Ruleset Update Summary - 2024/03/20 - v10556

rulesbot · March 20, 2024, 8:37pm

Summary:

63 new OPEN, 66 new PRO (63 + 3)

Thanks @metabaseq, @morphisec, @unit42_intel, @briankrebs

Added rules:

Open:

2051698 - ET MALWARE Win32/IDAT Loader Related Activity (malware.rules)
2051699 - ET MALWARE Suspected Agent Racoon Backdoor DNS Related Activity (malware.rules)
2051700 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (peanutclutchlowwow .shop) (malware.rules)
2051701 - ET MALWARE Observed Lumma Stealer Related Domain (peanutclutchlowwow .shop in TLS SNI) (malware.rules)
2051702 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (ndapromovideoslittle .pro) (malware.rules)
2051703 - ET MALWARE Observed Lumma Stealer Related Domain (ndapromovideoslittle .pro in TLS SNI) (malware.rules)
2051704 - ET MALWARE Pure Logs Stealer/Fenix Botnet CnC Activity (GET) M1 (malware.rules)
2051705 - ET MALWARE Pure Logs Stealer/Fenix Botnet CnC Activity (GET) M2 (malware.rules)
2051706 - ET MALWARE Pure Logs Stealer/Fenix Botnet CnC Activity (GET) M3 (malware.rules)
2051707 - ET MALWARE DNS Query to Fenix Botnet Domain (citas-sregob-mexico .com) (malware.rules)
2051708 - ET MALWARE DNS Query to Fenix Botnet Domain (mexico-curp .com) (malware.rules)
2051709 - ET MALWARE DNS Query to Fenix Botnet Domain (citasatmx2023 .lat) (malware.rules)
2051710 - ET MALWARE DNS Query to Fenix Botnet Domain (sre-curpmexico .com) (malware.rules)
2051711 - ET MALWARE DNS Query to Fenix Botnet Domain (fja .com .mx) (malware.rules)
2051712 - ET MALWARE DNS Query to Fenix Botnet Domain (citas-satmx .com) (malware.rules)
2051713 - ET MALWARE DNS Query to Fenix Botnet Domain (citas-sat2023 .com .mx) (malware.rules)
2051714 - ET MALWARE DNS Query to Fenix Botnet Domain (tramites-sat .com .mx) (malware.rules)
2051715 - ET MALWARE DNS Query to Fenix Botnet Domain (lbci-seguro .com) (malware.rules)
2051716 - ET MALWARE DNS Query to Fenix Botnet Domain (d1kv9jqywn0dfi .cloudfront .net) (malware.rules)
2051717 - ET MALWARE DNS Query to Fenix Botnet Domain (grafoce .com) (malware.rules)
2051718 - ET MALWARE DNS Query to Fenix Botnet Domain (whatsapp .website) (malware.rules)
2051719 - ET MALWARE DNS Query to Fenix Botnet Domain (annydesk .website) (malware.rules)
2051720 - ET MALWARE DNS Query to Fenix Botnet Domain (2repuvegobmx .com .mx) (malware.rules)
2051721 - ET MALWARE DNS Query to Fenix Botnet Domain (russiancl .top) (malware.rules)
2051722 - ET MALWARE DNS Query to Fenix Botnet Domain (zlvsiexj6d .d3vilsgg .xyz) (malware.rules)
2051723 - ET MALWARE DNS Query to Fenix Botnet Domain (siii-chile .com) (malware.rules)
2051724 - ET MALWARE DNS Query to Fenix Botnet Domain (consultacurp-gobmx .com .mx) (malware.rules)
2051725 - ET MALWARE Observed Fenix Botnet Domain (citas-sregob-mexico .com in TLS SNI) (malware.rules)
2051726 - ET MALWARE Observed Fenix Botnet Domain (mexico-curp .com in TLS SNI) (malware.rules)
2051727 - ET MALWARE Observed Fenix Botnet Domain (citasatmx2023 .lat in TLS SNI) (malware.rules)
2051728 - ET MALWARE Observed Fenix Botnet Domain (sre-curpmexico .com in TLS SNI) (malware.rules)
2051729 - ET MALWARE Observed Fenix Botnet Domain (fja .com .mx in TLS SNI) (malware.rules)
2051730 - ET MALWARE Observed Fenix Botnet Domain (citas-satmx .com in TLS SNI) (malware.rules)
2051731 - ET MALWARE Observed Fenix Botnet Domain (citas-sat2023 .com .mx in TLS SNI) (malware.rules)
2051732 - ET MALWARE Observed Fenix Botnet Domain (tramites-sat .com .mx in TLS SNI) (malware.rules)
2051733 - ET MALWARE Observed Fenix Botnet Domain (lbci-seguro .com in TLS SNI) (malware.rules)
2051734 - ET MALWARE Observed Fenix Botnet Domain (d1kv9jqywn0dfi .cloudfront .net in TLS SNI) (malware.rules)
2051735 - ET MALWARE Observed Fenix Botnet Domain (grafoce .com in TLS SNI) (malware.rules)
2051736 - ET MALWARE Observed Fenix Botnet Domain (whatsapp .website in TLS SNI) (malware.rules)
2051737 - ET MALWARE Observed Fenix Botnet Domain (annydesk .website in TLS SNI) (malware.rules)
2051738 - ET MALWARE Observed Fenix Botnet Domain (2repuvegobmx .com .mx in TLS SNI) (malware.rules)
2051739 - ET MALWARE Observed Fenix Botnet Domain (russiancl .top in TLS SNI) (malware.rules)
2051740 - ET MALWARE Observed Fenix Botnet Domain (zlvsiexj6d .d3vilsgg .xyz in TLS SNI) (malware.rules)
2051741 - ET MALWARE Observed Fenix Botnet Domain (siii-chile .com in TLS SNI) (malware.rules)
2051742 - ET MALWARE Observed Fenix Botnet Domain (consultacurp-gobmx .com .mx in TLS SNI) (malware.rules)
2051743 - ET INFO DNS Query to File Sharing Domain (egnyte .com) (info.rules)
2051744 - ET INFO DNS Query to File Sharing Domain (freeupload .store) (info.rules)
2051745 - ET INFO DNS Query to File Sharing Domain (sync .com) (info.rules)
2051746 - ET INFO Observed File Sharing Domain (egnyte .com in TLS SNI) (info.rules)
2051747 - ET INFO Observed File Sharing Domain (freeupload .store in TLS SNI) (info.rules)
2051748 - ET INFO Observed File Sharing Domain (sync .com in TLS SNI) (info.rules)
2051749 - ET INFO DNS Query to File Sharing Domain (terabox .com) (info.rules)
2051750 - ET INFO Observed File Sharing Domain (terabox .com in TLS SNI) (info.rules)
2051751 - ET PHISHING Fake Crypto Investing Domain in DNS Lookup (cryptowave .capital) (phishing.rules)
2051752 - ET PHISHING Fake Crypto Investing Domain (cryptowave .capital in TLS SNI) (phishing.rules)
2051753 - ET PHISHING Fake IRS Scam Domain in DNS Lookup (ustaxnumber .org) (phishing.rules)
2051754 - ET PHISHING Fake IRS Scam Domain in DNS Lookup (ustaxnumber .com) (phishing.rules)
2051755 - ET PHISHING Fake IRS Scam Domain in DNS Lookup (irs-ein-gov .us) (phishing.rules)
2051756 - ET PHISHING Fake IRS Scam Domain (ustaxnumber .org in TLS SNI) (phishing.rules)
2051757 - ET PHISHING Fake IRS Scam Domain (ustaxnumber .com in TLS SNI) (phishing.rules)
2051758 - ET PHISHING Fake IRS Scam Domain (irs-ein-gov .us in TLS SNI) (phishing.rules)
2051759 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (nowordshere .org) (exploit_kit.rules)
2051760 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (nowordshere .org) (exploit_kit.rules)

Pro:

2856505 - ETPRO EXPLOIT_KIT Malicious Keitaro TDS Domain in DNS Lookup (exploit_kit.rules)
2856506 - ETPRO EXPLOIT_KIT Malicious Keitaro TDS Domain in TLS SNI (exploit_kit.rules)
2856507 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound (1875f) (exploit_kit.rules)

Disabled and modified rules:

2018878 - ET POLICY tor4u tor2web .onion Proxy domain in SNI (policy.rules)
2018888 - ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin (mobile_malware.rules)
2018892 - ET MALWARE Zbot .onion Proxy domain in SNI Aug 04 2014 (malware.rules)
2018979 - ET MALWARE Miras C2 Activity (malware.rules)
2808576 - ETPRO MALWARE Win32/Rovnix.H GET (malware.rules)
2808608 - ETPRO MOBILE_MALWARE Android.Riskware.SMSPay.AO Checkin 3 (mobile_malware.rules)
2808698 - ETPRO MALWARE Win32/Paskod.B Downloading Files (malware.rules)
2808711 - ETPRO MALWARE W32/VBCheMan.A Checkin 2 (malware.rules)
2808845 - ETPRO MALWARE Backdoor.Win32.Bifrose.agn Checkin (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/02/20 - v10536 Ruleset Updates	343	February 20, 2024
Ruleset Update Summary - 2024/02/16 - v10534 Ruleset Updates	207	February 16, 2024
Ruleset Update Summary - 2024/03/08 - v10548 Ruleset Updates	190	March 8, 2024
Ruleset Update Summary - 2024/01/25 - v10514 Ruleset Updates	216	January 25, 2024
Ruleset Update Summary - 2024/03/27 - v10561 Ruleset Updates	122	March 27, 2024

Ruleset Update Summary - 2024/03/20 - v10556

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related Topics