Ruleset Update Summary - 2024/08/19 - v10669

rulesbot · August 19, 2024, 8:58pm

Summary:

39 new OPEN, 49 new PRO (39 + 10)

Thanks @gdata, @Mandiant

Added rules:

Open:

2055315 - ET MALWARE SocGholish CnC Domain in DNS (* .sponsor .printondemandagency .com) (malware.rules)
2055316 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .sponsor .printondemandagency .com) (malware.rules)
2055317 - ET INFO DYNAMIC_DNS Query to a * .elangtama .com Domain (info.rules)
2055318 - ET INFO DYNAMIC_DNS HTTP Request to a * .elangtama .com Domain (info.rules)
2055319 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (abandonnyskop .shop) (malware.rules)
2055320 - ET MALWARE Observed Lumma Stealer Related Domain (abandonnyskop .shop in TLS SNI) (malware.rules)
2055321 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (beatablydoxzcop .shop) (malware.rules)
2055322 - ET MALWARE Observed Lumma Stealer Related Domain (beatablydoxzcop .shop in TLS SNI) (malware.rules)
2055323 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (episodepspzmp .shop) (malware.rules)
2055324 - ET MALWARE Observed Lumma Stealer Related Domain (episodepspzmp .shop in TLS SNI) (malware.rules)
2055325 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (futureddospzmvq .shop) (malware.rules)
2055326 - ET MALWARE Observed Lumma Stealer Related Domain (futureddospzmvq .shop in TLS SNI) (malware.rules)
2055327 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (guuynsqpwsima .shop) (malware.rules)
2055328 - ET MALWARE Observed Lumma Stealer Related Domain (guuynsqpwsima .shop in TLS SNI) (malware.rules)
2055329 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (polyctendizxcop .shop) (malware.rules)
2055330 - ET MALWARE Observed Lumma Stealer Related Domain (polyctendizxcop .shop in TLS SNI) (malware.rules)
2055331 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (revivewronggykwos .xyz) (malware.rules)
2055332 - ET MALWARE Observed Lumma Stealer Related Domain (revivewronggykwos .xyz in TLS SNI) (malware.rules)
2055333 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (sensitivyitszv .shop) (malware.rules)
2055334 - ET MALWARE Observed Lumma Stealer Related Domain (sensitivyitszv .shop in TLS SNI) (malware.rules)
2055335 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (solutionpxmuzo .shop) (malware.rules)
2055336 - ET MALWARE Observed Lumma Stealer Related Domain (solutionpxmuzo .shop in TLS SNI) (malware.rules)
2055337 - ET INFO File Sharing Related Domain in DNS Lookup (4sync .com) (info.rules)
2055338 - ET INFO Observed File Sharing Related Domain (4sync .com) in TLS SNI (info.rules)
2055339 - ET MALWARE NUMOZYLOD CnC Checkin M1 (malware.rules)
2055340 - ET MALWARE NUMOZYLOD CnC Checkin M2 (malware.rules)
2055341 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (carnivalsale .com) (exploit_kit.rules)
2055342 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (boylegmfg .com) (exploit_kit.rules)
2055343 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (localdominationsystems .com) (exploit_kit.rules)
2055344 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (carnivalsale .com) (exploit_kit.rules)
2055345 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (boylegmfg .com) (exploit_kit.rules)
2055346 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (localdominationsystems .com) (exploit_kit.rules)
2055347 - ET MALWARE Ailurophile Infostealer Data Exfiltration Attempt M1 (malware.rules)
2055348 - ET MALWARE Ailurophile Infostealer CnC Server Response M1 (malware.rules)
2055349 - ET MALWARE Ailurophile Infostealer Data Exfiltration Attempt M2 (malware.rules)
2055350 - ET MALWARE Ailurophile Infostealer CnC Server Response M2 (malware.rules)
2055351 - ET INFO TsPlus Remote Support Client Activity M1 (info.rules)
2055352 - ET INFO TsPlus Remote Support Client Activity M2 (info.rules)
2055353 - ET INFO TsPlus Remote Support Agent Download (info.rules)

Pro:

2857967 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2857968 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2857969 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2857970 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2857971 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
2857972 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
2857973 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2857974 - ETPRO MALWARE Observed DNS Query to Lumma Domain (malware.rules)
2857975 - ETPRO MALWARE Observed Lumma Domain in TLS SNI (malware.rules)
2857976 - ETPRO HUNTING GoogleSheets API V4 Activity (Possible Exfil) (hunting.rules)

Disabled and modified rules:

2049272 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (treegreeny .org) (exploit_kit.rules)
2049273 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (treegreeny .org) (exploit_kit.rules)
2049308 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (daddygarages .org) (exploit_kit.rules)
2049309 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (daddygarages .org) (exploit_kit.rules)
2049469 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (emperorplan .org) (exploit_kit.rules)
2049470 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (emperorplan .org) (exploit_kit.rules)
2050683 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (eeatgoodx .com) (exploit_kit.rules)
2050684 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (eeatgoodx .com) (exploit_kit.rules)
2050718 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (tnoodlezy .com) (exploit_kit.rules)
2050719 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (gspiceyl .com) (exploit_kit.rules)
2050720 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (snackfunp .com) (exploit_kit.rules)
2050721 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (tnoodlezy .com) (exploit_kit.rules)
2050722 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (gspiceyl .com) (exploit_kit.rules)
2050723 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (snackfunp .com) (exploit_kit.rules)
2050785 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (ronreznick .com) (exploit_kit.rules)
2050786 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (ronreznick .com) (exploit_kit.rules)
2051884 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (apifetchmethod .com) (exploit_kit.rules)
2051885 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (apifetchmethod .com) (exploit_kit.rules)
2052018 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (apieventemitter .com) (exploit_kit.rules)
2052019 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (apieventemitter .com) (exploit_kit.rules)
2052128 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (doggygangers .com) (exploit_kit.rules)
2052129 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (doggygangers .com) (exploit_kit.rules)
2053450 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mormonindianajones .com) (exploit_kit.rules)
2053451 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (santapubcrawlchattanooga .com) (exploit_kit.rules)
2053454 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mormonindianajones .com) (exploit_kit.rules)
2053455 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (santapubcrawlchattanooga .com) (exploit_kit.rules)
2053475 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (newmarketofficecleaning .com) (exploit_kit.rules)
2053476 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (newmarketofficecleaning .com) (exploit_kit.rules)
2053688 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (feckwear .com) (exploit_kit.rules)
2053689 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (feckwear .com) (exploit_kit.rules)
2053690 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (cococuy8 .xyz) (exploit_kit.rules)
2053691 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (x52op6gt0i .xyz) (exploit_kit.rules)
2053692 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (cococuy8 .xyz) (exploit_kit.rules)
2053693 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (x52op6gt0i .xyz) (exploit_kit.rules)
2053698 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (icarusairlines .com) (exploit_kit.rules)
2053699 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (icarusairlines .com) (exploit_kit.rules)
2053702 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .pages .microcloud360 .com) (malware.rules)
2053703 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .pages .microcloud360 .com) (malware.rules)
2053707 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (varinspector .com) (exploit_kit.rules)
2053708 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (varinspector .com) (exploit_kit.rules)
2053709 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (upstatesunflowerfestival .com) (exploit_kit.rules)
2053710 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (upstatesunflowerfestival .com) (exploit_kit.rules)
2053745 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (rvandccc .com) (exploit_kit.rules)
2053746 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (pelicanbcnsolutions .com) (exploit_kit.rules)
2053747 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (rvandccc .com) (exploit_kit.rules)
2053748 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (pelicanbcnsolutions .com) (exploit_kit.rules)
2053776 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (onecapitalresidences .com) (exploit_kit.rules)
2053777 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (onecapitalresidences .com) (exploit_kit.rules)
2857675 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2857676 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2857677 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2857678 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2857688 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2857689 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2857690 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2857753 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2857754 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2857755 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/03/11 - v10549 Ruleset Updates	924	March 11, 2024
Ruleset Update Summary - 2024/03/08 - v10548 Ruleset Updates	233	March 8, 2024
Ruleset Update Summary - 2024/03/05 - v10545 Ruleset Updates	694	March 5, 2024
Ruleset Update Summary - 2024/02/20 - v10536 Ruleset Updates	480	February 20, 2024
Ruleset Update Summary - 2024/05/15 - v10596 Ruleset Updates	191	May 15, 2024

Ruleset Update Summary - 2024/08/19 - v10669

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related Topics