Summary:
41 new OPEN, 78 new PRO (41 + 37)
Added rules:
Open:
- 2054450 - ET INFO DNS Query to Domain Hosting Port Scanning Tools (advanced-port-scanner .com) (info.rules)
- 2054451 - ET INFO Observed Domain Hosting Port Scanning Tools Domain (advanced-port-scanner .com in TLS SNI) (info.rules)
- 2054452 - ET ADWARE_PUP IP Scanner Tool Update Request (GET) (adware_pup.rules)
- 2054453 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (daslkjfhi2 .lol) (exploit_kit.rules)
- 2054454 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (daslkjfhi2 .lol) (exploit_kit.rules)
- 2054455 - ET INFO DYNAMIC_DNS Query to a * .afaa .it Domain (info.rules)
- 2054456 - ET INFO DYNAMIC_DNS HTTP Request to a * .afaa .it Domain (info.rules)
- 2054457 - ET INFO DYNAMIC_DNS Query to a * .dmtr .ru Domain (info.rules)
- 2054458 - ET INFO DYNAMIC_DNS HTTP Request to a * .dmtr .ru Domain (info.rules)
- 2054459 - ET INFO DYNAMIC_DNS Query to a * .lscomm .net Domain (info.rules)
- 2054460 - ET INFO DYNAMIC_DNS HTTP Request to a * .lscomm .net Domain (info.rules)
- 2054461 - ET INFO DYNAMIC_DNS Query to a * .gazmuri .cl Domain (info.rules)
- 2054462 - ET INFO DYNAMIC_DNS HTTP Request to a * .gazmuri .cl Domain (info.rules)
- 2054463 - ET INFO DYNAMIC_DNS Query to a * .arybarbosa .com Domain (info.rules)
- 2054464 - ET INFO DYNAMIC_DNS HTTP Request to a * .arybarbosa .com Domain (info.rules)
- 2054465 - ET INFO DYNAMIC_DNS Query to a * .allaround .hk Domain (info.rules)
- 2054466 - ET INFO DYNAMIC_DNS HTTP Request to a * .allaround .hk Domain (info.rules)
- 2054467 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (applyzxcksdia .shop) (malware.rules)
- 2054468 - ET MALWARE Observed Lumma Stealer Related Domain (applyzxcksdia .shop in TLS SNI) (malware.rules)
- 2054469 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (arriveoxpzxo .shop) (malware.rules)
- 2054470 - ET MALWARE Observed Lumma Stealer Related Domain (arriveoxpzxo .shop in TLS SNI) (malware.rules)
- 2054471 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bindceasdiwozx .shop) (malware.rules)
- 2054472 - ET MALWARE Observed Lumma Stealer Related Domain (bindceasdiwozx .shop in TLS SNI) (malware.rules)
- 2054473 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (catchddkxozvp .shop) (malware.rules)
- 2054474 - ET MALWARE Observed Lumma Stealer Related Domain (catchddkxozvp .shop in TLS SNI) (malware.rules)
- 2054475 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (conformfucdioz .shop) (malware.rules)
- 2054476 - ET MALWARE Observed Lumma Stealer Related Domain (conformfucdioz .shop in TLS SNI) (malware.rules)
- 2054477 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (contemplateodszsv .shop) (malware.rules)
- 2054478 - ET MALWARE Observed Lumma Stealer Related Domain (contemplateodszsv .shop in TLS SNI) (malware.rules)
- 2054479 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (declaredczxi .shop) (malware.rules)
- 2054480 - ET MALWARE Observed Lumma Stealer Related Domain (declaredczxi .shop in TLS SNI) (malware.rules)
- 2054481 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (excellentdiwdu .shop) (malware.rules)
- 2054482 - ET MALWARE Observed Lumma Stealer Related Domain (excellentdiwdu .shop in TLS SNI) (malware.rules)
- 2054483 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (handyxczos .shop) (malware.rules)
- 2054484 - ET MALWARE Observed Lumma Stealer Related Domain (handyxczos .shop in TLS SNI) (malware.rules)
- 2054485 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (piedsiggnycliquieaw .shop) (malware.rules)
- 2054486 - ET MALWARE Observed Lumma Stealer Related Domain (piedsiggnycliquieaw .shop in TLS SNI) (malware.rules)
- 2054487 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (replacedoxcjzp .shop) (malware.rules)
- 2054488 - ET MALWARE Observed Lumma Stealer Related Domain (replacedoxcjzp .shop in TLS SNI) (malware.rules)
- 2054489 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (respectabledpcs .shop) (malware.rules)
- 2054490 - ET MALWARE Observed Lumma Stealer Related Domain (respectabledpcs .shop in TLS SNI) (malware.rules)
Pro:
- 2857563 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2857564 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857565 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2857566 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2857567 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2857568 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2857569 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2857570 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2857571 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2857572 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857573 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2857574 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2857575 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2857576 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2857577 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2857578 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2857579 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2857580 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857581 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857582 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2857583 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
- 2857584 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2857585 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
- 2857586 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2857587 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
- 2857588 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2857589 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2857590 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
- 2857591 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2857592 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2857593 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857594 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2857595 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2857596 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2857597 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2857598 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2857599 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
Modified inactive rules:
- 2035551 - ET MALWARE Suspected Mustang Panda APT Related Activity (GET) (malware.rules)
- 2035552 - ET MALWARE Mustang Panda APT Related Activity (GET) (malware.rules)
- 2035682 - ET MALWARE MustangPanda APT Dropper Activity (POST) (malware.rules)
- 2050597 - ET MALWARE [ANY.RUN] ToneShell FakeTLS Check-In (APT Mustang Panda / Earth Preta) M1 (malware.rules)
- 2050598 - ET MALWARE [ANY.RUN] BACKDOOR [ANY.RUN] ToneShell FakeTLS Check-In (APT Mustang Panda / Earth Preta) M2 (malware.rules)
- 2050599 - ET MALWARE [ANY.RUN] ToneShell FakeTLS Response (APT Mustang Panda / Earth Preta) M1 (malware.rules)
- 2050600 - ET MALWARE [ANY.RUN] ToneShell FakeTLS Response (APT Mustang Panda / Earth Preta) M2 (malware.rules)
Removed rules:
- 2054450 - ET MALWARE DNS Query to Malvertising Domain (advanced-port-scanner .com) (malware.rules)
- 2054451 - ET MALWARE Observed Malvertising Domain (advanced-port-scanner .com in TLS SNI) (malware.rules)
- 2054452 - ET MALWARE Fake IP Scanner CnC Checkin (GET) (malware.rules)
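An added example, not part of the Emerging Threats changelog itself: a small Python parser for this changelog format that reconciles the summary line against the listed SIDs and flags SIDs that appear under both Added and Removed, which is what happens here with 2054450 to 2054452 (re-classified from MALWARE to INFO/ADWARE_PUP, so any existing suppressions or thresholds keyed on those SIDs should be rechecked). The embedded sample is a constructed, trimmed copy of this page's layout; the section header strings and regular expressions are assumptions about the format, not an official schema.

```python
import re

# Constructed sample: a trimmed copy of the changelog layout on this page.
# The summary convention is "<open> new OPEN, <pro_total> new PRO (<open> + <pro_only>)".
SAMPLE = """\
Summary:
3 new OPEN, 5 new PRO (3 + 2)
Added rules:
Open:
- 2054450 - ET INFO DNS Query to Domain Hosting Port Scanning Tools (advanced-port-scanner .com) (info.rules)
- 2054452 - ET ADWARE_PUP IP Scanner Tool Update Request (GET) (adware_pup.rules)
- 2054453 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (daslkjfhi2 .lol) (exploit_kit.rules)
Pro:
- 2857563 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2857564 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
Modified inactive rules:
- 2035551 - ET MALWARE Suspected Mustang Panda APT Related Activity (GET) (malware.rules)
Removed rules:
- 2054450 - ET MALWARE DNS Query to Malvertising Domain (advanced-port-scanner .com) (malware.rules)
- 2054452 - ET MALWARE Fake IP Scanner CnC Checkin (GET) (malware.rules)
"""

# Assumed line shapes: "- <sid> - <msg> (<file>.rules)" and the summary line above.
RULE_RE = re.compile(r"^- (\d+) - (.+?) \(([\w.]+\.rules)\)$")
SUMMARY_RE = re.compile(r"^(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)$")
SECTION_HEADERS = {
    "Added rules:": None,            # container; "Open:" / "Pro:" follow it
    "Open:": "added_open",
    "Pro:": "added_pro",
    "Modified inactive rules:": "modified",
    "Removed rules:": "removed",
}


def category(msg):
    """'ET INFO DNS Query ...' -> 'INFO'; 'ETPRO MALWARE ...' -> 'MALWARE'."""
    parts = msg.split()
    if len(parts) > 1 and parts[0] in ("ET", "ETPRO"):
        return parts[1]
    return None


def parse_changelog(text):
    """Return {'summary': (open, pro_total, open_part, pro_part), 'sections': {name: {sid: (msg, file)}}}."""
    sections = {k: {} for k in ("added_open", "added_pro", "modified", "removed")}
    result = {"summary": None, "sections": sections}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Summary:":
            continue
        m = SUMMARY_RE.match(line)
        if m:
            result["summary"] = tuple(int(x) for x in m.groups())
            continue
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        m = RULE_RE.match(line)
        if m and section:
            sid, msg, rules_file = m.groups()
            sections[section][int(sid)] = (msg, rules_file)
        else:
            # Fail loudly rather than silently dropping a rule from the inventory.
            raise ValueError(f"unparsed line: {line!r}")
    return result


def check_summary(parsed):
    """True when the summary counts agree with the SIDs actually listed."""
    n_open, n_pro_total, open_part, pro_part = parsed["summary"]
    s = parsed["sections"]
    return (
        len(s["added_open"]) == n_open == open_part
        and len(s["added_pro"]) == pro_part
        and open_part + pro_part == n_pro_total
    )


def reclassified(parsed):
    """SIDs listed under both Added and Removed, with (old_category, new_category)."""
    s = parsed["sections"]
    added = {**s["added_open"], **s["added_pro"]}
    out = {}
    for sid, (old_msg, _) in s["removed"].items():
        if sid in added:
            out[sid] = (category(old_msg), category(added[sid][0]))
    return out


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print("summary consistent:", check_summary(parsed))
    for sid, (old, new) in sorted(reclassified(parsed).items()):
        print(f"{sid}: {old} -> {new}")
```

Run against a full daily changelog, the re-classified SIDs are the ones whose alerts will change category (and therefore priority and any classtype-based routing) without the SID changing, which is why they deserve a separate look from plain additions and removals.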