Summary:
39 new OPEN, 49 new PRO (39 + 10)
Thanks @gdata, @Mandiant
Added rules:
Open:
- 2055315 - ET MALWARE SocGholish CnC Domain in DNS (* .sponsor .printondemandagency .com) (malware.rules)
- 2055316 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .sponsor .printondemandagency .com) (malware.rules)
- 2055317 - ET INFO DYNAMIC_DNS Query to a * .elangtama .com Domain (info.rules)
- 2055318 - ET INFO DYNAMIC_DNS HTTP Request to a * .elangtama .com Domain (info.rules)
- 2055319 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (abandonnyskop .shop) (malware.rules)
- 2055320 - ET MALWARE Observed Lumma Stealer Related Domain (abandonnyskop .shop in TLS SNI) (malware.rules)
- 2055321 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (beatablydoxzcop .shop) (malware.rules)
- 2055322 - ET MALWARE Observed Lumma Stealer Related Domain (beatablydoxzcop .shop in TLS SNI) (malware.rules)
- 2055323 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (episodepspzmp .shop) (malware.rules)
- 2055324 - ET MALWARE Observed Lumma Stealer Related Domain (episodepspzmp .shop in TLS SNI) (malware.rules)
- 2055325 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (futureddospzmvq .shop) (malware.rules)
- 2055326 - ET MALWARE Observed Lumma Stealer Related Domain (futureddospzmvq .shop in TLS SNI) (malware.rules)
- 2055327 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (guuynsqpwsima .shop) (malware.rules)
- 2055328 - ET MALWARE Observed Lumma Stealer Related Domain (guuynsqpwsima .shop in TLS SNI) (malware.rules)
- 2055329 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (polyctendizxcop .shop) (malware.rules)
- 2055330 - ET MALWARE Observed Lumma Stealer Related Domain (polyctendizxcop .shop in TLS SNI) (malware.rules)
- 2055331 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (revivewronggykwos .xyz) (malware.rules)
- 2055332 - ET MALWARE Observed Lumma Stealer Related Domain (revivewronggykwos .xyz in TLS SNI) (malware.rules)
- 2055333 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (sensitivyitszv .shop) (malware.rules)
- 2055334 - ET MALWARE Observed Lumma Stealer Related Domain (sensitivyitszv .shop in TLS SNI) (malware.rules)
- 2055335 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (solutionpxmuzo .shop) (malware.rules)
- 2055336 - ET MALWARE Observed Lumma Stealer Related Domain (solutionpxmuzo .shop in TLS SNI) (malware.rules)
- 2055337 - ET INFO File Sharing Related Domain in DNS Lookup (4sync .com) (info.rules)
- 2055338 - ET INFO Observed File Sharing Related Domain (4sync .com) in TLS SNI (info.rules)
- 2055339 - ET MALWARE NUMOZYLOD CnC Checkin M1 (malware.rules)
- 2055340 - ET MALWARE NUMOZYLOD CnC Checkin M2 (malware.rules)
- 2055341 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (carnivalsale .com) (exploit_kit.rules)
- 2055342 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (boylegmfg .com) (exploit_kit.rules)
- 2055343 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (localdominationsystems .com) (exploit_kit.rules)
- 2055344 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (carnivalsale .com) (exploit_kit.rules)
- 2055345 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (boylegmfg .com) (exploit_kit.rules)
- 2055346 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (localdominationsystems .com) (exploit_kit.rules)
- 2055347 - ET MALWARE Ailurophile Infostealer Data Exfiltration Attempt M1 (malware.rules)
- 2055348 - ET MALWARE Ailurophile Infostealer CnC Server Response M1 (malware.rules)
- 2055349 - ET MALWARE Ailurophile Infostealer Data Exfiltration Attempt M2 (malware.rules)
- 2055350 - ET MALWARE Ailurophile Infostealer CnC Server Response M2 (malware.rules)
- 2055351 - ET INFO TsPlus Remote Support Client Activity M1 (info.rules)
- 2055352 - ET INFO TsPlus Remote Support Client Activity M2 (info.rules)
- 2055353 - ET INFO TsPlus Remote Support Agent Download (info.rules)
Pro:
- 2857967 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2857968 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2857969 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2857970 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
- 2857971 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
- 2857972 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
- 2857973 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2857974 - ETPRO MALWARE Observed DNS Query to Lumma Domain (malware.rules)
- 2857975 - ETPRO MALWARE Observed Lumma Domain in TLS SNI (malware.rules)
- 2857976 - ETPRO HUNTING GoogleSheets API V4 Activity (Possible Exfil) (hunting.rules)
Disabled and modified rules:
- 2049272 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (treegreeny .org) (exploit_kit.rules)
- 2049273 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (treegreeny .org) (exploit_kit.rules)
- 2049308 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (daddygarages .org) (exploit_kit.rules)
- 2049309 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (daddygarages .org) (exploit_kit.rules)
- 2049469 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (emperorplan .org) (exploit_kit.rules)
- 2049470 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (emperorplan .org) (exploit_kit.rules)
- 2050683 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (eeatgoodx .com) (exploit_kit.rules)
- 2050684 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (eeatgoodx .com) (exploit_kit.rules)
- 2050718 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (tnoodlezy .com) (exploit_kit.rules)
- 2050719 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (gspiceyl .com) (exploit_kit.rules)
- 2050720 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (snackfunp .com) (exploit_kit.rules)
- 2050721 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (tnoodlezy .com) (exploit_kit.rules)
- 2050722 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (gspiceyl .com) (exploit_kit.rules)
- 2050723 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (snackfunp .com) (exploit_kit.rules)
- 2050785 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (ronreznick .com) (exploit_kit.rules)
- 2050786 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (ronreznick .com) (exploit_kit.rules)
- 2051884 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (apifetchmethod .com) (exploit_kit.rules)
- 2051885 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (apifetchmethod .com) (exploit_kit.rules)
- 2052018 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (apieventemitter .com) (exploit_kit.rules)
- 2052019 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (apieventemitter .com) (exploit_kit.rules)
- 2052128 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (doggygangers .com) (exploit_kit.rules)
- 2052129 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (doggygangers .com) (exploit_kit.rules)
- 2053450 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mormonindianajones .com) (exploit_kit.rules)
- 2053451 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (santapubcrawlchattanooga .com) (exploit_kit.rules)
- 2053454 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mormonindianajones .com) (exploit_kit.rules)
- 2053455 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (santapubcrawlchattanooga .com) (exploit_kit.rules)
- 2053475 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (newmarketofficecleaning .com) (exploit_kit.rules)
- 2053476 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (newmarketofficecleaning .com) (exploit_kit.rules)
- 2053688 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (feckwear .com) (exploit_kit.rules)
- 2053689 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (feckwear .com) (exploit_kit.rules)
- 2053690 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (cococuy8 .xyz) (exploit_kit.rules)
- 2053691 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (x52op6gt0i .xyz) (exploit_kit.rules)
- 2053692 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (cococuy8 .xyz) (exploit_kit.rules)
- 2053693 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (x52op6gt0i .xyz) (exploit_kit.rules)
- 2053698 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (icarusairlines .com) (exploit_kit.rules)
- 2053699 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (icarusairlines .com) (exploit_kit.rules)
- 2053702 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .pages .microcloud360 .com) (malware.rules)
- 2053703 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .pages .microcloud360 .com) (malware.rules)
- 2053707 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (varinspector .com) (exploit_kit.rules)
- 2053708 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (varinspector .com) (exploit_kit.rules)
- 2053709 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (upstatesunflowerfestival .com) (exploit_kit.rules)
- 2053710 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (upstatesunflowerfestival .com) (exploit_kit.rules)
- 2053745 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (rvandccc .com) (exploit_kit.rules)
- 2053746 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (pelicanbcnsolutions .com) (exploit_kit.rules)
- 2053747 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (rvandccc .com) (exploit_kit.rules)
- 2053748 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (pelicanbcnsolutions .com) (exploit_kit.rules)
- 2053776 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (onecapitalresidences .com) (exploit_kit.rules)
- 2053777 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (onecapitalresidences .com) (exploit_kit.rules)
- 2857675 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2857676 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2857677 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2857678 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2857688 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2857689 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2857690 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2857753 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2857754 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2857755 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
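As an added example (not part of this ET update and not Proofpoint/Emerging Threats tooling), the following Python parses a summary in the layout above: it checks the headline "N new OPEN, M new PRO (N + K)" line against the SIDs actually listed, confirms each SID sits in the range its ET/ETPRO prefix implies (2000000-2099999 for ET Open, 2800000-2899999 for ETPRO), and re-fangs the space-before-dot domains so they can be fed to a blocklist or a hunt query. The SAMPLE text is a constructed excerpt copied from the listing above with counts adjusted to that excerpt; the function names are hypothetical.

```python
import re

# Constructed excerpt in the same layout as the ET daily update summary above
# (SIDs and rule names copied from the listing; the counts reflect this excerpt only).
SAMPLE = """Summary:
2 new OPEN, 3 new PRO (2 + 1)
Thanks @gdata, @Mandiant
Added rules:
Open:
- 2055315 - ET MALWARE SocGholish CnC Domain in DNS (* .sponsor .printondemandagency .com) (malware.rules)
- 2055319 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (abandonnyskop .shop) (malware.rules)
Pro:
- 2857967 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
Disabled and modified rules:
- 2049272 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (treegreeny .org) (exploit_kit.rules)
- 2857675 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
"""

RULE_LINE = re.compile(r"^- (\d+) - (.+?) \(([\w.]+\.rules)\)$")
SUMMARY_LINE = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")
# Defanged indicators carry a space before each dot ("abandonnyskop .shop",
# "* .sponsor .printondemandagency .com"); a leading "*" label is a wildcard.
DEFANGED = re.compile(r"(?:\*|[A-Za-z0-9-]+)(?: \.[A-Za-z0-9-]+)+")
# ET SID allocation: ET Open 2000000-2099999, ETPRO 2800000-2899999.
SID_RANGES = {"ET ": (2000000, 2099999), "ETPRO ": (2800000, 2899999)}
HEADINGS = {"Open:": "open", "Pro:": "pro", "Disabled and modified rules:": "modified"}

def parse_update(text):
    """Split the summary into sections of {sid, name, file, iocs} and the claimed counts."""
    sections = {"open": [], "pro": [], "modified": []}
    current, claimed = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY_LINE.search(line)
        if m:
            claimed = tuple(int(x) for x in m.groups())  # (open, total, open, pro)
            continue
        if line in HEADINGS:
            current = HEADINGS[line]
            continue
        m = RULE_LINE.match(line)
        if m and current:
            sid, name, rulefile = m.groups()
            sections[current].append({
                "sid": int(sid), "name": name, "file": rulefile,
                "iocs": [d.replace(" .", ".") for d in DEFANGED.findall(name)],
            })
    return {"sections": sections, "claimed": claimed}

def check_summary(parsed):
    """Return a list of discrepancies; empty when counts and SID ranges are consistent."""
    secs, claimed, problems = parsed["sections"], parsed["claimed"], []
    n_open, n_pro = len(secs["open"]), len(secs["pro"])
    if claimed is None:
        problems.append("summary line missing")
    else:
        c_open, c_total, c_open2, c_pro = claimed
        if n_open != c_open or n_open != c_open2:
            problems.append(f"OPEN count mismatch: summary says {c_open}, listing has {n_open}")
        if n_pro != c_pro:
            problems.append(f"PRO count mismatch: summary says {c_pro}, listing has {n_pro}")
        if c_total != c_open2 + c_pro:
            problems.append(f"total {c_total} != {c_open2} + {c_pro}")
    seen = set()
    for rules in secs.values():
        for r in rules:
            if r["sid"] in seen:
                problems.append(f"duplicate SID {r['sid']}")
            seen.add(r["sid"])
            prefix = "ETPRO " if r["name"].startswith("ETPRO ") else "ET "
            lo, hi = SID_RANGES[prefix]
            if not lo <= r["sid"] <= hi:
                problems.append(f"SID {r['sid']} outside the {prefix.strip()} range {lo}-{hi}")
    return problems

def indicators(parsed, section):
    """Sorted, de-duplicated, re-fanged domains from one section (wildcards kept as '*.')."""
    return sorted({ioc for r in parsed["sections"][section] for ioc in r["iocs"]})

if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    print("problems:", check_summary(parsed) or "none")
    for sec in ("open", "pro", "modified"):
        print(sec, len(parsed["sections"][sec]), indicators(parsed, sec))
```

Run against the full text of an update, `check_summary` catches a headline count that drifted from the listing, and `indicators(parsed, "modified")` is the quick way to see which domains had their rules disabled or changed and may need an allowlist or blocklist entry revisited.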