Ruleset Update Summary - 2024/09/12 - v10688

Ruleset Updates
1

Summary:

8 new OPEN, 10 new PRO (8 + 2)

Added rules:

Open:

  • 2055824 - ET INFO DYNAMIC_DNS Query to a * .joaopinho .adv .br Domain (info.rules)
  • 2055825 - ET INFO DYNAMIC_DNS HTTP Request to a * .joaopinho .adv .br Domain (info.rules)
  • 2055826 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (absentcurtaino .shop) (malware.rules)
  • 2055827 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (absentcurtaino .shop in TLS SNI) (malware.rules)
  • 2055828 - ET EXPLOIT_KIT CC Skimmer Domain in DNS Lookup (marketsoilmart .com) (exploit_kit.rules)
  • 2055829 - ET EXPLOIT_KIT CC Skimmer Domain in TLS SNI (marketsoilmart .com) (exploit_kit.rules)
  • 2055830 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (simplymecosmetics .com) (exploit_kit.rules)
  • 2055831 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (simplymecosmetics .com) (exploit_kit.rules)

Pro:

  • 2858336 - ETPRO MALWARE Malicious NetSupport Rat CnC Checkin (malware.rules)
  • 2858337 - ETPRO MALWARE PS/Spy.Agent.CR Exfiltration via Dropbox API (POST) (malware.rules)

Disabled and modified rules:

  • 2035477 - ET MALWARE rat-test CnC Response (malware.rules)
  • 2035614 - ET MALWARE Win32/SodaMaster domain observed in DNS query (www. rare-coisns. com) (malware.rules)
  • 2035618 - ET PHISHING Generic Phishing Domain in DNS Lookup (info-getting-eu. com) (phishing.rules)
  • 2035660 - ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (gaymers .ax) (malware.rules)
  • 2035662 - ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (jonathanhardwick .me) (malware.rules)
  • 2035666 - ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (verble .software) (malware.rules)
  • 2035704 - ET MALWARE Deep Panda Domain in DNS Lookup (vpn2 .smi1egate .com) (malware.rules)
  • 2035705 - ET MALWARE Deep Panda Domain in DNS Lookup (svn1 .smi1egate .com) (malware.rules)
  • 2035706 - ET MALWARE Deep Panda Domain in DNS Lookup (giga .gnisoft .com) (malware.rules)
  • 2035710 - ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (umpulumpu .ru) (malware.rules)
  • 2035712 - ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (greenblguard .shop) (malware.rules)
  • 2035773 - ET MALWARE Pegasus Domain in DNS Lookup (akhbar-almasdar .com) (malware.rules)
  • 2035864 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
  • 2035865 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
  • 2035866 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
  • 2035867 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
  • 2035868 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
  • 2035869 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
  • 2035942 - ET MALWARE Observed DNS Query to Fodcha Bot Domain (malware.rules)
  • 2036217 - ET MALWARE Observed DNS Query to ShadowPad Domain (greatsong .soundcast .me) (malware.rules)
  • 2036325 - ET MALWARE Observed DNS Query to Certishell Domain (googleprovider .ru) (malware.rules)
  • 2036326 - ET MALWARE Observed DNS Query to Certishell Domain (profiit .fiit .stuba .sk) (malware.rules)
  • 2036327 - ET MALWARE Observed DNS Query to Certishell Domain (freetips .php5 .sk) (malware.rules)
  • 2036328 - ET MALWARE Observed DNS Query to Certishell Domain (sivpici .php5 .sk) (malware.rules)
  • 2036329 - ET MALWARE Observed DNS Query to Certishell Domain (hotel-boss .eu) (malware.rules)
  • 2036330 - ET MALWARE Observed DNS Query to Certishell Domain (limousine-service .cz) (malware.rules)
  • 2036331 - ET MALWARE Observed DNS Query to Certishell Domain (ms .rousinov .cz) (malware.rules)
  • 2036332 - ET MALWARE Observed DNS Query to Certishell Domain (vavave .xf .cz) (malware.rules)
  • 2036401 - ET MALWARE Observed TraderTraitor Domain (alticgo .com) in TLS SNI (malware.rules)
  • 2036491 - ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (flash .wy886066 .com) (malware.rules)
  • 2036622 - ET MALWARE Powershell/CustomRAT CnC Domain in DNS Lookup (kleinm .de) (malware.rules)
  • 2036623 - ET MALWARE Observed PowerShell/CustomRAT Domain (kleinm .de) in TLS SNI (malware.rules)
  • 2036625 - ET MALWARE Credit Card Scraper Domain in DNS Lookup (authorizen .net) (malware.rules)
  • 2036670 - ET MALWARE Python CTX Library Backdoor Domain in DNS Lookup (anti-theft-web .herokuapp .com) (malware.rules)
  • 2036671 - ET MALWARE Observed Python CTX Library Backdoor Domain (anti-theft-web .herokuapp .com) in TLS SNI (malware.rules)
  • 2851670 - ETPRO PHISHING Lastpass Credential Phishing Attempt (phishing.rules)
  • 2851671 - ETPRO PHISHING DNS Query to Lastpass Phishing domain (lastpass .colleqeinvest .org) (phishing.rules)
  • 2851672 - ETPRO PHISHING Observed Lastpass Phishing Domain (lastpass .colleqeinvest .org) in TLS SNI (phishing.rules)

Removed rules:

  • 2035620 - ET WEB_CLIENT Evil Keitaro Set-Cookie Inbound (85937) (web_client.rules)
  • 2035716 - ET MALWARE BlackGuard_v2 Data Exfiltration Observed (malware.rules)
  • 2035766 - ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) M2 (malware.rules)
  • 2035901 - ET MALWARE Win32/TrojanDownloader.Agent.GEM Maldoc Remote Template Request M1 (malware.rules)
  • 2036236 - ET ADWARE_PUP Bluebox Data Exfiltration (adware_pup.rules)
  • 2036245 - ET MALWARE Matrix Max Stealer Exfiltration Observed (malware.rules)
  • 2036246 - ET MALWARE Zingo/GinzoStealer Stealer Exfiltration Observed (malware.rules)
  • 2036321 - ET MALWARE 000Stealer Data Exfiltration M2 (malware.rules)
  • 2036381 - ET HUNTING Possible Bot CnC Checkin (GET) (hunting.rules)
  • 2036382 - ET HUNTING Possible Bot CnC Beacon (GET) (hunting.rules)
  • 2036426 - ET MALWARE Nerbian RAT CnC Checkin (malware.rules)
  • 2036427 - ET MALWARE Nerbian RAT Data Exfiltration (malware.rules)
  • 2036541 - ET MALWARE Eternity Stealer Screen Capture Activity (malware.rules)
  • 2036542 - ET MALWARE Eternity Stealer Data Exfiltration Activity (malware.rules)
  • 2036597 - ET MALWARE PennyWise Stealer Data Exfil M1 (malware.rules)
  • 2036602 - ET MALWARE IceApple User-Agent observed (malware.rules)
  • 2036610 - ET MALWARE BlueShtorm Infostealer Data Exfiltration (malware.rules)
  • 2036624 - ET MALWARE PowerShell/CustomRAT CnC Traffic (malware.rules)
  • 2036655 - ET MALWARE TWISTEDPANDA CnC Domain in DNS Lookup (img .elliotterusties .com) (malware.rules)
  • 2036656 - ET MALWARE TWISTEDPANDA CnC Domain in DNS Lookup (www .miniboxmail .com) (malware.rules)
  • 2036657 - ET MALWARE TWISTEDPANDA CnC Domain in DNS Lookup (www .microtreely .com) (malware.rules)
  • 2036658 - ET MALWARE TWISTEDPANDA CnC Domain in DNS Lookup (www .minzdravros .com) (malware.rules)
  • 2036659 - ET MALWARE Observed TWISTEDPANDA Domain in TLS SNI (www .miniboxmail .com) (malware.rules)
  • 2036660 - ET MALWARE Observed TWISTEDPANDA Domain in TLS SNI (www .microtreely .com) (malware.rules)
  • 2036661 - ET MALWARE Observed TWISTEDPANDA Domain in TLS SNI (www .minzdravros .com) (malware.rules)
  • 2036662 - ET MALWARE Observed TWISTEDPANDA Domain in TLS SNI (img .elliotterusties .com) (malware.rules)
  • 2829286 - ETPRO MALWARE APT28 DNS Lookup (malware.rules)
  • 2851562 - ETPRO MALWARE MSIL.Cyfig CnC Activity (malware.rules)