Summary:
17 new OPEN, 25 new PRO (17 + 8)
Thanks @Bitdefender, @malwrhunterteam, @rapid7, @rivitna2
Added rules:
Open:
- 2050799 - ET MALWARE MacOS RustDoor Related Activity M1 (POST) (malware.rules)
- 2050800 - ET MALWARE MacOS RustDoor Related Activity M2 (POST) (malware.rules)
- 2050801 - ET MALWARE MacOS RustDoor Related CnC Domain in DNS Lookup (serviceicloud .com) (malware.rules)
- 2050802 - ET MALWARE Observed MacOS RustDoor Related Domain (serviceicloud .com in TLS SNI) (malware.rules)
- 2050803 - ET INFO DNS Query to a *giize.com DYNAMIC_DNS Domain (info.rules)
- 2050804 - ET INFO Observed DYNAMIC_DNS Domain (giize .com in TLS SNI) (info.rules)
- 2050805 - ET MALWARE Observed Malicious Domain (ewbjr2h375tjz5fh3wvohsetk .com in TLS SNI) (malware.rules)
- 2050806 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 (malware.rules)
- 2050807 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) (malware.rules)
- 2050808 - ET HUNTING Redirect to Wikipedia with Hackernoon GIF (hunting.rules)
- 2050809 - ET MALWARE Synapse/Lambda Ransomware CnC Checkin (malware.rules)
- 2050810 - ET MALWARE Java/Unknown CnC Checkin (malware.rules)
- 2050811 - ET WEB_SPECIFIC_APPS QNAP quick.cgi uploaf_firmware_image Command Injection Attempt (CVE-2023-47218) (web_specific_apps.rules)
- 2050812 - ET INFO Encrypted Messaging Service in DNS Lookup (getsession .org) (info.rules)
- 2050813 - ET INFO Encrypted Messaging Service in TLS SNI (getsession .org) (info.rules)
- 2050814 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (vfxfilmschool .com) (exploit_kit.rules)
- 2050815 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (vfxfilmschool .com) (exploit_kit.rules)
Pro:
- 2856351 - ETPRO MALWARE Win32/FakeJami Stealer Geo Info Inbound (malware.rules)
- 2856352 - ETPRO PHISHING Zimbra Phishing Domain in DNS Lookup (phishing.rules)
- 2856353 - ETPRO PHISHING Observed Zimbra Phishing Domain in TLS SNI (phishing.rules)
- 2856354 - ETPRO EXPLOIT_KIT Fake Chrome Browser Update Malware Download Request (exploit_kit.rules)
- 2856355 - ETPRO EXPLOIT_KIT Fake Firefox Browser Update Malware Download Request (exploit_kit.rules)
- 2856356 - ETPRO EXPLOIT_KIT Fake IE Browser Update Malware Download Request (exploit_kit.rules)
- 2856357 - ETPRO EXPLOIT_KIT Fake Edge Browser Update Malware Download Request (exploit_kit.rules)
- 2856358 - ETPRO EXPLOIT_KIT Fake Opera Browser Update Malware Download Request (exploit_kit.rules)
Modified inactive rules:
- 2002859 - ET MALWARE PassSickle Reporting User Activity (malware.rules)
- 2003431 - ET MALWARE Unnamed Generic.Malware http get (malware.rules)
- 2003649 - ET MALWARE Hupigon User Agent Detected (SykO) (malware.rules)
- 2003932 - ET MALWARE Hupigon User Agent Detected (IE_7.0) (malware.rules)
- 2009443 - ET MALWARE NoBo Downloader Dropper GET (malware.rules)
- 2009811 - ET MALWARE KillAV/Dropper/Mdrop/Hupigon - HTTP GET (malware.rules)
- 2010282 - ET MALWARE Generic Trojan Checkin (double Content-Type headers) (malware.rules)
- 2011103 - ET EXPLOIT_KIT Exploit kit download payload likely Hiloti Gozi FakeAV etc (exploit_kit.rules)
- 2011104 - ET EXPLOIT_KIT Exploit kit attack activity likely hostile (exploit_kit.rules)
Disabled and modified rules:
- 2016855 - ET MALWARE Embedded ZIP/APK File With Fake Windows Executable Header - Possible AV Bypass Attempt (malware.rules)
- 2025187 - ET MALWARE MedusaHTTP CnC Checkin (malware.rules)
- 2025458 - ET MALWARE [PTsecurity] Win32/SocStealer.Socelars C2 Response (malware.rules)
- 2049671 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (kokokakalala .com) (exploit_kit.rules)
- 2049672 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (kokokakalala .com) (exploit_kit.rules)
- 2049674 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mitchvandenborn .com) (exploit_kit.rules)
- 2049675 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mindsnatchers .com) (exploit_kit.rules)
- 2049676 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mitchvandenborn .com) (exploit_kit.rules)
- 2049677 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mindsnatchers .com) (exploit_kit.rules)
- 2049693 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (marybskitchen .com) (exploit_kit.rules)
- 2049695 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (marybskitchen .com) (exploit_kit.rules)
- 2050022 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (recessionconceptjetwe .pwc) (malware.rules)
- 2050023 - ET MALWARE Observed Lumma Stealer Related Domain (recessionconceptjetwe .pwc in TLS SNI) (malware.rules)
- 2050026 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (copyexpertisesausewaverw .site) (malware.rules)
- 2050027 - ET MALWARE Observed Lumma Stealer Related Domain (copyexpertisesausewaverw .site in TLS SNI) (malware.rules)
- 2050031 - ET INFO Observed DNS Over HTTPS Domain (ns .sblnetwork .co .id in TLS SNI) (info.rules)
- 2050035 - ET INFO Observed DNS Over HTTPS Domain (surt .ovh in TLS SNI) (info.rules)
- 2050036 - ET INFO Observed DNS Over HTTPS Domain (ad .257053 .xyz in TLS SNI) (info.rules)
- 2050038 - ET INFO Observed DNS Over HTTPS Domain (shijiu .asia in TLS SNI) (info.rules)
- 2050039 - ET INFO Observed DNS Over HTTPS Domain (dns .sbstructure .ir in TLS SNI) (info.rules)
- 2050042 - ET INFO Observed DNS Over HTTPS Domain (d2 .shabi .icu in TLS SNI) (info.rules)
- 2050043 - ET INFO Observed DNS Over HTTPS Domain (free .sootoon .xyz in TLS SNI) (info.rules)
- 2050044 - ET INFO Observed DNS Over HTTPS Domain (dns .trifanov-online .ru in TLS SNI) (info.rules)
- 2050045 - ET INFO Observed DNS Over HTTPS Domain (res .zijji .com in TLS SNI) (info.rules)
- 2050047 - ET INFO Observed DNS Over HTTPS Domain (dns .sainternet .xyz in TLS SNI) (info.rules)
- 2050050 - ET INFO Observed DNS Over HTTPS Domain (ymjx .shimmerl .top in TLS SNI) (info.rules)
- 2828056 - ETPRO MALWARE Win32/Agent.YZF Variant CnC Activity (malware.rules)
- 2828069 - ETPRO MALWARE Oiram CnC Beacon (malware.rules)
- 2828107 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 5 (malware.rules)
- 2828115 - ETPRO MALWARE MSIL/Injector.BSL CnC Activity (Start) (malware.rules)
- 2828117 - ETPRO MALWARE ZBot.BW/Injector.KA CnC Activity (malware.rules)
- 2828445 - ETPRO POLICY External IP Address Lookup (howtofindmyipaddress .com) (policy.rules)
- 2829733 - ETPRO MALWARE MSIL/CTUA.Miner Retrieving Config (malware.rules)
- 2829924 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Checkin (Microsoft|Windows) (malware.rules)
- 2830181 - ETPRO MALWARE MSIL/Mail Harvester CnC Activity (malware.rules)
- 2856268 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)