Ruleset Update Summary - 2024/05/06 - v10590

rulesbot · May 6, 2024, 9:07pm

Summary:

49 new OPEN, 50 new PRO (49 + 1)

Thanks @suyog41, @500mk500

Added rules:

Open:

2052406 - ET MALWARE TA453 Related Domain in DNS Lookup (malware.rules)
2052407 - ET MALWARE Observed TA453 Related Domain in TLS SNI (malware.rules)
2052408 - ET MALWARE APT42/TA453 NICECURL Backdoor Related CnC Domain in DNS Lookup (drive-file-share .site) (malware.rules)
2052409 - ET MALWARE APT42/TA453 NICECURL Backdoor Related CnC Domain in DNS Lookup (prism-west-candy .glitch .me) (malware.rules)
2052410 - ET MALWARE Observed APT42/TA453 NICECURL Backdoor Related Domain (drive-file-share .site in TLS SNI) (malware.rules)
2052411 - ET MALWARE Observed APT42/TA453 NICECURL Backdoor Related Domain (prism-west-candy .glitch .me in TLS SNI) (malware.rules)
2052412 - ET MALWARE Suspected APT42/TA453 TAMECAT Loader Related Activity (POST) (malware.rules)
2052413 - ET MALWARE APT42/TA453 Related Domain in DNS Lookup (worried-eastern-salto .glitch .me) (malware.rules)
2052414 - ET MALWARE Observed APT42/TA453 Related Domain (worried-eastern-salto .glitch .me in TLS SNI) (malware.rules)
2052415 - ET MALWARE APT42/TA453 Related CnC Domain in DNS Lookup (bitly .org .il) (malware.rules)
2052416 - ET MALWARE APT42/TA453 Related CnC Domain in DNS Lookup (s51 .online) (malware.rules)
2052417 - ET MALWARE APT42/TA453 Related CnC Domain in DNS Lookup (s20 .site) (malware.rules)
2052418 - ET MALWARE APT42/TA453 Related CnC Domain in DNS Lookup (m85 .online) (malware.rules)
2052419 - ET MALWARE Observed APT42/TA453 Related Domain (bitly .org .il in TLS SNI) (malware.rules)
2052420 - ET MALWARE Observed APT42/TA453 Related Domain (s51 .online in TLS SNI) (malware.rules)
2052421 - ET MALWARE Observed APT42/TA453 Related Domain (s20 .site in TLS SNI) (malware.rules)
2052422 - ET MALWARE Observed APT42/TA453 Related Domain (m85 .online in TLS SNI) (malware.rules)
2052423 - ET MALWARE Observed APT42/TA453 Related Domain (litby .us in TLS SNI) (malware.rules)
2052424 - ET MALWARE APT42/TA453 Related CnC Domain in DNS Lookup (litby .us) (malware.rules)
2052425 - ET MALWARE Observed APT42/TA453 Domain (litby .us in TLS SNI) (malware.rules)
2052426 - ET MALWARE APT42/TA453 Related CnC Domain in DNS Lookup (wulpfsrqupnuqorhexiw .supabase .co) (malware.rules)
2052427 - ET MALWARE Observed APT42/TA453 Related Domain (wulpfsrqupnuqorhexiw .supabase .co in TLS SNI) (malware.rules)
2052428 - ET MALWARE APT42/TA453 Related CnC Domain in DNS Lookup (decorous-super-blender .glitch .me) (malware.rules)
2052429 - ET MALWARE Observed APT42/TA453 Related Domain (decorous-super-blender .glitch .me in TLS SNI) (malware.rules)
2052430 - ET MALWARE Suspected APT42/TA453 Related Domain in DNS Lookup (shorting-urling .live) (malware.rules)
2052431 - ET MALWARE Suspected APT42/TA453 Related Domain in DNS Lookup (tinurls .com) (malware.rules)
2052432 - ET MALWARE Suspected APT42/TA453 Related Domain in DNS Lookup (short-urling .live) (malware.rules)
2052433 - ET MALWARE Suspected APT42/TA453 Related Domain in DNS Lookup (shorturling .live) (malware.rules)
2052434 - ET MALWARE Observed APT42/TA453 Related Domain (shorting-urling .live in TLS SNI) (malware.rules)
2052435 - ET MALWARE Observed APT42/TA453 Related Domain (safeshortl .ink in TLS SNI) (malware.rules)
2052436 - ET MALWARE Observed APT42/TA453 Related Domain (tinurls .com in TLS SNI) (malware.rules)
2052437 - ET MALWARE Observed APT42/TA453 Related Domain (short-urling .live in TLS SNI) (malware.rules)
2052438 - ET MALWARE Observed APT42/TA453 Related Domain (shorturling .live in TLS SNI) (malware.rules)
2052439 - ET MALWARE DNS Query to TA453 Domain (malware.rules)
2052440 - ET MALWARE DNS Query to TA453 Domain (malware.rules)
2052441 - ET MALWARE Observed TA453 Domain in TLS SNI (malware.rules)
2052442 - ET MALWARE Observed TA453 Domain in TLS SNI (malware.rules)
2052443 - ET MALWARE Ducktail APT Certificate Observed Inbound (Waka Server CA) (malware.rules)
2052444 - ET MALWARE DuckTail APT Payload Request (malware.rules)
2052445 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
2052446 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)
2052447 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (thecookoutcaterer .com) (exploit_kit.rules)
2052448 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (firsho .com) (exploit_kit.rules)
2052449 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (geronimooficial .com) (exploit_kit.rules)
2052450 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (thecookoutcaterer .com) (exploit_kit.rules)
2052451 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (firsho .com) (exploit_kit.rules)
2052452 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (geronimooficial .com) (exploit_kit.rules)
2052453 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .colo .oystergarden .net) (malware.rules)
2052454 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .colo .oystergarden .net) (malware.rules)

Pro:

2856912 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

2017036 - ET MALWARE Activity related to APT.Seinup Checkin 1 (malware.rules)
2024182 - ET MALWARE MSIL/NR42 Bot Parsing Config From Webpage (malware.rules)
2024365 - ET WEB_CLIENT Tech Support Phone Scam Landing (warning.mp3) Jan 24 2017 (web_client.rules)
2027065 - ET MALWARE EarthWorm/Termite IoT Agent CnC Response (malware.rules)
2028897 - ET MALWARE Win32/Orion Logger SMTP Base64 Exfil (malware.rules)
2029284 - ET MALWARE Win32/MillionLoader CnC Activity (Inbound) (malware.rules)
2030141 - ET MALWARE MSIL/Modi RAT CnC Command Inbound (in) (malware.rules)
2030672 - ET MALWARE MSIL/JobCrypter Ransomware Checkin via SMTP (malware.rules)
2031479 - ET MALWARE ElectroRAT Command from Server (Screenshot) (malware.rules)
2031480 - ET MALWARE ElectroRAT Command from Server (Get folder content) (malware.rules)
2046918 - ET MALWARE NanoCore RAT CnC 28 (malware.rules)
2049465 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metasupport .com) (malware.rules)
2049466 - ET MALWARE Observed Suspected TA453 Related Domain (metasupport .com in TLS SNI) (malware.rules)
2050739 - ET INFO Suspicious Application Related Domain in DNS Lookup (info.rules)
2050740 - ET INFO Observed Suspicious Application Related Domain in TLS SNI (info.rules)
2825027 - ETPRO EXPLOIT_KIT Possible SunDown EK Landing URI Struct T2 Feb 17 2017 (exploit_kit.rules)
2827182 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Boogr.gsh CnC Beacon 4 (mobile_malware.rules)
2841878 - ETPRO MALWARE Observed Office Doc with Reversed Strings Inbound (malware.rules)
2847032 - ETPRO MALWARE Win32/Farfli.RSK!MTB CnC Keep-Alive (Outbound) (malware.rules)

Removed rules:

2855365 - ETPRO MALWARE TA453 Related Domain in DNS Lookup (malware.rules)
2855366 - ETPRO MALWARE Observed TA453 Related Domain in TLS SNI (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/09/05 - v10410 Ruleset Updates	280	September 5, 2023
Ruleset Update Summary - 2023/07/17 - v10373 Ruleset Updates	265	July 17, 2023
Ruleset Update Summary - 2023/08/14 - v10393 Ruleset Updates	210	August 14, 2023
Ruleset Update Summary - 2024/02/20 - v10536 Ruleset Updates	486	February 20, 2024
Ruleset Update Summary - 2023/12/27 - v10494 Ruleset Updates	279	December 27, 2023

Ruleset Update Summary - 2024/05/06 - v10590

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Removed rules:

Related topics