Ruleset Update Summary - 2024/02/02 - v10522

Summary:

14 new OPEN, 20 new PRO (14 + 6)


Added rules:

Open:

  • 2050685 - ET INFO Observed DNS Over HTTPS Domain (ad-dns .lista .my .id in TLS SNI) (info.rules)
  • 2050686 - ET INFO Observed DNS Over HTTPS Domain (uf-dns .lista .my .id in TLS SNI) (info.rules)
  • 2050687 - ET MOBILE_MALWARE Android FastViewer Variant Check-In (GET) (mobile_malware.rules)
  • 2050688 - ET INFO URL Shortening Service Domain in DNS Lookup (fancli .com) (info.rules)
  • 2050689 - ET INFO Observed URL Shortening Service Domain (fancli .com in TLS SNI) (info.rules)
  • 2050690 - ET INFO URL Shortening Service Domain in DNS Lookup (pimlm .com) (info.rules)
  • 2050691 - ET INFO Observed URL Shortening Service Domain (pimlm .com in TLS SNI) (info.rules)
  • 2050692 - ET MALWARE RubySleet APT TrollAgent CnC Checkin (malware.rules)
  • 2050693 - ET MALWARE RubySleet APT TrollAgent CnC Domain in DNS Lookup (ol .negapa .p-e .kr) (malware.rules)
  • 2050694 - ET MALWARE RubySleet APT TrollAgent CnC Domain in DNS Lookup (ai .kostin .p-e .kr) (malware.rules)
  • 2050695 - ET INFO URL Shortener Service Domain (qrs .ly) in DNS Lookup (info.rules)
  • 2050696 - ET INFO Observed URL Shortening Service Domain (qrs .ly) in TLS SNI (info.rules)
  • 2050697 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (trust .resourcehost .net) (exploit_kit.rules)
  • 2050698 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (trust .resourcehost .net) (exploit_kit.rules)

Pro:

  • 2856280 - ETPRO INFO Suspicious Microsoft Teams Lookalike Domain in DNS Lookup (msteams .link) (info.rules)
  • 2856281 - ETPRO INFO Suspicious Microsoft Teams Lookalike Domain (msteams .link in TLS SNI) (info.rules)
  • 2856284 - ETPRO MALWARE Hello2Malware Downloader - Request (malware.rules)
  • 2856285 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2856286 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2856287 - ETPRO MALWARE Snake Keylogger CnC Activity (malware.rules)
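
Most of the rules in this update key on a domain seen either in a DNS query name or in the TLS SNI. As an added example (not Emerging Threats' rule bodies, which are not reproduced on this page), the script below checks Suricata EVE JSON `dns`/`tls` events against the domains named in the titles above and reports the SID the page lists for that domain and event type. Two things it assumes: that these domain rules use the usual label-boundary suffix semantics (the domain itself and any subdomain match, a name that merely shares the trailing characters does not), and the EVE field layout (`dns.rrname` for queries, `tls.sni` for handshakes). The log lines are constructed for the example, not real traffic.

```python
import json

# Domains named in the rule titles above, with the SIDs the page lists for them.
# (None means the page lists no rule of that kind for the domain, e.g. the two
# DNS-over-HTTPS hosts have only a TLS-SNI rule here.)
WATCHLIST = [
    # (domain,                  DNS-lookup SID, TLS-SNI SID)
    ("ad-dns.lista.my.id",      None,           2050685),
    ("uf-dns.lista.my.id",      None,           2050686),
    ("fancli.com",              2050688,        2050689),
    ("pimlm.com",               2050690,        2050691),
    ("ol.negapa.p-e.kr",        2050693,        None),
    ("ai.kostin.p-e.kr",        2050694,        None),
    ("qrs.ly",                  2050695,        2050696),
    ("trust.resourcehost.net",  2050697,        2050698),
    ("msteams.link",            2856280,        2856281),
]


def normalize(name):
    """Lower-case and strip a trailing root dot so 'FANCLI.COM.' == 'fancli.com'."""
    return name.strip().lower().rstrip(".")


def matches_domain(observed, watched):
    """Label-boundary suffix match (assumed dotprefix/endswith semantics):
    the watched domain itself or any subdomain of it matches, but a name that
    only ends with the same characters (notfancli.com) does not."""
    observed, watched = normalize(observed), normalize(watched)
    return observed == watched or observed.endswith("." + watched)


def scan_eve(lines):
    """Walk Suricata EVE JSON lines (dns queries and tls handshakes) and return
    one hit per (event, watch-list entry) pair for which the page lists a SID."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("event_type") == "dns" and ev.get("dns", {}).get("type") == "query":
            observed, kind = ev["dns"].get("rrname", ""), "dns"
        elif ev.get("event_type") == "tls":
            observed, kind = ev.get("tls", {}).get("sni", ""), "tls"
        else:
            continue  # flow, http, alert, ... are not what these rules inspect
        for domain, dns_sid, tls_sid in WATCHLIST:
            sid = dns_sid if kind == "dns" else tls_sid
            if sid is not None and matches_domain(observed, domain):
                hits.append({"sid": sid, "kind": kind, "domain": domain, "observed": observed})
    return hits


# Constructed sample log (not real traffic): three hits, one near-miss
# (notfancli.com), one DNS lookup for a domain the page covers only with a
# TLS-SNI rule, and one flow event that is ignored.
SAMPLE_EVE = """
{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"cdn.fancli.com","rrtype":"A"}}
{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"notfancli.com","rrtype":"A"}}
{"event_type":"tls","src_ip":"10.0.0.7","tls":{"sni":"trust.resourcehost.net","version":"TLS 1.3"}}
{"event_type":"dns","src_ip":"10.0.0.9","dns":{"type":"query","rrname":"ad-dns.lista.my.id","rrtype":"A"}}
{"event_type":"tls","src_ip":"10.0.0.9","tls":{"sni":"Teams.MSTEAMS.link.","version":"TLS 1.2"}}
{"event_type":"flow","src_ip":"10.0.0.9","flow":{"pkts_toserver":3}}
"""

if __name__ == "__main__":
    for h in scan_eve(SAMPLE_EVE.splitlines()):
        print(f"sid {h['sid']}: {h['kind']} {h['observed']} -> {h['domain']}")
```

The near-miss line is the reason for the label-boundary check: a plain substring or `endswith` on the bare domain would flag `notfancli.com` against the fancli .com rule, while `dotprefix`-style matching keeps the subdomain coverage (cdn.fancli.com) without that false positive. The ad-dns .lista .my .id lookup produces nothing because this update only lists a TLS-SNI rule for it; if you want DNS coverage for that host you need a separate rule, not this one.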

Disabled and modified rules:

  • 2049061 - ET INFO Observed DNS Over HTTPS Domain (1a .ns .ozer .im in TLS SNI) (info.rules)

Removed rules:

  • 2856280 - ETPRO MALWARE Fake Microsoft Teams Domain in DNS Lookup (msteams .link) (malware.rules)
  • 2856281 - ETPRO MALWARE Observed Fake Microsoft Teams Domain (msteams .link in TLS SNI) (malware.rules)