Ruleset Update Summary - 2024/05/28 - v10604

Ruleset Updates
1

Summary:

63 new OPEN, 78 new PRO (63 + 15)

Thanks @suyog41, @cyfirma, @0xrb

Added rules:

Open:

  • 2052886 - ET MOBILE_MALWARE Suspected APT Starry Addax DNS Lookup (mobile_malware.rules)
  • 2052887 - ET MOBILE_MALWARE Suspected APT Starry Addax CnC Domain in DNS Lookup 2 (mobile_malware.rules)
  • 2052888 - ET EXPLOIT Fortinet FortiSIEM Unauthenticated Command Injection CVE-2023-34992 (exploit.rules)
  • 2052889 - ET EXPLOIT Fortinet FortiSIEM Unauthenticated Command Injection CVE-2024-23108 (exploit.rules)
  • 2052890 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (establisheddisappearefe .site) (malware.rules)
  • 2052891 - ET MALWARE Observed Lumma Stealer Related Domain (establisheddisappearefe .site in TLS SNI) (malware.rules)
  • 2052892 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (catlackjellyodwps .shop) (malware.rules)
  • 2052893 - ET MALWARE Observed Lumma Stealer Related Domain (catlackjellyodwps .shop in TLS SNI) (malware.rules)
  • 2052894 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (questionconservawuts .shop) (malware.rules)
  • 2052895 - ET MALWARE Observed Lumma Stealer Related Domain (questionconservawuts .shop in TLS SNI) (malware.rules)
  • 2052896 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (occupytapsessijk .pw) (malware.rules)
  • 2052897 - ET MALWARE Observed Lumma Stealer Related Domain (occupytapsessijk .pw in TLS SNI) (malware.rules)
  • 2052898 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (jewelassertivebop .fun) (malware.rules)
  • 2052899 - ET MALWARE Observed Lumma Stealer Related Domain (jewelassertivebop .fun in TLS SNI) (malware.rules)
  • 2052900 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (purefinishonerbrothsjke .shop) (malware.rules)
  • 2052901 - ET MALWARE Observed Lumma Stealer Related Domain (purefinishonerbrothsjke .shop in TLS SNI) (malware.rules)
  • 2052902 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (refundemobxyyeols .shop) (malware.rules)
  • 2052903 - ET MALWARE Observed Lumma Stealer Related Domain (refundemobxyyeols .shop in TLS SNI) (malware.rules)
  • 2052904 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (discussiowardder .website) (malware.rules)
  • 2052905 - ET MALWARE Observed Lumma Stealer Related Domain (discussiowardder .website in TLS SNI) (malware.rules)
  • 2052906 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (tipsydulljaui .website) (malware.rules)
  • 2052907 - ET MALWARE Observed Lumma Stealer Related Domain (tipsydulljaui .website in TLS SNI) (malware.rules)
  • 2052908 - ET MALWARE CrimsonRAT Host Details Exfil (malware.rules)
  • 2052909 - ET MALWARE DNS Query to CrimsonRAT Domain (waqers .duckdns .org) (malware.rules)
  • 2052910 - ET MALWARE Observed CrimsonRAT Domain (waqers .duckdns .org in TLS SNI) (malware.rules)
  • 2052911 - ET MALWARE Suspected TA450 Activity (malware.rules)
  • 2052912 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (malware.rules)
  • 2052913 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (malware.rules)
  • 2052914 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (malware.rules)
  • 2052915 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (malware.rules)
  • 2052916 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (malware.rules)
  • 2052917 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (malware.rules)
  • 2052918 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (malware.rules)
  • 2052919 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (malware.rules)
  • 2052920 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (malware.rules)
  • 2052921 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (malware.rules)
  • 2052922 - ET MALWARE Observed Lumma Stealer Related Domain (patternapplauderw .shop) in TLS SNI (malware.rules)
  • 2052923 - ET MALWARE Observed Lumma Stealer Related Domain (considerrycurrentyws .shop) in TLS SNI (malware.rules)
  • 2052924 - ET MALWARE Observed Lumma Stealer Related Domain (relaxtionflouwerwi .shop) in TLS SNI (malware.rules)
  • 2052925 - ET MALWARE Observed Lumma Stealer Related Domain (understanndtytonyguw .shop) in TLS SNI (malware.rules)
  • 2052926 - ET MALWARE Observed Lumma Stealer Related Domain (messtimetabledkolvk .shop) in TLS SNI (malware.rules)
  • 2052927 - ET MALWARE Observed Lumma Stealer Related Domain (horsedwollfedrwos .shop) in TLS SNI (malware.rules)
  • 2052928 - ET MALWARE Observed Lumma Stealer Related Domain (stingmisplacedelivrrw .shop) in TLS SNI (malware.rules)
  • 2052929 - ET MALWARE Observed Lumma Stealer Related Domain (ensureclackexcatwi .shop) in TLS SNI (malware.rules)
  • 2052930 - ET MALWARE Observed Lumma Stealer Related Domain (deprivedrinkyfaiir .shop) in TLS SNI (malware.rules)
  • 2052931 - ET MALWARE Observed Lumma Stealer Related Domain (detailbaconroollyws .shop) in TLS SNI (malware.rules)
  • 2052932 - ET MALWARE Clipboard Monitor Data Exfiltration Attempt (malware.rules)
  • 2052933 - ET MALWARE Iluria Stealer CnC Domain in DNS Lookup (badgeshop .site) (malware.rules)
  • 2052934 - ET MALWARE Iluria Stealer CnC Domain in DNS Lookup (nikkistealer .shop) (malware.rules)
  • 2052935 - ET MALWARE Observed Iluria Stealer Domain (badgeshop .site) in TLS SNI (malware.rules)
  • 2052936 - ET MALWARE Observed Iluria Stealer Domain (nikkistealer .shop) in TLS SNI (malware.rules)
  • 2052937 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .sticky .oystergardening .name) (malware.rules)
  • 2052938 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .sticky .oystergardening .name) (malware.rules)
  • 2052939 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (10xshares .com) (exploit_kit.rules)
  • 2052940 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (elbied .com) (exploit_kit.rules)
  • 2052941 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bookmycooks .com) (exploit_kit.rules)
  • 2052942 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ycva887 .top) (exploit_kit.rules)
  • 2052943 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (lucabet68 .online) (exploit_kit.rules)
  • 2052944 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (10xshares .com) (exploit_kit.rules)
  • 2052945 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (elbied .com) (exploit_kit.rules)
  • 2052946 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bookmycooks .com) (exploit_kit.rules)
  • 2052947 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ycva887 .top) (exploit_kit.rules)
  • 2052948 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (lucabet68 .online) (exploit_kit.rules)

Pro:

  • 2857032 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2857033 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857034 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857035 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2857036 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2857037 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2857038 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2857039 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2857040 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2857041 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2857042 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2857043 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2857044 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2857045 - ETPRO MALWARE Win32/Koi Stealer CnC Checkin (POST) M2 (malware.rules)
  • 2857046 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

  • 2036992 - ET PHISHING Generic Phishing DNS Lookup (xn–sapeaunoticias-kjb .com .br) (phishing.rules)
  • 2037100 - ET PHISHING Observed DNS Query to Nedbank Phishing Domain (phishing.rules)
  • 2037122 - ET PHISHING Observed DNS Query to OWA Phishing Domain (phishing.rules)
  • 2037125 - ET PHISHING Observed DNS Query to ING Group Phishing Domain (phishing.rules)
  • 2037147 - ET PHISHING Successful ANZ Internet Banking Phish 2022-06-23 (phishing.rules)
  • 2044915 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (devcodejs .org) (exploit_kit.rules)
  • 2045314 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (neworderspath .org) (exploit_kit.rules)
  • 2050448 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (cachetransferjs .com) (exploit_kit.rules)
  • 2050449 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (cachewebspace .com) (exploit_kit.rules)
  • 2050450 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (googlecloudad .com) (exploit_kit.rules)
  • 2050455 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (webcachedata .com) (exploit_kit.rules)
  • 2050457 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (cachetransferjs .com) (exploit_kit.rules)
  • 2050458 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (cachewebspace .com) (exploit_kit.rules)
  • 2050459 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (googlecloudad .com) (exploit_kit.rules)
  • 2050464 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (webcachedata .com) (exploit_kit.rules)
  • 2851731 - ETPRO PHISHING DNS Query to Phishing Domain (inspiring-moser 172-93-188-73 .plesk .page) (phishing.rules)
  • 2851774 - ETPRO MALWARE Observed Snip3 Domain in DNS Lookup (coalminners .shop) (malware.rules)
  • 2851775 - ETPRO MALWARE Observed Snip3 Domain in DNS Lookup (asianexportglass .shop) (malware.rules)
  • 2856951 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)