Ruleset Update Summary - 2024/08/01 - v10658

rulesbot · August 1, 2024, 8:49pm

Summary:

38 new OPEN, 51 new PRO (38 + 13)

Thanks @kaspersky, @Fortinet

ET/ETPRO Customers: Please be aware that tomorrow, August 2nd, is a Proofpoint company holiday. As such, we will not be publishing a daily rule release. Daily rule releases will continue the following Monday, August 5th.

Added rules:

Open:

2054813 - ET INFO DYNAMIC_DNS Query to a * .bal-tazaar .be Domain (info.rules)
2054814 - ET MOBILE_MALWARE Android/Mandrake CnC Domain in DNS Lookup (ricinus .ru) (mobile_malware.rules)
2054815 - ET MOBILE_MALWARE Android/Mandrake CnC Domain in DNS Lookup (toxicodendron .ru) (mobile_malware.rules)
2054816 - ET MOBILE_MALWARE Android/Mandrake CnC Domain in DNS Lookup (ricinus-ca .ru) (mobile_malware.rules)
2054817 - ET MOBILE_MALWARE Android/Mandrake CnC Domain in DNS Lookup (ricinus .su) (mobile_malware.rules)
2054818 - ET MOBILE_MALWARE Android/Mandrake CnC Domain in DNS Lookup (ricinus-cc .ru) (mobile_malware.rules)
2054819 - ET MOBILE_MALWARE Android/Mandrake CnC Domain in DNS Lookup (ricinus-cb .ru) (mobile_malware.rules)
2054820 - ET INFO DYNAMIC_DNS Query to a * .avtosnoj .si Domain (info.rules)
2054821 - ET INFO DYNAMIC_DNS HTTP Request to a * .avtosnoj .si Domain (info.rules)
2054822 - ET MOBILE_MALWARE Observed Android/Mandrake CnC Domain (ricinus .ru) in TLS SNI (mobile_malware.rules)
2054823 - ET MOBILE_MALWARE Observed Android/Mandrake CnC Domain (toxicodendron .ru) in TLS SNI (mobile_malware.rules)
2054824 - ET MOBILE_MALWARE Observed Android/Mandrake CnC Domain (ricinus-ca .ru) in TLS SNI (mobile_malware.rules)
2054825 - ET MOBILE_MALWARE Observed Android/Mandrake CnC Domain (ricinus .su) in TLS SNI (mobile_malware.rules)
2054826 - ET MOBILE_MALWARE Observed Android/Mandrake CnC Domain (ricinus-cc .ru) in TLS SNI (mobile_malware.rules)
2054827 - ET MOBILE_MALWARE Observed Android/Mandrake CnC Domain (ricinus-cb .ru) in TLS SNI (mobile_malware.rules)
2054828 - ET MALWARE APT SideWinder CnC Domain in DNS Lookup (malware.rules)
2054829 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (pddbj .xyz) (malware.rules)
2054830 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (pcvcf .xyz) (malware.rules)
2054831 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (ptdrf .xyz) (malware.rules)
2054832 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (pbpbj .xyz) (malware.rules)
2054833 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (pdddj .xyz) (malware.rules)
2054834 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (pqdrf .xyz) (malware.rules)
2054835 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (pdddk .xyz) (malware.rules)
2054836 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (pcvvf .xyz) (malware.rules)
2054837 - ET MALWARE ACR Stealer CnC Domain in DNS Lookup (pbdbj .xyz) (malware.rules)
2054838 - ET MALWARE Observed ACR Stealer Domain (pddbj .xyz) in TLS SNI (malware.rules)
2054839 - ET MALWARE Observed ACR Stealer Domain (pcvcf .xyz) in TLS SNI (malware.rules)
2054840 - ET MALWARE Observed ACR Stealer Domain (ptdrf .xyz) in TLS SNI (malware.rules)
2054841 - ET MALWARE Observed ACR Stealer Domain (pbpbj .xyz) in TLS SNI (malware.rules)
2054842 - ET MALWARE Observed ACR Stealer Domain (pdddj .xyz) in TLS SNI (malware.rules)
2054843 - ET MALWARE Observed ACR Stealer Domain (pqdrf .xyz) in TLS SNI (malware.rules)
2054844 - ET MALWARE Observed ACR Stealer Domain (pdddk .xyz) in TLS SNI (malware.rules)
2054845 - ET MALWARE Observed ACR Stealer Domain (pcvvf .xyz) in TLS SNI (malware.rules)
2054846 - ET MALWARE Observed ACR Stealer Domain (pbdbj .xyz) in TLS SNI (malware.rules)
2054847 - ET MALWARE Unknown Loader CnC Domain in DNS Lookup (scratchedcards .com) (malware.rules)
2054848 - ET MALWARE Unknown Loader CnC Domain in DNS Lookup (21centuryart .com) (malware.rules)
2054849 - ET MALWARE Unknown Loader CnC Domain in DNS Lookup (proffyrobharborye .xyz) (malware.rules)
2054850 - ET MALWARE Unknown Loader CnC Domain in DNS Lookup (answerrsdo .shop) (malware.rules)

Pro:

2857740 - ETPRO EXPLOIT_KIT Notification Scam Domain in DNS Lookup (exploit_kit.rules)
2857741 - ETPRO EXPLOIT_KIT Notification Scam Domain in TLS SNI (exploit_kit.rules)
2857742 - ETPRO EXPLOIT_KIT Notification Scam Landing Page (exploit_kit.rules)
2857743 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2857744 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2857745 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2857746 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2857747 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2857748 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2857749 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2857750 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2857751 - ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST) (malware.rules)
2857752 - ETPRO MALWARE SynthIndi Loader CnC Response (malware.rules)

Removed rules:

2054751 - ET INFO DYNAMIC_DNS Query to a * .bal-tazaar .be Domain (info.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/08/01 - v10385 Ruleset Updates	394	August 1, 2023
Ruleset Update Summary - 2024/10/08 - v10716 Ruleset Updates	74	October 8, 2024
Ruleset Update Summary - 2024/02/28 - v10542 Ruleset Updates	234	February 28, 2024
Ruleset Update Summary - 2024/07/30 - v10656 Ruleset Updates	106	July 30, 2024
Ruleset Update Summary - 2023/08/03 - v10387 Ruleset Updates	421	August 3, 2023