Ruleset Update Summary - 2024/05/03 - v10589

rulesbot · May 3, 2024, 8:51pm

Summary:

38 new OPEN, 41 new PRO (38 + 3)

Thanks @Threat_Down, @Fortinet

Added rules:

Open:

2052368 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pearcyworkeronej .shop) (malware.rules)
2052369 - ET MALWARE Observed Lumma Stealer Related Domain (pearcyworkeronej .shop in TLS SNI) (malware.rules)
2052370 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (miniaturefinerninewjs .shop) (malware.rules)
2052371 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (sweetsquarediaslw .shop) (malware.rules)
2052372 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (obsceneclassyjuwks .shop) (malware.rules)
2052373 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (plaintediousidowsko .shop) (malware.rules)
2052374 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (zippyfinickysofwps .shop) (malware.rules)
2052375 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (stiffraspyofkwsl .shop) (malware.rules)
2052376 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (acceptabledcooeprs .shop) (malware.rules)
2052377 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pollutiofactwoijk .shop) (malware.rules)
2052378 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (holicisticscrarws .shop) (malware.rules)
2052379 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (boredimperissvieos .shop) (malware.rules)
2052380 - ET MALWARE Observed Lumma Stealer Related Domain (miniaturefinerninewjs .shop in TLS SNI) (malware.rules)
2052381 - ET MALWARE Observed Lumma Stealer Related Domain (sweetsquarediaslw .shop in TLS SNI) (malware.rules)
2052382 - ET MALWARE Observed Lumma Stealer Related Domain (obsceneclassyjuwks .shop in TLS SNI) (malware.rules)
2052383 - ET MALWARE Observed Lumma Stealer Related Domain (plaintediousidowsko .shop in TLS SNI) (malware.rules)
2052384 - ET MALWARE Observed Lumma Stealer Related Domain (zippyfinickysofwps .shop in TLS SNI) (malware.rules)
2052385 - ET MALWARE Observed Lumma Stealer Related Domain (stiffraspyofkwsl .shop in TLS SNI) (malware.rules)
2052386 - ET MALWARE Observed Lumma Stealer Related Domain (acceptabledcooeprs .shop in TLS SNI) (malware.rules)
2052387 - ET MALWARE Observed Lumma Stealer Related Domain (pollutiofactwoijk .shop in TLS SNI) (malware.rules)
2052388 - ET MALWARE Observed Lumma Stealer Related Domain (holicisticscrarws .shop in TLS SNI) (malware.rules)
2052389 - ET MALWARE Observed Lumma Stealer Related Domain (boredimperissvieos .shop in TLS SNI) (malware.rules)
2052390 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (industrybuttonyoferwa .fun) (malware.rules)
2052391 - ET MALWARE Observed Lumma Stealer Related Domain (industrybuttonyoferwa .fun in TLS SNI) (malware.rules)
2052392 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (accountasifkwosov .shop) (malware.rules)
2052393 - ET MALWARE Observed Lumma Stealer Related Domain (accountasifkwosov .shop in TLS SNI) (malware.rules)
2052394 - ET MALWARE Goldoon Botnet Payload Retrieval Attempt (malware.rules)
2052395 - ET MALWARE Goldoon Botnet CnC Checkin (SystemInfo) (malware.rules)
2052396 - ET MALWARE Goldoon Botnet CnC Response (Tasking) (malware.rules)
2052397 - ET MALWARE Nitrogen Loader Activity (malware.rules)
2052398 - ET MALWARE Malvertising/Nitrogen Loader Domain in DNS Lookup (advanced-ip-scan .org) (malware.rules)
2052399 - ET MALWARE Malvertising/Nitrogen Loader Domain in DNS Lookup (giaoanso .com) (malware.rules)
2052400 - ET MALWARE Malvertising/Nitrogen Loader Domain in DNS Lookup (saltysour .com) (malware.rules)
2052401 - ET MALWARE Malvertising/Nitrogen Loader Domain (advanced-ip-scan .org) in TLS SNI (malware.rules)
2052402 - ET MALWARE Malvertising/Nitrogen Loader Domain (giaoanso .com) in TLS SNI (malware.rules)
2052403 - ET MALWARE Malvertising/Nitrogen Loader Domain (saltysour .com) in TLS SNI (malware.rules)
2052404 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (fitnessscop .com) (exploit_kit.rules)
2052405 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (fitnessscop .com) (exploit_kit.rules)

Pro:

2856828 - ETPRO MALWARE Unknown Golang Stealer Activity M2 (GET) (malware.rules)
2856829 - ETPRO MALWARE XenoRAT Related CnC Domain in DNS Lookup (malware.rules)
2856830 - ETPRO MALWARE Observed XenoRAT Related Domain in TLS SNI (malware.rules)

Disabled and modified rules:

2049442 - ET INFO Observed DNS Over HTTPS Domain (safe .dot .dns .yandex .net in TLS SNI) (info.rules)
2049443 - ET INFO Observed DNS Over HTTPS Domain (family .dot .dns .yandex .net in TLS SNI) (info.rules)
2049447 - ET INFO Observed DNS Over HTTPS Domain (common .dot .dns .yandex .net in TLS SNI) (info.rules)
2049448 - ET INFO Observed DNS Over HTTPS Domain (doh .max .net .id in TLS SNI) (info.rules)
2816341 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Hqwar.j Checkin (mobile_malware.rules)
2816669 - ETPRO MALWARE W32/Nymaim Checkin 7 (malware.rules)
2820186 - ETPRO MOBILE_MALWARE Android Unknown Trojan Checkin (mobile_malware.rules)
2846086 - ETPRO MALWARE MalDoc Retrieving Payload 2020-12-17 (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/06/20 - v10622 Ruleset Updates	157	June 20, 2024
Ruleset Update Summary - 2024/05/13 - v10594 Ruleset Updates	167	May 13, 2024
Ruleset Update Summary - 2024/05/20 - v10599 Ruleset Updates	150	May 20, 2024
Ruleset Update Summary - 2024/03/05 - v10545 Ruleset Updates	721	March 5, 2024
Ruleset Update Summary - 2024/02/20 - v10536 Ruleset Updates	486	February 20, 2024

Ruleset Update Summary - 2024/05/03 - v10589

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related topics