Ruleset Update Summary - 2024/02/28 - v10542

rulesbot · February 28, 2024, 9:36pm

Summary:

19 new OPEN, 19 new PRO (19 + 0)

Thanks @jpcert_en, @suyog41, ahnlab_secuinfo

To all Emerging Threats customers: Please be aware that Friday, March 1st, 2024 is a Proofpoint company holiday. As a result, there will be no new rule release that day. Rule releases will commence the next business day, Monday, March 4th, 2024.

Added rules:

Open:

2051134 - ET MALWARE Suspected TA430/Andariel AndarLoader Related CnC Domain in DNS Lookup (malware.rules)
2051135 - ET MALWARE Suspected TA430/Andariel AndarLoader Related Domain in TLS SNI (malware.rules)
2051136 - ET MALWARE TA430/Andariel AndarLoader Related Activity M1 (malware.rules)
2051137 - ET MALWARE TA430/Andariel Related Domain in DNS Lookup (malware.rules)
2051138 - ET MALWARE TA430/Andariel AndarLoader Related Activity M2 (malware.rules)
2051139 - ET MALWARE TA430/Andariel AndarLoader Related Activity M3 (malware.rules)
2051140 - ET MALWARE DuckTail APT CnC Activity (GET) (malware.rules)
2051141 - ET MALWARE DNS Query to Ducktail APT Domain (123online .uk) (malware.rules)
2051142 - ET MALWARE DNS Query to Ducktail APT Domain (mountainseagroup3 .top) (malware.rules)
2051143 - ET MALWARE DNS Query to Ducktail APT Domain (mafiakorea .com) (malware.rules)
2051144 - ET MALWARE DNS Query to Ducktail APT Domain (dailyfasterauto .info) (malware.rules)
2051145 - ET MALWARE Observed Ducktail Domain (123online .uk in TLS SNI) (malware.rules)
2051146 - ET MALWARE Observed Ducktail Domain (mountainseagroup3 .top in TLS SNI) (malware.rules)
2051147 - ET MALWARE Observed Ducktail Domain (mafiakorea .com in TLS SNI) (malware.rules)
2051148 - ET MALWARE Observed Ducktail Domain (dailyfasterauto .info in TLS SNI) (malware.rules)
2051149 - ET MALWARE Lazarus Group Comebacker Backdoor CnC Checkin (malware.rules)
2051150 - ET MALWARE Lazarus Group Combacker CnC Domain in DNS Lookup (blockchain-newtech .com) (malware.rules)
2051151 - ET MALWARE Lazarus Group Combacker CnC Domain in DNS Lookup (chaingrown .com) (malware.rules)
2051152 - ET MALWARE Lazarus Group Combacker CnC Domain in DNS Lookup (fasttet .com) (malware.rules)

Modified inactive rules:

2006406 - ET MALWARE Proxy.Win32.Agent.mx (2) (malware.rules)
2022574 - ET WEB_CLIENT Possible Fake AV Phone Scam Landing Feb 26 (web_client.rules)
2022955 - ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jul 7 (web_client.rules)
2022964 - ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 13 2016 2 (exploit_kit.rules)
2022981 - ET WEB_CLIENT Tech Support Phone Scam Landing Jul 21 M2 (web_client.rules)
2022991 - ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M1 (web_client.rules)
2022994 - ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M4 (web_client.rules)
2023038 - ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M2 (web_client.rules)
2023041 - ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M5 (web_client.rules)
2023052 - ET WEB_CLIENT Tech Support Phone Scam Landing Aug 12 M2 (web_client.rules)
2023069 - ET WEB_CLIENT SMS Fake Mobile Virus Scam Aug 16 2016 (web_client.rules)
2023079 - ET WEB_CLIENT Fake Mobile Virus Scam M1 Aug 18 2016 (web_client.rules)
2023150 - ET EXPLOIT_KIT Possible Evil Redirector Leading to EK EITest Sep 02 M2 (exploit_kit.rules)
2023238 - ET WEB_CLIENT PC Support Tech Support Scam Sept 15 2016 (web_client.rules)
2023270 - ET EXPLOIT_KIT SunDown EK Flash Exploit Sep 22 2016 (exploit_kit.rules)
2023290 - ET MALWARE BleedingLife EK Payload Request (malware.rules)
2044214 - ET MALWARE Likely APT29 Retrieving Payload Embedded In PNG 3 (malware.rules)
2807120 - ETPRO MALWARE Downloader/Win32.Zlob Checkin Response (malware.rules)
2815954 - ETPRO PHISHING Phishing Landing via Sitey.me Jan 25 M1 (phishing.rules)
2815955 - ETPRO PHISHING Phishing Landing via Sitey.me Jan 25 M2 (phishing.rules)
2815956 - ETPRO PHISHING Phishing Landing via Sitey.me Jan 25 M3 (phishing.rules)
2815961 - ETPRO PHISHING Phishing Landing via Sitey.me Jan 26 M2 (phishing.rules)
2815978 - ETPRO PHISHING Phishing Landing via Sitey.me Jan 26 M1 (phishing.rules)
2815979 - ETPRO PHISHING Phishing Landing via Webeden.co.uk Jan 26 M1 (phishing.rules)
2821203 - ETPRO PHISHING Earthlink Phishing Landing Jul 19 (phishing.rules)
2821226 - ETPRO PHISHING Phishing Landing via Webydo.com (set) Jul 21 (phishing.rules)
2821227 - ETPRO PHISHING Phishing Landing via Webydo.com Jul 21 M1 (phishing.rules)
2821228 - ETPRO PHISHING Phishing Landing via Webydo.com Jul 21 M2 (phishing.rules)
2821229 - ETPRO PHISHING Phishing Landing via Webydo.com Jul 21 M3 (phishing.rules)
2821230 - ETPRO PHISHING Phishing Landing via Webydo.com Jul 21 M4 (phishing.rules)
2821231 - ETPRO PHISHING Phishing Landing via Webydo.com Jul 21 M5 (phishing.rules)
2821310 - ETPRO EXPLOIT_KIT Evil Redirect Leading to EK (AdGholas Sending Link in Header) (exploit_kit.rules)
2821321 - ETPRO PHISHING Phishing Landing via imcreator.com (set) Jul 22 (phishing.rules)
2821322 - ETPRO PHISHING Phishing Landing via imxprs.com (set) Jul 22 (phishing.rules)
2821323 - ETPRO PHISHING Phishing Landing via imcreator.com / imxprs.com Jul 22 M1 (phishing.rules)
2821324 - ETPRO PHISHING Phishing Landing via imcreator.com / imxprs.com Jul 22 M2 (phishing.rules)
2821325 - ETPRO PHISHING Phishing Landing via imcreator.com / imxprs.com Jul 22 M3 (phishing.rules)
2821326 - ETPRO PHISHING Phishing Landing via imcreator.com / imxprs.com Jul 22 M4 (phishing.rules)
2821327 - ETPRO PHISHING Phishing Landing via imcreator.com / imxprs.com Jul 22 M5 (phishing.rules)
2821566 - ETPRO MALWARE Unknown CnC Beacon (malware.rules)
2821629 - ETPRO PHISHING Stripe Phishing Landing Aug 12 2016 (phishing.rules)
2821645 - ETPRO PHISHING Phishing Landing via webnode.fr (set) Aug 15 2016 (phishing.rules)
2821646 - ETPRO PHISHING Phishing Landing via webnode.fr Aug 15 2016 M1 (phishing.rules)
2821647 - ETPRO PHISHING Phishing Landing via webnode.fr Aug 15 2016 M2 (phishing.rules)
2821648 - ETPRO PHISHING Phishing Landing via webnode.fr Aug 15 2016 M3 (phishing.rules)
2821649 - ETPRO PHISHING Phishing Landing via webnode.fr Aug 15 2016 M4 (phishing.rules)
2821650 - ETPRO PHISHING Phishing Landing via webnode.fr Aug 15 2016 M5 (phishing.rules)
2821651 - ETPRO PHISHING Phishing Landing via webnode.fr Aug 15 2016 M6 (phishing.rules)
2821705 - ETPRO PHISHING Adobe Phishing Landing M2 Aug 16 2016 (phishing.rules)
2821746 - ETPRO PHISHING Possible Successful Phish via Wix.com M1 Aug 18 2016 (phishing.rules)
2821873 - ETPRO PHISHING Google Drive Phish Landing Aug 26 2016 (phishing.rules)
2821959 - ETPRO PHISHING Successful Chase Phish M2 Sept 1 2016 (phishing.rules)
2822041 - ETPRO PHISHING Paypal Javascript Phishing Landing Sept 8 2016 (phishing.rules)
2822290 - ETPRO PHISHING Byet Free Webhost Adobe Phishing Cookie Sept 29 2016 (phishing.rules)
2822366 - ETPRO PHISHING Phishing Landing via urest.org Oct 03 M1 (phishing.rules)
2822367 - ETPRO PHISHING Phishing Landing via urest.org Oct 03 M2 (phishing.rules)
2822463 - ETPRO PHISHING Dynamic Folder Phishing Redirect Oct 06 2016 (phishing.rules)
2822505 - ETPRO PHISHING Successful Bank of America Phish Oct 07 M1 (phishing.rules)
2822507 - ETPRO PHISHING Successful Bank of America Phish Oct 07 M3 (phishing.rules)
2822526 - ETPRO MALWARE Quant Loader Download Request 2 (malware.rules)
2822602 - ETPRO PHISHING Phishing Landing via Webeden.net (set) Oct 13 (phishing.rules)
2822635 - ETPRO PHISHING Successful Bank of America Phish M1 Oct 14 2016 (phishing.rules)
2822636 - ETPRO PHISHING Successful Bank of America Phish M2 Oct 14 2016 (phishing.rules)
2822643 - ETPRO PHISHING Successful Outlook Phish Oct 14 2016 (phishing.rules)
2822672 - ETPRO MALWARE Unknown Backdoor Client Checkin (malware.rules)
2822695 - ETPRO MALWARE MSIL/ApolloHTTP Bot CnC Checkin (malware.rules)
2822696 - ETPRO MALWARE MSIL/ApolloHTTP Bot CnC Keep-Alive (malware.rules)

Disabled and modified rules:

2000026 - ET ADWARE_PUP Gator Agent Traffic (adware_pup.rules)
2003062 - ET ADWARE_PUP 180 Solutions (Zango Installer) User Agent (adware_pup.rules)
2010875 - ET MALWARE Blackenergy Bot Checkin to C&C (2) (malware.rules)
2050522 - ET INFO Observed DNS Over HTTPS Domain (adguard .eoghan-net .com in TLS SNI) (info.rules)
2050523 - ET INFO Observed DNS Over HTTPS Domain (agh .fltn .us in TLS SNI) (info.rules)
2050524 - ET INFO Observed DNS Over HTTPS Domain (dns01 .enginyring .com in TLS SNI) (info.rules)
2050525 - ET INFO Observed DNS Over HTTPS Domain (doh .fatucloud .gosprout .org in TLS SNI) (info.rules)
2050526 - ET INFO Observed DNS Over HTTPS Domain (dns .huizegunsing .nl in TLS SNI) (info.rules)
2050527 - ET INFO Observed DNS Over HTTPS Domain (dns .freddys .my .id in TLS SNI) (info.rules)
2050528 - ET INFO Observed DNS Over HTTPS Domain (jp1 .f7b6h9 .tk in TLS SNI) (info.rules)
2050529 - ET INFO Observed DNS Over HTTPS Domain (dns .timboeh .me in TLS SNI) (info.rules)
2050534 - ET INFO Observed DNS Over HTTPS Domain (adguard .darrenhizon .com in TLS SNI) (info.rules)
2050536 - ET INFO Observed DNS Over HTTPS Domain (faradns .net in TLS SNI) (info.rules)
2050537 - ET INFO Observed DNS Over HTTPS Domain (dns .frguthrie .app in TLS SNI) (info.rules)
2050539 - ET INFO Observed DNS Over HTTPS Domain (dot .dns-ga .de in TLS SNI) (info.rules)
2839851 - ETPRO MALWARE Win32/AgentTesla FTP STOR Command (malware.rules)
2839972 - ETPRO MALWARE Win32/njRAT Variant CnC Activity (GPL) (malware.rules)
2840166 - ETPRO MALWARE Powershell Empire Get-ChromeDump Code Inbound (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/05/11 - v10321 Ruleset Updates	198	May 11, 2023
Ruleset Update Summary - 2023/09/05 - v10410 Ruleset Updates	239	September 5, 2023
Ruleset Update Summary - 2024/02/27 - v10541 Ruleset Updates	164	February 27, 2024
Ruleset Update Summary - 2024/02/16 - v10534 Ruleset Updates	207	February 16, 2024
Ruleset Update Summary - 2023/12/27 - v10494 Ruleset Updates	234	December 27, 2023