Ruleset Update Summary - 2024/03/27 - v10561

Ruleset Updates
1

Summary:

20 new OPEN, 25 new PRO (20 + 5)

Added rules:

Open:

  • 2051807 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (diskretainvigorousiw .shop) (malware.rules)
  • 2051808 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (affordcharmcropwo .shop) (malware.rules)
  • 2051809 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (worryfillvolcawoi .shop) (malware.rules)
  • 2051810 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (dismissalcylinderhostw .shop) (malware.rules)
  • 2051811 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pillowbrocccolipe .shop) (malware.rules)
  • 2051812 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (enthusiasimtitleow .shop) (malware.rules)
  • 2051813 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cleartotalfisherwo .shop) (malware.rules)
  • 2051814 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (communicationgenerwo .shop) (malware.rules)
  • 2051815 - ET MALWARE Observed Lumma Stealer Related Domain (diskretainvigorousiw .shop in TLS SNI) (malware.rules)
  • 2051816 - ET MALWARE Observed Lumma Stealer Related Domain (affordcharmcropwo .shop in TLS SNI) (malware.rules)
  • 2051817 - ET MALWARE Observed Lumma Stealer Related Domain (worryfillvolcawoi .shop in TLS SNI) (malware.rules)
  • 2051818 - ET MALWARE Observed Lumma Stealer Related Domain (dismissalcylinderhostw .shop in TLS SNI) (malware.rules)
  • 2051819 - ET MALWARE Observed Lumma Stealer Related Domain (pillowbrocccolipe .shop in TLS SNI) (malware.rules)
  • 2051820 - ET MALWARE Observed Lumma Stealer Related Domain (enthusiasimtitleow .shop in TLS SNI) (malware.rules)
  • 2051821 - ET MALWARE Observed Lumma Stealer Related Domain (cleartotalfisherwo .shop in TLS SNI) (malware.rules)
  • 2051822 - ET MALWARE Observed Lumma Stealer Related Domain (communicationgenerwo .shop in TLS SNI) (malware.rules)
  • 2051823 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (sessionannoucemenwj .shop) (malware.rules)
  • 2051824 - ET MALWARE Observed Lumma Stealer Related Domain (sessionannoucemenwj .shop in TLS SNI) (malware.rules)
  • 2051825 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (wagechaircoupessaywu .shop) (malware.rules)
  • 2051826 - ET MALWARE Observed Lumma Stealer Related Domain (wagechaircoupessaywu .shop in TLS SNI) (malware.rules)

Pro:

  • 2856554 - ETPRO MALWARE xploit.im Credit Card Skimmer Payload Retrieval Attempt (malware.rules)
  • 2856555 - ETPRO MALWARE xploit.im Credit Card Skimmer Server Response (malware.rules)
  • 2856556 - ETPRO MALWARE xploit.im Credit Card Skimmer Data Exfiltration Attempt (malware.rules)
  • 2856557 - ETPRO MALWARE Observed DNS Query to (xploit .im) in DNS Lookup (malware.rules)
  • 2856558 - ETPRO MALWARE Suspicious Domain (xploit .im) in TLS SNI (malware.rules)

Modified inactive rules:

  • 2030520 - ET INFO Suspicious HTTP GET Request on Port 53 Outbound (info.rules)
  • 2030521 - ET INFO Suspicious HTTP GET Request on Port 53 Inbound (info.rules)
  • 2030522 - ET INFO Suspicious HTTP POST Request on Port 53 Outbound (info.rules)
  • 2030523 - ET INFO Suspicious HTTP POST Request on Port 53 Inbound (info.rules)
  • 2806888 - ETPRO POLICY DNS query to Dynamic Internet Technology Domains (Anti-Internet Censhorship) 2 (policy.rules)

Disabled and modified rules:

  • 2012115 - ET INFO DNS Query for a Suspicious Malware Related Numerical .in Domain (info.rules)
  • 2035043 - ET MALWARE Likely Geodo/Emotet Downloading PE (malware.rules)
  • 2810068 - ETPRO MALWARE Win32/HideProcess Retrieving config for likely click fraud (malware.rules)
  • 2810099 - ETPRO MALWARE Chthonic CnC Beacon 7 (malware.rules)