Ruleset Update Summary - 2024/02/20 - v10536

Ruleset Updates
1

Summary:

36 new OPEN, 36 new PRO (36 + 0)

Added rules:

Open:

  • 2050952 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (associationokeo .shop) (malware.rules)
  • 2050953 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pw) (malware.rules)
  • 2050954 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (chocolatedepressofw .fun) (malware.rules)
  • 2050955 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (problemregardybuiwo .fun) (malware.rules)
  • 2050956 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (turkeyunlikelyofw .shop) (malware.rules)
  • 2050957 - ET MALWARE Observed Lumma Stealer Related Domain (associationokeo .shop in TLS SNI) (malware.rules)
  • 2050958 - ET MALWARE Observed Lumma Stealer Related Domain (pooreveningfuseor .pw in TLS SNI) (malware.rules)
  • 2050959 - ET MALWARE Observed Lumma Stealer Related Domain (chocolatedepressofw .fun in TLS SNI) (malware.rules)
  • 2050960 - ET MALWARE Observed Lumma Stealer Related Domain (problemregardybuiwo .fun in TLS SNI) (malware.rules)
  • 2050961 - ET MALWARE Observed Lumma Stealer Related Domain (turkeyunlikelyofw .shop in TLS SNI) (malware.rules)
  • 2050962 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (theoryapparatusjuko .funy) (malware.rules)
  • 2050963 - ET MALWARE Observed Lumma Stealer Related Domain (theoryapparatusjuko .funy in TLS SNI) (malware.rules)
  • 2050964 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (greenbowelsustainny .fun) (malware.rules)
  • 2050965 - ET MALWARE Observed Lumma Stealer Related Domain (greenbowelsustainny .fun in TLS SNI) (malware.rules)
  • 2050966 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (theoryapparatusjuko .funl) (malware.rules)
  • 2050967 - ET MALWARE Observed Lumma Stealer Related Domain (theoryapparatusjuko .funl in TLS SNI) (malware.rules)
  • 2050968 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fikkeropendorwiw .pw) (malware.rules)
  • 2050969 - ET MALWARE Observed Lumma Stealer Related Domain (fikkeropendorwiw .pw in TLS SNI) (malware.rules)
  • 2050970 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (numberlesswortheiwol .shop) (malware.rules)
  • 2050971 - ET MALWARE Observed Lumma Stealer Related Domain (numberlesswortheiwol .shop in TLS SNI) (malware.rules)
  • 2050972 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (superiorhardwaerw .pw) (malware.rules)
  • 2050973 - ET MALWARE Observed Lumma Stealer Related Domain (superiorhardwaerw .pw in TLS SNI) (malware.rules)
  • 2050974 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pwl) (malware.rules)
  • 2050975 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (villagemagneticcsa .fun) (malware.rules)
  • 2050976 - ET MALWARE Observed Lumma Stealer Related Domain (pooreveningfuseor .pwl in TLS SNI) (malware.rules)
  • 2050977 - ET MALWARE Observed Lumma Stealer Related Domain (villagemagneticcsa .fun in TLS SNI) (malware.rules)
  • 2050978 - ET MOBILE_MALWARE Android Kamran Malware Related CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2050979 - ET HUNTING - DNS Response containing multiple DNSSEC RRSIG Entries (Algorithm 14) - Possible CVE-2023-50387 Activity (hunting.rules)
  • 2050980 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (s14-nextjs .net) (exploit_kit.rules)
  • 2050981 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (donnows .com) (exploit_kit.rules)
  • 2050982 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (s14-nextjs .net) (exploit_kit.rules)
  • 2050983 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (donnows .com) (exploit_kit.rules)
  • 2050984 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (posiit .com) (exploit_kit.rules)
  • 2050985 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (posiit .com) (exploit_kit.rules)
  • 2050986 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (freegeneratorai .com) (exploit_kit.rules)
  • 2050987 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (freegeneratorai .com) (exploit_kit.rules)

Modified inactive rules:

  • 2010283 - ET MALWARE Opachki Link Hijacker HTTP Header Injection (malware.rules)
  • 2011403 - ET MALWARE Yoyo-DDoS Bot HTTP Flood Attack Outbound (malware.rules)
  • 2012609 - ET EXPLOIT Phoenix Java Exploit Attempt Request for .class from octal host (exploit.rules)
  • 2013154 - ET MALWARE Backdoor.Win32.Gbod.dv Checkin (malware.rules)
  • 2013384 - ET MALWARE W32/Siscos CnC Checkin (malware.rules)
  • 2013869 - ET P2P Torrent Client User-Agent (Solid Core/0.82) (p2p.rules)
  • 2013976 - ET MALWARE Zeus POST Request to CnC - URL agnostic (malware.rules)
  • 2014229 - ET MALWARE NfLog Checkin (malware.rules)
  • 2015526 - ET WEB_SERVER Fake Googlebot UA 1 Inbound (web_server.rules)
  • 2015676 - ET EXPLOIT_KIT Unknown Java Exploit Kit Payload Download Request - Sep 04 2012 (exploit_kit.rules)
  • 2015724 - ET EXPLOIT_KIT pamdql Exploit Kit 09/25/12 Sending Jar (exploit_kit.rules)
  • 2015970 - ET EXPLOIT_KIT Zuponcic EK Payload Request (exploit_kit.rules)
  • 2015999 - ET MALWARE W32/Quarian HTTP Proxy Header (malware.rules)
  • 2016051 - ET MALWARE W32.Daws/Sanny CnC POST (malware.rules)
  • 2016053 - ET EXPLOIT_KIT Unknown_gmf EK - Payload Download Received (exploit_kit.rules)
  • 2016054 - ET EXPLOIT_KIT Unknown_gmf EK - Server Response - Application Error (exploit_kit.rules)
  • 2016142 - ET EXPLOIT_KIT Sweet Orange Java payload request (2) (exploit_kit.rules)
  • 2016595 - ET INFO SUSPICIOUS Java Request to cd.am Dynamic DNS Domain (info.rules)
  • 2016598 - ET EXPLOIT_KIT CrimeBoss - Java Exploit - jmx.jar (exploit_kit.rules)
  • 2016784 - ET EXPLOIT_KIT Fiesta - Payload - flashplayer11 (exploit_kit.rules)
  • 2017027 - ET MALWARE Unknown Webserver Backdoor Domain (google-analytcs) (malware.rules)
  • 2017030 - ET EXPLOIT_KIT Unknown_InIFRAME - Redirect to /iniframe/ URI (exploit_kit.rules)
  • 2017146 - ET WEB_SERVER HTTP Request Smuggling Attempt - Double Content-Length Headers (web_server.rules)
  • 2017147 - ET WEB_SERVER HTTP Request Smuggling Attempt - Two Transfer-Encoding Values Specified (web_server.rules)
  • 2017154 - ET DOS Squid-3.3.5 DoS (dos.rules)
  • 2017200 - ET EXPLOIT_KIT Possible Sakura Jar Download (exploit_kit.rules)
  • 2017296 - ET MALWARE Possible CritX/SafePack/FlashPack Jar Download (malware.rules)
  • 2017297 - ET MALWARE Possible CritX/SafePack/FlashPack EXE Download (malware.rules)
  • 2017473 - ET EXPLOIT_KIT Possible CoolEK Variant Payload Download Sep 16 2013 (exploit_kit.rules)
  • 2017579 - ET HUNTING SUSPICIOUS Possible Secondary Indicator of Java Exploit (Artifact Observed mostly in EKs/a few mis-configured apps) (hunting.rules)
  • 2017580 - ET CURRENT_EVENTS DotkaChef Payload October 09 (current_events.rules)
  • 2017628 - ET MALWARE Possible Sakura Jar Download Oct 22 2013 (malware.rules)
  • 2017644 - ET CURRENT_EVENTS Host Domain .bit (current_events.rules)
  • 2017663 - ET EXPLOIT Fredcot campaign php5-cgi initial exploit (exploit.rules)
  • 2017696 - ET WEB_CLIENT FaceBook IM & Web Driven Facebook Trojan Download (web_client.rules)
  • 2017791 - ET CURRENT_EVENTS Polling/Check-in/Compromise from fake DHL mailing campaign (current_events.rules)
  • 2017811 - ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java Jar Download (exploit_kit.rules)
  • 2017861 - ET EXPLOIT_KIT Grandsoft/SofosFO EK Java Payload URI Struct (exploit_kit.rules)
  • 2804085 - ETPRO MALWARE Trojan.Win32.Scar.febz Checkin (malware.rules)
  • 2805018 - ETPRO MALWARE Trojan.Win32.Buzus.liir Checkin (malware.rules)
  • 2805403 - ETPRO MALWARE Win32/Pift Drop/Checkin (malware.rules)
  • 2805406 - ETPRO MALWARE W32/DragonEye.C Checkin (malware.rules)
  • 2805414 - ETPRO MALWARE Win32/Vundo.HIY Checkin (malware.rules)
  • 2805416 - ETPRO MALWARE Unknown dnsd.me Related Trojan Checkin a (malware.rules)
  • 2805417 - ETPRO MALWARE Win32/Vobfus Checkin (malware.rules)
  • 2805420 - ETPRO MALWARE Sality.IK!/Tedroo.AE Checkin (malware.rules)
  • 2805421 - ETPRO MALWARE IEXPL0RE RAT Checkin (malware.rules)
  • 2805437 - ETPRO MALWARE Win32/PSW.VB.NIH Checkin (malware.rules)
  • 2805459 - ETPRO MALWARE Win32/Punad.G infected system ad retrieve (malware.rules)
  • 2805461 - ETPRO MALWARE Backdoor.Java.KBP Checkin (malware.rules)
  • 2805466 - ETPRO MALWARE Tilon Checkin (malware.rules)
  • 2805473 - ETPRO MALWARE Downloader.MSIL.Tiny.bs Checkin (malware.rules)
  • 2805490 - ETPRO MALWARE Ysreef Checkin 1 (malware.rules)
  • 2805491 - ETPRO MALWARE Ysreef Checkin 2 (malware.rules)
  • 2805498 - ETPRO MALWARE Backdoor.Win32.Rbot.gen Checkin (malware.rules)
  • 2805533 - ETPRO MALWARE updmgr Checkin (malware.rules)
  • 2805534 - ETPRO MALWARE updmgr Checkin 2 (malware.rules)
  • 2805545 - ETPRO MALWARE Trojan-Dropper.Win32.Smiscer.hf Checkin (malware.rules)
  • 2805547 - ETPRO MALWARE W32/Agent.SUTT!tr Checkin (malware.rules)
  • 2805579 - ETPRO MALWARE Trojan-Spy.Win32.Perfloger.ai Checkin (malware.rules)
  • 2805580 - ETPRO MALWARE Win32/Tufik.A Checkin (malware.rules)
  • 2805581 - ETPRO MALWARE W32.Theals.A@mm Checkin (malware.rules)
  • 2805589 - ETPRO MALWARE TR/Spy.Keylogg.AE.1 Checkin (malware.rules)
  • 2805590 - ETPRO MALWARE W32/AutoIt.OU!tr Checkin (malware.rules)
  • 2805594 - ETPRO MALWARE Exploit.PDF Checkin (malware.rules)
  • 2805595 - ETPRO MALWARE Banload.XP Checkin (malware.rules)
  • 2805604 - ETPRO MALWARE Win32/Dunik!rts Checkin (malware.rules)
  • 2805613 - ETPRO MALWARE Trojan-DDoS.MSIL.Arcdoor.n Proxy Registration (malware.rules)
  • 2805626 - ETPRO MALWARE Unknown Checkin (malware.rules)
  • 2805652 - ETPRO MALWARE Variant.Kazy.95254 Checkin (malware.rules)
  • 2805659 - ETPRO MALWARE Win32/Dofoil.R Checkin (malware.rules)
  • 2805671 - ETPRO MALWARE Variant.Barys.1820 Checkin (malware.rules)
  • 2805674 - ETPRO MALWARE Virus.Win32.Virut.a Proxy Registration (malware.rules)
  • 2805676 - ETPRO MALWARE Win32/FakeMSA.gen!A Checkin (malware.rules)
  • 2805701 - ETPRO MALWARE Win32/Phintok.A Checkin 1 (malware.rules)
  • 2805707 - ETPRO MALWARE Backdoor.Win32.DarkMoon.BE Checkin 1 (malware.rules)
  • 2805708 - ETPRO MALWARE Backdoor.Win32.DarkMoon.BE Checkin 2 (malware.rules)
  • 2805712 - ETPRO MALWARE W32/Banker.ULW!tr Checkin (malware.rules)
  • 2805733 - ETPRO MALWARE Win32/Virut.BN Checkin 3 (malware.rules)
  • 2805751 - ETPRO MALWARE Trojan-Proxy.Win32.Ranky Checkin (malware.rules)
  • 2805777 - ETPRO MALWARE Trojan-Proxy.Win32.Agent.di / TROJ_MSGINA.B Checkin (malware.rules)
  • 2805822 - ETPRO MALWARE Android/Gmaster.A Checkin (malware.rules)
  • 2805839 - ETPRO MALWARE Win32/Tibs.gen!G / Trojan-Downloader.Win32.Zlob.jsq Checkin (malware.rules)
  • 2806152 - ETPRO MALWARE TeamSpy Campaign module download (malware.rules)
  • 2807105 - ETPRO DOS Possible MS13-082 JSON Parsing Vulnerability CVE-2013-3861 Attempt 1 (dos.rules)
  • 2807106 - ETPRO DOS Possible MS13-082 JSON Parsing Vulnerability CVE-2013-3861 Attempt 2 (dos.rules)
  • 2807193 - ETPRO MALWARE Trojan-Ransom.Win32.Foreign.jcov Checkin (malware.rules)

Disabled and modified rules:

  • 2028597 - ET MALWARE Win32/Tflower Ransomware CnC Checkin (malware.rules)
  • 2050170 - ET INFO Observed DNS Over HTTPS Domain (dns2 .nhgnet .de in TLS SNI) (info.rules)
  • 2050176 - ET INFO Observed DNS Over HTTPS Domain (addns1 .m-it .ro in TLS SNI) (info.rules)
  • 2050177 - ET INFO Observed DNS Over HTTPS Domain (lv .long-nguyen .info in TLS SNI) (info.rules)
  • 2050178 - ET INFO Observed DNS Over HTTPS Domain (nilanjan .me in TLS SNI) (info.rules)
  • 2050179 - ET INFO Observed DNS Over HTTPS Domain (adguard .oms-ctr .ru in TLS SNI) (info.rules)
  • 2050180 - ET INFO Observed DNS Over HTTPS Domain (doh .niyaru .online in TLS SNI) (info.rules)
  • 2050181 - ET INFO Observed DNS Over HTTPS Domain (dns .netraptor .com .au in TLS SNI) (info.rules)
  • 2050182 - ET INFO Observed DNS Over HTTPS Domain (doh .mn-bonn .de in TLS SNI) (info.rules)
  • 2835109 - ETPRO MALWARE Observed Malicious JScript Downloader Inbound (malware.rules)
  • 2836766 - ETPRO MALWARE Possible Java/Unk.Backdoor Style IP Address Check (malware.rules)
  • 2837823 - ETPRO MALWARE Win32/Wexw Backdoor Checkin (malware.rules)
  • 2838020 - ETPRO MALWARE Zeropadypt/Limbo/Ouroboros Ransomware CnC Checkin (malware.rules)
  • 2838106 - ETPRO MALWARE Sharik/Smokeloader CnC Beacon 16 (malware.rules)
  • 2838349 - ETPRO MALWARE Win32/TrickBot CnC Initial Checkin (malware.rules)
  • 2838770 - ETPRO MALWARE MalDoc Requesting FTCode / Stealer Payload (malware.rules)
  • 2838771 - ETPRO MALWARE FTCode Ransomware VBS Inbound (malware.rules)