Added rules:

Open:

  • 2050607 - ET INFO Observed DNS Over HTTPS Domain (filter .das .sch .id in TLS SNI) (info.rules)
  • 2050608 - ET INFO Observed DNS Over HTTPS Domain (tienpham .id .vn in TLS SNI) (info.rules)
  • 2050609 - ET INFO Observed DNS Over HTTPS Domain (dns .tryk .app in TLS SNI) (info.rules)
  • 2050610 - ET INFO Observed DNS Over HTTPS Domain in TLS SNI (info.rules)
  • 2050611 - ET INFO Observed DNS Over HTTPS Domain (dns-fr-psv1 .cloudsides .com in TLS SNI) (info.rules)
  • 2050612 - ET INFO Observed DNS Over HTTPS Domain (los .conana .info in TLS SNI) (info.rules)
  • 2050613 - ET INFO Observed DNS Over HTTPS Domain (block .coconut .id in TLS SNI) (info.rules)
  • 2050614 - ET INFO Observed DNS Over HTTPS Domain (fezgate .ovh in TLS SNI) (info.rules)
  • 2050615 - ET INFO Observed DNS Over HTTPS Domain (quic .lol in TLS SNI) (info.rules)
  • 2050616 - ET INFO Observed DNS Over HTTPS Domain (uradoori .org in TLS SNI) (info.rules)
  • 2050617 - ET INFO Observed DNS Over HTTPS Domain (jp .conana .info in TLS SNI) (info.rules)
  • 2050618 - ET INFO Observed DNS Over HTTPS Domain (adguard .gewete .cloud in TLS SNI) (info.rules)
  • 2050619 - ET INFO Observed DNS Over HTTPS Domain (www .chungocoai .name .vn in TLS SNI) (info.rules)
  • 2050620 - ET INFO Observed DNS Over HTTPS Domain (takhtakh .domyah .net in TLS SNI) (info.rules)
  • 2050621 - ET INFO Observed DNS Over HTTPS Domain (dns .haboy .top in TLS SNI) (info.rules)
  • 2050622 - ET INFO Observed DNS Over HTTPS Domain (dns .skrep .in in TLS SNI) (info.rules)
  • 2050623 - ET INFO Observed DNS Over HTTPS Domain (naganohara-yoimiya .momokko .moe in TLS SNI) (info.rules)
  • 2050624 - ET INFO Observed DNS Over HTTPS Domain (socolov .home .ro in TLS SNI) (info.rules)
  • 2050625 - ET INFO Observed DNS Over HTTPS Domain (shield1 .eranext .net in TLS SNI) (info.rules)
  • 2050626 - ET INFO Observed DNS Over HTTPS Domain (ikarosalpha .xyz in TLS SNI) (info.rules)
  • 2050627 - ET INFO Observed DNS Over HTTPS Domain (dns .354688 .xyz in TLS SNI) (info.rules)
  • 2050628 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fantasticabnormally .shop) (malware.rules)
  • 2050629 - ET MALWARE Observed Lumma Stealer Related Domain (fantasticabnormally .shop in TLS SNI) (malware.rules)
  • 2050630 - ET MALWARE DNS Query to Malicious Domain (pdfmicrosoft .ddns .net) (malware.rules)
  • 2050631 - ET MALWARE Observed Malicious Domain (pdfmicrosoft .ddns .net in TLS SNI) (malware.rules)
  • 2050632 - ET INFO Observed File Hosting Service Domain (zohopublic .eu) in DNS Lookup (info.rules)
  • 2050633 - ET INFO Observed File Hosting Service Domain (zohopublic .eu) in TLS SNI (info.rules)
  • 2050634 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (farstream .org) (malware.rules)
  • 2050635 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (sysupdates .org) (malware.rules)
  • 2050636 - ET MALWARE Observed KrustyLoader Domain (farstream .org) in TLS SNI (malware.rules)
  • 2050637 - ET MALWARE Observed KrustyLoader Domain (sysupdates .org) in TLS SNI (malware.rules)
  • 2050638 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (be-at-home .s3 .ap-northeast-2 .amazonaws .com) (malware.rules)
  • 2050639 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (bbr-promo .s3 .amazonaws .com) (malware.rules)
  • 2050640 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (bigtimeassets .s3 .amazonaws .com) (malware.rules)
  • 2050641 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (acapros-app .s3-us-west-2 .amazonaws .com) (malware.rules)
  • 2050642 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (beansdeals-static .s3 .amazonaws .com) (malware.rules)
  • 2050643 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (bringthenoiseappnew .s3 .amazonaws .com) (malware.rules)
  • 2050644 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (2261992 .s3 .amazonaws .com) (malware.rules)
  • 2050645 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (ahha-asset .s3 .ap-northeast-2 .amazonaws .com) (malware.rules)
  • 2050646 - ET MALWARE KrustyLoader CnC Domain in DNS Lookup (breaknlinks .s3 .amazonaws .com) (malware.rules)
  • 2050647 - ET MALWARE HTTP POST with Suspicious User-Agent Observed - Possible ZLoader Activity M1 (malware.rules)
  • 2050648 - ET MALWARE HTTP POST with Suspicious User-Agent Observed - Possible ZLoader Activity M2 (malware.rules)
  • 2050649 - ET MALWARE LIGHTWIRE Web Shell Activity Observed (malware.rules)
  • 2050650 - ET MALWARE CHAINLINE Web Shell Activity Observed (malware.rules)
  • 2050651 - ET MALWARE FRAMEREST Web Shell Activity Observed (malware.rules)
  • 2050652 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (statisticsong .com) (exploit_kit.rules)
  • 2050653 - ET EXPLOIT_KIT Balada Domain in TLS SNI (statisticsong .com) (exploit_kit.rules)
  • 2050654 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (gigeconomycase .com) (exploit_kit.rules)
  • 2050655 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (pngairservices .com) (exploit_kit.rules)
  • 2050656 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (gigeconomycase .com) (exploit_kit.rules)
  • 2050657 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (pngairservices .com) (exploit_kit.rules)

Pro:

  • 2856275 - ETPRO INFO StellaBrowser User-Agent (info.rules)

Modified inactive rules:

  • 2050597 - ET MALWARE [ANY.RUN] ToneShell FakeTLS Check-In (APT Mustang Panda / Earth Preta) M1 (malware.rules)

Disabled and modified rules:

  • 2049268 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (gpksanfrancisco .com) (exploit_kit.rules)
  • 2049269 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (forumsecrets .com) (exploit_kit.rules)
  • 2049270 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (gpksanfrancisco .com) (exploit_kit.rules)
  • 2049271 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (forumsecrets .com) (exploit_kit.rules)
  • 2049289 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (midatlanticlabel .com) (exploit_kit.rules)
  • 2049290 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (midatlanticlabel .com) (exploit_kit.rules)
  • 2049291 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (thebestthings1337 .online) (exploit_kit.rules)
  • 2049292 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (thebestthings1337 .online) (exploit_kit.rules)
  • 2049310 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (jagernaut .com) (exploit_kit.rules)
  • 2049311 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (jagernaut .com) (exploit_kit.rules)
  • 2049312 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (excellentpatterns .com) (exploit_kit.rules)
  • 2049313 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (excellentpatterns .com) (exploit_kit.rules)
  • 2049381 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (nelubelei .com) (exploit_kit.rules)
  • 2049382 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (informativosatelital .com) (exploit_kit.rules)
  • 2049383 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (nelubelei .com) (exploit_kit.rules)
  • 2049384 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (informativosatelital .com) (exploit_kit.rules)
  • 2049414 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (paradoxmarine .com) (exploit_kit.rules)
  • 2049415 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (paradoxmarine .com) (exploit_kit.rules)
  • 2855353 - ETPRO MALWARE Malicious Chrome Extension CnC Domain in DNS Lookup (malware.rules)
  • 2855354 - ETPRO MALWARE Observed Malicious Chrome Extension Domain in TLS SNI (malware.rules)
  • 2856100 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856155 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)