Ruleset Update Summary - 2024/04/16 - v10576

Summary:

32 new OPEN, 36 new PRO (32 + 4)

Thanks @ginkgo_g, @malware_traffic, @watchtowrcyber
Added rules:

Open:

  • 2052098 - ET MALWARE Win32/SSLoad Registration Activity (POST) (malware.rules)
  • 2052099 - ET MALWARE Win32/SSLoad Tasking Request (POST) (malware.rules)
  • 2052100 - ET MALWARE DonotGroup Related CnC Domain in DNS Lookup (letentinfo .info) (malware.rules)
  • 2052101 - ET MALWARE Observed DonotGroup Related Domain (letentinfo .info in TLS SNI) (malware.rules)
  • 2052102 - ET MALWARE DonotGroup Pult Downloader Activity (POST) M7 (malware.rules)
  • 2052103 - ET MALWARE DonotGroup Related CnC Domain in DNS Lookup (geographiclocation .info) (malware.rules)
  • 2052104 - ET MALWARE Observed DonotGroup Related Domain (geographiclocation .info in TLS SNI) (malware.rules)
  • 2052105 - ET ADWARE_PUP Android Fintech Related Domain in DNS Lookup (qt .qtzhreop .com) (adware_pup.rules)
  • 2052106 - ET ADWARE_PUP Observed Android Fintech Related Domain (qt .qtzhreop .com in TLS SNI) (adware_pup.rules)
  • 2052107 - ET ADWARE_PUP Android Fintech Related Domain in DNS Lookup (iu .iuuaufbt .com) (adware_pup.rules)
  • 2052108 - ET ADWARE_PUP Observed Android Fintech Related Domain (iu .iuuaufbt .com in TLS SNI) (adware_pup.rules)
  • 2052109 - ET ADWARE_PUP Android Fintech Related Domain in DNS Lookup (cy .amorcash .com) (adware_pup.rules)
  • 2052110 - ET ADWARE_PUP Observed Android Fintech Related Domain (cy .amorcash .com in TLS SNI) (adware_pup.rules)
  • 2052111 - ET ADWARE_PUP Android Fintech Related Domain in DNS Lookup (apitai .coccash .com) (adware_pup.rules)
  • 2052112 - ET ADWARE_PUP Android Fintech Related Domain in DNS Lookup (app .truenaira .co) (adware_pup.rules)
  • 2052113 - ET ADWARE_PUP Android Fintech Related Domain in DNS Lookup (api .yumicash .com) (adware_pup.rules)
  • 2052114 - ET ADWARE_PUP Observed Android Fintech Related Domain (apitai .coccash .com in TLS SNI) (adware_pup.rules)
  • 2052115 - ET ADWARE_PUP Observed Android Fintech Related Domain (app .truenaira .co in TLS SNI) (adware_pup.rules)
  • 2052116 - ET ADWARE_PUP Observed Android Fintech Related Domain (api .yumicash .com in TLS SNI) (adware_pup.rules)
  • 2052117 - ET INFO Observed DNS Query to URL Shortener Domain (lnkz .at) (info.rules)
  • 2052118 - ET INFO Observed URL Shortener Domain (lnkz .at) in TLS SNI (info.rules)
  • 2052119 - ET MALWARE Win32/SSLoad Module Request (GET) (malware.rules)
  • 2052120 - ET MALWARE Win32/SSLoad Payload Request (GET) (malware.rules)
  • 2052121 - ET MALWARE Win32/SSLoad Payload Response (malware.rules)
  • 2052122 - ET WEB_SPECIFIC_APPS Palo Alto GlobalProtect Session Cookie Command Injection Attempt (CVE-2024-3400) (web_specific_apps.rules)
  • 2052123 - ET MALWARE Anonymous RAT CnC Domain in DNS Lookup (anonymousrat8 .com) (malware.rules)
  • 2052124 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (barhell .com) (exploit_kit.rules)
  • 2052125 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (betvanced .com) (exploit_kit.rules)
  • 2052126 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (barhell .com) (exploit_kit.rules)
  • 2052127 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (betvanced .com) (exploit_kit.rules)
  • 2052128 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (doggygangers .com) (exploit_kit.rules)
  • 2052129 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (doggygangers .com) (exploit_kit.rules)

Pro:

  • 2856654 - ETPRO MALWARE TA582 CnC Checkin (malware.rules)
  • 2856659 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856660 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856661 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

  • 2022381 - ET INFO DYNAMIC_DNS Query to a Suspicious *.dnsalias.ru Domain (info.rules)
  • 2022384 - ET INFO DYNAMIC_DNS Query to a Suspicious *.dns-free.ru Domain (info.rules)
  • 2022647 - ET MALWARE Cryptolocker Payment Domain (3qbyaoohkcqkzrz6) (malware.rules)
  • 2022815 - ET INFO Possible SQLi Attempt in User Agent (Outbound) (info.rules)
  • 2031990 - ET PHISHING Suspicious File Download Post-Phishing 2016-05-25 (phishing.rules)
  • 2050143 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (groannysoapblockedstiw .site) (malware.rules)
  • 2050144 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (worrystitchsounddywuwp .site) (malware.rules)
  • 2050145 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (weedpairfolkloredheryw .site) (malware.rules)
  • 2050146 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (copyrightspareddcitwew .site) (malware.rules)
  • 2050147 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (qualifiedbehaviorrykej .site) (malware.rules)
  • 2050148 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (combinethemepiggerygoj .site) (malware.rules)
  • 2050149 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lendremindcenterpassew .site) (malware.rules)
  • 2050150 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (expenditureddisumilarwo .site) (malware.rules)
  • 2050151 - ET MALWARE Observed Lumma Stealer Related Domain (groannysoapblockedstiw .site in TLS SNI) (malware.rules)
  • 2050152 - ET MALWARE Observed Lumma Stealer Related Domain (worrystitchsounddywuwp .site in TLS SNI) (malware.rules)
  • 2050153 - ET MALWARE Observed Lumma Stealer Related Domain (paperambiguonusphoterew .site in TLS SNI) (malware.rules)
  • 2050154 - ET MALWARE Observed Lumma Stealer Related Domain (weedpairfolkloredheryw .site in TLS SNI) (malware.rules)
  • 2050156 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (paperambiguonusphoterew .site) (malware.rules)
  • 2050157 - ET MALWARE Observed Lumma Stealer Related Domain (expenditureddisumilarwo .site in TLS SNI) (malware.rules)
  • 2050158 - ET MALWARE Observed Lumma Stealer Related Domain (combinethemepiggerygoj .site in TLS SNI) (malware.rules)
  • 2050159 - ET MALWARE Observed Lumma Stealer Related Domain (qualifiedbehaviorrykej .site in TLS SNI) (malware.rules)
  • 2050160 - ET MALWARE Observed Lumma Stealer Related Domain (lendremindcenterpassew .site in TLS SNI) (malware.rules)
  • 2050161 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (accouncementdivecane .site) (malware.rules)
  • 2050162 - ET MALWARE Observed Lumma Stealer Related Domain (accouncementdivecane .site in TLS SNI) (malware.rules)
  • 2050163 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fleetconsciousnessjuiw .site) (malware.rules)
  • 2050164 - ET MALWARE Observed Lumma Stealer Related Domain (fleetconsciousnessjuiw .site in TLS SNI) (malware.rules)
  • 2050165 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (carpetcupboardtejjerew .site) (malware.rules)
  • 2050166 - ET MALWARE Observed Lumma Stealer Related Domain (carpetcupboardtejjerew .site in TLS SNI) (malware.rules)
  • 2809666 - ETPRO WEB_CLIENT Possible IE Same Origin Bypass Attempt CVE-2015-0072 (web_client.rules)
  • 2810895 - ETPRO MALWARE MSIL/Banker.N CnC Beacon (malware.rules)
  • 2815827 - ETPRO MALWARE PadCrypt CnC Checkin (malware.rules)
  • 2816282 - ETPRO MALWARE Win32/Dacic.A!rfn Backdoor CnC Checkin (malware.rules)
  • 2816658 - ETPRO MALWARE MSIL/Volt Logger PWS Exfil via FTP (malware.rules)
  • 2816680 - ETPRO MALWARE Win32/Blacked Checkin 2 (malware.rules)
  • 2816681 - ETPRO MALWARE MSIL/IRCBot.BK Upload Screenshot Notification via IRC (malware.rules)
  • 2820368 - ETPRO MALWARE TorrentLocker DNS query to Domain *.blasters.biz (malware.rules)
  • 2856175 - ETPRO MALWARE Suspected FIN7/Carbanak Related Domain in DNS Lookup (malware.rules)
  • 2856176 - ETPRO MALWARE Observed Suspected FIN7/Carbanak Related Domain in TLS SNI (malware.rules)

Removed rules:

  • 2856177 - ETPRO MALWARE Win32/SSLoad Registration Activity (POST) (malware.rules)
  • 2856178 - ETPRO MALWARE Win32/SSLoad Activity (POST) (malware.rules)