Ruleset Update Summary - 2024/04/05 - v10569

Summary:

5 new OPEN, 5 new PRO (5 + 0)

Thanks @eSentire

Added rules:

Open:

  • 2051945 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (officiallongberyw .shop) (malware.rules)
  • 2051946 - ET MALWARE Observed Lumma Stealer Related Domain (officiallongberyw .shop in TLS SNI) (malware.rules)
  • 2051947 - ET MALWARE Suspected Parallax RAT Checkin (malware.rules)
  • 2051948 - ET EXPLOIT_KIT Balada Domain in DNS Lookup (bestresulttostart .com) (exploit_kit.rules)
  • 2051949 - ET EXPLOIT_KIT Balada Domain in TLS SNI (bestresulttostart .com) (exploit_kit.rules)

Modified inactive rules:

  • 2018973 - ET MALWARE Possible Dyre SSL Cert Aug 20 2014 D1 (malware.rules)
  • 2018974 - ET MALWARE Possible Dyre SSL Cert Aug 20 2014 D2 (malware.rules)
  • 2019069 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019104 - ET MALWARE Possible Dyre SSL Cert Sept 3 2014 (malware.rules)
  • 2019108 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019109 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019120 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019121 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Upatre C2) (malware.rules)
  • 2019122 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019135 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019147 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019148 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019150 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019152 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019173 - ET MALWARE Possible Dyre SSL Cert Sept 15 2014 (malware.rules)
  • 2019178 - ET MALWARE Possible Dyre SSL Cert Sept 16 2014 (malware.rules)
  • 2019200 - ET MALWARE Possible Dyre SSL Cert Sept 19 2014 (malware.rules)
  • 2019205 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019213 - ET MALWARE Possible Dyre SSL Cert Sept 22 2014 (malware.rules)
  • 2019225 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC) (malware.rules)
  • 2019275 - ET MALWARE Possible Dyre SSL Cert Sept 26 2014 (malware.rules)
  • 2019276 - ET MALWARE Possible Dyre SSL Cert Sept 26 2014 (malware.rules)
  • 2019305 - ET MALWARE Dyre SSL Cert 1 (malware.rules)
  • 2019306 - ET MALWARE Dyre SSL Cert 2 (malware.rules)
  • 2019307 - ET MALWARE Dyre SSL Cert 3 (malware.rules)
  • 2019317 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC) (malware.rules)
  • 2019319 - ET MALWARE Possible Dyre SSL Cert Sept 30 2014 (malware.rules)
  • 2019320 - ET MALWARE Possible Dyre SSL Cert Sept 30 2014 (malware.rules)
  • 2019328 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019329 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019330 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC) (malware.rules)
  • 2019342 - ET MALWARE Possible Dyre SSL Cert Oct 3 2014 (malware.rules)
  • 2019360 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2019361 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2019413 - ET MALWARE Possible Dyre SSL Cert Oct 15 2014 (malware.rules)
  • 2019419 - ET MALWARE Possible Dyre SSL Cert Oct 15 2014 (malware.rules)
  • 2019477 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019493 - ET MALWARE Possible Dyre SSL Cert Oct 22 2014 (malware.rules)
  • 2019494 - ET MALWARE Possible Dyre SSL Cert Oct 22 2014 (malware.rules)
  • 2019495 - ET MALWARE Possible Dyre SSL Cert Oct 22 2014 (malware.rules)
  • 2019520 - ET MALWARE Possible Dyre SSL Cert Oct 27 2014 (malware.rules)
  • 2019521 - ET MALWARE Possible Dyre SSL Cert Oct 27 2014 (malware.rules)
  • 2019522 - ET MALWARE Possible Dyre SSL Cert Oct 27 2014 (malware.rules)
  • 2019523 - ET MALWARE Possible Dyre SSL Cert Oct 27 2014 (malware.rules)
  • 2019603 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019604 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019648 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019649 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019651 - ET MALWARE Possible Dyre SSL Cert Nov 05 2014 (malware.rules)
  • 2019670 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019671 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019691 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019699 - ET MALWARE Possible Dyre SSL Cert Nov 11 2014 (malware.rules)
  • 2019700 - ET MALWARE Possible Dyre SSL Cert Nov 11 2014 (malware.rules)
  • 2019701 - ET MALWARE Possible Dyre SSL Cert Nov 11 2014 (malware.rules)
  • 2019702 - ET MALWARE Possible Dyre SSL Cert Nov 11 2014 (malware.rules)
  • 2019703 - ET MALWARE Possible Dyre SSL Cert Nov 11 2014 (malware.rules)
  • 2019705 - ET MALWARE Possible Dyre SSL Cert Nov 12 2014 (malware.rules)
  • 2019719 - ET MALWARE Possible Dyre SSL Cert Nov 17 2014 (malware.rules)
  • 2019813 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Hesperbot CnC) (malware.rules)
  • 2019814 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2019815 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020149 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020187 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020218 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2020219 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020220 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020242 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2020313 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020314 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020322 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020331 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020843 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020961 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2021087 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2021109 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2021121 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2021621 - ET MALWARE Possible Dridex SSL Cert Aug 12 2015 (malware.rules)
  • 2021946 - ET MALWARE Possible Dridex SSL Cert Oct 12 2015 (malware.rules)
  • 2021993 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022004 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022231 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2022249 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2022275 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC) (malware.rules)
  • 2022385 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022397 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022408 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022489 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022514 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2022521 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022522 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022553 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC) (malware.rules)
  • 2022624 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Kasidet CnC) (malware.rules)
  • 2022880 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2808823 - ETPRO MALWARE Gozi/Ursnif/Papras SSL Cert (malware.rules)
  • 2808899 - ETPRO MALWARE Win32/Spy.Zbot.ACB SSL Cert (malware.rules)
  • 2826540 - ETPRO MALWARE Core Bot Injects SSL Certificate Detected (malware.rules)

Disabled and modified rules:

  • 2022780 - ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.0) (malware.rules)
  • 2022781 - ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.1) (malware.rules)
  • 2022782 - ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.2) (malware.rules)
  • 2022783 - ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.0) (malware.rules)
  • 2022784 - ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.1) (malware.rules)
  • 2022785 - ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.2) (malware.rules)
  • 2022786 - ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.3) (malware.rules)
  • 2022787 - ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 10.0) (malware.rules)
  • 2031983 - ET PHISHING Adobe Online Document Phishing Landing M1 2016-04-25 (phishing.rules)
  • 2049917 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (playerweighmailydailew .pw) (malware.rules)
  • 2049918 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (latetemporarynuance .pw) (malware.rules)
  • 2049919 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (blastechohackopeower .pw) (malware.rules)
  • 2049920 - ET MALWARE Observed Lumma Stealer Related Domain (latetemporarynuance .pw in TLS SNI) (malware.rules)
  • 2049921 - ET MALWARE Observed Lumma Stealer Related Domain (playerweighmailydailew .pw in TLS SNI) (malware.rules)
  • 2049922 - ET MALWARE Observed Lumma Stealer Related Domain (blastechohackopeower .pw in TLS SNI) (malware.rules)
  • 2051498 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (executivebrakeji .shop) (malware.rules)
  • 2051499 - ET MALWARE Observed Lumma Stealer Related Domain (executivebrakeji .shop in TLS SNI) (malware.rules)
  • 2051500 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (oneclickyporkeiw .fun) (malware.rules)
  • 2051501 - ET MALWARE Observed Lumma Stealer Related Domain (oneclickyporkeiw .fun in TLS SNI) (malware.rules)
  • 2819828 - ETPRO MALWARE Redyms/Ramdo CnC DGA DNS Lookup (yw//.org) (malware.rules)
  • 2820050 - ETPRO MALWARE W32/Unknown Banker Checkin Via Mysql (malware.rules)
  • 2820054 - ETPRO MALWARE Pirpi Variant CnC Beacon (malware.rules)
  • 2820065 - ETPRO MALWARE Backdoor.Absolute Eye Activity (malware.rules)
  • 2820381 - ETPRO MALWARE Hawkeye Keylogger SMTP Checkin M1 (malware.rules)
  • 2820382 - ETPRO MALWARE Hawkeye Keylogger SMTP Checkin M2 (malware.rules)
  • 2820383 - ETPRO MALWARE Hawkeye Keylogger SMTP Stolen Credentials (malware.rules)

Removed rules:

  • 2826539 - ETPRO MALWARE Core Bot Injects SSL Certificate Detected (malware.rules)