Ruleset Update Summary - 2024/03/29 - v10563

Summary:

28 new OPEN, 28 new PRO (28 + 0)

Thanks @cyfirma, @Securelist, @TrendMicro


Added rules:

Open:

  • 2051842 - ET MALWARE Win32/Sync-Scheduler Stealer Activity (POST) (malware.rules)
  • 2051843 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (wagonglidemonkywo .shop) (malware.rules)
  • 2051844 - ET MALWARE Observed Lumma Stealer Related Domain (wagonglidemonkywo .shop in TLS SNI) (malware.rules)
  • 2051845 - ET MALWARE DNS Query to Earth Krahang APT Domain (support .helpkaspersky .top) (malware.rules)
  • 2051846 - ET MALWARE DNS Query to Earth Krahang APT Domain (update .centos-yum .com) (malware.rules)
  • 2051847 - ET MALWARE DNS Query to Earth Krahang APT Domain (security-microsoft .net) (malware.rules)
  • 2051848 - ET MALWARE DNS Query to Earth Krahang APT Domain (happy .gitweb .cloudns .nz) (malware.rules)
  • 2051849 - ET MALWARE DNS Query to Earth Krahang APT Domain (data-dev .helpkaspersky .top) (malware.rules)
  • 2051850 - ET MALWARE DNS Query to Earth Krahang APT Domain (update .microsoft-setting .com) (malware.rules)
  • 2051851 - ET MALWARE DNS Query to Earth Krahang APT Domain (tfirstdaily .store) (malware.rules)
  • 2051852 - ET MALWARE DNS Query to Earth Krahang APT Domain (update .windows .server-microsoft .com) (malware.rules)
  • 2051853 - ET MALWARE DNS Query to Earth Krahang APT Domain (cdn-dev .helpkaspersky .top) (malware.rules)
  • 2051854 - ET MALWARE DNS Query to Earth Krahang APT Domain (gtldgtld .store) (malware.rules)
  • 2051855 - ET MALWARE DNS Query to Earth Krahang APT Domain (softupdate .xyz) (malware.rules)
  • 2051856 - ET MALWARE Observed Earth Krahang APT Domain (gtldgtld .store in TLS SNI) (malware.rules)
  • 2051857 - ET MALWARE Observed Earth Krahang APT Domain (softupdate .xyz in TLS SNI) (malware.rules)
  • 2051858 - ET MALWARE Observed Earth Krahang APT Domain (security-microsoft .net in TLS SNI) (malware.rules)
  • 2051859 - ET MALWARE Observed Earth Krahang APT Domain (happy .gitweb .cloudns .nz in TLS SNI) (malware.rules)
  • 2051860 - ET MALWARE Observed Earth Krahang APT Domain (tfirstdaily .store in TLS SNI) (malware.rules)
  • 2051861 - ET MALWARE Observed Earth Krahang APT Domain (update .microsoft-setting .com in TLS SNI) (malware.rules)
  • 2051862 - ET MALWARE Observed Earth Krahang APT Domain (cdn-dev .helpkaspersky .top in TLS SNI) (malware.rules)
  • 2051863 - ET MALWARE Observed Earth Krahang APT Domain (update .windows .server-microsoft .com in TLS SNI) (malware.rules)
  • 2051864 - ET MALWARE Observed Earth Krahang APT Domain (update .centos-yum .com in TLS SNI) (malware.rules)
  • 2051865 - ET MALWARE Observed Earth Krahang APT Domain (support .helpkaspersky .top in TLS SNI) (malware.rules)
  • 2051866 - ET MALWARE Observed Earth Krahang APT Domain (data-dev .helpkaspersky .top in TLS SNI) (malware.rules)
  • 2051867 - ET MALWARE Dinodas RAT CnC Domain in DNS Lookup (update .centos-yum .com) (malware.rules)
  • 2051868 - ET MALWARE Linux/Dinodas RAT CnC Checkin - UDP (malware.rules)
  • 2051869 - ET MALWARE Linux/Dinodas RAT CnC Checkin - TCP (malware.rules)

Modified inactive rules:

  • 2841409 - ETPRO MALWARE Win32/Injector.EKXA Variant CnC Activity (malware.rules)

Disabled and modified rules:

  • 2026097 - ET MALWARE Suspected Monero Miner CnC Channel TXT Lookup (malware.rules)
  • 2048903 - ET INFO Observed DNS Over HTTPS Domain (dns .nhtsky .com in TLS SNI) (info.rules)
  • 2048915 - ET INFO Observed DNS Over HTTPS Domain (doh .xcom .pro in TLS SNI) (info.rules)
  • 2840940 - ETPRO WEB_CLIENT WordPress Plugin DZS-VideoGallery Cross-Site Scripting (Inbound) M1 (web_client.rules)
  • 2840941 - ETPRO WEB_CLIENT WordPress Plugin DZS-VideoGallery Cross-Site Scripting (Inbound) M2 (web_client.rules)
  • 2840942 - ETPRO WEB_CLIENT WordPress Plugin DZS-VideoGallery Cross-Site Scripting (Outbound) M1 (web_client.rules)
  • 2840943 - ETPRO WEB_CLIENT WordPress Plugin DZS-VideoGallery Cross-Site Scripting (Outbound) M2 (web_client.rules)
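The domains in the rule titles above are defanged with a space before each dot ("update .centos-yum .com"), and the same domain can appear under several sids (2051846, 2051864 and 2051867 all cover update .centos-yum .com across DNS and TLS SNI). The script below is an added example, not part of the Emerging Threats changelog or ruleset: it parses lines in this summary's format, restores the dots, groups sids by domain and channel, and builds an indicator list from the "Added rules" section only, so domains from the "Disabled and modified rules" section (the DoH hosts here) are not mistaken for new threat indicators. The `SAMPLE` text is a constructed excerpt of this page, and the names `Indicator`, `parse_summary`, `group_by_domain` and `blocklist` are this example's own.

```python
"""Extract refanged domain indicators from an ET ruleset update summary.

Added example (not ET/Proofpoint code). Handles the two defanging styles
seen in ET rule titles, 'a .b' and 'a[.]b', the latter as a generalization.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt of the 2024/03/29 summary, same line format as the page.
SAMPLE = """\
Added rules:

Open:

  • 2051842 - ET MALWARE Win32/Sync-Scheduler Stealer Activity (POST) (malware.rules)
  • 2051843 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (wagonglidemonkywo .shop) (malware.rules)
  • 2051844 - ET MALWARE Observed Lumma Stealer Related Domain (wagonglidemonkywo .shop in TLS SNI) (malware.rules)
  • 2051846 - ET MALWARE DNS Query to Earth Krahang APT Domain (update .centos-yum .com) (malware.rules)
  • 2051864 - ET MALWARE Observed Earth Krahang APT Domain (update .centos-yum .com in TLS SNI) (malware.rules)
  • 2051867 - ET MALWARE Dinodas RAT CnC Domain in DNS Lookup (update .centos-yum .com) (malware.rules)
  • 2051868 - ET MALWARE Linux/Dinodas RAT CnC Checkin - UDP (malware.rules)

Disabled and modified rules:

  • 2048903 - ET INFO Observed DNS Over HTTPS Domain (dns .nhtsky .com in TLS SNI) (info.rules)
  • 2840942 - ETPRO WEB_CLIENT WordPress Plugin DZS-VideoGallery Cross-Site Scripting (Outbound) M1 (web_client.rules)
"""

# "  • <sid> - <message> (<file>.rules)"; the message itself may contain " - ".
RULE_RE = re.compile(r"^\s*•\s*(?P<sid>\d+)\s+-\s+(?P<msg>.+?)\s+\((?P<file>[\w-]+\.rules)\)\s*$")
PAREN_RE = re.compile(r"\(([^()]+)\)")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
SUBSECTIONS = {"Open:", "Pro:"}  # headings that do not change the top-level section
SNI_SUFFIX = "in TLS SNI"


@dataclass(frozen=True)
class Indicator:
    sid: int
    domain: str
    channel: str    # "dns", "tls_sni" or "other"
    section: str    # e.g. "Added rules", "Disabled and modified rules"
    rule_file: str


def refang(text: str) -> str:
    """Turn 'update .centos-yum .com' or 'a[.]b' back into a plain lowercase domain."""
    text = re.sub(r"\[\.\]", ".", text)
    text = re.sub(r"\s*\.\s*", ".", text)
    return text.strip().lower()


def parse_summary(text: str) -> list[Indicator]:
    """Walk the summary, tracking the current section, and pull domain-looking
    parenthesised groups out of each rule title. Groups such as '(POST)' or
    '(Outbound)' fail the domain check and are ignored."""
    indicators: list[Indicator] = []
    section = ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.endswith(":") and not stripped.startswith("•"):
            if stripped not in SUBSECTIONS:
                section = stripped[:-1]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        for group in PAREN_RE.findall(msg):
            if group.endswith(SNI_SUFFIX):
                channel, candidate = "tls_sni", group[: -len(SNI_SUFFIX)]
            elif "DNS" in msg:
                channel, candidate = "dns", group
            else:
                channel, candidate = "other", group
            domain = refang(candidate)
            if DOMAIN_RE.match(domain):
                indicators.append(Indicator(int(m["sid"]), domain, channel, section, m["file"]))
    return indicators


def group_by_domain(indicators: list[Indicator], section: str = "Added rules") -> dict[str, list[Indicator]]:
    """Map each domain to the sids covering it, restricted to one section."""
    groups: dict[str, list[Indicator]] = defaultdict(list)
    for ind in indicators:
        if ind.section == section:
            groups[ind.domain].append(ind)
    return dict(groups)


def blocklist(indicators: list[Indicator], section: str = "Added rules") -> list[str]:
    """Sorted, de-duplicated domains from the given section only."""
    return sorted(group_by_domain(indicators, section))


if __name__ == "__main__":
    found = parse_summary(SAMPLE)
    for domain, inds in sorted(group_by_domain(found).items()):
        print(domain, sorted((i.sid, i.channel) for i in inds))
    print("blocklist:", blocklist(found))
```

Run against the full summary, the grouped view is what tells you that a single domain is covered both by a DNS lookup rule and a TLS SNI rule, so a hit on either is the same infrastructure; the section filter is the check that keeps rules moved to "Disabled and modified" out of your indicator feed.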