Ruleset Update Summary - 2024/02/09 - v10528

Summary:

9 new OPEN, 11 new PRO (9 + 2)


Added rules:

Open:

  • 2050778 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (flexibleagttypoceo .shop) (malware.rules)
  • 2050779 - ET MALWARE Observed Lumma Stealer Related Domain (flexibleagttypoceo .shop in TLS SNI) (malware.rules)
  • 2050780 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (exitassumebangpastcone .shop) (malware.rules)
  • 2050781 - ET MALWARE Observed Lumma Stealer Related Domain (exitassumebangpastcone .shop in TLS SNI) (malware.rules)
  • 2050782 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (vatleaflettrusteeooj .shop) (malware.rules)
  • 2050783 - ET MALWARE Observed Lumma Stealer Related Domain (vatleaflettrusteeooj .shop in TLS SNI) (malware.rules)
  • 2050784 - ET WEB_SPECIFIC_APPS Ivanti Connect Secure XXE Attempt (CVE-2024-22024) (web_specific_apps.rules)
  • 2050785 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (ronreznick .com) (exploit_kit.rules)
  • 2050786 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (ronreznick .com) (exploit_kit.rules)

Pro:

  • 2856328 - ETPRO INFO Observed DNS Query to Commonly Abused Content Domain (info.rules)
  • 2856329 - ETPRO INFO Observed Commonly Abused Content Domain in TLS SNI (info.rules)

Modified inactive rules:

  • 2003648 - ET MALWARE Clicker.BC User Agent Detected (linkrunner) (malware.rules)
  • 2003937 - ET MALWARE Bandook iwebho/BBB-phish trojan leaking user data (malware.rules)
  • 2007686 - ET MALWARE E-Jihad 3.0 DDoS HTTP Activity OUTBOUND (malware.rules)
  • 2007687 - ET MALWARE E-Jihad 3.0 DDoS HTTP Activity INBOUND (malware.rules)
  • 2007911 - ET MALWARE Delf Download via HTTP (malware.rules)
  • 2008195 - ET MALWARE Dropper mdodo.com Related Trojan (malware.rules)
  • 2008196 - ET MALWARE Dropper 6dzone.com Related Trojan (malware.rules)
  • 2008263 - ET MALWARE DNS Changer HTTP Post Checkin (malware.rules)
  • 2008267 - ET MALWARE Banker.JU Related HTTP Post-infection Checkin (malware.rules)
  • 2008283 - ET MALWARE Banload HTTP Checkin Detected (quem=) (malware.rules)
  • 2009204 - ET MALWARE Crypt.CFI.Gen Checkin (malware.rules)
  • 2009360 - ET MALWARE Bredolab Check In (malware.rules)
  • 2009539 - ET MALWARE Downloader Infostealer - GET Checkin (malware.rules)
  • 2009553 - ET MALWARE FAKE/ROGUE AV Encoded data= HTTP POST (malware.rules)
  • 2009677 - ET WEB_SERVER Possible BASE Authentication Bypass Attempt (web_server.rules)
  • 2013487 - ET EXPLOIT Likely Generic Java Exploit Attempt Request for Java to decimal host (exploit.rules)
  • 2014200 - ET MALWARE Dapato/Cleaman Checkin (malware.rules)
  • 2014357 - ET MALWARE W32/Kazy Checkin (malware.rules)
  • 2014387 - ET MALWARE Generic Dropper User-Agent (XXXwww) (malware.rules)
  • 2804665 - ETPRO MALWARE Backdoor.Win32.Hupigon.pdqt Checkin (malware.rules)
  • 2804689 - ETPRO MALWARE Win32/Stoberox.A Checkin (malware.rules)

Disabled and modified rules:

  • 2018004 - ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon (mobile_malware.rules)
  • 2018015 - ET MALWARE Limitless Logger Sending Data over SMTP (malware.rules)
  • 2018017 - ET MALWARE Predator Logger Sending Data over SMTP (malware.rules)
  • 2018018 - ET MALWARE Win32/Antilam.2_0 Sending Data over SMTP (malware.rules)
  • 2018575 - ET MALWARE Possible Andromeda download with fake Zip header (1) (malware.rules)
  • 2018576 - ET MALWARE Possible Andromeda download with fake Zip header (2) (malware.rules)
  • 2807424 - ETPRO MALWARE Trojan-Dropper.Win32.Dorifel.hlu Checkin (malware.rules)
  • 2807426 - ETPRO MALWARE Trojan.Win32.Badur.gboh Download (malware.rules)
  • 2807467 - ETPRO MALWARE TrojanDownloader.Win32/Unruy.C checkin - SET 2 (malware.rules)
  • 2807468 - ETPRO MALWARE TrojanDownloader Win32/Unruy.C Checkin 3 (malware.rules)
  • 2807474 - ETPRO MALWARE Miniduke Checkin 2 (malware.rules)
  • 2807476 - ETPRO MALWARE Win32/TrojanDownloader.Onkods.V Download (malware.rules)
  • 2807482 - ETPRO MALWARE Win32/Startpage.JT Checkin (malware.rules)
  • 2807501 - ETPRO MALWARE Win32/Spy.Banker.ZSX Download (malware.rules)
  • 2807507 - ETPRO MALWARE Win32.Foreign.jowy 2 (malware.rules)
  • 2807532 - ETPRO MALWARE W32/Banker.YNL!tr.spy sending info about infection via SMTP (malware.rules)
  • 2826940 - ETPRO MALWARE AgentTesla Reporting Infection via FTP (malware.rules)
  • 2826941 - ETPRO MALWARE AgentTesla Sending Screenshot via FTP (malware.rules)
  • 2827070 - ETPRO ADWARE_PUP PUP/AdwareTesting24.B Checkin (adware_pup.rules)