Ruleset Update Summary - 2024/04/15 - v10575

Summary:

71 new OPEN, 76 new PRO (71 + 5)

Thanks @TrendMicro
Added rules:

Open:

  • 2052027 - ET INFO External IP Check (checkip .amazonaws .com) (info.rules)
  • 2052028 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (greetclassifytalk .shop) (malware.rules)
  • 2052029 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (economicscreateojsu .shop) (malware.rules)
  • 2052030 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (mealplayerpreceodsju .shop) (malware.rules)
  • 2052031 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (suitcaseacanehalk .shop) (malware.rules)
  • 2052032 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pushjellysingeywus .shop) (malware.rules)
  • 2052033 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bordersoarmanusjuw .shop) (malware.rules)
  • 2052034 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (absentconvicsjawun .shop) (malware.rules)
  • 2052035 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (wifeplasterbakewis .shop) (malware.rules)
  • 2052036 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (entitlementappwo .shop) (malware.rules)
  • 2052037 - ET MALWARE Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) (malware.rules)
  • 2052038 - ET MALWARE Observed Lumma Stealer Related Domain (economicscreateojsu .shop in TLS SNI) (malware.rules)
  • 2052039 - ET MALWARE Observed Lumma Stealer Related Domain (mealplayerpreceodsju .shop in TLS SNI) (malware.rules)
  • 2052040 - ET MALWARE Observed Lumma Stealer Related Domain (suitcaseacanehalk .shop in TLS SNI) (malware.rules)
  • 2052041 - ET MALWARE Observed Lumma Stealer Related Domain (pushjellysingeywus .shop in TLS SNI) (malware.rules)
  • 2052042 - ET MALWARE Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) (malware.rules)
  • 2052043 - ET MALWARE Observed Lumma Stealer Related Domain (absentconvicsjawun .shop in TLS SNI) (malware.rules)
  • 2052044 - ET MALWARE Observed Lumma Stealer Related Domain (wifeplasterbakewis .shop in TLS SNI) (malware.rules)
  • 2052045 - ET MALWARE Observed Lumma Stealer Related Domain (entitlementappwo .shop in TLS SNI) (malware.rules)
  • 2052046 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (palmeventeryjusk .shop) (malware.rules)
  • 2052047 - ET MALWARE Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI) (malware.rules)
  • 2052048 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (exceptionwillapews .shop) (malware.rules)
  • 2052049 - ET MALWARE Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI) (malware.rules)
  • 2052050 - ET INFO Observed DNS Over HTTPS Domain (dns .svoi .dev in TLS SNI) (info.rules)
  • 2052051 - ET INFO Observed DNS Over HTTPS Domain (dns .hypercute .eu in TLS SNI) (info.rules)
  • 2052052 - ET INFO Observed DNS Over HTTPS Domain (dns .bitservices .io in TLS SNI) (info.rules)
  • 2052053 - ET INFO Observed DNS Over HTTPS Domain (3dns .eu in TLS SNI) (info.rules)
  • 2052054 - ET INFO Observed DNS Over HTTPS Domain (dns .janl .eu in TLS SNI) (info.rules)
  • 2052055 - ET INFO Observed DNS Over HTTPS Domain (dns .warma .me in TLS SNI) (info.rules)
  • 2052056 - ET INFO Observed DNS Over HTTPS Domain (alleesph .online in TLS SNI) (info.rules)
  • 2052057 - ET INFO Observed DNS Over HTTPS Domain (adblock .indianets .net in TLS SNI) (info.rules)
  • 2052058 - ET INFO Observed DNS Over HTTPS Domain (diy .itsa .top in TLS SNI) (info.rules)
  • 2052059 - ET INFO Observed DNS Over HTTPS Domain (drs .rustsword .com in TLS SNI) (info.rules)
  • 2052060 - ET INFO Observed DNS Over HTTPS Domain (doh .runsel .id in TLS SNI) (info.rules)
  • 2052061 - ET INFO Observed DNS Over HTTPS Domain (dns .immanuelschaffer .de in TLS SNI) (info.rules)
  • 2052062 - ET INFO Observed DNS Over HTTPS Domain (dns .oliviertv .co .za in TLS SNI) (info.rules)
  • 2052063 - ET INFO Observed DNS Over HTTPS Domain (dns1 .nordvpn .com in TLS SNI) (info.rules)
  • 2052064 - ET INFO Observed DNS Over HTTPS Domain (dns .iki .my .id in TLS SNI) (info.rules)
  • 2052065 - ET INFO Observed DNS Over HTTPS Domain (dns .kerekes .xyz in TLS SNI) (info.rules)
  • 2052066 - ET INFO Observed DNS Over HTTPS Domain (dns2 .prima-solusindo .com in TLS SNI) (info.rules)
  • 2052067 - ET INFO Observed DNS Over HTTPS Domain (dns .0x55 .net in TLS SNI) (info.rules)
  • 2052068 - ET INFO Observed DNS Over HTTPS Domain (dns .pesaventofilippo .com in TLS SNI) (info.rules)
  • 2052069 - ET INFO Observed DNS Over HTTPS Domain (dns .karfamily .net in TLS SNI) (info.rules)
  • 2052070 - ET INFO Observed DNS Over HTTPS Domain (dnspub .restena .lu in TLS SNI) (info.rules)
  • 2052071 - ET INFO Observed DNS Over HTTPS Domain (dns .asterimoon .com in TLS SNI) (info.rules)
  • 2052072 - ET INFO Observed DNS Over HTTPS Domain (dns .kukal .cz in TLS SNI) (info.rules)
  • 2052073 - ET MALWARE Earth Hundun Group Waterbear/Deuterbear CnC Domain in DNS Lookup (showgyella .quadrantbd .com) (malware.rules)
  • 2052074 - ET MALWARE Earth Hundun Group Waterbear/Deuterbear CnC Domain in DNS Lookup (smartclouds .gelatosg .com) (malware.rules)
  • 2052075 - ET MALWARE Earth Hundun Group Waterbear/Deuterbear CnC Domain in DNS Lookup (cloudflaread .quadrantbd .com) (malware.rules)
  • 2052076 - ET MALWARE Earth Hundun Group Waterbear/Deuterbear CnC Domain in DNS Lookup (suitsvm003 .rchitecture .org) (malware.rules)
  • 2052077 - ET MALWARE Earth Hundun Group Waterbear/Deuterbear CnC Domain in DNS Lookup (cloudsrm .gelatosg .com) (malware.rules)
  • 2052078 - ET MALWARE Earth Hundun Group Waterbear/Deuterbear CnC Domain in DNS Lookup (rscvmogt .taishanlaw .com) (malware.rules)
  • 2052079 - ET MALWARE Observed Earth Hundun Group Waterbear/Deuterbear Domain (showgyella .quadrantbd .com) in TLS SNI (malware.rules)
  • 2052080 - ET MALWARE Observed Earth Hundun Group Waterbear/Deuterbear Domain (smartclouds .gelatosg .com) in TLS SNI (malware.rules)
  • 2052081 - ET MALWARE Observed Earth Hundun Group Waterbear/Deuterbear Domain (freeprous .bakhell .com) in TLS SNI (malware.rules)
  • 2052082 - ET MALWARE Observed Earth Hundun Group Waterbear/Deuterbear Domain (cloudflaread .quadrantbd .com) in TLS SNI (malware.rules)
  • 2052083 - ET MALWARE Observed Earth Hundun Group Waterbear/Deuterbear Domain (suitsvm003 .rchitecture .org) in TLS SNI (malware.rules)
  • 2052084 - ET MALWARE Observed Earth Hundun Group Waterbear/Deuterbear Domain (cloudsrm .gelatosg .com) in TLS SNI (malware.rules)
  • 2052085 - ET MALWARE Observed Earth Hundun Group Waterbear/Deuterbear Domain (rscvmogt .taishanlaw .com) in TLS SNI (malware.rules)
  • 2052086 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (akademipraktik .com) (exploit_kit.rules)
  • 2052087 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (akademipraktik .com) (exploit_kit.rules)
  • 2052088 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .register .arpsychotherapy .com) (malware.rules)
  • 2052089 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .register .arpsychotherapy .com) (malware.rules)
  • 2052090 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jhansgansowen .com) (exploit_kit.rules)
  • 2052091 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (hlktradecenter .com) (exploit_kit.rules)
  • 2052092 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bid2cart .com) (exploit_kit.rules)
  • 2052093 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (carlaweishale .com) (exploit_kit.rules)
  • 2052094 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jhansgansowen .com) (exploit_kit.rules)
  • 2052095 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (hlktradecenter .com) (exploit_kit.rules)
  • 2052096 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bid2cart .com) (exploit_kit.rules)
  • 2052097 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (carlaweishale .com) (exploit_kit.rules)

Pro:

  • 2856614 - ETPRO MALWARE Suspected Win32/Katastrof Loader Related Activity (GET) M2 (malware.rules)
  • 2856615 - ETPRO MALWARE DarkGate Loader Related Domain in DNS Lookup (malware.rules)
  • 2856616 - ETPRO MALWARE Observed DarkGate Loader Related Domain in TLS SNI (malware.rules)
  • 2856618 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856619 - ETPRO MALWARE TA582 Domain in HTTP HOST (malware.rules)

Modified inactive rules:

  • 2020864 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2021145 - ET MALWARE Likely Dridex SSL Cert (malware.rules)
  • 2032681 - ET PHISHING Possible Successful Generic Phish 2016-05-26 (phishing.rules)
  • 2035603 - ET MALWARE GhostWriter APT Related Cobalt Strike Activity (GET) (malware.rules)
  • 2812926 - ETPRO MALWARE Win32/Filecoder.DI Ransomware SSL Cert (malware.rules)
  • 2827827 - ETPRO PHISHING Credphish Domain in SNI (phishing.rules)
  • 2827834 - ETPRO PHISHING Credphish Domain in SNI (phishing.rules)

Disabled and modified rules:

  • 2020964 - ET MALWARE CozyDuke APT HTTP POST CnC Beacon (malware.rules)
  • 2022134 - ET WEB_CLIENT Possible eDellRoot Rogue Root CA (web_client.rules)
  • 2024008 - ET PHISHING Possible Phishing Redirect Feb 24 2017 (phishing.rules)
  • 2025005 - ET PHISHING Possible Successful Generic Phish Jan 14 2016 (phishing.rules)
  • 2025006 - ET PHISHING Possible Phishing Redirect Feb 09 2016 (phishing.rules)
  • 2032684 - ET PHISHING Possible Successful Generic Phish 2016-06-22 (phishing.rules)
  • 2032689 - ET PHISHING Possible Successful Generic Phish 2016-08-19 (phishing.rules)
  • 2032706 - ET PHISHING Possible Successful Generic Phish 2016-10-07 (phishing.rules)
  • 2050030 - ET INFO Observed DNS Over HTTPS Domain (www .maxfong .cc in TLS SNI) (info.rules)
  • 2050032 - ET INFO Observed DNS Over HTTPS Domain (clearweb .woodbridge .club in TLS SNI) (info.rules)
  • 2050033 - ET INFO Observed DNS Over HTTPS Domain (local .sufly .top in TLS SNI) (info.rules)
  • 2050034 - ET INFO Observed DNS Over HTTPS Domain (ns .lov .host in TLS SNI) (info.rules)
  • 2050037 - ET INFO Observed DNS Over HTTPS Domain (v2 .xx3210766 .live in TLS SNI) (info.rules)
  • 2050041 - ET INFO Observed DNS Over HTTPS Domain (dns .albony .xyz in TLS SNI) (info.rules)
  • 2050046 - ET INFO Observed DNS Over HTTPS Domain (dns .888654 .xyz in TLS SNI) (info.rules)
  • 2050048 - ET INFO Observed DNS Over HTTPS Domain (vanced .sytes .net in TLS SNI) (info.rules)
  • 2050076 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (contextsuffreintymore .fun) (malware.rules)
  • 2050077 - ET MALWARE Observed Lumma Stealer Related Domain (contextsuffreintymore .fun in TLS SNI) (malware.rules)
  • 2051636 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .funq) (malware.rules)
  • 2051637 - ET MALWARE Observed Lumma Stealer Related Domain (edurestunningcrackyow .funq in TLS SNI) (malware.rules)
  • 2809667 - ETPRO WEB_CLIENT Possible IE Same Origin Bypass Attempt CVE-2015-0072 (web_client.rules)
  • 2814633 - ETPRO MALWARE Win32/TrojanDownloader.Banload.UKZ Receiving Payload (malware.rules)
  • 2814677 - ETPRO MALWARE AbaddonPOS Exfiltrating CC Numbers 1 (malware.rules)
  • 2814679 - ETPRO MALWARE AbaddonPOS Exfiltrating CC Numbers 3 (malware.rules)
  • 2814934 - ETPRO ADWARE_PUP Win32/Iminent.Adinstaller.E PUP Checkin (adware_pup.rules)
  • 2814959 - ETPRO MALWARE PhilBot/Toshliph POST CnC Beacon (malware.rules)
  • 2815098 - ETPRO MALWARE Backdoor.Busadom CnC Beacon 3 (malware.rules)
  • 2815142 - ETPRO MALWARE Bergard Checkin 1 (malware.rules)
  • 2815423 - ETPRO MALWARE Win32/Spy.BZub CnC (malware.rules)
  • 2815451 - ETPRO MALWARE Win32.WebToos/Agony CnC Checkin (malware.rules)
  • 2816001 - ETPRO MALWARE Win32/iSpySoft PWS Exfil via SMTP (malware.rules)
  • 2816032 - ETPRO POLICY OSX/Potential Vulnerable Application using Sparkle Updater (policy.rules)
  • 2816265 - ETPRO MALWARE Possible APT.HTTPBrowser DNS Lookup (malware.rules)
  • 2819816 - ETPRO WEB_CLIENT Suspicious Redirector Apr 18 M2 (web_client.rules)
  • 2826043 - ETPRO PHISHING Possible Successful Generic Phish Apr 20 2017 (phishing.rules)
  • 2827147 - ETPRO PHISHING Possible Successful Generic Phish Jul 17 2017 (phishing.rules)
  • 2828331 - ETPRO PHISHING Possible Successful Generic Phish Oct 17 2017 (phishing.rules)

Removed rules: