Ruleset Update Summary - 2024/02/22 - v10538

Summary:

49 new OPEN, 49 new PRO (49 + 0)

Thanks @WithGENIANS, @suyog41


Added rules:

Open:

  • 2051027 - ET MALWARE DNS Query to Malicious Domain (countrysvc .pe .kr) (malware.rules)
  • 2051028 - ET MALWARE DNS Query to Malicious Domain (kakaoteam .site) (malware.rules)
  • 2051029 - ET MALWARE DNS Query to Malicious Domain (naverscorp .shop) (malware.rules)
  • 2051030 - ET MALWARE DNS Query to Malicious Domain (mofamail .shop) (malware.rules)
  • 2051031 - ET MALWARE DNS Query to Malicious Domain (ned .newnotification .server .korea) (malware.rules)
  • 2051032 - ET MALWARE DNS Query to Malicious Domain (cloudown .store) (malware.rules)
  • 2051033 - ET MALWARE DNS Query to Malicious Domain (navigation .cc) (malware.rules)
  • 2051034 - ET MALWARE DNS Query to Malicious Domain (nidnaver .info) (malware.rules)
  • 2051035 - ET MALWARE DNS Query to Malicious Domain (nmail .navermail .online .korea) (malware.rules)
  • 2051036 - ET MALWARE DNS Query to Malicious Domain (naveralarm .com) (malware.rules)
  • 2051037 - ET MALWARE DNS Query to Malicious Domain (navecorps .com) (malware.rules)
  • 2051038 - ET MALWARE DNS Query to Malicious Domain (naveralert .com) (malware.rules)
  • 2051039 - ET MALWARE DNS Query to Malicious Domain (nidnaver .help) (malware.rules)
  • 2051040 - ET MALWARE DNS Query to Malicious Domain (navercafe .info) (malware.rules)
  • 2051041 - ET MALWARE DNS Query to Malicious Domain (civilizations .store) (malware.rules)
  • 2051042 - ET MALWARE DNS Query to Malicious Domain (upbit-service .pe .kr) (malware.rules)
  • 2051043 - ET MALWARE DNS Query to Malicious Domain (akites .site) (malware.rules)
  • 2051044 - ET MALWARE DNS Query to Malicious Domain (taxservice .pe .kr) (malware.rules)
  • 2051045 - ET MALWARE DNS Query to Malicious Domain (mofamail .homes) (malware.rules)
  • 2051046 - ET MALWARE DNS Query to Malicious Domain (kakaoaccouts .store) (malware.rules)
  • 2051047 - ET MALWARE DNS Query to Malicious Domain (upbit2024 .re .kr) (malware.rules)
  • 2051048 - ET MALWARE DNS Query to Malicious Domain (nsvc .mail .server .korea) (malware.rules)
  • 2051049 - ET MALWARE Observed Malicious Domain (countrysvc .pe .kr in TLS SNI) (malware.rules)
  • 2051050 - ET MALWARE Observed Malicious Domain (kakaoteam .site in TLS SNI) (malware.rules)
  • 2051051 - ET MALWARE Observed Malicious Domain (naverscorp .shop in TLS SNI) (malware.rules)
  • 2051052 - ET MALWARE Observed Malicious Domain (mofamail .shop in TLS SNI) (malware.rules)
  • 2051053 - ET MALWARE Observed Malicious Domain (ned .newnotification .server .korea in TLS SNI) (malware.rules)
  • 2051054 - ET MALWARE Observed Malicious Domain (cloudown .store in TLS SNI) (malware.rules)
  • 2051055 - ET MALWARE Observed Malicious Domain (navigation .cc in TLS SNI) (malware.rules)
  • 2051056 - ET MALWARE Observed Malicious Domain (nidnaver .info in TLS SNI) (malware.rules)
  • 2051057 - ET MALWARE Observed Malicious Domain (nmail .navermail .online .korea in TLS SNI) (malware.rules)
  • 2051058 - ET MALWARE Observed Malicious Domain (naveralarm .com in TLS SNI) (malware.rules)
  • 2051059 - ET MALWARE Observed Malicious Domain (navecorps .com in TLS SNI) (malware.rules)
  • 2051060 - ET MALWARE Observed Malicious Domain (naveralert .com in TLS SNI) (malware.rules)
  • 2051061 - ET MALWARE Observed Malicious Domain (nidnaver .help in TLS SNI) (malware.rules)
  • 2051062 - ET MALWARE Observed Malicious Domain (navercafe .info in TLS SNI) (malware.rules)
  • 2051063 - ET MALWARE Observed Malicious Domain (civilizations .store in TLS SNI) (malware.rules)
  • 2051064 - ET MALWARE Observed Malicious Domain (upbit-service .pe .kr in TLS SNI) (malware.rules)
  • 2051065 - ET MALWARE Observed Malicious Domain (akites .site in TLS SNI) (malware.rules)
  • 2051066 - ET MALWARE Observed Malicious Domain (taxservice .pe .kr in TLS SNI) (malware.rules)
  • 2051067 - ET MALWARE Observed Malicious Domain (mofamail .homes in TLS SNI) (malware.rules)
  • 2051068 - ET MALWARE Observed Malicious Domain (kakaoaccouts .store in TLS SNI) (malware.rules)
  • 2051069 - ET MALWARE Observed Malicious Domain (upbit2024 .re .kr in TLS SNI) (malware.rules)
  • 2051070 - ET MALWARE Observed Malicious Domain (nsvc .mail .server .korea in TLS SNI) (malware.rules)
  • 2051071 - ET MALWARE Elusive Stealer CnC Exfil via Telegram (malware.rules)
  • 2051072 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (gitbrancher .com) (exploit_kit.rules)
  • 2051073 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (gitbrancher .com) (exploit_kit.rules)
  • 2051074 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (machineryideas .com) (exploit_kit.rules)
  • 2051075 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (machineryideas .com) (exploit_kit.rules)
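The domain-based rules above (DNS query and TLS SNI variants of the same indicator, plus the TDS/ZPHP lookups) quote each domain defanged, with a space before every dot. As an added example, not part of this Emerging Threats summary or of the ET/Suricata code base, the script below parses an excerpt of the summary, refangs the domains, and runs them over constructed DNS and TLS-SNI log lines so the new indicators can be triaged against existing telemetry. The log line format, the treatment of a plain entry as also covering its subdomains, and the treatment of a `*` entry as matching proper subdomains only are assumptions of the example, not a description of how the ET rules themselves match; the excerpt includes a rule without a domain (2051071) and a wildcard entry (2049727, from the modified list) to show both edge cases.

```python
"""Refang the domains quoted in an ET ruleset update summary and check them
against DNS / TLS-SNI log lines (added example, not ET or Suricata code)."""
import re
from dataclasses import dataclass

# Lines copied from the update summary above; domains are defanged ("x .y").
SUMMARY_EXCERPT = """\
  • 2051027 - ET MALWARE DNS Query to Malicious Domain (countrysvc .pe .kr) (malware.rules)
  • 2051035 - ET MALWARE DNS Query to Malicious Domain (nmail .navermail .online .korea) (malware.rules)
  • 2051049 - ET MALWARE Observed Malicious Domain (countrysvc .pe .kr in TLS SNI) (malware.rules)
  • 2051071 - ET MALWARE Elusive Stealer CnC Exfil via Telegram (malware.rules)
  • 2051072 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (gitbrancher .com) (exploit_kit.rules)
  • 2049727 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .scheme .corycabana .net) (malware.rules)
"""

# Constructed log lines for illustration: "<timestamp> <src-ip> <dns|sni> <name>".
LOG_LINES = [
    "2024-02-22T10:01:02Z 10.0.0.5 dns countrysvc.pe.kr",
    "2024-02-22T10:02:11Z 10.0.0.7 dns mail.naver.com",
    "2024-02-22T10:03:45Z 10.0.0.9 dns gitbrancher.com",
    "2024-02-22T10:04:00Z 10.0.0.9 dns cdn.scheme.corycabana.net",  # only an SNI rule exists for this
    "2024-02-22T10:05:10Z 10.0.0.5 sni countrysvc.pe.kr",
    "2024-02-22T10:06:00Z 10.0.0.9 sni cdn.scheme.corycabana.net",
    "2024-02-22T10:06:30Z 10.0.0.9 sni scheme.corycabana.net",       # apex, not a proper subdomain
    "2024-02-22T10:07:00Z 10.0.0.2 sni update.microsoft.com",
]


@dataclass(frozen=True)
class Indicator:
    sid: int
    channel: str   # "dns" or "sni"
    pattern: str   # refanged, lower-case; may start with "*."
    msg: str


LINE_RE = re.compile(r"^\s*•\s*(\d+)\s*-\s*(.+?)\s*\(([\w-]+\.rules)\)\s*$")
PAREN_RE = re.compile(r"\(([^()]+)\)")
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(dns|sni)\s+(\S+)$")


def refang(defanged: str) -> str:
    """'countrysvc .pe .kr' -> 'countrysvc.pe.kr'; tolerates spaces on either side of a dot."""
    return re.sub(r"\s*\.\s*", ".", defanged.strip()).lower()


def parse_summary(text: str) -> list[Indicator]:
    """Extract (sid, channel, domain) from summary bullets; skip rules with no domain."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        sid, msg = int(m.group(1)), m.group(2)
        # The domain is the parenthesised group that contains a defanged dot.
        groups = [g for g in PAREN_RE.findall(msg) if " ." in g]
        if not groups:
            continue  # e.g. 2051071 (Telegram exfil) carries no domain
        channel = "sni" if "TLS SNI" in msg else "dns"
        out.append(Indicator(sid, channel, refang(groups[-1].replace(" in TLS SNI", "")), msg))
    return out


def host_matches(pattern: str, host: str) -> bool:
    """Assumed semantics: '*.suffix' matches proper subdomains of suffix only;
    a plain entry matches the name itself or anything beneath it."""
    host = host.rstrip(".").lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern or host.endswith("." + pattern)


def scan_logs(indicators: list[Indicator], lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (sid, src_ip, name) for every log line hit by an indicator of the same channel."""
    by_channel: dict[str, list[Indicator]] = {}
    for ind in indicators:
        by_channel.setdefault(ind.channel, []).append(ind)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, src, kind, name = m.groups()
        for ind in by_channel.get(kind, []):
            if host_matches(ind.pattern, name):
                hits.append((ind.sid, src, name))
    return hits


if __name__ == "__main__":
    for sid, src, name in scan_logs(parse_summary(SUMMARY_EXCERPT), LOG_LINES):
        print(f"sid {sid}: {src} -> {name}")
```

Keeping the DNS and SNI channels separate matters: a host that only ever shows up in TLS SNI (here `cdn.scheme.corycabana.net` in a DNS line) is not a hit for the SNI-only rule, which mirrors the way the summary ships each indicator as a separate DNS and SNI sid rather than one generic domain rule.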

Modified inactive rules:

  • 2002780 - ET MALWARE Goldun Reporting User Activity 2 (malware.rules)
  • 2008660 - ET MALWARE Torpig Infection Reporting (malware.rules)
  • 2009449 - ET MALWARE Trash Family - HTTP POST (malware.rules)
  • 2010268 - ET MALWARE W32.SillyFDC Checkin (malware.rules)
  • 2010821 - ET MALWARE Java Downloader likely malicious payload download src=xrun (malware.rules)
  • 2010872 - ET MALWARE Pragma hack Detected Outbound - Likely Infected Source (malware.rules)
  • 2011312 - ET POLICY hide-my-ip.com POST version check (policy.rules)
  • 2011999 - ET MALWARE Trojan.Spy.YEK MAC and IP POST (malware.rules)
  • 2012321 - ET POLICY HTTP Request to a *.cx.cc domain (policy.rules)
  • 2012521 - ET MALWARE Generic Win32 Banker Trojan CheckIn (malware.rules)
  • 2012650 - ET MALWARE HTTP Request to a Malware Related Numerical .cn Domain (malware.rules)
  • 2012689 - ET POLICY LoJack asset recovery/tracking - not malicious (policy.rules)
  • 2012736 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin (malware.rules)
  • 2012865 - ET MALWARE Vinself Backdoor Checkin (malware.rules)
  • 2013189 - ET MALWARE Unknown Dropper HTTP POST Check-in (malware.rules)
  • 2014028 - ET MALWARE Likely CryptMEN FakeAV Download vclean (malware.rules)
  • 2014172 - ET MALWARE TROJAN ClickCounter Connectivity Check (malware.rules)
  • 2014356 - ET MALWARE W32/ProxyChanger.InfoStealer Checkin (malware.rules)
  • 2014570 - ET MALWARE HTTP Request to a known malware domain (regicsgf.net) (malware.rules)
  • 2014755 - ET MALWARE W32/HupigonUser.Backdoor Rabclib UA Checkin (malware.rules)
  • 2015529 - ET INFO Googlebot User-Agent Outbound (likely malicious) (info.rules)
  • 2017031 - ET EXPLOIT_KIT Unknown_InIFRAME - In Referer (exploit_kit.rules)
  • 2017813 - ET CURRENT_EVENTS Safe/CritX/FlashPack Payload (current_events.rules)
  • 2018162 - ET WEB_CLIENT Malicious Redirect Evernote Spam Campaign Feb 19 2014 (web_client.rules)
  • 2018190 - ET CURRENT_EVENTS Possible FakeAV .exe.vbe HTTP Content-Disposition (current_events.rules)
  • 2018237 - ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight file as eot (current_events.rules)
  • 2018362 - ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF (exploit_kit.rules)
  • 2018400 - ET MALWARE BitCrypt Ransomware Domain (malware.rules)
  • 2018595 - ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing May 23 2014 (exploit_kit.rules)
  • 2018737 - ET EXPLOIT_KIT Fake CDN Sweet Orange Gate July 17 2014 (exploit_kit.rules)
  • 2018873 - ET MALWARE Tor based locker Ransom Page (malware.rules)
  • 2018990 - ET EXPLOIT_KIT Unknown Malvertising EK Payload URI Sruct Aug 22 2014 (exploit_kit.rules)
  • 2018991 - ET EXPLOIT_KIT Unknown Malvertising EK Silverlight URI Sruct Aug 22 2014 (exploit_kit.rules)
  • 2018993 - ET EXPLOIT_KIT Unknown Malvertising EK Payload URI Sruct Aug 22 2014 (exploit_kit.rules)
  • 2019005 - ET EXPLOIT_KIT FlashPack EK Redirect Aug 25 2014 (exploit_kit.rules)
  • 2019073 - ET EXPLOIT_KIT NullHole EK Landing Redirect Aug 27 2014 (exploit_kit.rules)
  • 2019100 - ET EXPLOIT_KIT FlashPack EK Redirect Sept 01 2014 (exploit_kit.rules)
  • 2802971 - ETPRO MALWARE Killproc.5707/Generic Checkin Request 1 (malware.rules)
  • 2804240 - ETPRO MALWARE TrojanDownloader.Win32/Delf.NK (malware.rules)
  • 2804301 - ETPRO MALWARE Win32/TrojanDownloader.Banload.QOM Checkin (malware.rules)
  • 2804323 - ETPRO MALWARE Win32/Ransom.EJ checkin (malware.rules)
  • 2804446 - ETPRO MALWARE Win32/Votead Checkin (malware.rules)
  • 2804543 - ETPRO MALWARE Backdoor.Win32.Hupigon Checkin (malware.rules)
  • 2804577 - ETPRO MALWARE TrojanDownloader.Win32/Waledac.C Checkin (malware.rules)
  • 2804752 - ETPRO MALWARE Trojan-Banker.Win32.Banker2.bwv Checkin (malware.rules)
  • 2804753 - ETPRO MALWARE Win32/Wadolin.A Checkin (malware.rules)
  • 2804849 - ETPRO MALWARE Win32/Spy.Bancos.OMJ Checkin (malware.rules)
  • 2804876 - ETPRO MALWARE Win32/Coswid.A Checkin (malware.rules)
  • 2804901 - ETPRO MALWARE Trojan-Clicker.Win32.VB.alu Checkin (malware.rules)
  • 2805075 - ETPRO MALWARE W32/VBKrypt.LYKL!tr Checkin (malware.rules)
  • 2805186 - ETPRO MALWARE Madhi Trojan checkin (malware.rules)
  • 2805329 - ETPRO MALWARE Trojan Elirks cyber-espionage campaign microblogging service Plurk known account (malware.rules)
  • 2805345 - ETPRO MALWARE Troj/Mdrop-DXT checkin 1 (malware.rules)
  • 2805640 - ETPRO MALWARE Backdoor.Win32.PcClient.cqm Checkin (malware.rules)
  • 2805716 - ETPRO MALWARE Win32.Doldow Trojan Checkin (malware.rules)
  • 2807199 - ETPRO HUNTING SUSPICIOUS WordPerfect Document with .doc extension 2 (hunting.rules)
  • 2807975 - ETPRO MALWARE Trojan.DownLoader9.54232 Checkin (malware.rules)
  • 2808313 - ETPRO MALWARE Win32.Tavex.A Checkin 2 (malware.rules)
  • 2808774 - ETPRO MALWARE Win32.Sasfis Checkin (malware.rules)
  • 2808807 - ETPRO MALWARE Win32/PSWTool.WebBrowserPassView.B checkin (malware.rules)

Disabled and modified rules:

  • 2048761 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (metallife .org) (exploit_kit.rules)
  • 2048762 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (metallife .org) (exploit_kit.rules)
  • 2049722 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (lindarealtytulum .com) (exploit_kit.rules)
  • 2049723 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (fulfillityourself .com) (exploit_kit.rules)
  • 2049724 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (lindarealtytulum .com) (exploit_kit.rules)
  • 2049725 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (fulfillityourself .com) (exploit_kit.rules)
  • 2049727 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .scheme .corycabana .net) (malware.rules)
  • 2049823 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (froggysnow .org) (exploit_kit.rules)
  • 2049824 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (confirmapply .org) (exploit_kit.rules)
  • 2049826 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (froggysnow .org) (exploit_kit.rules)
  • 2049827 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (confirmapply .org) (exploit_kit.rules)
  • 2050288 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (app .documentoffice .club) (malware.rules)
  • 2050289 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (benefitinfo .live) (malware.rules)
  • 2050290 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (benefitinfo .pro) (malware.rules)
  • 2050291 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (benefiturl .pro) (malware.rules)
  • 2050292 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (careagency .online) (malware.rules)
  • 2050293 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (cra-receivenow .online) (malware.rules)
  • 2050294 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (crareceive .site) (malware.rules)
  • 2050295 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (depositurl .co) (malware.rules)
  • 2050296 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (depositurl .lat) (malware.rules)
  • 2050297 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (direct .traderfree .online) (malware.rules)
  • 2050298 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (forex .traderfree .online) (malware.rules)
  • 2050299 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (groceryrebate .online) (malware.rules)
  • 2050300 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (groceryrebate .site) (malware.rules)
  • 2050301 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (gstcreceive .online) (malware.rules)
  • 2050302 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (instantreceive .org) (malware.rules)
  • 2050303 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (nav .offlinedocument .site) (malware.rules)
  • 2050304 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (receive .bio) (malware.rules)
  • 2050305 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (receiveinstant .online) (malware.rules)
  • 2050306 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (rentsubsidy .help) (malware.rules)
  • 2050307 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (rentsubsidy .online) (malware.rules)
  • 2050308 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (tinyurlinstant .co) (malware.rules)
  • 2050309 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (urldepost .co) (malware.rules)
  • 2050310 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (verifyca .online) (malware.rules)
  • 2050311 - ET MALWARE ScarCruft TA409 Domain in DNS Lookup (visiononline .store) (malware.rules)
  • 2050312 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (app .documentoffice .club) (malware.rules)
  • 2050313 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (benefitinfo .live) (malware.rules)
  • 2050314 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (benefitinfo .pro) (malware.rules)
  • 2050315 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (benefiturl .pro) (malware.rules)
  • 2050316 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (careagency .online) (malware.rules)
  • 2050317 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (cra-receivenow .online) (malware.rules)
  • 2050318 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (crareceive .site) (malware.rules)
  • 2050319 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (depositurl .co) (malware.rules)
  • 2050320 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (depositurl .lat) (malware.rules)
  • 2050321 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (direct .traderfree .online) (malware.rules)
  • 2050322 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (forex .traderfree .online) (malware.rules)
  • 2050323 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (groceryrebate .online) (malware.rules)
  • 2050324 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (groceryrebate .site) (malware.rules)
  • 2050325 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (gstcreceive .online) (malware.rules)
  • 2050326 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (instantreceive .org) (malware.rules)
  • 2050327 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (nav .offlinedocument .site) (malware.rules)
  • 2050328 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (receive .bio) (malware.rules)
  • 2050329 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (receiveinstant .online) (malware.rules)
  • 2050330 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (rentsubsidy .help) (malware.rules)
  • 2050331 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (rentsubsidy .online) (malware.rules)
  • 2050332 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (tinyurlinstant .co) (malware.rules)
  • 2050333 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (urldepost .co) (malware.rules)
  • 2050334 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (verifyca .online) (malware.rules)
  • 2050335 - ET MALWARE ScarCruft TA409 Domain in TLS SNI (visiononline .store) (malware.rules)
  • 2856288 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)