Ruleset Update Summary - 2024/03/18 - v10554

rulesbot · March 18, 2024, 9:31pm

Summary:

27 new OPEN, 28 new PRO (27 + 1)

Thanks @BushidoToken, @Unit42_Intel

Added rules:

Open:

2051669 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (deadpanstupiddyjjuwk .shop) (malware.rules)
2051670 - ET MALWARE Observed Lumma Stealer Related Domain (deadpanstupiddyjjuwk .shop in TLS SNI) (malware.rules)
2051671 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (doughmebinnybunio .shop) (malware.rules)
2051672 - ET MALWARE Observed Lumma Stealer Related Domain (doughmebinnybunio .shop in TLS SNI) (malware.rules)
2051673 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (combinationconventiwov .shop) (malware.rules)
2051674 - ET MALWARE Observed Lumma Stealer Related Domain (combinationconventiwov .shop in TLS SNI) (malware.rules)
2051675 - ET MALWARE Win32/Spyderv2 Related Activity (POST) (malware.rules)
2051676 - ET MALWARE BunnyLoader Initial Connection (GET) (malware.rules)
2051677 - ET MALWARE BunnyLoader Stealer Module Activity (POST) (malware.rules)
2051678 - ET PHISHING Generic Phish Landing Page 2024-03-18 (phishing.rules)
2051679 - ET PHISHING Malicious SSL Certificate detected (Generic Phish Activity) (phishing.rules)
2051680 - ET MALWARE Hello2Malware (H2MLoader) get_base64 Payload Retrieval Attempt (malware.rules)
2051681 - ET HUNTING Base64 Encoded Executable over Raw TCP (hunting.rules)
2051682 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .policy .donnafrey .com) (malware.rules)
2051683 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .policy .donnafrey .com) (malware.rules)
2051684 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (apifunctioncall .com) (exploit_kit.rules)
2051685 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (apifunctioncall .com) (exploit_kit.rules)
2051686 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (worldofmantas .com) (exploit_kit.rules)
2051687 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ausgov .pro) (exploit_kit.rules)
2051688 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (edulokam .com) (exploit_kit.rules)
2051689 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (worldofmantas .com) (exploit_kit.rules)
2051690 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ausgov .pro) (exploit_kit.rules)
2051691 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (edulokam .com) (exploit_kit.rules)
2051692 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (7commbeta .com) (exploit_kit.rules)
2051693 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (7commbeta .com) (exploit_kit.rules)
2051694 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ezshipsy .com) (exploit_kit.rules)
2051695 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ezshipsy .com) (exploit_kit.rules)

Pro:

2856494 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Modified inactive rules:

2001867 - ET ADWARE_PUP Search Engine 2000 Spyware User-Agent (searchengine) (adware_pup.rules)
2003190 - ET MALWARE Win32.Lager Trojan Reporting Spam (malware.rules)
2007566 - ET MALWARE Downloader.MisleadApp Fake Security Product Install (malware.rules)
2009514 - ET MALWARE FAKE/ROGUE AV HTTP Post (malware.rules)
2011085 - ET POLICY HTTP Redirect to IPv4 Address (policy.rules)
2014025 - ET EXPLOIT_KIT Probable Scalaxy exploit kit Java or PDF exploit request (exploit_kit.rules)
2018591 - ET WEB_CLIENT Trojan-Banker.JS.Banker fraudulent redirect boleto payment code (web_client.rules)
2022770 - ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 27 2016 (fbset) (exploit_kit.rules)
2023048 - ET PHISHING Successful Generic Adobe Shared Document Phish Aug 11 2016 (phishing.rules)
2800535 - ETPRO EXPLOIT HP OpenView Network Node Manager snmp.exe Oid Variable Buffer Overflow (exploit.rules)
2800918 - ETPRO EXPLOIT Novell GroupWise Agents HTTP Request Remote Code Execution (exploit.rules)
2801302 - ETPRO MALWARE RogueSoftware.Win32.WindowsOptimizationAndSecurity Sending stolen info (malware.rules)
2801547 - ETPRO NETBIOS Microsoft Powerpoint digest.dll Insecure Library Loading - SMB-DS ASCII (netbios.rules)
2805650 - ETPRO MALWARE Downloader.Win32.Agent.afrw Checkin (malware.rules)
2815220 - ETPRO EXPLOIT_KIT Possible Nuclear EK Flash Exploit Dec 03 2015 (exploit_kit.rules)
2820776 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Keitaro Jun 21 2016 T2 (web_client.rules)
2827261 - ETPRO MALWARE PoshC2 SSL Cert Observed (malware.rules)

Disabled and modified rules:

2001444 - ET ADWARE_PUP Overpro Spyware Bundle Install (adware_pup.rules)
2014234 - ET MALWARE Fareit/Pony Downloader Checkin 3 (malware.rules)
2048599 - ET INFO Observed DNS Over HTTPS Domain (blackhole .myon .lu in TLS SNI) (info.rules)
2048600 - ET INFO Observed DNS Over HTTPS Domain (doh .ccb-net .it in TLS SNI) (info.rules)
2048604 - ET INFO Observed DNS Over HTTPS Domain (xray .krnl .eu in TLS SNI) (info.rules)
2048605 - ET INFO Observed DNS Over HTTPS Domain (dns .syaifullah .com in TLS SNI) (info.rules)
2048607 - ET INFO Observed DNS Over HTTPS Domain (doh .futa .gg in TLS SNI) (info.rules)
2048611 - ET INFO Observed DNS Over HTTPS Domain (mail .data .haus in TLS SNI) (info.rules)
2048613 - ET INFO Observed DNS Over HTTPS Domain (dns .reckoningslug .name in TLS SNI) (info.rules)
2048614 - ET INFO Observed DNS Over HTTPS Domain (dns .vinnyp .xyz in TLS SNI) (info.rules)
2048618 - ET INFO Observed DNS Over HTTPS Domain (dns .rin .sh in TLS SNI) (info.rules)
2048620 - ET INFO Observed DNS Over HTTPS Domain (dns .kamilszczepanski .com in TLS SNI) (info.rules)
2049728 - ET MALWARE CloudAtlas APT Related DNS Lookup (avito-service .net) (malware.rules)
2049729 - ET MALWARE Observed CloudAtlas APT Related Domain (avito-service .net in TLS SNI) (malware.rules)
2049731 - ET MALWARE CloudAtlas APT Related Domain in DNS Lookup (network-list .com) (malware.rules)
2050878 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cattilecodereowop .pw) (malware.rules)
2050879 - ET MALWARE Observed Lumma Stealer Related Domain (cattilecodereowop .pw in TLS SNI) (malware.rules)
2050880 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (thinrecordsunrjisow .pw) (malware.rules)
2050881 - ET MALWARE Observed Lumma Stealer Related Domain (thinrecordsunrjisow .pw in TLS SNI) (malware.rules)
2050899 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (theoryapparatusjuko .funr) (malware.rules)
2050901 - ET MALWARE Observed Lumma Stealer Related Domain (theoryapparatusjuko .funr in TLS SNI) (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/02/20 - v10536 Ruleset Updates	463	February 20, 2024
Ruleset Update Summary - 2024/03/27 - v10561 Ruleset Updates	185	March 27, 2024
Ruleset Update Summary - 2024/05/15 - v10596 Ruleset Updates	187	May 15, 2024
Ruleset Update Summary - 2024/03/11 - v10549 Ruleset Updates	910	March 11, 2024
Ruleset Update Summary - 2024/03/05 - v10545 Ruleset Updates	636	March 5, 2024

Ruleset Update Summary - 2024/03/18 - v10554

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Disabled and modified rules:

Related Topics