Ruleset Update Summary - 2024/08/05 - v10659

Ruleset Updates
1

Summary:

84 new OPEN, 131 new PRO (84 + 47)

Added rules:

Open:

  • 2054851 - ET MALWARE APT SideWinder / TA399 CnC Domain in DNS Lookup (malware.rules)
  • 2054852 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (dais7nsa .shop) (exploit_kit.rules)
  • 2054853 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (dais7nsa .pics) (exploit_kit.rules)
  • 2054854 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (dais7nsa .shop) (exploit_kit.rules)
  • 2054855 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (dais7nsa .pics) (exploit_kit.rules)
  • 2054856 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (writeindia .com) (exploit_kit.rules)
  • 2054857 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (funnypots .com) (exploit_kit.rules)
  • 2054858 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (didsit .com) (exploit_kit.rules)
  • 2054859 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (writeindia .com) (exploit_kit.rules)
  • 2054860 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (funnypots .com) (exploit_kit.rules)
  • 2054861 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (didsit .com) (exploit_kit.rules)
  • 2054862 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (blacksaltys .com) (exploit_kit.rules)
  • 2054863 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (blacksaltys .com) (exploit_kit.rules)
  • 2054864 - ET MALWARE ZPHP CnC Domain in DNS Lookup (settisourchampion .site) (malware.rules)
  • 2054865 - ET MALWARE ZPHP CnC Domain in TLS SNI (settisourchampion .site) (malware.rules)
  • 2054866 - ET MALWARE SocGholish CnC Domain in DNS (* .donors .eucharisticjesus .net) (malware.rules)
  • 2054867 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .donors .eucharisticjesus .net) (malware.rules)
  • 2054868 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (assumedtribsosp .shop) (malware.rules)
  • 2054869 - ET MALWARE Observed Lumma Stealer Related Domain (assumedtribsosp .shop in TLS SNI) (malware.rules)
  • 2054870 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (boattyownerwrv .shop) (malware.rules)
  • 2054871 - ET MALWARE Observed Lumma Stealer Related Domain (boattyownerwrv .shop in TLS SNI) (malware.rules)
  • 2054872 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (budgetttysnzm .shop) (malware.rules)
  • 2054873 - ET MALWARE Observed Lumma Stealer Related Domain (budgetttysnzm .shop in TLS SNI) (malware.rules)
  • 2054874 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (chippyfroggsyhz .shop) (malware.rules)
  • 2054875 - ET MALWARE Observed Lumma Stealer Related Domain (chippyfroggsyhz .shop in TLS SNI) (malware.rules)
  • 2054876 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (creepydxzoxmj .shop) (malware.rules)
  • 2054877 - ET MALWARE Observed Lumma Stealer Related Domain (creepydxzoxmj .shop in TLS SNI) (malware.rules)
  • 2054878 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (definitonizmnx .shop) (malware.rules)
  • 2054879 - ET MALWARE Observed Lumma Stealer Related Domain (definitonizmnx .shop in TLS SNI) (malware.rules)
  • 2054880 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (empiredzmwnx .shop) (malware.rules)
  • 2054881 - ET MALWARE Observed Lumma Stealer Related Domain (empiredzmwnx .shop in TLS SNI) (malware.rules)
  • 2054882 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (occurrmensipz .shop) (malware.rules)
  • 2054883 - ET MALWARE Observed Lumma Stealer Related Domain (occurrmensipz .shop in TLS SNI) (malware.rules)
  • 2054884 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (outfittydadop .shop) (malware.rules)
  • 2054885 - ET MALWARE Observed Lumma Stealer Related Domain (outfittydadop .shop in TLS SNI) (malware.rules)
  • 2054886 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (rainbowmynsjn .shop) (malware.rules)
  • 2054887 - ET MALWARE Observed Lumma Stealer Related Domain (rainbowmynsjn .shop in TLS SNI) (malware.rules)
  • 2054888 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (sulphurhsum .shop) (malware.rules)
  • 2054889 - ET MALWARE Observed Lumma Stealer Related Domain (sulphurhsum .shop in TLS SNI) (malware.rules)
  • 2054890 - ET INFO Commonly Abused Link Aggregating Service Domain in DNS Lookup (bio .link) (info.rules)
  • 2054891 - ET INFO Commonly Abused Link Aggregating Service Domain in DNS Lookup (linkbio .co) (info.rules)
  • 2054892 - ET INFO Commonly Abused Link Aggregating Service Domain in DNS Lookup (mssg .me) (info.rules)
  • 2054893 - ET INFO Observed Commonly Abused Link Aggregating Service Domain (bio .link) in TLS SNI (info.rules)
  • 2054894 - ET INFO Observed Commonly Abused Link Aggregating Service Domain (linkbio .co) in TLS SNI (info.rules)
  • 2054895 - ET INFO Observed Commonly Abused Link Aggregating Service Domain (mssg .me) in TLS SNI (info.rules)
  • 2054896 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (evotoforpc .net) (malware.rules)
  • 2054897 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (support-team-account .fbb2024-20 .click) (malware.rules)
  • 2054898 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (withthreekitties .itsm-us1 .comodo .com) (malware.rules)
  • 2054899 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (businesscenter .fbb16 .click) (malware.rules)
  • 2054900 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (nigx2a-msp .itsm-us1 .comodo .com) (malware.rules)
  • 2054901 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (metaverifybusiness .sp247 .click) (malware.rules)
  • 2054902 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (itstrq .itsm-us1 .comodo .com) (malware.rules)
  • 2054903 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (evotophoto .com) (malware.rules)
  • 2054904 - ET MALWARE Social Media Malvertising Related Domain in DNS Lookup (techsupportcenter1902 .click) (malware.rules)
  • 2054905 - ET MALWARE Observed Social Media Malvertising Related Domain (evotoforpc .net) in TLS SNI (malware.rules)
  • 2054906 - ET MALWARE Observed Social Media Malvertising Related Domain (support-team-account .fbb2024-20 .click) in TLS SNI (malware.rules)
  • 2054907 - ET MALWARE Observed Social Media Malvertising Related Domain (withthreekitties .itsm-us1 .comodo .com) in TLS SNI (malware.rules)
  • 2054908 - ET MALWARE Observed Social Media Malvertising Related Domain (businesscenter .fbb16 .click) in TLS SNI (malware.rules)
  • 2054909 - ET MALWARE Observed Social Media Malvertising Related Domain (nigx2a-msp .itsm-us1 .comodo .com) in TLS SNI (malware.rules)
  • 2054910 - ET MALWARE Observed Social Media Malvertising Related Domain (metaverifybusiness .sp247 .click) in TLS SNI (malware.rules)
  • 2054911 - ET MALWARE Observed Social Media Malvertising Related Domain (itstrq .itsm-us1 .comodo .com) in TLS SNI (malware.rules)
  • 2054912 - ET MALWARE Observed Social Media Malvertising Related Domain (evotophoto .com) in TLS SNI (malware.rules)
  • 2054913 - ET MALWARE Observed Social Media Malvertising Related Domain (techsupportcenter1902 .click) in TLS SNI (malware.rules)
  • 2054914 - ET MALWARE Malvertising Loader User-Agent Observed (Magic Browser) (malware.rules)
  • 2054915 - ET INFO Observed DNS over HTTPS Domain (ns1 .opennameserver .org) in TLS SNI (info.rules)
  • 2054916 - ET INFO Observed DNS over HTTPS Domain (pashagame456 .com) in TLS SNI (info.rules)
  • 2054917 - ET INFO Observed DNS over HTTPS Domain (performance .gosami .xyz) in TLS SNI (info.rules)
  • 2054918 - ET INFO Observed DNS over HTTPS Domain (dns .aeiou .pp .ua) in TLS SNI (info.rules)
  • 2054919 - ET INFO Observed DNS over HTTPS Domain (vps .poly-tank .jp) in TLS SNI (info.rules)
  • 2054920 - ET INFO Observed DNS over HTTPS Domain (adguard .hartley .cloud) in TLS SNI (info.rules)
  • 2054921 - ET INFO Observed DNS over HTTPS Domain (dns .webpotato .nl) in TLS SNI (info.rules)
  • 2054922 - ET INFO Observed DNS over HTTPS Domain (mikezhang .xyz) in TLS SNI (info.rules)
  • 2054923 - ET INFO Observed DNS over HTTPS Domain (yuvelirtut .website) in TLS SNI (info.rules)
  • 2054924 - ET INFO Observed DNS over HTTPS Domain (adgdh .omkv .in) in TLS SNI (info.rules)
  • 2054925 - ET INFO Observed DNS over HTTPS Domain (adguard .speeddemon .co .za) in TLS SNI (info.rules)
  • 2054926 - ET INFO Observed DNS over HTTPS Domain (123000123 .xyz) in TLS SNI (info.rules)
  • 2054927 - ET INFO Observed DNS over HTTPS Domain (351242444 .xyz) in TLS SNI (info.rules)
  • 2054928 - ET INFO Observed DNS over HTTPS Domain (dns .yrrev .com) in TLS SNI (info.rules)
  • 2054929 - ET INFO Observed DNS over HTTPS Domain (doh .magunyan .com) in TLS SNI (info.rules)
  • 2054930 - ET INFO Observed DNS over HTTPS Domain (doh .immerda .ch) in TLS SNI (info.rules)
  • 2054931 - ET INFO Observed DNS over HTTPS Domain (dns1 .server .my .id) in TLS SNI (info.rules)
  • 2054932 - ET INFO Observed DNS over HTTPS Domain (dns .olgui .net) in TLS SNI (info.rules)
  • 2054933 - ET INFO Observed DNS over HTTPS Domain (deep-henchman-excuse .cfd) in TLS SNI (info.rules)
  • 2054934 - ET INFO Observed DNS over HTTPS Domain (89433332 .xyz) in TLS SNI (info.rules)

Pro:

  • 2857753 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857754 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857755 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857756 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
  • 2857757 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2857758 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857759 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2857760 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2857761 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2857762 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2857763 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2857764 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2857765 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2857766 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857767 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857768 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857769 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2857770 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2857771 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2857772 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2857773 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2857774 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2857775 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2857776 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2857777 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2857778 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2857779 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2857780 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2857781 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2857782 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2857783 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857784 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857785 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2857786 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2857787 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2857788 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2857789 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2857790 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2857791 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2857792 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2857793 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2857794 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2857795 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2857796 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2857797 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2857798 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2857809 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound (c1a8d) (exploit_kit.rules)

Enabled and modified rules:

  • 2050697 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (trust .resourcehost .net) (exploit_kit.rules)
  • 2050698 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (trust .resourcehost .net) (exploit_kit.rules)

Removed rules:

  • 2054828 - ET MALWARE APT SideWinder CnC Domain in DNS Lookup (malware.rules)