Ruleset Update Summary - 2024/04/02 - v10565

Summary:

20 new OPEN, 21 new PRO (20 + 1)

Thanks @Jane_0sint
Added rules:

Open:

  • 2051888 - ET MALWARE DNS Query to Konni APT Domain (settlores .com) (malware.rules)
  • 2051889 - ET MALWARE Observed Konni APT Domain (settlores .com in TLS SNI) (malware.rules)
  • 2051890 - ET INFO File Sharing Service Related Domain in DNS Lookup (ws .onehub .com) (info.rules)
  • 2051891 - ET INFO Observed File Sharing Service Related Domain (ws .onehub .com in TLS SNI) (info.rules)
  • 2051892 - ET MOBILE_MALWARE Android Vultur/brunhilda Related CnC Domain in DNS Lookup (safetyfactor .online) (mobile_malware.rules)
  • 2051893 - ET MOBILE_MALWARE Observed Android Vultur/brunhilda Related Domain (safetyfactor .online in TLS SNI) (mobile_malware.rules)
  • 2051894 - ET MOBILE_MALWARE Android Vultur/brunhilda Related CnC Domain in DNS Lookup (cloudmiracle .store) (mobile_malware.rules)
  • 2051895 - ET MOBILE_MALWARE Observed Android Vultur/brunhilda Related Domain (cloudmiracle .store in TLS SNI) (mobile_malware.rules)
  • 2051896 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (awardlandscareposiw .shop) (malware.rules)
  • 2051897 - ET MALWARE Observed Lumma Stealer Related Domain (awardlandscareposiw .shop in TLS SNI) (malware.rules)
  • 2051898 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (sailsystemeyeusjw .shop) (malware.rules)
  • 2051899 - ET MALWARE Observed Lumma Stealer Related Domain (sailsystemeyeusjw .shop in TLS SNI) (malware.rules)
  • 2051900 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ahryssa .com) (exploit_kit.rules)
  • 2051901 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (elmworldacademy .com) (exploit_kit.rules)
  • 2051902 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (foradopicadeiro .com) (exploit_kit.rules)
  • 2051903 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (techyureka .com) (exploit_kit.rules)
  • 2051904 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ahryssa .com) (exploit_kit.rules)
  • 2051905 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (elmworldacademy .com) (exploit_kit.rules)
  • 2051906 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (foradopicadeiro .com) (exploit_kit.rules)
  • 2051907 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (techyureka .com) (exploit_kit.rules)

Pro:

  • 2856567 - ETPRO MALWARE TeePlow CnC Checkin (malware.rules)

Modified inactive rules:

  • 2019079 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019106 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019279 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2019414 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2019709 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020564 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020567 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020966 - ET MALWARE CozyDuke APT Possible SSL Cert 1 (malware.rules)
  • 2021525 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2021541 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2021567 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2021568 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2021603 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2021623 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2021624 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (BlackEnergy CnC) (malware.rules)
  • 2022508 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022509 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2800344 - ETPRO EXPLOIT Openwsman HTTP Basic Authentication Buffer Overflow (exploit.rules)
  • 2801405 - ETPRO MALWARE Unknown RBN Based BiFrost Botnet Response (malware.rules)
  • 2802013 - ETPRO MALWARE Trojan.Win32.Banker.qmd Activity - SET (malware.rules)
  • 2802014 - ETPRO MALWARE Trojan.Win32.Banker.qmd Runtime Detection (malware.rules)
  • 2802198 - ETPRO MALWARE Trojan.Win32.Banker.bkvd (sending info) (malware.rules)
  • 2803101 - ETPRO EXPLOIT Potential Hostile Flash File Exploit Exploit Specific Trigger SWF (exploit.rules)
  • 2803102 - ETPRO EXPLOIT Potential Hostile Flash File Exploit Specific ActionScript3 REST Flags Set (exploit.rules)
  • 2803103 - ETPRO EXPLOIT Exploit Specific Potential Adobe Flash ActiveX Request (exploit.rules)
  • 2812077 - ETPRO MALWARE Java/Adwind SSL Cert (malware.rules)
  • 2812098 - ETPRO MALWARE Java/Adwind SSL Cert (malware.rules)
  • 2826539 - ETPRO MALWARE Core Bot Injects SSL Certificate Detected (malware.rules)
  • 2826540 - ETPRO MALWARE Core Bot Injects SSL Certificate Detected (malware.rules)

Disabled and modified rules:

  • 2021289 - ET MALWARE Malicious SSL certificate detected (FindPOS) (malware.rules)
  • 2021528 - ET MALWARE KINS/ZeusVM Variant Retrieving Config (malware.rules)
  • 2021632 - ET MALWARE Sharik/Smoke CnC Beacon 3 (malware.rules)
  • 2031757 - ET PHISHING Possible Successful AirCanada Phish 2015-08-06 (phishing.rules)
  • 2049062 - ET MALWARE Suspected Higaisa APT Related Domain in DNS Lookup (insightinteriors .im) (malware.rules)
  • 2800826 - ETPRO WEB_CLIENT Adobe Acrobat and Reader CoolType.dll Stack Buffer Overflow 1 (web_client.rules)
  • 2800827 - ETPRO WEB_CLIENT Adobe Acrobat and Reader CoolType.dll Stack Buffer Overflow 2 (web_client.rules)
  • 2800828 - ETPRO WEB_CLIENT Adobe Acrobat and Reader CoolType.dll Stack Buffer Overflow 3 (web_client.rules)
  • 2800829 - ETPRO WEB_CLIENT Adobe Acrobat and Reader CoolType.dll Stack Buffer Overflow 4 (web_client.rules)
  • 2801861 - ETPRO WEB_CLIENT Oracle Java Applet2ClassLoader Remote Code Execution 1 (web_client.rules)
  • 2801862 - ETPRO WEB_CLIENT Oracle Java Applet2ClassLoader Remote Code Execution 2 (web_client.rules)
  • 2801929 - ETPRO WEB_CLIENT Microsoft Office Excel Pivot Item Index Boundary Error Memory Corruption 1 (web_client.rules)
  • 2801968 - ETPRO WEB_CLIENT Apple Safari Right-to-Left Text Rendering Use After Free Vulnerability (Published Exploit) - SET (web_client.rules)
  • 2801969 - ETPRO WEB_CLIENT Apple Safari Right-to-Left Text Rendering Use After Free Vulnerability (Published Exploit) (web_client.rules)
  • 2802068 - ETPRO WEB_CLIENT Microsoft Internet Explorer Object Management Memory Corruption 2 (web_client.rules)
  • 2802069 - ETPRO WEB_CLIENT Microsoft Internet Explorer Object Management Memory Corruption (web_client.rules)
  • 2802875 - ETPRO WEB_CLIENT Adobe flash malformed Table Record offset field exploit attempt 2 (web_client.rules)
  • 2802877 - ETPRO WEB_CLIENT Adobe flash malformed Table Record offset field exploit attempt 4 (web_client.rules)
  • 2802987 - ETPRO WEB_CLIENT Microsoft Excel Insufficient Record Validation (web_client.rules)
  • 2802991 - ETPRO WEB_CLIENT Microsoft Excel corrupted SerAuxTrend BIFF Record (web_client.rules)
  • 2803027 - ETPRO WEB_CLIENT Microsoft Excel Malformed Selection (type 0x1D) BIFF record (web_client.rules)
  • 2803339 - ETPRO MALWARE Downloader.Win32.BaoFa.cfx checkin (malware.rules)
  • 2803657 - ETPRO WEB_CLIENT Microsoft Excel SHRFMLA Biff Record Vulnerability Attempt (web_client.rules)
  • 2804521 - ETPRO WEB_CLIENT Microsoft Internet Explorer 9 Null Byte Information Disclosure (web_client.rules)
  • 2811061 - ETPRO MALWARE Win32/Spy.POSCardStealer.C FTP STOR Command (malware.rules)
  • 2811459 - ETPRO ADWARE_PUP Win32/Meinhudong.C Variant Checkin (adware_pup.rules)
  • 2812231 - ETPRO MALWARE Win32/Litera.A CnC Checkin (malware.rules)
  • 2812398 - ETPRO ADWARE_PUP Win32/Adware.FileTour Requesting Torrent (adware_pup.rules)
  • 2812405 - ETPRO MALWARE Linux.Trojan.Rain.A Sending IM Creds in SMTP (malware.rules)

Removed rules:

  • 2019280 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)