Ruleset Update Summary - 2024/02/26 - v10540

Summary:

37 new OPEN, 51 new PRO (37 + 14)

Thanks @StratosphereIPS, @Unit42_Intel


Added rules:

Open:

  • 2051079 - ET MALWARE PyRation Variant - Command Sent to Client (malware.rules)
  • 2051080 - ET MALWARE PyRation Variant - Action Sent to Client (malware.rules)
  • 2051081 - ET MALWARE PyRation Variant - Configuration Response (malware.rules)
  • 2051082 - ET MALWARE PyRation Variant - Configuration Request (malware.rules)
  • 2051083 - ET MALWARE DNS Query to Lactrodectus Domain (malware.rules)
  • 2051084 - ET MALWARE DNS Query to Lactrodectus Domain (malware.rules)
  • 2051085 - ET MALWARE Observed Lactrodectus Domain in TLS SNI (malware.rules)
  • 2051086 - ET MALWARE Observed Lactrodectus Domain in TLS SNI (malware.rules)
  • 2051087 - ET MALWARE Malvertising Domain in DNS Lookup (parsic .org) (malware.rules)
  • 2051088 - ET MALWARE Malvertising Domain in DNS Lookup (reclaimmycredit .com) (malware.rules)
  • 2051089 - ET MALWARE Observed Malvertising Domain (parsic .org) in TLS SNI (malware.rules)
  • 2051090 - ET MALWARE Observed Malvertising Domain (reclaimmycredit .com) in TLS SNI (malware.rules)
  • 2051091 - ET MALWARE Unknown Malvertising Payload CnC Checkin (PSecWin) (malware.rules)
  • 2051092 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (varinspector .com) (exploit_kit.rules)
  • 2051093 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (asyncfunctionapi .com) (exploit_kit.rules)
  • 2051094 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (varinspector .com) (exploit_kit.rules)
  • 2051095 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (asyncfunctionapi .com) (exploit_kit.rules)
  • 2051096 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .collection .aixpirts .com) (malware.rules)
  • 2051097 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .collection .aixpirts .com) (malware.rules)
  • 2051098 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (aljannatquranteach .com) (exploit_kit.rules)
  • 2051099 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bbsupplyandsalon .com) (exploit_kit.rules)
  • 2051100 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (betsmovepiyango47 .com) (exploit_kit.rules)
  • 2051101 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bigcuda .com) (exploit_kit.rules)
  • 2051102 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (eduvationgroup .com) (exploit_kit.rules)
  • 2051103 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (eoskinec .com) (exploit_kit.rules)
  • 2051104 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ezwhatsappp .com) (exploit_kit.rules)
  • 2051105 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (growcalm .com) (exploit_kit.rules)
  • 2051106 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (grupodistribuidora .com) (exploit_kit.rules)
  • 2051107 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (aljannatquranteach .com) (exploit_kit.rules)
  • 2051108 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bbsupplyandsalon .com) (exploit_kit.rules)
  • 2051109 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (betsmovepiyango47 .com) (exploit_kit.rules)
  • 2051110 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bigcuda .com) (exploit_kit.rules)
  • 2051111 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (eduvationgroup .com) (exploit_kit.rules)
  • 2051112 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (eoskinec .com) (exploit_kit.rules)
  • 2051113 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ezwhatsappp .com) (exploit_kit.rules)
  • 2051114 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (growcalm .com) (exploit_kit.rules)
  • 2051115 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (grupodistribuidora .com) (exploit_kit.rules)

Pro:

  • 2856398 - ETPRO MALWARE DNS Query to Hello2Malware Domain (malware.rules)
  • 2856399 - ETPRO MALWARE DNS Query to Hello2Malware Domain (malware.rules)
  • 2856400 - ETPRO MALWARE DNS Query to Hello2Malware Domain (malware.rules)
  • 2856401 - ETPRO MALWARE Observed Hello2Malware Domain (malware.rules)
  • 2856402 - ETPRO MALWARE Observed Hello2Malware Domain (malware.rules)
  • 2856403 - ETPRO MALWARE Observed Hello2Malware Domain (malware.rules)
  • 2856404 - ETPRO PHISHING TA407 Domain in DNS Lookup (phishing.rules)
  • 2856405 - ETPRO PHISHING Observed TA407 Domain in TLS SNI (phishing.rules)
  • 2856406 - ETPRO MALWARE Possible Metamorfo Payload Retrieval Attempt (malware.rules)
  • 2856407 - ETPRO MALWARE Suspected Metamorfo Domain in DNS Lookup (malware.rules)
  • 2856408 - ETPRO MALWARE Suspected Metamorfo Domain in TLS SNI (malware.rules)
  • 2856409 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856410 - ETPRO EXPLOIT_KIT ZPHP Lure Request M6 (exploit_kit.rules)
  • 2856411 - ETPRO EXPLOIT_KIT ZPHP Lure Request M7 (exploit_kit.rules)

Modified inactive rules:

  • 2022341 - ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 6th 2016 M2 (exploit_kit.rules)
  • 2815652 - ETPRO PHISHING Mailbox Update Phish Landing Page Jan 7 (phishing.rules)
  • 2815673 - ETPRO PHISHING Adobe Phishing Landing Jan 8 (phishing.rules)
  • 2815700 - ETPRO PHISHING Adobe Phishing Landing Jan 8 (phishing.rules)
  • 2815748 - ETPRO EXPLOIT_KIT Nuclear EK Payload Jan 12 2016 M1 (exploit_kit.rules)

Disabled and modified rules:

  • 2049846 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .places .creeksidehuntingpreserve .com) (malware.rules)
  • 2049847 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .places .creeksidehuntingpreserve .com) (malware.rules)
  • 2049848 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (proexbit .com) (exploit_kit.rules)
  • 2049849 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (onlinesavingsjournal .com) (exploit_kit.rules)
  • 2049850 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (proximaideia .com) (exploit_kit.rules)
  • 2049851 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (realestateagentnorfolkvirginia .com) (exploit_kit.rules)
  • 2049852 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (polatliems .com) (exploit_kit.rules)
  • 2049853 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (proexbit .com) (exploit_kit.rules)
  • 2049854 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (onlinesavingsjournal .com) (exploit_kit.rules)
  • 2049855 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (proximaideia .com) (exploit_kit.rules)
  • 2049856 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (realestateagentnorfolkvirginia .com) (exploit_kit.rules)
  • 2049857 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (polatliems .com) (exploit_kit.rules)
  • 2855858 - ETPRO EXPLOIT_KIT Keitaro Set-Cookie Inbound to RogueRaticate (03fe2) (exploit_kit.rules)
  • 2856348 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)