Ruleset Update Summary - 2024/03/08 - v10548

Summary:

35 new OPEN, 35 new PRO (35 + 0)

Thanks @CheckPointSW

Added rules:

Open:

  • 2051543 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fieldtrollyeowskwe .shop) (malware.rules)
  • 2051544 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fune) (malware.rules)
  • 2051545 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lighterepisodeheighte .fune) (malware.rules)
  • 2051546 - ET MALWARE Observed Lumma Stealer Related Domain (fieldtrollyeowskwe .shop in TLS SNI) (malware.rules)
  • 2051547 - ET MALWARE Observed Lumma Stealer Related Domain (edurestunningcrackyow .fune in TLS SNI) (malware.rules)
  • 2051548 - ET MALWARE Observed Lumma Stealer Related Domain (lighterepisodeheighte .fune in TLS SNI) (malware.rules)
  • 2051549 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lighterepisodeheighte .funs) (malware.rules)
  • 2051550 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (superemeboxlogosites .pro) (malware.rules)
  • 2051551 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .funs) (malware.rules)
  • 2051552 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pww) (malware.rules)
  • 2051553 - ET MALWARE Observed Lumma Stealer Related Domain (lighterepisodeheighte .funs in TLS SNI) (malware.rules)
  • 2051554 - ET MALWARE Observed Lumma Stealer Related Domain (superemeboxlogosites .pro in TLS SNI) (malware.rules)
  • 2051555 - ET MALWARE Observed Lumma Stealer Related Domain (edurestunningcrackyow .funs in TLS SNI) (malware.rules)
  • 2051556 - ET MALWARE Observed Lumma Stealer Related Domain (pooreveningfuseor .pww in TLS SNI) (malware.rules)
  • 2051557 - ET MALWARE Sidewinder APT Related Backdoor Activity (malware.rules)
  • 2051558 - ET MALWARE Suspected Sidewinder APT Related Activity (GET) (malware.rules)
  • 2051559 - ET INFO Geo IP lookup service (api .ipgeolocation .io) (info.rules)
  • 2051560 - ET INFO Geo IP lookup service (quan .suning .com) (info.rules)
  • 2051561 - ET MALWARE Magnet Goblin Linux Nerbian RAT Trigger Sequence from CnC Server (malware.rules)
  • 2051562 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain in DNS Lookup (oncloud-analytics .com) (malware.rules)
  • 2051563 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain in DNS Lookup (cloudflareaddons .com) (malware.rules)
  • 2051564 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain in DNS Lookup (dev-clientservice .com) (malware.rules)
  • 2051565 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain in DNS Lookup (prorecieve .com) (malware.rules)
  • 2051566 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain in DNS Lookup (mailchimp-addons .com) (malware.rules)
  • 2051567 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain in DNS Lookup (allsecurehosting .com) (malware.rules)
  • 2051568 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain in DNS Lookup (textsmsonline .com) (malware.rules)
  • 2051569 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain (oncloud-analytics .com) in TLS SNI (malware.rules)
  • 2051570 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain (cloudflareaddons .com) in TLS SNI (malware.rules)
  • 2051571 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain (dev-clientservice .com) in TLS SNI (malware.rules)
  • 2051572 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain (prorecieve .com) in TLS SNI (malware.rules)
  • 2051573 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain (mailchimp-addons .com) in TLS SNI (malware.rules)
  • 2051574 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain (allsecurehosting .com) in TLS SNI (malware.rules)
  • 2051575 - ET MALWARE Magnet Goblin MiniNerbian CnC Domain (textsmsonline .com) in TLS SNI (malware.rules)
  • 2051576 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (advanceddataenterprise .com) (exploit_kit.rules)
  • 2051577 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (advanceddataenterprise .com) (exploit_kit.rules)

Modified inactive rules:

  • 2002158 - ET WEB_SERVER XML-RPC for PHP Remote Code Injection (web_server.rules)
  • 2008369 - ET MALWARE Keylogger Crack by bahman (malware.rules)
  • 2009096 - ET MALWARE Tigger.a/Syzor Control Checkin (malware.rules)
  • 2009287 - ET MALWARE CoreFlooder C&C Checkin (2) (malware.rules)
  • 2009347 - ET MALWARE Tigger.a/Syzor Checkin (malware.rules)
  • 2010246 - ET MALWARE WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in (malware.rules)
  • 2012871 - ET MALWARE Gozi posting form data (malware.rules)
  • 2013768 - ET MALWARE Win32.Dropper.Wlock Checkin (malware.rules)
  • 2014040 - ET MALWARE Win32.PowerPointer checkin (malware.rules)
  • 2014044 - ET MALWARE SpyEye Checkin version 1.3.25 or later 2 (malware.rules)
  • 2014307 - ET MALWARE W32/SelfStarterInternet.InfoStealer Checkin (malware.rules)
  • 2014731 - ET MALWARE Snap Bot Checkin (malware.rules)
  • 2014804 - ET MALWARE VBS/Wimmie.A Checkin (malware.rules)
  • 2015635 - ET MALWARE Backdoor.Briba Checkin (malware.rules)
  • 2015825 - ET MALWARE Zeus/Citadel Control Panel Access (Outbound) (malware.rules)
  • 2015826 - ET MALWARE Zeus/Citadel Control Panel Access (Inbound) (malware.rules)
  • 2015963 - ET PHISHING PHISH Generic - Bank and Routing (phishing.rules)
  • 2016062 - ET MALWARE Linux/Chapro.A Malicious Apache Module CnC Beacon (malware.rules)
  • 2017797 - ET EXPLOIT_KIT HiMan EK - TDS - POST hyt= (exploit_kit.rules)
  • 2800866 - ETPRO SQL IBM Informix Dynamic Server oninit.exe EXPLAIN Stack Buffer Overflow (sql.rules)
  • 2801674 - ETPRO MALWARE Trojan.Win32.Banker.bhhc Checkin (malware.rules)
  • 2801926 - ETPRO MALWARE Trojan.Win32.Bancos.OBQ Checkin 2 (malware.rules)
  • 2802058 - ETPRO MALWARE Win32.AutoRun.cftw Checkin (malware.rules)
  • 2802059 - ETPRO MALWARE Win32.Bankwabfoto.A Checkin (malware.rules)
  • 2802076 - ETPRO MALWARE Trojan.Win32.KLCCs.A Checkin (malware.rules)
  • 2802080 - ETPRO MALWARE Trojan.Win32.Funcoes.A Checkin (malware.rules)
  • 2802094 - ETPRO MALWARE Trojan.Win32.TMaquina.A Checkin (malware.rules)
  • 2802110 - ETPRO MALWARE Trojan.Win32.Banker.bgcp Checkin (malware.rules)
  • 2802172 - ETPRO MALWARE Trojan.Win32.Tspsl.C Checkin (malware.rules)
  • 2802901 - ETPRO MALWARE Generic Dropper/Kryptic Checkin (malware.rules)
  • 2803751 - ETPRO MALWARE Backdoor.Win32.Ramagedos.A Checkin 2 (malware.rules)
  • 2804126 - ETPRO MALWARE TrojanSpy.Win32/Bancos.ADR Checkin (malware.rules)
  • 2804432 - ETPRO MALWARE Trojan-PSW.Win32.QQShou.aqr Checkin (malware.rules)
  • 2804601 - ETPRO MALWARE Win32/Klovbot.E Checkin (malware.rules)
  • 2804711 - ETPRO MALWARE Trojan-Banker.Win32.Banz.jpb Checkin 2 (malware.rules)
  • 2804750 - ETPRO MALWARE Backdoor.Win32.VB.hes Checkin (malware.rules)
  • 2804755 - ETPRO MALWARE Sus/BancDl-A Checkin (malware.rules)
  • 2805090 - ETPRO MALWARE Win32/Sality.AT Checkin 3 (malware.rules)
  • 2805167 - ETPRO MALWARE W32/Dapato.LUY!tr.dldr Checkin (malware.rules)
  • 2805441 - ETPRO MALWARE W32.Tinba/Zusy Checkin (malware.rules)
  • 2805471 - ETPRO MALWARE Win32/Opachki.I Checkin (malware.rules)
  • 2805521 - ETPRO MALWARE W32/Gpcode.NAI Checkin (malware.rules)
  • 2805556 - ETPRO WEB_SPECIFIC_APPS Zenworks RTRlet Applet Access With Harcoded Creds (web_specific_apps.rules)
  • 2805561 - ETPRO MALWARE W32/Banbra.AVBB!tr Checkin (malware.rules)
  • 2805562 - ETPRO MALWARE W32/VB.PGK!tr.dldr Checkin (malware.rules)
  • 2805584 - ETPRO SCADA Sinapsi eSolar Light Photovoltaic System Monitor Login with hard coded account (scada.rules)
  • 2805585 - ETPRO SCADA Sinapsi eSolar Light Photovoltaic System Monitor arbitrary command execution (scada.rules)
  • 2805697 - ETPRO MALWARE Backdoor.Win32.Shiz.dkg Checkin (malware.rules)
  • 2805715 - ETPRO MALWARE Trojan.Win32.Agent.angq / Worm.Win32.Koobface Checkin (malware.rules)

Disabled and modified rules:

  • 2018683 - ET MALWARE Dyreza RAT Checkin 2 (malware.rules)
  • 2018688 - ET MALWARE Predator Pain Sending Data over SMTP (malware.rules)
  • 2018749 - ET MALWARE Dyreza RAT Checkin 3 (malware.rules)
  • 2030697 - ET MALWARE Suspected REDCURL CnC Activity M1 (malware.rules)
  • 2034192 - ET MALWARE Win32/Spy.Socelars.S CnC Activity M3 (malware.rules)
  • 2050743 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (landgateindirectdangre .shop) (malware.rules)
  • 2050744 - ET MALWARE Observed Lumma Stealer Related Domain (landgateindirectdangre .shop in TLS SNI) (malware.rules)
  • 2808312 - ETPRO MALWARE Win32/Meac.A CnC (OUTBOUND) (malware.rules)
  • 2808318 - ETPRO MALWARE Trojan.MSIL.RapidStealer.A Checkin (malware.rules)
  • 2808336 - ETPRO MALWARE Win32/Isnev Download (malware.rules)
  • 2808348 - ETPRO MOBILE_MALWARE Android.Trojan.Voxv.A Checkin (mobile_malware.rules)
  • 2808357 - ETPRO MOBILE_MALWARE Android/TelMan.A Checkin (mobile_malware.rules)
  • 2808393 - ETPRO MOBILE_MALWARE Android/Fakeinst.HX Checkin (mobile_malware.rules)
  • 2808436 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Agent.aj Checkin (mobile_malware.rules)
  • 2849846 - ETPRO MALWARE Win32/Agent.mytwin CnC Command Inbound (malware.rules)
  • 2850032 - ETPRO MALWARE MSIL/TrojanDownloader.Agent.IUJ User-Agent (malware.rules)
  • 2850053 - ETPRO PHISHING Successful Generic Phish Hosted at pythonanywhere .com 2021-09-27 (phishing.rules)
  • 2850057 - ETPRO MALWARE Unk.MalDoc/PowerShell Loader CnC Checkin (malware.rules)
  • 2850103 - ETPRO MALWARE MalDoc Reporting Infection 2021-10-04 (malware.rules)