Ruleset Update Summary - 2024/09/09 - v10684

rulesbot · September 9, 2024, 8:30pm

Summary:

43 new OPEN, 64 new PRO (43 + 21)

Added rules:

Open:

2055769 - ET MALWARE SocGholish CnC Domain in DNS (* .benefits .melanatedbloodlinesrestoration .com) (malware.rules)
2055770 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .benefits .melanatedbloodlinesrestoration .com) (malware.rules)
2055771 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (druggywuop .shop) (malware.rules)
2055772 - ET MALWARE Observed Lumma Stealer Related Domain (druggywuop .shop in TLS SNI) (malware.rules)
2055773 - ET EXPLOIT_KIT CC Skimmer Domain in DNS Lookup (codecarawan .com) (exploit_kit.rules)
2055774 - ET EXPLOIT_KIT CC Skimmer Domain in TLS SNI (codecarawan .com) (exploit_kit.rules)
2055775 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (commisionipwn .shop) (malware.rules)
2055776 - ET MALWARE Observed Lumma Stealer Related Domain (commisionipwn .shop in TLS SNI) (malware.rules)
2055777 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (ignoracndwko .shop) (malware.rules)
2055778 - ET MALWARE Observed Lumma Stealer Related Domain (ignoracndwko .shop in TLS SNI) (malware.rules)
2055779 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (grassemenwji .shop) (malware.rules)
2055780 - ET MALWARE Observed Lumma Stealer Related Domain (grassemenwji .shop in TLS SNI) (malware.rules)
2055781 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (stitchmiscpaew .shop) (malware.rules)
2055782 - ET MALWARE Observed Lumma Stealer Related Domain (stitchmiscpaew .shop in TLS SNI) (malware.rules)
2055783 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (charistmatwio .shop) (malware.rules)
2055784 - ET MALWARE Observed Lumma Stealer Related Domain (charistmatwio .shop in TLS SNI) (malware.rules)
2055785 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (basedsymsotp .shop) (malware.rules)
2055786 - ET MALWARE Observed Lumma Stealer Related Domain (basedsymsotp .shop in TLS SNI) (malware.rules)
2055787 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (complainnykso .shop) (malware.rules)
2055788 - ET MALWARE Observed Lumma Stealer Related Domain (complainnykso .shop in TLS SNI) (malware.rules)
2055789 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (preachstrwnwjw .shop) (malware.rules)
2055790 - ET MALWARE Observed Lumma Stealer Related Domain (preachstrwnwjw .shop in TLS SNI) (malware.rules)
2055791 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (obstacleosdsapq .shop) (malware.rules)
2055792 - ET MALWARE Observed Lumma Stealer Related Domain (obstacleosdsapq .shop in TLS SNI) (malware.rules)
2055793 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (predatowpmn .shop) (malware.rules)
2055794 - ET MALWARE Observed Lumma Stealer Related Domain (predatowpmn .shop in TLS SNI) (malware.rules)
2055795 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (moneymoj .com) (exploit_kit.rules)
2055796 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ganharcomblog .com) (exploit_kit.rules)
2055797 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (swiftflicks .com) (exploit_kit.rules)
2055798 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (moneymoj .com) (exploit_kit.rules)
2055799 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ganharcomblog .com) (exploit_kit.rules)
2055800 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (swiftflicks .com) (exploit_kit.rules)
2055801 - ET MALWARE ZPHP CnC Domain in DNS Lookup (ipva2024-detransp .com) (malware.rules)
2055802 - ET MALWARE ZPHP CnC Domain in TLS SNI (ipva2024-detransp .com) (malware.rules)
2055803 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (quickresource .xyz) (exploit_kit.rules)
2055804 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (quickresource .xyz) (exploit_kit.rules)
2055805 - ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M1 (CVE-2024-36401) (web_specific_apps.rules)
2055806 - ET MALWARE Librarian Ghouls CnC Domain in DNS Lookup (hostingforme .nl) (malware.rules)
2055807 - ET MALWARE Observed Librarian Ghouls Domain (hostingforme .nl in TLS SNI) (malware.rules)
2055808 - ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M2 (CVE-2024-36401) (web_specific_apps.rules)
2055809 - ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M3 (CVE-2024-36401) (web_specific_apps.rules)
2055810 - ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M4 (CVE-2024-36401) (web_specific_apps.rules)
2055811 - ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M5 (CVE-2024-36401) (web_specific_apps.rules)

Pro:

2858299 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
2858300 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2858301 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2858302 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2858303 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2858304 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2858305 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2858306 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
2858307 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2858308 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2858309 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2858310 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2858311 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2858312 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2858313 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2858314 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2858315 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2858316 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2858319 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858320 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2858321 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

2028383 - ET JA3 Hash - Possible Malware - Neutrino (ja3.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/02/20 - v10536 Ruleset Updates	499	February 20, 2024
Ruleset Update Summary - 2024/07/26 - v10654 Ruleset Updates	117	July 26, 2024
Ruleset Update Summary - 2024/11/11 - v10739 Ruleset Updates	92	November 11, 2024
Ruleset Update Summary - 2024/03/05 - v10545 Ruleset Updates	751	March 5, 2024
Ruleset Update Summary - 2024/11/12 - v10740 Ruleset Updates	111	November 12, 2024

Ruleset Update Summary - 2024/09/09 - v10684

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related topics