Ruleset Update Summary - 2024/02/16 - v10534

Summary:

48 new OPEN, 49 new PRO (48 + 1)

Thanks @talossecurity, Kevin, Ross
Added rules:

Open:

  • 2050896 - ET MALWARE DOILoader Activity M2 (GET) (malware.rules)
  • 2050897 - ET MALWARE JS/GootLoader Activity M2 (GET) (malware.rules)
  • 2050898 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (healthproline .pro) (malware.rules)
  • 2050899 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (theoryapparatusjuko .funr) (malware.rules)
  • 2050900 - ET MALWARE Observed Lumma Stealer Related Domain (healthproline .pro in TLS SNI) (malware.rules)
  • 2050901 - ET MALWARE Observed Lumma Stealer Related Domain (theoryapparatusjuko .funr in TLS SNI) (malware.rules)
  • 2050902 - ET MALWARE TinyTurlaNG Turla APT Initial Client Beacon (malware.rules)
  • 2050903 - ET MALWARE TinyTurlaNG Turla APT GetTask Request (malware.rules)
  • 2050904 - ET MALWARE DNS Query to TinyTurla Domain (caduff-sa .ch) (malware.rules)
  • 2050905 - ET MALWARE DNS Query to TinyTurla Domain (jeepcarlease .com) (malware.rules)
  • 2050906 - ET MALWARE DNS Query to TinyTurla Domain (carleasingguru .com) (malware.rules)
  • 2050907 - ET MALWARE DNS Query to TinyTurla Domain (buy-new-car .com) (malware.rules)
  • 2050908 - ET MALWARE DNS Query to TinyTurla Domain (thefinetreats .com) (malware.rules)
  • 2050909 - ET MALWARE DNS Query to TinyTurla Domain (hanagram .jp) (malware.rules)
  • 2050910 - ET MALWARE Observed TinyTurla Domain (caduff-sa .ch in TLS SNI) (malware.rules)
  • 2050911 - ET MALWARE Observed TinyTurla Domain (jeepcarlease .com in TLS SNI) (malware.rules)
  • 2050912 - ET MALWARE Observed TinyTurla Domain (carleasingguru .com in TLS SNI) (malware.rules)
  • 2050913 - ET MALWARE Observed TinyTurla Domain (buy-new-car .com in TLS SNI) (malware.rules)
  • 2050914 - ET MALWARE Observed TinyTurla Domain (thefinetreats .com in TLS SNI) (malware.rules)
  • 2050915 - ET MALWARE Observed TinyTurla Domain (hanagram .jp in TLS SNI) (malware.rules)
  • 2050916 - ET MOBILE_MALWARE GoldDigger CnC Domain in DNS Lookup (ks8cb .cc) (mobile_malware.rules)
  • 2050917 - ET MOBILE_MALWARE Observed GoldDigger Domain (ks8cb .cc in TLS SNI) (mobile_malware.rules)
  • 2050918 - ET MOBILE_MALWARE GoldDigger CnC Domain in DNS Lookup (bv8k .xyz) (mobile_malware.rules)
  • 2050919 - ET MOBILE_MALWARE GoldDigger CnC Domain in DNS Lookup (t8bc .xyz) (mobile_malware.rules)
  • 2050920 - ET MOBILE_MALWARE GoldDigger CnC Domain in DNS Lookup (hzc5 .xyz) (mobile_malware.rules)
  • 2050921 - ET MOBILE_MALWARE GoldDigger CnC Domain in DNS Lookup (ms2ve .cc) (mobile_malware.rules)
  • 2050922 - ET MOBILE_MALWARE GoldDigger CnC Domain in DNS Lookup (zu7kt .cc) (mobile_malware.rules)
  • 2050923 - ET MOBILE_MALWARE Observed GoldDigger Domain (bv8k .xyz in TLS SNI) (mobile_malware.rules)
  • 2050924 - ET MOBILE_MALWARE Observed GoldDigger Domain (t8bc .xyz in TLS SNI) (mobile_malware.rules)
  • 2050925 - ET MOBILE_MALWARE Observed GoldDigger Domain (hzc5 .xyz in TLS SNI) (mobile_malware.rules)
  • 2050926 - ET MOBILE_MALWARE Observed GoldDigger Domain (ms2ve .cc in TLS SNI) (mobile_malware.rules)
  • 2050927 - ET MOBILE_MALWARE Observed GoldDigger Domain (zu7kt .cc in TLS SNI) (mobile_malware.rules)
  • 2050928 - ET MOBILE_MALWARE Gigabud CnC Domain in DNS Lookup (blsdk5 .cc) (mobile_malware.rules)
  • 2050929 - ET MOBILE_MALWARE Gigabud CnC Domain in DNS Lookup (nnzf1 .cc) (mobile_malware.rules)
  • 2050930 - ET MOBILE_MALWARE Gigabud CnC Domain in DNS Lookup (bweri6 .cc) (mobile_malware.rules)
  • 2050931 - ET MOBILE_MALWARE Gigabud CnC Domain in DNS Lookup (bc2k .xyz) (mobile_malware.rules)
  • 2050932 - ET MOBILE_MALWARE Gigabud CnC Domain in DNS Lookup (re6s .xyz) (mobile_malware.rules)
  • 2050933 - ET MOBILE_MALWARE Gigabud CnC Domain in DNS Lookup (js6kk .xyz) (mobile_malware.rules)
  • 2050934 - ET MOBILE_MALWARE Observed Gigabud Domain (re6s .xyz in TLS SNI) (mobile_malware.rules)
  • 2050935 - ET MOBILE_MALWARE Observed Gigabud Domain (js6kk .xyz in TLS SNI) (mobile_malware.rules)
  • 2050936 - ET MOBILE_MALWARE Observed Gigabud Domain (bc2k .xyz in TLS SNI) (mobile_malware.rules)
  • 2050937 - ET MOBILE_MALWARE Observed Gigabud Domain (bweri6 .cc in TLS SNI) (mobile_malware.rules)
  • 2050938 - ET MOBILE_MALWARE Observed Gigabud Domain (nnzf1 .cc in TLS SNI) (mobile_malware.rules)
  • 2050939 - ET MOBILE_MALWARE Observed Gigabud Domain (blsdk5 .cc in TLS SNI) (mobile_malware.rules)
  • 2050940 - ET INFO Observed DNS Query to Webhook/HTTP Request Inspection Service (insomnia .rest) (info.rules)
  • 2050941 - ET INFO Observed DNS Query to Webhook/HTTP Request Inspection Service (mockbin .io) (info.rules)
  • 2050942 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (insomnia .rest) in TLS SNI (info.rules)
  • 2050943 - ET INFO Observed Webhook/HTTP Request Inspection Service Domain (mockbin .io) in TLS SNI (info.rules)

Pro:

  • 2856375 - ETPRO EXPLOIT Microsoft Outlook Remote Code Execution Attempt (CVE-2024-21413) (exploit.rules)

Modified inactive rules:

  • 2007646 - ET MALWARE Farfli User Agent Detected (malware.rules)
  • 2013348 - ET MALWARE Zeus Bot Request to CnC 2 (malware.rules)
  • 2013975 - ET EXPLOIT_KIT Neosploit Java Exploit Kit request to /? plus hex 32 (exploit_kit.rules)
  • 2014114 - ET MALWARE Delf/Troxen/Zema Reporting 1 (malware.rules)
  • 2014115 - ET MALWARE Delf/Troxen/Zema Reporting 2 (malware.rules)
  • 2014223 - ET MALWARE UPDATE Protocol Trojan Communication detected on http ports (malware.rules)
  • 2014224 - ET MALWARE UPDATE Protocol Trojan Communication detected on non-http ports (malware.rules)
  • 2014230 - ET MALWARE Karagany/Kazy Obfuscated Payload Download (malware.rules)
  • 2014464 - ET MALWARE DwnLdr-JMZ Downloading Binary (malware.rules)
  • 2014467 - ET MALWARE Win32.Datamaikon Checkin NewAgent (malware.rules)
  • 2014476 - ET MALWARE HTTP Request to Zaletelly CnC Domain zaletellyxx.be (malware.rules)
  • 2014477 - ET MALWARE HTTP Request to Zaletelly CnC Domain atserverxx.info (malware.rules)
  • 2014578 - ET MALWARE Win32.Winwebsec.B Checkin (malware.rules)
  • 2014723 - ET MALWARE Suspicious lcon http header in response seen with Medfos/Midhos downloader (malware.rules)
  • 2014826 - ET MALWARE Virus.Win32.Sality.aa Checkin (malware.rules)
  • 2801402 - ETPRO MALWARE Generic Gui Trojan Hacker Tool Request to Controller (malware.rules)
  • 2803484 - ETPRO MALWARE Trojan-Dropper.Win32.Agent.eydk Checkin (malware.rules)
  • 2803981 - ETPRO MALWARE Win32/Banload.ACI Checkin (malware.rules)
  • 2804092 - ETPRO MALWARE Trojan-Banker.Win32.Agent.gbq Checkin (malware.rules)
  • 2804162 - ETPRO MALWARE Win32/Spy.Bancos.OBT Checkin (malware.rules)
  • 2804167 - ETPRO INFO DYNAMIC_DNS HTTP Request to a *.ddns.me.uk Domain (info.rules)
  • 2804225 - ETPRO MALWARE Win32/FtpSteal.gen!A Checkin (malware.rules)
  • 2804252 - ETPRO MALWARE Bat/sdel Checkin (malware.rules)
  • 2804262 - ETPRO MALWARE Trojan-Banker.Win32.Banbra.anpq Checkin (malware.rules)
  • 2804320 - ETPRO MALWARE Trojan/Invader.ciy Checkin (malware.rules)
  • 2804440 - ETPRO MALWARE Downloader.a!kw Checkin (malware.rules)
  • 2804443 - ETPRO MALWARE Win32/Banload.gen!B Checkin (malware.rules)
  • 2804450 - ETPRO MALWARE Virus.Win32.Virut.ce Install (malware.rules)
  • 2804483 - ETPRO MALWARE PWS-Zbot.gen.di Connectivity Check (malware.rules)
  • 2804590 - ETPRO MALWARE Trojan-Dropper.Win32.Agent.ficz Checkin (malware.rules)
  • 2804683 - ETPRO MALWARE FakeCloudAV2012 Checkin (malware.rules)
  • 2804684 - ETPRO MALWARE Trojan-Downloader.Win32.Agent.ujgh Checkin (malware.rules)
  • 2804685 - ETPRO MALWARE Trojan-Downloader.Win32.Geral.xit Checkin (malware.rules)
  • 2804699 - ETPRO EXPLOIT Google Talk gaiaserver Parameter Injection (exploit.rules)
  • 2804710 - ETPRO MALWARE Trojan-Banker.Win32.Banz.jpb Checkin 1 (malware.rules)
  • 2804714 - ETPRO MALWARE Backdoor.Win32.Bredolab.ugk Checkin (malware.rules)
  • 2804716 - ETPRO MALWARE Trojan-Downloader.Win32.Dapato.fxd Checkin (malware.rules)
  • 2804717 - ETPRO MALWARE Backdoor.Win32.Koutodoor.aihc Checkin (malware.rules)
  • 2804730 - ETPRO MALWARE Trojan-Downloader.Win32.Hacyayu.ep Checkin (malware.rules)
  • 2804738 - ETPRO MALWARE Trojan-Dropper.Win32.Dapato.afwq Checkin (malware.rules)
  • 2804739 - ETPRO MALWARE Win32/Spy.Banker.VER Checkin (malware.rules)
  • 2804741 - ETPRO MALWARE BScope.Trojan.Banker Checkin (malware.rules)
  • 2804748 - ETPRO MALWARE W32/Banker.JGT Checkin 2 (malware.rules)
  • 2804751 - ETPRO MALWARE Win32/Bancos.AGN Checkin (malware.rules)
  • 2804767 - ETPRO MALWARE Trojan-Spy.Win32.Agent.bxuh Checkin (malware.rules)
  • 2804788 - ETPRO MALWARE Win32/Pilrurl.A Checkin (malware.rules)
  • 2804801 - ETPRO MALWARE Win32/Bancos.AGP Checkin (malware.rules)
  • 2804804 - ETPRO MALWARE Trojan.Win32.Swisyn.chxm Checkin (malware.rules)
  • 2804818 - ETPRO MALWARE Win32/TrojanDownloader.Banload.QWQ Checkin (malware.rules)
  • 2804822 - ETPRO MALWARE Trojan.DownLoader Checkin (malware.rules)
  • 2804828 - ETPRO MALWARE Trojan/Buzus.hgv Checkin (malware.rules)
  • 2804841 - ETPRO MALWARE Win32/Opachki.F Checkin (malware.rules)
  • 2804842 - ETPRO MALWARE Trojan-FakeAV.Win32.SmartFortress2012.lw Checkin (malware.rules)
  • 2804844 - ETPRO MALWARE Trojan.Downloader.Agent-1187 Checkin (malware.rules)
  • 2804847 - ETPRO MALWARE Ransom.EJ/Winlock.5857 Checkin (malware.rules)
  • 2804866 - ETPRO MALWARE Trojan-Banker.Win32.Banbra.alvy Checkin (malware.rules)
  • 2804867 - ETPRO MALWARE Trojan-Banker.Win32.Banker.srjp Checkin (malware.rules)
  • 2804873 - ETPRO MALWARE Trojan-Dropper.Win32.Dapato.axvi Checkin (malware.rules)
  • 2804881 - ETPRO MALWARE Trojan.Agent-275138 Checkin (malware.rules)
  • 2804884 - ETPRO MALWARE Win32/Bancos.DV Checkin (malware.rules)
  • 2804885 - ETPRO MALWARE Win32/TrojanDownloader.Banload.QYJ Checkin (malware.rules)
  • 2804903 - ETPRO MALWARE W32/Troj_Generic.BNJME Checkin (malware.rules)
  • 2804905 - ETPRO MALWARE Win32/Horst.gen!C Checkin (malware.rules)
  • 2804929 - ETPRO MALWARE TrojanDownloader.Win32/Banload.ACI Checkin 2 (malware.rules)
  • 2804934 - ETPRO MALWARE Dropper-FQE Checkin (malware.rules)
  • 2804940 - ETPRO MALWARE TrojanDownloader.Win32/Begger.A Checkin (malware.rules)
  • 2804941 - ETPRO MALWARE Win32/Karagany.E Checkin 1 (malware.rules)
  • 2804943 - ETPRO MALWARE Backdoor/Buterat.abl Checkin (malware.rules)
  • 2804945 - ETPRO MALWARE W32/Banload.XPX!tr Checkin (malware.rules)
  • 2804946 - ETPRO MALWARE WinNT/Nagyo.C!rootkit Checkin (malware.rules)
  • 2804954 - ETPRO MALWARE Trojan.Fadedoor.10B-1 Checkin (malware.rules)
  • 2804955 - ETPRO MALWARE Trojan-Downloader.Win32.Banload.arqa Checkin (malware.rules)
  • 2804961 - ETPRO MALWARE W32/Karagany.TK Checkin (malware.rules)
  • 2804969 - ETPRO MALWARE Mal/ZboCheMan-D Checkin (malware.rules)
  • 2804970 - ETPRO MALWARE Trojan.Win32.Inse.c Checkin (malware.rules)
  • 2804975 - ETPRO MALWARE Trojan-Banker.Win32.Bancos.tge Checkin (malware.rules)
  • 2804976 - ETPRO MALWARE Trojan.Win32.Diple.deyt Checkin (malware.rules)
  • 2804985 - ETPRO MALWARE PSW.Banker6.ZXK Checkin (malware.rules)
  • 2804989 - ETPRO MALWARE Trojan-Dropper.Win32.Bina.f Checkin (malware.rules)
  • 2804990 - ETPRO MALWARE Trojan.FirewallBypass.VqX@aCTjNMlb Checkin (malware.rules)
  • 2804998 - ETPRO MALWARE Trojan.Downloader.gen.h Checkin (malware.rules)
  • 2805000 - ETPRO MALWARE HackTool.Win32.VKTools.na Checkin 2 (malware.rules)

Disabled and modified rules:

  • 2026581 - ET MALWARE JavaRAT CnC Checkin (malware.rules)
  • 2026584 - ET MALWARE JavaRAT Sending Screen Size (malware.rules)
  • 2026587 - ET MALWARE JavaRAT Requesting Screenshot (malware.rules)
  • 2832094 - ETPRO MALWARE Possible More_eggs Connectivity Check (malware.rules)
  • 2832632 - ETPRO MALWARE MalDoc Requesting Ursnif Payload 2018-09-17 (malware.rules)
  • 2833200 - ETPRO MALWARE Win32/BR.Banload CnC Checkin Activity (malware.rules)
  • 2833284 - ETPRO MALWARE XpertRAT CnC Requesting Passwords (malware.rules)
  • 2833400 - ETPRO MALWARE EvilVNC Backdoor CnC Checkin (malware.rules)