Ruleset Update Summary - 2024/02/13 - v10531

rulesbot · February 13, 2024, 10:43pm

Summary:

17 new OPEN, 25 new PRO (17 + 8)

Thanks @Bitdefender, @malwrhunterteam, @rapid7, @rivitna2

Added rules:

Open:

2050799 - ET MALWARE MacOS RustDoor Related Activity M1 (POST) (malware.rules)
2050800 - ET MALWARE MacOS RustDoor Related Activity M2 (POST) (malware.rules)
2050801 - ET MALWARE MacOS RustDoor Related CnC Domain in DNS Lookup (serviceicloud .com) (malware.rules)
2050802 - ET MALWARE Observed MacOS RustDoor Related Domain (serviceicloud .com in TLS SNI) (malware.rules)
2050803 - ET INFO DNS Query to a *giize.com DYNAMIC_DNS Domain (info.rules)
2050804 - ET INFO Observed DYNAMIC_DNS Domain (giize .com in TLS SNI) (info.rules)
2050805 - ET MALWARE Observed Malicious Domain (ewbjr2h375tjz5fh3wvohsetk .com in TLS SNI) (malware.rules)
2050806 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 (malware.rules)
2050807 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) (malware.rules)
2050808 - ET HUNTING Redirect to Wikipedia with Hackernoon GIF (hunting.rules)
2050809 - ET MALWARE Synapse/Lambda Ransomware CnC Checkin (malware.rules)
2050810 - ET MALWARE Java/Unknown CnC Checkin (malware.rules)
2050811 - ET WEB_SPECIFIC_APPS QNAP quick.cgi uploaf_firmware_image Command Injection Attempt (CVE-2023-47218) (web_specific_apps.rules)
2050812 - ET INFO Encrypted Messaging Service in DNS Lookup (getsession .org) (info.rules)
2050813 - ET INFO Encrypted Messaging Service in TLS SNI (getsession .org) (info.rules)
2050814 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (vfxfilmschool .com) (exploit_kit.rules)
2050815 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (vfxfilmschool .com) (exploit_kit.rules)

Pro:

2856351 - ETPRO MALWARE Win32/FakeJami Stealer Geo Info Inbound (malware.rules)
2856352 - ETPRO PHISHING Zimbra Phishing Domain in DNS Lookup (phishing.rules)
2856353 - ETPRO PHISHING Observed Zimbra Phishing Domain in TLS SNI (phishing.rules)
2856354 - ETPRO EXPLOIT_KIT Fake Chrome Browser Update Malware Download Request (exploit_kit.rules)
2856355 - ETPRO EXPLOIT_KIT Fake Firefox Browser Update Malware Download Request (exploit_kit.rules)
2856356 - ETPRO EXPLOIT_KIT Fake IE Browser Update Malware Download Request (exploit_kit.rules)
2856357 - ETPRO EXPLOIT_KIT Fake Edge Browser Update Malware Download Request (exploit_kit.rules)
2856358 - ETPRO EXPLOIT_KIT Fake Opera Browser Update Malware Download Request (exploit_kit.rules)

Modified inactive rules:

2002859 - ET MALWARE PassSickle Reporting User Activity (malware.rules)
2003431 - ET MALWARE Unnamed Generic.Malware http get (malware.rules)
2003649 - ET MALWARE Hupigon User Agent Detected (SykO) (malware.rules)
2003932 - ET MALWARE Hupigon User Agent Detected (IE_7.0) (malware.rules)
2009443 - ET MALWARE NoBo Downloader Dropper GET (malware.rules)
2009811 - ET MALWARE KillAV/Dropper/Mdrop/Hupigon - HTTP GET (malware.rules)
2010282 - ET MALWARE Generic Trojan Checkin (double Content-Type headers) (malware.rules)
2011103 - ET EXPLOIT_KIT Exploit kit download payload likely Hiloti Gozi FakeAV etc (exploit_kit.rules)
2011104 - ET EXPLOIT_KIT Exploit kit attack activity likely hostile (exploit_kit.rules)

Disabled and modified rules:

2016855 - ET MALWARE Embedded ZIP/APK File With Fake Windows Executable Header - Possible AV Bypass Attempt (malware.rules)
2025187 - ET MALWARE MedusaHTTP CnC Checkin (malware.rules)
2025458 - ET MALWARE [PTsecurity] Win32/SocStealer.Socelars C2 Response (malware.rules)
2049671 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (kokokakalala .com) (exploit_kit.rules)
2049672 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (kokokakalala .com) (exploit_kit.rules)
2049674 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mitchvandenborn .com) (exploit_kit.rules)
2049675 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mindsnatchers .com) (exploit_kit.rules)
2049676 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mitchvandenborn .com) (exploit_kit.rules)
2049677 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mindsnatchers .com) (exploit_kit.rules)
2049693 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (marybskitchen .com) (exploit_kit.rules)
2049695 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (marybskitchen .com) (exploit_kit.rules)
2050022 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (recessionconceptjetwe .pwc) (malware.rules)
2050023 - ET MALWARE Observed Lumma Stealer Related Domain (recessionconceptjetwe .pwc in TLS SNI) (malware.rules)
2050026 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (copyexpertisesausewaverw .site) (malware.rules)
2050027 - ET MALWARE Observed Lumma Stealer Related Domain (copyexpertisesausewaverw .site in TLS SNI) (malware.rules)
2050031 - ET INFO Observed DNS Over HTTPS Domain (ns .sblnetwork .co .id in TLS SNI) (info.rules)
2050035 - ET INFO Observed DNS Over HTTPS Domain (surt .ovh in TLS SNI) (info.rules)
2050036 - ET INFO Observed DNS Over HTTPS Domain (ad .257053 .xyz in TLS SNI) (info.rules)
2050038 - ET INFO Observed DNS Over HTTPS Domain (shijiu .asia in TLS SNI) (info.rules)
2050039 - ET INFO Observed DNS Over HTTPS Domain (dns .sbstructure .ir in TLS SNI) (info.rules)
2050042 - ET INFO Observed DNS Over HTTPS Domain (d2 .shabi .icu in TLS SNI) (info.rules)
2050043 - ET INFO Observed DNS Over HTTPS Domain (free .sootoon .xyz in TLS SNI) (info.rules)
2050044 - ET INFO Observed DNS Over HTTPS Domain (dns .trifanov-online .ru in TLS SNI) (info.rules)
2050045 - ET INFO Observed DNS Over HTTPS Domain (res .zijji .com in TLS SNI) (info.rules)
2050047 - ET INFO Observed DNS Over HTTPS Domain (dns .sainternet .xyz in TLS SNI) (info.rules)
2050050 - ET INFO Observed DNS Over HTTPS Domain (ymjx .shimmerl .top in TLS SNI) (info.rules)
2828056 - ETPRO MALWARE Win32/Agent.YZF Variant CnC Activity (malware.rules)
2828069 - ETPRO MALWARE Oiram CnC Beacon (malware.rules)
2828107 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 5 (malware.rules)
2828115 - ETPRO MALWARE MSIL/Injector.BSL CnC Activity (Start) (malware.rules)
2828117 - ETPRO MALWARE ZBot.BW/Injector.KA CnC Activity (malware.rules)
2828445 - ETPRO POLICY External IP Address Lookup (howtofindmyipaddress .com) (policy.rules)
2829733 - ETPRO MALWARE MSIL/CTUA.Miner Retrieving Config (malware.rules)
2829924 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Checkin (Microsoft|Windows) (malware.rules)
2830181 - ETPRO MALWARE MSIL/Mail Harvester CnC Activity (malware.rules)
2856268 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/09/18 - v10419 Ruleset Updates	227	September 18, 2023
Ruleset Update Summary - 2023/04/27 - v10309 Ruleset Updates	249	April 27, 2023
Ruleset Update Summary - 2023/04/24 - v10305 Ruleset Updates	235	April 24, 2023
Ruleset Update Summary - 2023/07/17 - v10373 Ruleset Updates	211	July 17, 2023
Ruleset Update Summary - 2024/04/16 - v10576 Ruleset Updates	192	April 16, 2024

Ruleset Update Summary - 2024/02/13 - v10531

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Disabled and modified rules:

Related Topics