Ruleset Update Summary - 2024/04/19 - v10579

Summary:

28 new OPEN, 33 new PRO (28 + 5)

Thanks Kevin, Ross

Added rules:

Open:

  • 2052172 - ET MALWARE Suspected Kapeka/ICYWELL Backdoor Server Response (execute command) (malware.rules)
  • 2052173 - ET MALWARE Suspected Kapeka/ICYWELL Backdoor Server Response (read from file) (malware.rules)
  • 2052174 - ET MALWARE Suspected Kapeka/ICYWELL Backdoor Server Response (write to file) (malware.rules)
  • 2052175 - ET MALWARE Suspected Kapeka/ICYWELL Backdoor Server Response (uninstall) (malware.rules)
  • 2052176 - ET MALWARE Suspected Kapeka/ICYWELL Backdoor Server Response (launch process) (malware.rules)
  • 2052177 - ET MALWARE Suspected Kapeka/ICYWELL Backdoor Server Response (launch payload) (malware.rules)
  • 2052178 - ET MALWARE Suspected Kapeka/ICYWELL Backdoor Server Response (execute shell command) (malware.rules)
  • 2052179 - ET MALWARE Suspected Kapeka/ICYWELL Backdoor Server Response (upgrade backdoor) (malware.rules)
  • 2052180 - ET INFO Observed DNS Over HTTPS Domain (dns .horcrux .vip in TLS SNI) (info.rules)
  • 2052181 - ET INFO Observed DNS Over HTTPS Domain (au .rslvr .eu in TLS SNI) (info.rules)
  • 2052182 - ET INFO Observed DNS Over HTTPS Domain (us .rslvr .eu in TLS SNI) (info.rules)
  • 2052183 - ET INFO Observed DNS Over HTTPS Domain (nl .rslvr .eu in TLS SNI) (info.rules)
  • 2052184 - ET INFO Observed DNS Over HTTPS Domain (dns .phillipjberry .net in TLS SNI) (info.rules)
  • 2052185 - ET INFO Observed DNS Over HTTPS Domain (sg .rslvr .eu in TLS SNI) (info.rules)
  • 2052186 - ET INFO Observed DNS Over HTTPS Domain (hk .rslvr .eu in TLS SNI) (info.rules)
  • 2052187 - ET INFO Observed DNS Over HTTPS Domain (dns .ian .rocks in TLS SNI) (info.rules)
  • 2052188 - ET INFO Observed DNS Over HTTPS Domain (dns .xwdmw .xyz in TLS SNI) (info.rules)
  • 2052189 - ET INFO Observed DNS Over HTTPS Domain (doh .cnetwork .cloud in TLS SNI) (info.rules)
  • 2052190 - ET INFO Observed DNS Over HTTPS Domain (jp .rslvr .eu in TLS SNI) (info.rules)
  • 2052191 - ET MALWARE Possible SSLoad Interactive Shell Connection (malware.rules)
  • 2052192 - ET MALWARE Possible SSload Interactive Shell whoami Output (malware.rules)
  • 2052193 - ET MALWARE TA577 Payload Delivery Attempt (malware.rules)
  • 2052194 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (cuponerachilanga .com) (exploit_kit.rules)
  • 2052195 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (svif-venezuela .com) (exploit_kit.rules)
  • 2052196 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (go8et .lol) (exploit_kit.rules)
  • 2052197 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (cuponerachilanga .com) (exploit_kit.rules)
  • 2052198 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (svif-venezuela .com) (exploit_kit.rules)
  • 2052199 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (go8et .lol) (exploit_kit.rules)

Pro:

  • 2856739 - ETPRO MALWARE Win32/Winter Loader Activity (malware.rules)
  • 2856740 - ETPRO INFO External IP Lookup Domain in DNS Lookup (info.rules)
  • 2856741 - ETPRO INFO Observed External IP Lookup Domain in TLS SNI (info.rules)
  • 2856742 - ETPRO MALWARE Malicious VBS Loader Related Domain in DNS Lookup (malware.rules)
  • 2856743 - ETPRO MALWARE Observed Malicious VBS Loader Related Domain in TLS SNI (malware.rules)

Modified inactive rules:

  • 2023591 - ET MALWARE Zeus OPENSSL Banker Malicious SSL Certificate Detected (malware.rules)
  • 2023902 - ET MALWARE Unknown Malicious SSL Cert 1 (malware.rules)
  • 2023903 - ET MALWARE Unknown Malicious SSL Cert 2 (malware.rules)
  • 2023904 - ET MALWARE Unknown Malicious SSL Cert 3 (malware.rules)
  • 2023905 - ET MALWARE Unknown Malicious SSL Cert 4 (malware.rules)
  • 2023906 - ET MALWARE Unknown Malicious SSL Cert 5 (malware.rules)
  • 2023907 - ET MALWARE Unknown Malicious SSL Cert 6 (malware.rules)
  • 2023908 - ET MALWARE Unknown Malicious SSL Cert 7 (malware.rules)
  • 2036338 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036339 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036340 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036341 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036342 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036343 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036344 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036345 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2036346 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) (phishing.rules)
  • 2812377 - ETPRO MALWARE Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2812965 - ETPRO MALWARE Malicious SSL Certificate detected (Variant.Barys) (malware.rules)
  • 2814619 - ETPRO MALWARE Shifu SSL Cert (malware.rules)
  • 2814635 - ETPRO MALWARE Shifu ATS SSL Cert (malware.rules)
  • 2814655 - ETPRO MALWARE Shifu ATS SSL Cert (malware.rules)
  • 2814656 - ETPRO MALWARE Shifu ATS SSL Cert (malware.rules)
  • 2814665 - ETPRO MALWARE Shifu SSL Cert (malware.rules)
  • 2814674 - ETPRO MALWARE Shifu SSL Cert (malware.rules)
  • 2814750 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2814751 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2814784 - ETPRO MALWARE Shifu SSL Cert (malware.rules)
  • 2814785 - ETPRO MALWARE Shifu SSL Cert (malware.rules)
  • 2814786 - ETPRO MALWARE Shifu SSL Cert (malware.rules)
  • 2815043 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2815185 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2815186 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2815187 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2815278 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2815284 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2815291 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit CnC) (malware.rules)
  • 2815972 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2816035 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2816504 - ETPRO MALWARE Zeus Variant CnC SSL Cert (malware.rules)
  • 2816567 - ETPRO MALWARE Zeus CnC SSL Cert (malware.rules)
  • 2816671 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2820049 - ETPRO MALWARE Zeus Variant CnC SSL Cert (malware.rules)
  • 2820098 - ETPRO MALWARE Zeus Variant CnC SSL Cert (malware.rules)
  • 2820482 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2820511 - ETPRO MALWARE Dridex Injects SSL Cert (malware.rules)
  • 2820593 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2820594 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2820738 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2820739 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2820751 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2820752 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2820789 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2820790 - ETPRO MALWARE Malicious SSL certificate detected (Gootkit Injects) (malware.rules)
  • 2820817 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2820948 - ETPRO MALWARE Zeus Panda SSL Cert (malware.rules)
  • 2820981 - ETPRO MALWARE Malicious SSL certificate detected (Malware C2) (malware.rules)
  • 2821053 - ETPRO MALWARE Malicious SSL certificate detected (Malware C2) (malware.rules)
  • 2821141 - ETPRO MALWARE Malicious SSL certificate detected (Gootkit Injects) (malware.rules)
  • 2821180 - ETPRO MALWARE Malicious SSL Certificate Detected (Zloader CnC) (malware.rules)
  • 2821197 - ETPRO MALWARE ZeusSSL/Terdot.A/Zloader Malicious SSL Cert Observed (malware.rules)
  • 2821472 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2821525 - ETPRO MALWARE Malicious SSL certificate detected (Zeus Injects) (malware.rules)
  • 2821613 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda Banker) (malware.rules)
  • 2821624 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda Injects) (malware.rules)
  • 2821625 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda Injects) (malware.rules)
  • 2821808 - ETPRO MALWARE Malicious SSL certificate detected (Dreambot/Gozi CnC) (malware.rules)
  • 2821809 - ETPRO MALWARE Terdot.A/Zloader Malicious SSL Cert Observed (malware.rules)
  • 2821857 - ETPRO MALWARE Observed Malicious Domain SSL Cert in SNI (Zeus Panda) (malware.rules)
  • 2822090 - ETPRO MALWARE Shifu SSL Cert (malware.rules)
  • 2822521 - ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner) (malware.rules)
  • 2822660 - ETPRO MALWARE Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2822694 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda) (malware.rules)
  • 2823288 - ETPRO MALWARE Zeus Variant CnC SSL Cert (malware.rules)
  • 2823327 - ETPRO MALWARE Observed Malicious SSL Cert (Gootkit CnC) (malware.rules)
  • 2823480 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2823657 - ETPRO MALWARE Observed Malicious SSL Cert (JS/Ostap Downloader) (malware.rules)
  • 2823673 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2823775 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2824351 - ETPRO MALWARE Zeus Panda Injects Domain in SNI (malware.rules)
  • 2824357 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit CnC) (malware.rules)
  • 2824448 - ETPRO MALWARE Observed Malicious SSL Cert (Gootkit) (malware.rules)
  • 2824478 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2824548 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2824633 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2824649 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2824690 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2824694 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2824918 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2824983 - ETPRO MALWARE Zeus Panda Domain in SNI (malware.rules)
  • 2825032 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2825040 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2825209 - ETPRO MALWARE Zeus Panda Injects Domain in SNI (malware.rules)
  • 2825251 - ETPRO MALWARE Zeus Panda Injects Domain in SNI (malware.rules)
  • 2825354 - ETPRO MALWARE Zeus Panda Injects Domain in SNI (malware.rules)
  • 2825386 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Variant) (malware.rules)
  • 2825558 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2826028 - ETPRO MALWARE Malicious SSL Certificate Observed (Win32/Kryptik.FRIW Banker Injects) (malware.rules)
  • 2826145 - ETPRO MALWARE Malicious SSL Certificate Detected (CobaltStrike Dropper) (malware.rules)
  • 2826437 - ETPRO MALWARE Observed Malicious SSL Cert (Orcus RAT) (malware.rules)
  • 2827244 - ETPRO MALWARE Observed Malicious SSL Cert (URLZone CnC) (malware.rules)
  • 2827262 - ETPRO MALWARE Observed Malicious SSL Cert (Evil CoinMiner) (malware.rules)
  • 2827395 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2827464 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2827746 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2827764 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2827821 - ETPRO MALWARE Malicious SSL Certificate Detected (CredPhishing) (malware.rules)
  • 2827822 - ETPRO MALWARE Malicious SSL Certificate Detected (CredPhishing) (malware.rules)
  • 2827823 - ETPRO MALWARE Malicious SSL Certificate Detected (CredPhishing) (malware.rules)
  • 2827991 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2828191 - ETPRO MALWARE Observed Malicious SSL Cert (Fake O356 Installer) (malware.rules)
  • 2828332 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL) (malware.rules)
  • 2828428 - ETPRO MALWARE Malicious SSL certificate detected (TrickBot C2) (malware.rules)
  • 2828551 - ETPRO MALWARE Observed Malicious SSL Cert (Spymaster Keylogger Domain) (malware.rules)
  • 2828569 - ETPRO MALWARE ZeusPanda CnC Domain (henfobuthis .com in TLS SNI) (malware.rules)
  • 2828571 - ETPRO MALWARE ZeusPanda CnC Domain (rowrorofrat .com in TLS SNI) (malware.rules)
  • 2828577 - ETPRO MALWARE ZeusPanda CnC Domain (linghogolac .ru in TLS SNI) (malware.rules)
  • 2828584 - ETPRO MALWARE Observed Malicious Zeus Panda Domain in SNI (henfobuthis .com) (malware.rules)
  • 2828585 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda CnC) (malware.rules)
  • 2828665 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc HTA Download) (malware.rules)
  • 2829252 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda CnC) (malware.rules)

Disabled and modified rules:

  • 2018876 - ET POLICY DNS Query to .onion proxy Domain (onion.cab) (policy.rules)
  • 2021021 - ET MALWARE Kaspersky Sinkhole DNS Reply (malware.rules)
  • 2021022 - ET MALWARE Wapack Labs Sinkhole DNS Reply (malware.rules)
  • 2022486 - ET PHISHING Possible Phishing Landing via GetGoPhish Phishing Tool (phishing.rules)
  • 2022915 - ET INFO Web Proxy Auto Discovery Protocol WPAD DHCP 252 option Possible BadTunnel (info.rules)
  • 2024689 - ET WEB_CLIENT Download of Multimedia Content flowbit set (web_client.rules)
  • 2025986 - ET INFO MP3 with ID3 in HTTP Flowbit Set (info.rules)
  • 2812094 - ETPRO POLICY Observed Free HTTPS Proxy Service TLS Certificate (ssl-proxy.my-addr .org) (policy.rules)
  • 2827897 - ETPRO EXPLOIT MP4 Atom Parser Vulnerability Inbound M1 (CVE-2017-11281) (exploit.rules)
  • 2832176 - ETPRO EXPLOIT Flash Player Out-of-bounds Read (CVE-2018-12824) (exploit.rules)