Ruleset Update Summary - 2024/04/04 - v10568

Summary:

30 new OPEN, 30 new PRO (30 + 0)

Added rules:

Open:

  • 2051915 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (marchsensedjurkey .shop) (malware.rules)
  • 2051916 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (abuselinenaidwjuew .shop) (malware.rules)
  • 2051917 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (methodgreenglassdatw .shop) (malware.rules)
  • 2051918 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (colorprioritytubbew .shop) (malware.rules)
  • 2051919 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (disagreemenywyws .shop) (malware.rules)
  • 2051920 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (birdpenallitysydw .shop) (malware.rules)
  • 2051921 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fixturewordbakewos .shop) (malware.rules)
  • 2051922 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cinemaclinicttanwk .shop) (malware.rules)
  • 2051923 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (speedparticipatewo .shop) (malware.rules)
  • 2051924 - ET MALWARE Observed Lumma Stealer Related Domain (marchsensedjurkey .shop in TLS SNI) (malware.rules)
  • 2051925 - ET MALWARE Observed Lumma Stealer Related Domain (abuselinenaidwjuew .shop in TLS SNI) (malware.rules)
  • 2051926 - ET MALWARE Observed Lumma Stealer Related Domain (methodgreenglassdatw .shop in TLS SNI) (malware.rules)
  • 2051927 - ET MALWARE Observed Lumma Stealer Related Domain (colorprioritytubbew .shop in TLS SNI) (malware.rules)
  • 2051928 - ET MALWARE Observed Lumma Stealer Related Domain (disagreemenywyws .shop in TLS SNI) (malware.rules)
  • 2051929 - ET MALWARE Observed Lumma Stealer Related Domain (birdpenallitysydw .shop in TLS SNI) (malware.rules)
  • 2051930 - ET MALWARE Observed Lumma Stealer Related Domain (fixturewordbakewos .shop in TLS SNI) (malware.rules)
  • 2051931 - ET MALWARE Observed Lumma Stealer Related Domain (cinemaclinicttanwk .shop in TLS SNI) (malware.rules)
  • 2051932 - ET MALWARE Observed Lumma Stealer Related Domain (speedparticipatewo .shop in TLS SNI) (malware.rules)
  • 2051933 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (appliedgrandyjuiw .shop) (malware.rules)
  • 2051934 - ET MALWARE Observed Lumma Stealer Related Domain (appliedgrandyjuiw .shop in TLS SNI) (malware.rules)
  • 2051935 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (concessionofsellerwo .shop) (malware.rules)
  • 2051936 - ET MALWARE Observed Lumma Stealer Related Domain (concessionofsellerwo .shop in TLS SNI) (malware.rules)
  • 2051937 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (shiverdreammyseaemw .shop) (malware.rules)
  • 2051938 - ET MALWARE Observed Lumma Stealer Related Domain (shiverdreammyseaemw .shop in TLS SNI) (malware.rules)
  • 2051939 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (edelmiramejiaterapeutacosmica .com) (exploit_kit.rules)
  • 2051940 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (replacegarbagedisposal .com) (exploit_kit.rules)
  • 2051941 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (edelmiramejiaterapeutacosmica .com) (exploit_kit.rules)
  • 2051942 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (replacegarbagedisposal .com) (exploit_kit.rules)
  • 2051943 - ET HUNTING Possible Kobold Letters CSS in Email M1 (hunting.rules)
  • 2051944 - ET HUNTING Possible Kobold Letters CSS in Email M2 (hunting.rules)

Modified inactive rules:

  • 2021586 - ET MALWARE Possible Dyre SSL Cert (non-ASCII) Jul 21 2015 (malware.rules)
  • 2021735 - ET MALWARE Possible Dyre SSL Cert Aug 31 2015 (malware.rules)
  • 2021736 - ET MALWARE Possible Dyre SSL Cert Aug 31 2015 (malware.rules)
  • 2021749 - ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Sept 8 2015 (malware.rules)
  • 2021773 - ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Sept 14 2015 (malware.rules)
  • 2021948 - ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Oct 12 2015 (malware.rules)
  • 2023590 - ET MALWARE Zeus OPENSSL Banker Malicious SSL Certificate Detected (malware.rules)
  • 2822686 - ETPRO MALWARE Win32/Etumbot.G CnC SSL Certificate Detected (malware.rules)
  • 2823600 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2824273 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2826535 - ETPRO MALWARE Core Bot C2 SSL Certificate Detected (malware.rules)
  • 2828208 - ETPRO MALWARE RevCode SSL Cert (malware.rules)

Disabled and modified rules:

  • 2023025 - ET MALWARE ProjectSauron Remsec DNS Lookup (asrgd-uz .weedns.com) (malware.rules)
  • 2023026 - ET MALWARE ProjectSauron Remsec DNS Lookup (sx4-ws42 .yi.org) (malware.rules)
  • 2023027 - ET MALWARE ProjectSauron Remsec DNS Lookup (we .q.tcow.eu) (malware.rules)
  • 2023083 - ET MALWARE Alfa/Alpha Ransomware Checkin (malware.rules)
  • 2023161 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC) (malware.rules)
  • 2023611 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 107 (malware.rules)
  • 2050558 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .honors .howamerica .com) (malware.rules)
  • 2050559 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .honors .howamerica .com) (malware.rules)
  • 2050654 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (gigeconomycase .com) (exploit_kit.rules)
  • 2050655 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (pngairservices .com) (exploit_kit.rules)
  • 2050656 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (gigeconomycase .com) (exploit_kit.rules)
  • 2050657 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (pngairservices .com) (exploit_kit.rules)
  • 2050697 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (trust .resourcehost .net) (exploit_kit.rules)
  • 2050698 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (trust .resourcehost .net) (exploit_kit.rules)
  • 2051482 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (problemregardybuiwo .funj) (malware.rules)
  • 2051483 - ET MALWARE Observed Lumma Stealer Related Domain (problemregardybuiwo .funj in TLS SNI) (malware.rules)
  • 2821563 - ETPRO MALWARE iSpy Keylogger Reporting Infection via SMTP M2 (malware.rules)
  • 2821569 - ETPRO MALWARE Locky CnC checkin Aug 03 2016 M2 (malware.rules)
  • 2821600 - ETPRO MALWARE MSIL/Unknown Backdoor CnC Checkin (malware.rules)
  • 2821692 - ETPRO MALWARE ZeusPOS Payload M2 (malware.rules)
  • 2821821 - ETPRO MALWARE Godzilla CnC Beacon (malware.rules)
  • 2821890 - ETPRO MALWARE Likely Evil IRC BOT NICK Command (malware.rules)
  • 2821891 - ETPRO MALWARE Win32/Barys IRC Bot NICK Command (malware.rules)
  • 2821987 - ETPRO MALWARE MSIL/Unknown HTTP Bot CnC Checkin (malware.rules)