Ruleset Update Summary - 2024/03/18 - v10554

Summary:

27 new OPEN, 28 new PRO (27 + 1)

Thanks @BushidoToken, @Unit42_Intel


Added rules:

Open:

  • 2051669 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (deadpanstupiddyjjuwk .shop) (malware.rules)
  • 2051670 - ET MALWARE Observed Lumma Stealer Related Domain (deadpanstupiddyjjuwk .shop in TLS SNI) (malware.rules)
  • 2051671 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (doughmebinnybunio .shop) (malware.rules)
  • 2051672 - ET MALWARE Observed Lumma Stealer Related Domain (doughmebinnybunio .shop in TLS SNI) (malware.rules)
  • 2051673 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (combinationconventiwov .shop) (malware.rules)
  • 2051674 - ET MALWARE Observed Lumma Stealer Related Domain (combinationconventiwov .shop in TLS SNI) (malware.rules)
  • 2051675 - ET MALWARE Win32/Spyderv2 Related Activity (POST) (malware.rules)
  • 2051676 - ET MALWARE BunnyLoader Initial Connection (GET) (malware.rules)
  • 2051677 - ET MALWARE BunnyLoader Stealer Module Activity (POST) (malware.rules)
  • 2051678 - ET PHISHING Generic Phish Landing Page 2024-03-18 (phishing.rules)
  • 2051679 - ET PHISHING Malicious SSL Certificate detected (Generic Phish Activity) (phishing.rules)
  • 2051680 - ET MALWARE Hello2Malware (H2MLoader) get_base64 Payload Retrieval Attempt (malware.rules)
  • 2051681 - ET HUNTING Base64 Encoded Executable over Raw TCP (hunting.rules)
  • 2051682 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .policy .donnafrey .com) (malware.rules)
  • 2051683 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .policy .donnafrey .com) (malware.rules)
  • 2051684 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (apifunctioncall .com) (exploit_kit.rules)
  • 2051685 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (apifunctioncall .com) (exploit_kit.rules)
  • 2051686 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (worldofmantas .com) (exploit_kit.rules)
  • 2051687 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ausgov .pro) (exploit_kit.rules)
  • 2051688 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (edulokam .com) (exploit_kit.rules)
  • 2051689 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (worldofmantas .com) (exploit_kit.rules)
  • 2051690 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ausgov .pro) (exploit_kit.rules)
  • 2051691 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (edulokam .com) (exploit_kit.rules)
  • 2051692 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (7commbeta .com) (exploit_kit.rules)
  • 2051693 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (7commbeta .com) (exploit_kit.rules)
  • 2051694 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ezshipsy .com) (exploit_kit.rules)
  • 2051695 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ezshipsy .com) (exploit_kit.rules)

Pro:

  • 2856494 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Modified inactive rules:

  • 2001867 - ET ADWARE_PUP Search Engine 2000 Spyware User-Agent (searchengine) (adware_pup.rules)
  • 2003190 - ET MALWARE Win32.Lager Trojan Reporting Spam (malware.rules)
  • 2007566 - ET MALWARE Downloader.MisleadApp Fake Security Product Install (malware.rules)
  • 2009514 - ET MALWARE FAKE/ROGUE AV HTTP Post (malware.rules)
  • 2011085 - ET POLICY HTTP Redirect to IPv4 Address (policy.rules)
  • 2014025 - ET EXPLOIT_KIT Probable Scalaxy exploit kit Java or PDF exploit request (exploit_kit.rules)
  • 2018591 - ET WEB_CLIENT Trojan-Banker.JS.Banker fraudulent redirect boleto payment code (web_client.rules)
  • 2022770 - ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 27 2016 (fbset) (exploit_kit.rules)
  • 2023048 - ET PHISHING Successful Generic Adobe Shared Document Phish Aug 11 2016 (phishing.rules)
  • 2800535 - ETPRO EXPLOIT HP OpenView Network Node Manager snmp.exe Oid Variable Buffer Overflow (exploit.rules)
  • 2800918 - ETPRO EXPLOIT Novell GroupWise Agents HTTP Request Remote Code Execution (exploit.rules)
  • 2801302 - ETPRO MALWARE RogueSoftware.Win32.WindowsOptimizationAndSecurity Sending stolen info (malware.rules)
  • 2801547 - ETPRO NETBIOS Microsoft Powerpoint digest.dll Insecure Library Loading - SMB-DS ASCII (netbios.rules)
  • 2805650 - ETPRO MALWARE Downloader.Win32.Agent.afrw Checkin (malware.rules)
  • 2815220 - ETPRO EXPLOIT_KIT Possible Nuclear EK Flash Exploit Dec 03 2015 (exploit_kit.rules)
  • 2820776 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Keitaro Jun 21 2016 T2 (web_client.rules)
  • 2827261 - ETPRO MALWARE PoshC2 SSL Cert Observed (malware.rules)

Disabled and modified rules:

  • 2001444 - ET ADWARE_PUP Overpro Spyware Bundle Install (adware_pup.rules)
  • 2014234 - ET MALWARE Fareit/Pony Downloader Checkin 3 (malware.rules)
  • 2048599 - ET INFO Observed DNS Over HTTPS Domain (blackhole .myon .lu in TLS SNI) (info.rules)
  • 2048600 - ET INFO Observed DNS Over HTTPS Domain (doh .ccb-net .it in TLS SNI) (info.rules)
  • 2048604 - ET INFO Observed DNS Over HTTPS Domain (xray .krnl .eu in TLS SNI) (info.rules)
  • 2048605 - ET INFO Observed DNS Over HTTPS Domain (dns .syaifullah .com in TLS SNI) (info.rules)
  • 2048607 - ET INFO Observed DNS Over HTTPS Domain (doh .futa .gg in TLS SNI) (info.rules)
  • 2048611 - ET INFO Observed DNS Over HTTPS Domain (mail .data .haus in TLS SNI) (info.rules)
  • 2048613 - ET INFO Observed DNS Over HTTPS Domain (dns .reckoningslug .name in TLS SNI) (info.rules)
  • 2048614 - ET INFO Observed DNS Over HTTPS Domain (dns .vinnyp .xyz in TLS SNI) (info.rules)
  • 2048618 - ET INFO Observed DNS Over HTTPS Domain (dns .rin .sh in TLS SNI) (info.rules)
  • 2048620 - ET INFO Observed DNS Over HTTPS Domain (dns .kamilszczepanski .com in TLS SNI) (info.rules)
  • 2049728 - ET MALWARE CloudAtlas APT Related DNS Lookup (avito-service .net) (malware.rules)
  • 2049729 - ET MALWARE Observed CloudAtlas APT Related Domain (avito-service .net in TLS SNI) (malware.rules)
  • 2049731 - ET MALWARE CloudAtlas APT Related Domain in DNS Lookup (network-list .com) (malware.rules)
  • 2050878 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cattilecodereowop .pw) (malware.rules)
  • 2050879 - ET MALWARE Observed Lumma Stealer Related Domain (cattilecodereowop .pw in TLS SNI) (malware.rules)
  • 2050880 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (thinrecordsunrjisow .pw) (malware.rules)
  • 2050881 - ET MALWARE Observed Lumma Stealer Related Domain (thinrecordsunrjisow .pw in TLS SNI) (malware.rules)
  • 2050899 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (theoryapparatusjuko .funr) (malware.rules)
  • 2050901 - ET MALWARE Observed Lumma Stealer Related Domain (theoryapparatusjuko .funr in TLS SNI) (malware.rules)
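
A small parser for this summary format, added here as a worked example (it is not Emerging Threats' or Proofpoint's own tooling). It splits the listing into sections and tiers, pulls the SID, rule family, category and .rules file out of each bullet, re-fangs the "label .tld" indicators into real domains (including the "* ." wildcard form), records whether the title says the rule watches DNS lookups or TLS SNI, and checks the header counts. The SAMPLE text is a constructed excerpt in the same layout as the summary above; the Suricata rules produced by local_rule() are illustrative local rules in the dns.query / tls.sni plus dotprefix+endswith style with an assumed local SID range (1000000+), not the ET rule bodies, which this summary does not include.

```python
"""Parse an Emerging Threats ruleset update summary into structured entries.

Added example, not ET/Proofpoint tooling. SAMPLE is a constructed excerpt in the
same format as the summary; local_rule() emits illustrative Suricata 5+ rules
(assumed local sid range 1000000+), not the ET rule bodies, which the summary
does not contain.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the summary format (a handful of lines, same layout).
SAMPLE = """\
Added rules:

Open:

  • 2051669 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (deadpanstupiddyjjuwk .shop) (malware.rules)
  • 2051670 - ET MALWARE Observed Lumma Stealer Related Domain (deadpanstupiddyjjuwk .shop in TLS SNI) (malware.rules)
  • 2051681 - ET HUNTING Base64 Encoded Executable over Raw TCP (hunting.rules)
  • 2051682 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .policy .donnafrey .com) (malware.rules)

Pro:

  • 2856494 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

  • 2048599 - ET INFO Observed DNS Over HTTPS Domain (blackhole .myon .lu in TLS SNI) (info.rules)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Z][a-z ]+ rules):$")
TIER_RE = re.compile(r"^(?P<tier>Open|Pro):$")
ENTRY_RE = re.compile(
    r"^•\s*(?P<sid>\d+)\s+-\s+(?P<family>ET|ETPRO)\s+(?P<category>[A-Z_]+)\s+"
    r"(?P<msg>.+?)\s+\((?P<file>[a-z_]+\.rules)\)$"
)
# ET de-fangs indicators as "label .label .tld", optionally prefixed with "* ." for wildcards.
DOMAIN_RE = re.compile(r"(?:\*\s\.)?[A-Za-z0-9-]+(?:\s\.[A-Za-z0-9-]+)+")


@dataclass
class RuleEntry:
    sid: int
    family: str             # ET (open) or ETPRO
    category: str           # MALWARE, EXPLOIT_KIT, PHISHING, ...
    msg: str                # title text between the category and the .rules file
    rule_file: str
    section: str            # Added rules / Modified inactive rules / Disabled and modified rules
    tier: Optional[str]     # Open / Pro (only present under "Added rules")
    channel: Optional[str]  # "dns" or "tls_sni" when the title names the inspected buffer
    domain: Optional[str]   # re-fanged indicator, e.g. "*.policy.donnafrey.com"


def refang(defanged: str) -> str:
    """'deadpanstupiddyjjuwk .shop' -> 'deadpanstupiddyjjuwk.shop'; keeps a leading '*'."""
    return re.sub(r"\s+\.", ".", defanged)


def channel_of(msg: str) -> Optional[str]:
    """Which protocol buffer the rule title says is inspected ("DNS Over HTTPS ... in TLS SNI" is TLS)."""
    if "DNS Lookup" in msg:
        return "dns"
    if "TLS SNI" in msg:
        return "tls_sni"
    return None


def parse_summary(text: str) -> List[RuleEntry]:
    """Walk the summary line by line, tracking the current section and Open/Pro tier."""
    entries: List[RuleEntry] = []
    section: Optional[str] = None
    tier: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            section, tier = m.group("section"), None
            continue
        if (m := TIER_RE.match(line)):
            tier = m.group("tier")
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue  # blank lines, thanks line, or a bullet outside any section
        msg = m.group("msg")
        found = DOMAIN_RE.search(msg)
        entries.append(RuleEntry(
            sid=int(m.group("sid")), family=m.group("family"), category=m.group("category"),
            msg=msg, rule_file=m.group("file"), section=section, tier=tier,
            channel=channel_of(msg), domain=refang(found.group(0)) if found else None))
    return entries


def added_counts(entries: List[RuleEntry]) -> Tuple[int, int]:
    """(open, pro) additions, to compare against the summary's 'N new OPEN, M new PRO' header."""
    added = [e for e in entries if e.section == "Added rules"]
    n_open = sum(1 for e in added if e.family == "ET")
    return n_open, len(added)  # PRO count is open + pro-only, as the header's "(27 + 1)" reads


def active_indicators(entries: List[RuleEntry]) -> Dict[int, str]:
    """Domains from rules added in this release, keyed by SID."""
    return {e.sid: e.domain for e in entries if e.section == "Added rules" and e.domain}


def retired_indicators(entries: List[RuleEntry]) -> Dict[int, str]:
    """Domains whose rules are disabled in this release; review them in any blocklist built from earlier summaries."""
    return {e.sid: e.domain for e in entries if e.section == "Disabled and modified rules" and e.domain}


def local_rule(entry: RuleEntry, sid: int) -> str:
    """Illustrative local Suricata rule (assumption: Suricata 5+ sticky buffers and transforms).
    dotprefix + endswith matches the domain and any subdomain, so it also covers the '*.' form."""
    if not entry.domain or not entry.channel:
        raise ValueError(f"sid {entry.sid} carries no domain/channel to build a rule from")
    dom = entry.domain.lstrip("*.")
    if entry.channel == "dns":
        proto, dst, buf = "dns", "any any", "dns.query"
    else:
        proto, dst, buf = "tls", "$EXTERNAL_NET any", "tls.sni"
    return (f'alert {proto} $HOME_NET any -> {dst} (msg:"LOCAL {entry.category} {dom} in {buf}"; '
            f'{buf}; dotprefix; content:".{dom}"; nocase; endswith; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    print("added (open, pro):", added_counts(parsed))
    for e in parsed:
        print(e.section, e.tier, e.sid, e.channel, e.domain)
    for i, e in enumerate(e for e in parsed if e.domain and e.section == "Added rules"):
        print(local_rule(e, 1000001 + i))
```

Run it against the full summary text instead of SAMPLE to get the complete indicator set; the split between active_indicators() and retired_indicators() is the part worth automating, since the disabled section in these summaries is easy to miss when only the "Added rules" block is scraped.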