Ruleset Update Summary - 2024/02/06 - v10525

Ruleset Updates
1

Summary:

13 new OPEN, 38 new PRO (13 + 25)

Thanks @TheDFIRReport, @Cyber0verload

Added rules:

Open:

  • 2050726 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (samplepoisonbarryntj .shop) (malware.rules)
  • 2050727 - ET MALWARE Observed Lumma Stealer Related Domain (samplepoisonbarryntj .shop in TLS SNI) (malware.rules)
  • 2050728 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (decorousnumerousieo .shop) (malware.rules)
  • 2050729 - ET MALWARE Observed Lumma Stealer Related Domain (decorousnumerousieo .shop in TLS SNI) (malware.rules)
  • 2050730 - ET INFO DNS Query to ArvanCloud File Sharing Service Domain (arvanstorage .ir) (info.rules)
  • 2050731 - ET INFO Observed File Sharing Service Domain (arvanstorage .ir in TLS SNI) (info.rules)
  • 2050732 - ET ADWARE_PUP Muzcat Media Player User-Agent Observed (muzcat) (adware_pup.rules)
  • 2050733 - ET MALWARE DNS Query to Malware Delivery Domain (a0917004 .xsph .ru) (malware.rules)
  • 2050734 - ET MALWARE DNS Query to XWORM Domain (sponsored-ate .gl .at .ply .gg) (malware.rules)
  • 2050735 - ET MALWARE Observed Malware Delivery Domain (a0917004 .xsph .ru in TLS SNI) (malware.rules)
  • 2050736 - ET INFO Tencent Cloud Storage Domain in DNS Lookup (myqcloud .com) (info.rules)
  • 2050737 - ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI) (info.rules)
  • 2050738 - ET WEB_SPECIFIC_APPS Wordpress 3DPrint Lite Plugin Arbitrary File Upload Attempt - PHP webshell Payload (CVE-2021-4436) (web_specific_apps.rules)

Pro:

  • 2856291 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2856292 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2856293 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2856294 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2856295 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2856296 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2856297 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2856298 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2856299 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2856300 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2856301 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2856302 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2856303 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2856304 - ETPRO MALWARE DNS Query to VenomRat Domain (malware.rules)
  • 2856305 - ETPRO MALWARE Observed VenomRat Domain in TLS SNI (malware.rules)
  • 2856306 - ETPRO MALWARE Suspected Domestic Kitten APT CnC Domain in DNS Lookup (malware.rules)
  • 2856307 - ETPRO MALWARE Suspected Domestic Kitten APT Domain in TLS SNI (malware.rules)
  • 2856308 - ETPRO MALWARE Suspected Domestic Kitten APT CnC Checkin M1 (malware.rules)
  • 2856309 - ETPRO MALWARE Suspected Domestic Kitten APT CnC Checkin M2 (malware.rules)
  • 2856310 - ETPRO MALWARE Suspected Domestic Kitten APT CnC Checkin M3 (malware.rules)
  • 2856311 - ETPRO MALWARE Suspected Domestic Kitten APT CnC Checkin M4 (malware.rules)
  • 2856312 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound (208c9) (exploit_kit.rules)
  • 2856313 - ETPRO INAPPROPRIATE Evil Keitaro to Adult Websites Set-Cookie Inbound (43caa) (inappropriate.rules)
  • 2856314 - ETPRO EXPLOIT_KIT Evil Keitaro to VexTrio Set-Cookie Inbound (fe084) (exploit_kit.rules)
  • 2856315 - ETPRO EXPLOIT_KIT Evil Keitaro to VexTrio Set-Cookie Inbound (7e2ae) (exploit_kit.rules)

Modified inactive rules:

  • 2000035 - ET POLICY Hotmail Inbox Access (policy.rules)
  • 2000036 - ET POLICY Hotmail Message Access (policy.rules)
  • 2000038 - ET POLICY Hotmail Compose Message Submit (policy.rules)
  • 2001044 - ET POLICY Yahoo Briefcase Upload (policy.rules)
  • 2001114 - ET POLICY Mozilla XPI install files download (policy.rules)
  • 2001711 - ET MALWARE Likely Spambot Web-based Control Traffic (malware.rules)
  • 2001898 - ET POLICY eBay Bid Placed (policy.rules)
  • 2001908 - ET POLICY eBay View Item (policy.rules)
  • 2001909 - ET POLICY eBay Watch This Item (policy.rules)
  • 2002822 - ET POLICY Wget User Agent (policy.rules)
  • 2002824 - ET POLICY CURL User Agent (policy.rules)
  • 2002828 - ET POLICY Googlebot User Agent (policy.rules)
  • 2002830 - ET POLICY Msnbot User Agent (policy.rules)
  • 2002832 - ET POLICY Yahoo Crawler User Agent (policy.rules)
  • 2002833 - ET SCAN Yahoo Crawler Crawl (scan.rules)
  • 2002838 - ET POLICY Google Search Appliance browsing the Internet (policy.rules)
  • 2002934 - ET POLICY libwww-perl User Agent (policy.rules)
  • 2002944 - ET POLICY python.urllib User Agent (policy.rules)
  • 2002949 - ET POLICY Windows Update in Progress (policy.rules)
  • 2003168 - ET POLICY Winamp Streaming User Agent (policy.rules)
  • 2003179 - ET POLICY exe download without User Agent (policy.rules)
  • 2003214 - ET POLICY Pingdom.com Monitoring detected (policy.rules)
  • 2003238 - ET MALWARE W32.Downloader Tibs.jy Reporting to C&C (malware.rules)
  • 2003381 - ET POLICY McAfee Update User Agent (McAfee AutoUpdate) (policy.rules)
  • 2003454 - ET POLICY Yahoo 360 Social Site Access (policy.rules)
  • 2003455 - ET POLICY Hi5.com Social Site Access (policy.rules)
  • 2003515 - ET MALWARE Snatch Reporting User Activity (malware.rules)
  • 2003597 - ET POLICY Google Calendar in Use (policy.rules)
  • 2006369 - ET POLICY Rapidshare auth cookie download (policy.rules)
  • 2006779 - ET POLICY Nagios HTTP Monitoring Connection (policy.rules)
  • 2007627 - ET POLICY Hyves Login Attempt (policy.rules)
  • 2008155 - ET MALWARE Trats.a Post-Infection Checkin (malware.rules)
  • 2008395 - ET MALWARE 3alupKo/Win32.Socks.n Related Checkin URL (3) (malware.rules)
  • 2009095 - ET POLICY Newzbin Usenet Reader License Check (policy.rules)
  • 2009304 - ET POLICY Gigasize file download service access (policy.rules)
  • 2010348 - ET MALWARE - Possible Zeus/Perkesh (.bin) configuration download (malware.rules)
  • 2010441 - ET MALWARE Possible Storm Variant HTTP Post (S) (malware.rules)
  • 2010442 - ET MALWARE Possible Storm Variant HTTP Post (U) (malware.rules)
  • 2012541 - ET MALWARE Downloader.small Generic Checkin (malware.rules)
  • 2012644 - ET EXPLOIT Java Exploit Attempt Request for hostile binary (exploit.rules)
  • 2012732 - ET WEB_CLIENT Unknown .ru Exploit Redirect Page (web_client.rules)
  • 2012828 - ET MALWARE Win32/Rimecud download (malware.rules)
  • 2012850 - ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending User Information to Server (mobile_malware.rules)
  • 2012854 - ET MOBILE_MALWARE SymbOS/Merogo User Agent (mobile_malware.rules)
  • 2012861 - ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0 (mobile_malware.rules)
  • 2012868 - ET POLICY HTTP Outbound Request containing a password (policy.rules)
  • 2012869 - ET POLICY HTTP Outbound Request containing a pass field (policy.rules)
  • 2012904 - ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to Server (mobile_malware.rules)
  • 2013024 - ET EXPLOIT_KIT Exploit kit mario.jar (exploit_kit.rules)
  • 2013098 - ET EXPLOIT_KIT Driveby Exploit Kit Browser Progress Checkin - Binary Likely Previously Downloaded (exploit_kit.rules)
  • 2800344 - ETPRO EXPLOIT Openwsman HTTP Basic Authentication Buffer Overflow (exploit.rules)
  • 2800846 - ETPRO MALWARE Worm.Win32.Faketube Activity (update request) (malware.rules)
  • 2801295 - ETPRO WEB_SERVER Known Fraudulent UA inbound Likely Trojan (web_server.rules)
  • 2801344 - ETPRO EXPLOIT HP OpenView Performance Insight Server Backdoor Account Code Execution (exploit.rules)
  • 2801345 - ETPRO EXPLOIT HP OpenView Performance Insight Server Backdoor Account Code Execution (exploit.rules)
  • 2802011 - ETPRO MALWARE Trojan.Win32.Fisp.A Chinese Bootkit Checkin 2 (malware.rules)
  • 2802827 - ETPRO MALWARE Trojan.Win32.Chowspy.A Checkin 2 (malware.rules)
  • 2802829 - ETPRO MALWARE Win32.Fibbit.ax Checkin 2 (malware.rules)
  • 2802959 - ETPRO MALWARE Win32.Vaubeg.A Checkin (malware.rules)
  • 2802966 - ETPRO MALWARE Win32.Banker.IC Checkin (malware.rules)
  • 2803013 - ETPRO USER_AGENTS Suspicious user agent(hunter) (user_agents.rules)
  • 2803015 - ETPRO MALWARE Backdoor.Win32.Briewots.A Checkin (malware.rules)
  • 2803066 - ETPRO MALWARE Downloader.Win32.VBDetaColt.A Checkin (malware.rules)
  • 2803073 - ETPRO WEB_SERVER Oracle Web Server Expect Header Cross-Site Scripting (web_server.rules)

Disabled and modified rules:

  • 2806448 - ETPRO MALWARE Win32/Autoit.IT Checkin 2 (malware.rules)
  • 2806502 - ETPRO MALWARE Win32.Jorik.Agent.ppv GET (malware.rules)
  • 2806530 - ETPRO MALWARE Win32.PoniPatcher.A .exe Download (malware.rules)
  • 2806566 - ETPRO MALWARE Win32/C2Lop.B Download (malware.rules)
  • 2806657 - ETPRO MALWARE Win32.CCProxy.jk (proxy redirect) (malware.rules)