Ruleset Update Summary - 2024/07/26 - v10654

Summary:

43 new OPEN, 56 new PRO (43 + 13)

Thanks @g0njxa
Added rules:

Open:

  • 2054669 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (importancedopz .shop) (malware.rules)
  • 2054670 - ET MALWARE Observed Lumma Stealer Related Domain (importancedopz .shop in TLS SNI) (malware.rules)
  • 2054671 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (spliceszongsop .shop) (malware.rules)
  • 2054672 - ET MALWARE Observed Lumma Stealer Related Domain (spliceszongsop .shop in TLS SNI) (malware.rules)
  • 2054673 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (warrantelespsz .shop) (malware.rules)
  • 2054674 - ET MALWARE Observed Lumma Stealer Related Domain (warrantelespsz .shop in TLS SNI) (malware.rules)
  • 2054675 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bravedreacisopm .shop) (malware.rules)
  • 2054676 - ET MALWARE Observed Lumma Stealer Related Domain (bravedreacisopm .shop in TLS SNI) (malware.rules)
  • 2054677 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (shellfyyousdjz .shop) (malware.rules)
  • 2054678 - ET MALWARE Observed Lumma Stealer Related Domain (shellfyyousdjz .shop in TLS SNI) (malware.rules)
  • 2054679 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (broccoltisop .shop) (malware.rules)
  • 2054680 - ET MALWARE Observed Lumma Stealer Related Domain (broccoltisop .shop in TLS SNI) (malware.rules)
  • 2054681 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (grassytaisol .shop) (malware.rules)
  • 2054682 - ET MALWARE Observed Lumma Stealer Related Domain (grassytaisol .shop in TLS SNI) (malware.rules)
  • 2054683 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (stimultaionsppzv .shop) (malware.rules)
  • 2054684 - ET MALWARE Observed Lumma Stealer Related Domain (stimultaionsppzv .shop in TLS SNI) (malware.rules)
  • 2054685 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (parntorpkxzlp .shop) (malware.rules)
  • 2054686 - ET MALWARE Observed Lumma Stealer Related Domain (parntorpkxzlp .shop in TLS SNI) (malware.rules)
  • 2054687 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (effectivedoxzj .shop) (malware.rules)
  • 2054688 - ET MALWARE Observed Lumma Stealer Related Domain (effectivedoxzj .shop in TLS SNI) (malware.rules)
  • 2054689 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (horizonvxjis .shop) (malware.rules)
  • 2054690 - ET MALWARE Observed Lumma Stealer Related Domain (horizonvxjis .shop in TLS SNI) (malware.rules)
  • 2054691 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (disappearsodsz .shop) (malware.rules)
  • 2054692 - ET MALWARE Observed Lumma Stealer Related Domain (disappearsodsz .shop in TLS SNI) (malware.rules)
  • 2054693 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (teentytinyjeo .shop) (malware.rules)
  • 2054694 - ET MALWARE Observed Lumma Stealer Related Domain (teentytinyjeo .shop in TLS SNI) (malware.rules)
  • 2054695 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (advertisedszp .shop) (malware.rules)
  • 2054696 - ET MALWARE Observed Lumma Stealer Related Domain (advertisedszp .shop in TLS SNI) (malware.rules)
  • 2054697 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (novidadesfresquinhas .online) (exploit_kit.rules)
  • 2054698 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (nijanse .com) (exploit_kit.rules)
  • 2054699 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (canroura .com) (exploit_kit.rules)
  • 2054700 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (megasena777 .top) (exploit_kit.rules)
  • 2054701 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (novidadesfresquinhas .online) (exploit_kit.rules)
  • 2054702 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (nijanse .com) (exploit_kit.rules)
  • 2054703 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (canroura .com) (exploit_kit.rules)
  • 2054704 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (megasena777 .top) (exploit_kit.rules)
  • 2054705 - ET MALWARE SocGholish Domain in DNS Lookup (books .friendsofthefolsomlibrary .org) (malware.rules)
  • 2054706 - ET MALWARE SocGholish Domain in TLS SNI (books .friendsofthefolsomlibrary .org) (malware.rules)
  • 2054707 - ET MALWARE Observed Glupteba CnC Domain (alldatadump .org in TLS SNI) (malware.rules)
  • 2054708 - ET MALWARE Observed Glupteba CnC Domain (localstats .org in TLS SNI) (malware.rules)
  • 2054709 - ET MALWARE PrivateLoader CnC Activity (GET) (malware.rules)
  • 2054710 - ET MALWARE PrivateLoader CnC Response (malware.rules)
  • 2054711 - ET MALWARE PrivateLoader CnC Activity (POST) (malware.rules)

Pro:

  • 2857660 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2857661 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857662 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857663 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2857664 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2857665 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2857666 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2857667 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2857668 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2857669 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2857670 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2857671 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2857672 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Modified inactive rules:

  • 2006445 - ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM in HTTP URI (web_server.rules)