Ruleset Update Summary - 2024/02/07 - v10526

Summary:

30 new OPEN, 34 new PRO (30 + 4)


Added rules:

Open:

  • 2050739 - ET INFO Suspicious Application Related Domain in DNS Lookup (info.rules)
  • 2050740 - ET INFO Observed Suspicious Application Related Domain in TLS SNI (info.rules)
  • 2050741 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (resergvearyinitiani .shop) (malware.rules)
  • 2050742 - ET MALWARE Observed Lumma Stealer Related Domain (resergvearyinitiani .shop in TLS SNI) (malware.rules)
  • 2050743 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (landgateindirectdangre .shop) (malware.rules)
  • 2050744 - ET MALWARE Observed Lumma Stealer Related Domain (landgateindirectdangre .shop in TLS SNI) (malware.rules)
  • 2050745 - ET MALWARE FormBook CnC Checkin (GET) M5 (malware.rules)
  • 2050746 - ET HUNTING Googlebot User-Agent Observed in Outbound HTTP Request (hunting.rules)
  • 2050747 - ET PHISHING ResumeLooter Domain in DNS Lookup (qu3 .cc) (phishing.rules)
  • 2050748 - ET PHISHING ResumeLooter Domain in DNS Lookup (7o .ae) (phishing.rules)
  • 2050749 - ET PHISHING ResumeLooter Domain in DNS Lookup (8t .ae) (phishing.rules)
  • 2050750 - ET PHISHING ResumeLooter Domain in DNS Lookup (cloudnetsofe .com) (phishing.rules)
  • 2050751 - ET PHISHING ResumeLooter Domain in DNS Lookup (foundit .asia) (phishing.rules)
  • 2050752 - ET PHISHING ResumeLooter Domain in DNS Lookup (xn--31-rha .me) (phishing.rules)
  • 2050753 - ET PHISHING ResumeLooter Domain in DNS Lookup (9gp .cc) (phishing.rules)
  • 2050754 - ET PHISHING ResumeLooter Domain in DNS Lookup (8r .ae) (phishing.rules)
  • 2050755 - ET PHISHING ResumeLooter Domain in DNS Lookup (iimjobs .asia) (phishing.rules)
  • 2050756 - ET PHISHING ResumeLooter Domain in DNS Lookup (sb8 .co) (phishing.rules)
  • 2050757 - ET PHISHING Observed ResumeLooter Domain (qu3 .cc in TLS SNI) (phishing.rules)
  • 2050758 - ET PHISHING Observed ResumeLooter Domain (7o .ae in TLS SNI) (phishing.rules)
  • 2050759 - ET PHISHING Observed ResumeLooter Domain (8t .ae in TLS SNI) (phishing.rules)
  • 2050760 - ET PHISHING Observed ResumeLooter Domain (cloudnetsofe .com in TLS SNI) (phishing.rules)
  • 2050761 - ET PHISHING Observed ResumeLooter Domain (foundit .asia in TLS SNI) (phishing.rules)
  • 2050762 - ET PHISHING Observed ResumeLooter Domain (xn--31-rha .me in TLS SNI) (phishing.rules)
  • 2050763 - ET PHISHING Observed ResumeLooter Domain (9gp .cc in TLS SNI) (phishing.rules)
  • 2050764 - ET PHISHING Observed ResumeLooter Domain (8r .ae in TLS SNI) (phishing.rules)
  • 2050765 - ET PHISHING Observed ResumeLooter Domain (iimjobs .asia in TLS SNI) (phishing.rules)
  • 2050766 - ET PHISHING Observed ResumeLooter Domain (sb8 .co in TLS SNI) (phishing.rules)
  • 2050767 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (aitcaid .com) (exploit_kit.rules)
  • 2050768 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (aitcaid .com) (exploit_kit.rules)

Pro:

  • 2856316 - ETPRO MALWARE Observed DNS Query to Sliver Related Domain (malware.rules)
  • 2856317 - ETPRO MALWARE Observed Sliver Related Domain in TLS SNI (malware.rules)
  • 2856318 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 (malware.rules)
  • 2856319 - ETPRO EXPLOIT_KIT Fake Chrome Update Landing Page Requesting Unique Javascript Page M2 (exploit_kit.rules)

Modified inactive rules:

  • 2000037 - ET POLICY Hotmail Compose Message Access (policy.rules)
  • 2003121 - ET POLICY docs.google.com Activity (policy.rules)
  • 2007898 - ET MALWARE Sohanad Checkin via HTTP (malware.rules)
  • 2008347 - ET MALWARE Swizzor Checkin (malware.rules)
  • 2008374 - ET USER_AGENTS Suspicious User-Agent (InetURL) (user_agents.rules)
  • 2010065 - ET MALWARE SafeFighter Fake Scanner Installation in Progress (malware.rules)
  • 2011874 - ET POLICY NSPlayer User-Agent Windows Media Player streaming detected (policy.rules)
  • 2013116 - ET SCAN Potential muieblackcat scanner double-URI and HTTP library (scan.rules)
  • 2013135 - ET MALWARE FakeAV FakeAlert.Rena.n Checkin Flowbit set (malware.rules)
  • 2013259 - ET MALWARE Guagua Trojan Update Checkin (malware.rules)
  • 2013340 - ET MALWARE FakeAV/Application JPDesk/Delf checkin (malware.rules)
  • 2013377 - ET MALWARE W32/Alunik User Agent Detected (malware.rules)
  • 2013385 - ET MALWARE Accept-encode HTTP header with UA indicating infected host (malware.rules)
  • 2013390 - ET MALWARE Suspicious User Agent 3653Client (malware.rules)
  • 2013404 - ET MALWARE Suspicious User Agent ksdl_1_0 (malware.rules)
  • 2013458 - ET POLICY Facebook Like Button Clicked (1) (policy.rules)
  • 2013459 - ET POLICY Facebook Like Button Clicked (2) (policy.rules)
  • 2013461 - ET ADWARE_PUP Win32/Wizpop Initial Checkin (adware_pup.rules)
  • 2013544 - ET MALWARE TROJ_VB.FJP Generic Dowbnloader Connectivity Check to Google (malware.rules)
  • 2013560 - ET MALWARE Potentially Unwanted Program Storm3-607.exe Download Reporting (malware.rules)
  • 2013661 - ET EXPLOIT_KIT Exploit kit worms.jar (exploit_kit.rules)
  • 2013671 - ET MALWARE Win32.Riberow.A (touch) (malware.rules)
  • 2013696 - ET EXPLOIT_KIT Unknown Java Exploit Kit x.jar?o= (exploit_kit.rules)
  • 2013697 - ET EXPLOIT_KIT Unknown Java Exploit Kit lo.class (exploit_kit.rules)
  • 2013698 - ET EXPLOIT_KIT Unknown Java Exploit Kit lo2.jar (exploit_kit.rules)
  • 2803020 - ETPRO MALWARE Backdoor.Win32.Ferabsa.A Checkin 1 (malware.rules)
  • 2803099 - ETPRO MALWARE Win32.Rorpian.A Checkin 2 (malware.rules)
  • 2803163 - ETPRO MALWARE Win32.Nekill-Style Invalid Accept Header (malware.rules)
  • 2803171 - ETPRO MALWARE Tnega.WQD Checkin (malware.rules)
  • 2803193 - ETPRO MALWARE Win32.Agent.grdm Checkin 1 (malware.rules)
  • 2803194 - ETPRO MALWARE Win32.Agent.grdm Checkin 2 (malware.rules)
  • 2803268 - ETPRO MALWARE Dynamer.dtc/Keylog.km0/Uaneskeylogger.pl Keylogger Version Check (malware.rules)
  • 2803275 - ETPRO USER_AGENTS Suspicious User-Agent (mAgent) (user_agents.rules)
  • 2803300 - ETPRO MALWARE Win32.StripDance.b Checkin (malware.rules)
  • 2803354 - ETPRO MALWARE Backdoor.Win32.Sogu.A Checkin (malware.rules)
  • 2803369 - ETPRO MALWARE Downloader.Agent.TF Checkin (malware.rules)
  • 2803389 - ETPRO MALWARE Backdoor.Agent.AAXM Checkin (malware.rules)
  • 2803447 - ETPRO MALWARE Plusline.co.kr FakeAV Checkin (malware.rules)
  • 2803449 - ETPRO MALWARE Generic.6214699 Checkin (malware.rules)
  • 2803478 - ETPRO MALWARE Trojan.Win32.VB.alhq Checkin 1 (malware.rules)
  • 2803504 - ETPRO MALWARE Backdoor.Win32.Agobot.ast Checkin 1 (malware.rules)
  • 2803512 - ETPRO MALWARE Win32/Agent.QU Checkin (malware.rules)
  • 2803522 - ETPRO MALWARE Win32.Rorpian Checkin (malware.rules)
  • 2803548 - ETPRO MALWARE Win32/Bedobot.A Checkin (malware.rules)
  • 2803551 - ETPRO MALWARE Trojan.Generic.5475169 Checkin (malware.rules)
  • 2803568 - ETPRO MALWARE Trojan.Win32.Banload.ABY Checkin 1 (malware.rules)
  • 2803603 - ETPRO MALWARE Trojan.Win32.Agent.dcir Checkin (malware.rules)
  • 2803606 - ETPRO MALWARE Invalid Accept-Encode Header - Likely Hostile Request (malware.rules)
  • 2803623 - ETPRO MALWARE Backdoor.Win32.Doschald.A Checkin (malware.rules)
  • 2803710 - ETPRO MALWARE Trojan-Downloader.Win32.Diple.A Checkin 2 (malware.rules)
  • 2803711 - ETPRO MALWARE Trojan-Downloader.Win32.Diple.A Checkin 3 (malware.rules)
  • 2803733 - ETPRO MALWARE TrojanProxy.Ukstories.e Checkin (malware.rules)
  • 2803761 - ETPRO MALWARE Backdoor.Win32.Zapchast.qz Checkin 1 (malware.rules)
  • 2803771 - ETPRO MALWARE Backdoor.MacOS.Imuler.A Checkin 1 (malware.rules)
  • 2803772 - ETPRO MALWARE Backdoor.MacOS.Imuler.A Checkin 2 (malware.rules)

Disabled and modified rules:

  • 2017191 - ET MALWARE Win32/Kelihos.F Checkin (malware.rules)
  • 2047059 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (chestedband .org) (exploit_kit.rules)
  • 2047061 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (chestedband .org) (exploit_kit.rules)
  • 2047160 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (bluegaslamp .org) (exploit_kit.rules)
  • 2047161 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (bluegaslamp .org) (exploit_kit.rules)
  • 2048120 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (redsnowynose .org) (exploit_kit.rules)
  • 2048121 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (redsnowynose .org) (exploit_kit.rules)
  • 2049477 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in DNS Lookup (en-ca-wordpress .org) (exploit_kit.rules)
  • 2049478 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in DNS Lookup (en-za-wordpress .org) (exploit_kit.rules)
  • 2049479 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in DNS Lookup (en-nz-wordpress .org) (exploit_kit.rules)
  • 2049480 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in DNS Lookup (en-au-wordpress .org) (exploit_kit.rules)
  • 2049481 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in DNS Lookup (en-gb-wordpress .org) (exploit_kit.rules)
  • 2049482 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in DNS Lookup (en-us-wordpress .org) (exploit_kit.rules)
  • 2049483 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in DNS Lookup (wordpress .secureplatform .org) (exploit_kit.rules)
  • 2049484 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in DNS Lookup (wordpress .securityplugins .org) (exploit_kit.rules)
  • 2049485 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in DNS Lookup (wpgate .zip) (exploit_kit.rules)
  • 2049486 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in DNS Lookup (wpsrv .zip) (exploit_kit.rules)
  • 2049487 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in DNS Lookup (wpsys .zip) (exploit_kit.rules)
  • 2049488 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in DNS Lookup (wpops .zip) (exploit_kit.rules)
  • 2049489 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in TLS SNI (en-ca-wordpress .org) (exploit_kit.rules)
  • 2049490 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in TLS SNI (en-za-wordpress .org) (exploit_kit.rules)
  • 2049491 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in TLS SNI (en-nz-wordpress .org) (exploit_kit.rules)
  • 2049492 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in TLS SNI (en-au-wordpress .org) (exploit_kit.rules)
  • 2049493 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in TLS SNI (en-gb-wordpress .org) (exploit_kit.rules)
  • 2049494 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in TLS SNI (en-us-wordpress .org) (exploit_kit.rules)
  • 2049495 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in TLS SNI (wordpress .secureplatform .org) (exploit_kit.rules)
  • 2049496 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in TLS SNI (wordpress .securityplugins .org) (exploit_kit.rules)
  • 2049497 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in TLS SNI (wpgate .zip) (exploit_kit.rules)
  • 2049498 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in TLS SNI (wpsrv .zip) (exploit_kit.rules)
  • 2049499 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in TLS SNI (wpsys .zip) (exploit_kit.rules)
  • 2049500 - ET EXPLOIT_KIT Fake WordPress CVE Plugin Domain in TLS SNI (wpops .zip) (exploit_kit.rules)
  • 2049619 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (perfilcovid .com) (exploit_kit.rules)
  • 2049620 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jokergame1 .com) (exploit_kit.rules)
  • 2049621 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (perfilcovid .com) (exploit_kit.rules)
  • 2049622 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jokergame1 .com) (exploit_kit.rules)
  • 2806706 - ETPRO MALWARE Worm.Win32.Luder spreading via SMTP (malware.rules)
  • 2806737 - ETPRO MALWARE Trojan-Proxy.Win32.Small.ez Checkin (malware.rules)
  • 2806756 - ETPRO MALWARE Trojan.Win32.Agentb.jwp Checkin (malware.rules)
  • 2806759 - ETPRO MALWARE Virus.Win32.Kate.a .exe Request (malware.rules)
  • 2806761 - ETPRO MALWARE Worm.Win32.Luder.wja spreading via SMTP 2 (malware.rules)
  • 2856216 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)