Ruleset Update Summary - 2024/02/05 - v10524

Summary:

25 new OPEN, 26 new PRO (25 + 1)

Thanks @Unit42_Intel


Added rules:

Open:

  • 2050701 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (feturepoudbicchteo .shop) (malware.rules)
  • 2050702 - ET MALWARE Observed Lumma Stealer Related Domain (feturepoudbicchteo .shop in TLS SNI) (malware.rules)
  • 2050703 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (pavementpreferencewjiao .site) (malware.rules)
  • 2050704 - ET MALWARE Observed Lumma Stealer Related Domain (pavementpreferencewjiao .site in TLS SNI) (malware.rules)
  • 2050705 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (despairphtsograpgp .shop) (malware.rules)
  • 2050706 - ET MALWARE Observed Lumma Stealer Related Domain (despairphtsograpgp .shop in TLS SNI) (malware.rules)
  • 2050707 - ET INFO AnyDesk Revoked Code Signing Certificate Observed (info.rules)
  • 2050708 - ET MALWARE Mispadu Stealer CnC Checkin M1 (malware.rules)
  • 2050709 - ET MALWARE Mispadu Stealer CnC Checkin M2 (malware.rules)
  • 2050710 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mysticselect .com) (exploit_kit.rules)
  • 2050711 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (oemmasters .com) (exploit_kit.rules)
  • 2050712 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mysticselect .com) (exploit_kit.rules)
  • 2050713 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (oemmasters .com) (exploit_kit.rules)
  • 2050714 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (webdatacache .com) (exploit_kit.rules)
  • 2050715 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (share .clickstat360 .com) (exploit_kit.rules)
  • 2050716 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (webdatacache .com) (exploit_kit.rules)
  • 2050717 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (share .clickstat360 .com) (exploit_kit.rules)
  • 2050718 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (tnoodlezy .com) (exploit_kit.rules)
  • 2050719 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (gspiceyl .com) (exploit_kit.rules)
  • 2050720 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (snackfunp .com) (exploit_kit.rules)
  • 2050721 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (tnoodlezy .com) (exploit_kit.rules)
  • 2050722 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (gspiceyl .com) (exploit_kit.rules)
  • 2050723 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (snackfunp .com) (exploit_kit.rules)
  • 2050724 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .our .openarmscv .org) (malware.rules)
  • 2050725 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .our .openarmscv .org) (malware.rules)

Pro:

  • 2856288 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Modified inactive rules:

  • 2001907 - ET POLICY eBay Placing Item for sale (policy.rules)
  • 2007639 - ET POLICY FOX,ABC On-demand UA (policy.rules)
  • 2009896 - ET MALWARE Win32/Winwebsec User-Agent Detected (malware.rules)
  • 2010823 - ET MALWARE Torpig Related Fake User-Agent (Apache (compatible‚Ķ)) (malware.rules)
  • 2011752 - ET GAMES TrackMania Request Connect (games.rules)
  • 2050599 - ET MALWARE [ANY.RUN] ToneShell FakeTLS Response (APT Mustang Panda / Earth Preta) M1 (malware.rules)

Disabled and modified rules:

  • 2049100 - ET INFO Observed DNS Over HTTPS Domain (adg .tshost .no in TLS SNI) (info.rules)
  • 2050678 - ET MALWARE Suspected TA451 Related FalseFont Backdoor Response (malware.rules)