Ruleset Update Summary - 2024/03/12 - v10550

Ruleset Updates
1

Summary:

18 new OPEN, 19 new PRO (18 + 1)

Thanks @bushidotoken

Added rules:

Open:

  • 2051618 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (herdbescuitinjurywu .shop) (malware.rules)
  • 2051619 - ET MALWARE Observed Lumma Stealer Related Domain (herdbescuitinjurywu .shop in TLS SNI) (malware.rules)
  • 2051620 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (theonlyreasonwhywe .pro) (malware.rules)
  • 2051621 - ET MALWARE Observed Lumma Stealer Related Domain (theonlyreasonwhywe .pro in TLS SNI) (malware.rules)
  • 2051622 - ET MALWARE Andariel/TA430 Related TigerRAT Client Checkin (malware.rules)
  • 2051623 - ET MALWARE Andariel/TA430 Related TigerRAT Client Checkin Response Activity (malware.rules)
  • 2051624 - ET INFO DNS Query to Baidu File Sharing Domain (pan .baidu .com) (info.rules)
  • 2051625 - ET INFO Observed Baidu File Sharing Domain Domain (pan .baidu .com in TLS SNI) (info.rules)
  • 2051626 - ET MALWARE UAC-0050 Domain in DNS Lookup (davincigroup .online) (malware.rules)
  • 2051627 - ET MALWARE UAC-0050 Domain in DNS Lookup (davinci-project .info) (malware.rules)
  • 2051628 - ET MALWARE UAC-0050 Domain in DNS Lookup (8161 .uk) (malware.rules)
  • 2051629 - ET MALWARE UAC-0050 Domain in DNS Lookup (groupdavinci .online) (malware.rules)
  • 2051630 - ET MALWARE UAC-0050 Domain (davincigroup .online in TLS SNI) (malware.rules)
  • 2051631 - ET MALWARE UAC-0050 Domain (davinci-project .info in TLS SNI) (malware.rules)
  • 2051632 - ET MALWARE UAC-0050 Domain (8161 .uk in TLS SNI) (malware.rules)
  • 2051633 - ET MALWARE UAC-0050 Domain (groupdavinci .online in TLS SNI) (malware.rules)
  • 2051634 - ET MALWARE SocGholish Domain in DNS Lookup (welcome .visionaryyouth .org) (malware.rules)
  • 2051635 - ET MALWARE SocGholish Domain in TLS SNI (welcome .visionaryyouth .org) (malware.rules)

Pro:

  • 2856485 - ETPRO MALWARE Generic Discord Stealer Exfil Activity (POST) (malware.rules)

Modified inactive rules:

  • 2002002 - ET ADWARE_PUP Better Internet Spyware User-Agent (thnall) (adware_pup.rules)
  • 2002071 - ET ADWARE_PUP XupiterToolbar Spyware User-Agent (XupiterToolbar) (adware_pup.rules)
  • 2002164 - ET ADWARE_PUP Hotbar Spyware User-Agent (host) (adware_pup.rules)
  • 2002808 - ET ADWARE_PUP Spyaxe Spyware User-Agent (spywareaxe) (adware_pup.rules)
  • 2003406 - ET ADWARE_PUP Mysearch.com Spyware User-Agent (iMeshBar) (adware_pup.rules)
  • 2003468 - ET ADWARE_PUP Oemji Spyware User-Agent (Oemji) (adware_pup.rules)
  • 2003475 - ET P2P ABC Torrent User-Agent (ABC/ABC-3.1.0) (p2p.rules)
  • 2003584 - ET USER_AGENTS Suspicious User-Agent (Updater) (user_agents.rules)
  • 2003749 - ET ADWARE_PUP QQHelper related Spyware User-Agent (H) (adware_pup.rules)
  • 2009094 - ET MALWARE Password Stealer (PSW.Win32.Magania Family) GET (malware.rules)
  • 2009295 - ET HUNTING Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0) (hunting.rules)
  • 2011759 - ET WEB_SERVER TIEHTTP User-Agent (web_server.rules)
  • 2014954 - ET INFO Vulnerable iTunes Version 10.6.x (set) (info.rules)
  • 2017713 - ET MALWARE Taidoor Checkin (malware.rules)
  • 2017903 - ET MALWARE Win32/Urausy.C Checkin 4 (malware.rules)
  • 2021352 - ET MALWARE ELF.DES.Downloader Request (malware.rules)
  • 2024275 - ET MALWARE W32/Emotet CnC Beacon 2 (malware.rules)
  • 2030626 - ET MALWARE Win32/PurpleWave Stealer CnC Exfil (malware.rules)
  • 2031435 - ET MALWARE AHK.CREDSTEALER.A CnC Exfil (malware.rules)
  • 2032937 - ET MALWARE Unk.CoinMiner Loader Checkin (malware.rules)
  • 2033033 - ET MALWARE BazaLoader CnC Activity (malware.rules)
  • 2033044 - ET MALWARE Malicious Second Stage Payload Inbound 2021-02-19 (malware.rules)
  • 2034752 - ET MALWARE Win32/BazarLoader Activity (GET) (malware.rules)
  • 2035370 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
  • 2038772 - ET MALWARE Chinese Based APT Related Malware Sending System Information (POST) (malware.rules)
  • 2801330 - ETPRO MALWARE Trojan.Win32.Delf.MW Checkin 2 (malware.rules)
  • 2806104 - ETPRO MALWARE TROJ_AGENT.EVF checkin (malware.rules)
  • 2807719 - ETPRO MALWARE PSW.Win32.Agent.afag Checkin (malware.rules)
  • 2807900 - ETPRO MALWARE TrojanProxy.Wintu.B Checkin (malware.rules)
  • 2808504 - ETPRO MALWARE Bublik.sda pastebin Request (malware.rules)
  • 2808776 - ETPRO MALWARE Win32/ProxyChanger.EO Checkin 2 (malware.rules)
  • 2810919 - ETPRO ADWARE_PUP ZyngaTables Downloading Malicious Chrome Extension (adware_pup.rules)
  • 2820586 - ETPRO MALWARE Win32/TrojanDownloader.IndigoRose.R Checkin (malware.rules)
  • 2821333 - ETPRO MALWARE W32/Pislik Checkin (malware.rules)
  • 2827509 - ETPRO MALWARE Win32/Downloader.Banload.YAZ CnC Activity (malware.rules)
  • 2828056 - ETPRO MALWARE Win32/Agent.YZF Variant CnC Activity (malware.rules)
  • 2836553 - ETPRO MALWARE Win32/NPUS Backdoor Checkin (malware.rules)
  • 2839018 - ETPRO MALWARE Win32/WinLoader Requesting Payload (malware.rules)
  • 2842455 - ETPRO MALWARE Win64/Spy.Agent.CB CnC Activity (malware.rules)
  • 2843619 - ETPRO ADWARE_PUP Win32/Caypnamer CnC Activity M2 (adware_pup.rules)
  • 2843711 - ETPRO MALWARE MalDoc Requesting Payload 2020-07-27 (malware.rules)
  • 2845411 - ETPRO MALWARE Unk.MSI.Loader CnC Activity (malware.rules)
  • 2848808 - ETPRO MALWARE ZiggyStealer CnC Activity (malware.rules)
  • 2849516 - ETPRO MALWARE Win32/ZXRMCTROL CnC Activity (malware.rules)
  • 2850032 - ETPRO MALWARE MSIL/TrojanDownloader.Agent.IUJ User-Agent (malware.rules)

Disabled and modified rules:

  • 2044245 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config (malware.rules)
  • 2044247 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config (malware.rules)
  • 2803831 - ETPRO ADWARE_PUP Adware.Win32/Clickspring.C Checkin (adware_pup.rules)
  • 2803915 - ETPRO ADWARE_PUP Win32/Adware.OpenInstall (adware_pup.rules)
  • 2803924 - ETPRO POLICY Request to IP Geolocation Service (maxmind .com) (policy.rules)
  • 2855076 - ETPRO MALWARE Suspected Pen Testing Related Domain in DNS Lookup (malware.rules)
  • 2855077 - ETPRO MALWARE Suspected Pen Testing Related Domain in TLS SNI (malware.rules)
  • 2855356 - ETPRO CURRENT_EVENTS Observed Intermediate Malware Delivery Domain in DNS Lookup (current_events.rules)
  • 2855359 - ETPRO INFO PenTesting Related Domain in DNS Lookup (info.rules)