Ruleset Update Summary - 2024/03/28 - v10562

Ruleset Updates
1

Summary:

15 new OPEN, 17 new PRO (15 + 2)

Added rules:

Open:

  • 2051827 - ET EXPLOIT Possible RoundCube Webmail Persistent XSS Attempt (CVE-2023-43770) (exploit.rules)
  • 2051828 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 (malware.rules)
  • 2051829 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M2 (malware.rules)
  • 2051830 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M3 (malware.rules)
  • 2051831 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 (malware.rules)
  • 2051832 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M2 (malware.rules)
  • 2051833 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M3 (malware.rules)
  • 2051834 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (paintercrutcheniw .shop) (malware.rules)
  • 2051835 - ET MALWARE Observed Lumma Stealer Related Domain (paintercrutcheniw .shop in TLS SNI) (malware.rules)
  • 2051836 - ET INFO Observed DNS Over HTTPS Domain (resolver .sunet .se in TLS SNI) (info.rules)
  • 2051837 - ET MALWARE DinodasRAT Related CnC Domain in DNS Lookup (update .centos-yum .com) (malware.rules)
  • 2051838 - ET MALWARE DinodasRAT Related CnC Domain in DNS Lookup (update .microsoft-settings .com) (malware.rules)
  • 2051839 - ET MALWARE Suspected DinodasRAT Related Activity (UDP) (malware.rules)
  • 2051840 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (apiframeworknode .com) (exploit_kit.rules)
  • 2051841 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (apiframeworknode .com) (exploit_kit.rules)

Pro:

  • 2856563 - ETPRO MALWARE Phorpiex Domain in DNS Lookup (malware.rules)
  • 2856564 - ETPRO MALWARE TA582 Domain in HTTP HOST (malware.rules)

Modified inactive rules:

  • 2850313 - ETPRO PHISHING Successful Facebook Phish 2021-10-27 (phishing.rules)

Disabled and modified rules:

  • 2020885 - ET MALWARE Kriptovor Retrieving RAR Payload (malware.rules)
  • 2020889 - ET MALWARE Vobus/Beebone Sinkhole DNS Reply (malware.rules)
  • 2020966 - ET MALWARE CozyDuke APT Possible SSL Cert 1 (malware.rules)
  • 2021129 - ET MALWARE Blue Bot DDoS Blog Request (malware.rules)
  • 2021130 - ET MALWARE Blue Bot DDoS Target Request (malware.rules)
  • 2021131 - ET MALWARE Blue Bot DDoS Logger Request (malware.rules)
  • 2021424 - ET MALWARE APT CozyCar SSL Cert 7 (malware.rules)
  • 2021425 - ET MALWARE APT CozyCar SSL Cert 8 (malware.rules)
  • 2021441 - ET MALWARE KeyBase Keylogger Uploading Screenshots (malware.rules)
  • 2810192 - ETPRO MALWARE Linux.DDoS Variant Checkin (malware.rules)
  • 2810237 - ETPRO MALWARE Linux/Zanich.B Checkin (malware.rules)
  • 2810293 - ETPRO MALWARE Win32/Spy.Ranbyus.J CnC Beacon (malware.rules)
  • 2810509 - ETPRO MALWARE MSIL/ClickFraud Variant Retrieving Fake Referers (malware.rules)
  • 2810510 - ETPRO ADWARE_PUP BrowseFox CnC Beacon 1 (adware_pup.rules)
  • 2810511 - ETPRO ADWARE_PUP BrowseFox CnC Beacon 2 (adware_pup.rules)
  • 2810607 - ETPRO MALWARE Upatre Retrieving encoded payload (Common Header Struct) (malware.rules)
  • 2810655 - ETPRO MALWARE Trojan.Win32.SchwarzeSonne CnC Beacon (malware.rules)
  • 2810702 - ETPRO MALWARE Likely Upatre External IP Check (malware.rules)
  • 2810797 - ETPRO MALWARE Win32/Bancos.AMF CnC Beacon 6 (malware.rules)
  • 2810799 - ETPRO MALWARE Win32/Bancos.AMF CnC Beacon 8 (malware.rules)
  • 2810847 - ETPRO MALWARE AutoIt variant CnC Beacon (malware.rules)
  • 2811695 - ETPRO MALWARE Win32/Onliner Spam Bot CnC Beacon (malware.rules)
  • 2834135 - ETPRO MALWARE Request for Known Coinminer Binary via FTP (X64) (malware.rules)