Ruleset Update Summary - 2024/02/26 - v10540

rulesbot · February 26, 2024, 9:39pm

Summary:

37 new OPEN, 51 new PRO (37 + 14)

Thanks @StratosphereIPS, @Unit42_Intel

Added rules:

Open:

2051079 - ET MALWARE PyRation Variant - Command Sent to Client (malware.rules)
2051080 - ET MALWARE PyRation Variant - Action Sent to Client (malware.rules)
2051081 - ET MALWARE PyRation Variant - Configuration Response (malware.rules)
2051082 - ET MALWARE PyRation Variant - Configuration Request (malware.rules)
2051083 - ET MALWARE DNS Query to Lactrodectus Domain (malware.rules)
2051084 - ET MALWARE DNS Query to Lactrodectus Domain (malware.rules)
2051085 - ET MALWARE Observed Lactrodectus Domain in TLS SNI (malware.rules)
2051086 - ET MALWARE Observed Lactrodectus Domain in TLS SNI (malware.rules)
2051087 - ET MALWARE Malvertising Domain in DNS Lookup (parsic .org) (malware.rules)
2051088 - ET MALWARE Malvertising Domain in DNS Lookup (reclaimmycredit .com) (malware.rules)
2051089 - ET MALWARE Observed Malvertising Domain (parsic .org) in TLS SNI (malware.rules)
2051090 - ET MALWARE Observed Malvertising Domain (reclaimmycredit .com) in TLS SNI (malware.rules)
2051091 - ET MALWARE Unknown Malvertising Payload CnC Checkin (PSecWin) (malware.rules)
2051092 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (varinspector .com) (exploit_kit.rules)
2051093 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (asyncfunctionapi .com) (exploit_kit.rules)
2051094 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (varinspector .com) (exploit_kit.rules)
2051095 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (asyncfunctionapi .com) (exploit_kit.rules)
2051096 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .collection .aixpirts .com) (malware.rules)
2051097 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .collection .aixpirts .com) (malware.rules)
2051098 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (aljannatquranteach .com) (exploit_kit.rules)
2051099 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bbsupplyandsalon .com) (exploit_kit.rules)
2051100 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (betsmovepiyango47 .com) (exploit_kit.rules)
2051101 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bigcuda .com) (exploit_kit.rules)
2051102 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (eduvationgroup .com) (exploit_kit.rules)
2051103 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (eoskinec .com) (exploit_kit.rules)
2051104 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ezwhatsappp .com) (exploit_kit.rules)
2051105 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (growcalm .com) (exploit_kit.rules)
2051106 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (grupodistribuidora .com) (exploit_kit.rules)
2051107 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (aljannatquranteach .com) (exploit_kit.rules)
2051108 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bbsupplyandsalon .com) (exploit_kit.rules)
2051109 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (betsmovepiyango47 .com) (exploit_kit.rules)
2051110 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bigcuda .com) (exploit_kit.rules)
2051111 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (eduvationgroup .com) (exploit_kit.rules)
2051112 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (eoskinec .com) (exploit_kit.rules)
2051113 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ezwhatsappp .com) (exploit_kit.rules)
2051114 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (growcalm .com) (exploit_kit.rules)
2051115 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (grupodistribuidora .com) (exploit_kit.rules)

Pro:

2856398 - ETPRO MALWARE DNS Query to Hello2Malware Domain (malware.rules)
2856399 - ETPRO MALWARE DNS Query to Hello2Malware Domain (malware.rules)
2856400 - ETPRO MALWARE DNS Query to Hello2Malware Domain (malware.rules)
2856401 - ETPRO MALWARE Observed Hello2Malware Domain (malware.rules)
2856402 - ETPRO MALWARE Observed Hello2Malware Domain (malware.rules)
2856403 - ETPRO MALWARE Observed Hello2Malware Domain (malware.rules)
2856404 - ETPRO PHISHING TA407 Domain in DNS Lookup (phishing.rules)
2856405 - ETPRO PHISHING Observed TA407 Domain in TLS SNI (phishing.rules)
2856406 - ETPRO MALWARE Possible Metamorfo Payload Retrieval Attempt (malware.rules)
2856407 - ETPRO MALWARE Suspected Metamorfo Domain in DNS Lookup (malware.rules)
2856408 - ETPRO MALWARE Suspected Metamorfo Domain in TLS SNI (malware.rules)
2856409 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2856410 - ETPRO EXPLOIT_KIT ZPHP Lure Request M6 (exploit_kit.rules)
2856411 - ETPRO EXPLOIT_KIT ZPHP Lure Request M7 (exploit_kit.rules)

Modified inactive rules:

2022341 - ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 6th 2016 M2 (exploit_kit.rules)
2815652 - ETPRO PHISHING Mailbox Update Phish Landing Page Jan 7 (phishing.rules)
2815673 - ETPRO PHISHING Adobe Phishing Landing Jan 8 (phishing.rules)
2815700 - ETPRO PHISHING Adobe Phishing Landing Jan 8 (phishing.rules)
2815748 - ETPRO EXPLOIT_KIT Nuclear EK Payload Jan 12 2016 M1 (exploit_kit.rules)

Disabled and modified rules:

2049846 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .places .creeksidehuntingpreserve .com) (malware.rules)
2049847 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .places .creeksidehuntingpreserve .com) (malware.rules)
2049848 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (proexbit .com) (exploit_kit.rules)
2049849 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (onlinesavingsjournal .com) (exploit_kit.rules)
2049850 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (proximaideia .com) (exploit_kit.rules)
2049851 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (realestateagentnorfolkvirginia .com) (exploit_kit.rules)
2049852 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (polatliems .com) (exploit_kit.rules)
2049853 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (proexbit .com) (exploit_kit.rules)
2049854 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (onlinesavingsjournal .com) (exploit_kit.rules)
2049855 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (proximaideia .com) (exploit_kit.rules)
2049856 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (realestateagentnorfolkvirginia .com) (exploit_kit.rules)
2049857 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (polatliems .com) (exploit_kit.rules)
2855858 - ETPRO EXPLOIT_KIT Keitaro Set-Cookie Inbound to RogueRaticate (03fe2) (exploit_kit.rules)
2856348 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/11/22 - v10471 Ruleset Updates	281	November 22, 2023
Ruleset Update Summary - 2023/09/19 - v10420 Ruleset Updates	213	September 19, 2023
Ruleset Update Summary - 2023/05/03 - v10315 Ruleset Updates	296	May 3, 2023
Ruleset Update Summary - 2023/12/19 - v10489 Ruleset Updates	211	December 19, 2023
Ruleset Update Summary - 2024/02/23 - v10539 Ruleset Updates	173	February 23, 2024

Ruleset Update Summary - 2024/02/26 - v10540

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Disabled and modified rules:

Related Topics