Ruleset Update Summary - 2024/09/17 - v10696

Summary:

69 new OPEN, 70 new PRO (69 + 1)

Thanks @GMCIRT
Added rules:

Open:

  • 2036959 - ET RETIRED Win32/Agent.Fish Data Exfiltration (retired.rules)
  • 2037022 - ET RETIRED Win32/Criminal RAT CnC Checkin (retired.rules)
  • 2037139 - ET RETIRED ZuoRAT send_http_msg_php Call to ssid.php (retired.rules)
  • 2037140 - ET RETIRED ZuoRAT send_http_msg_php Call to dns.php (retired.rules)
  • 2037141 - ET RETIRED ZuoRAT send_http_msg_php Call to arp.php (retired.rules)
  • 2037144 - ET RETIRED ZuoRAT GoBeacon CnC (retired.rules)
  • 2037233 - ET RETIRED Troj_Yahoya Variant CnC Checkin (retired.rules)
  • 2037234 - ET RETIRED Win32/Fynloski.AA CnC Checkin (retired.rules)
  • 2037235 - ET RETIRED Win32/Wacatac.B!ml CnC Checkin (retired.rules)
  • 2037716 - ET RETIRED Win32/TrojanDownloader.AutoHK.MT CnC Checkin (retired.rules)
  • 2037718 - ET RETIRED Bitter APT ZxxZ Downloader CnC Checkin (retired.rules)
  • 2037738 - ET RETIRED NoMercy Stealer CnC Checkin (retired.rules)
  • 2037739 - ET RETIRED NoMercy Data Exfiltration M1 (retired.rules)
  • 2037740 - ET RETIRED NoMercy Data Exfiltration M2 (retired.rules)
  • 2037754 - ET RETIRED Win32/HackTool.Agent.CS SMTP Scanner CnC Checkin (retired.rules)
  • 2037941 - ET RETIRED Woody RAT CnC Checkin (retired.rules)
  • 2038496 - ET RETIRED Win32/Lilith Stealer getFile Command (retired.rules)
  • 2038497 - ET RETIRED Win32/Lilith Stealer registerBot CnC Checkin (retired.rules)
  • 2038498 - ET RETIRED Win32/Lilith Stealer getCommands Command (retired.rules)
  • 2038499 - ET RETIRED Win32/Lilith Stealer uploadFile Data Exfiltration Attempt (retired.rules)
  • 2038540 - ET RETIRED RShell Backdoor Initial CnC Checkin (retired.rules)
  • 2038570 - ET RETIRED Win32/Swjoy.A Telemetry Checkin (retired.rules)
  • 2038571 - ET RETIRED Shuckworm Backdoor Screenshot Upload Attempt (retired.rules)
  • 2038600 - ET RETIRED SAFIB Assistant Remote Administration Tool CnC Checkin (retired.rules)
  • 2038611 - ET RETIRED HTTPRevShell Initial CnC Checkin (retired.rules)
  • 2038664 - ET RETIRED Win32/Caypnamer.A RAT CnC Initial Checkin (retired.rules)
  • 2038686 - ET RETIRED Android/IRATA Data Exfiltration Attempt (retired.rules)
  • 2038703 - ET RETIRED MuLauncher Telemetry Gathering Attempt (retired.rules)
  • 2038704 - ET RETIRED Win32/Speedbit Variant Checkin (retired.rules)
  • 2038723 - ET RETIRED ErbiumStealer Variant CnC Activity (getstub) (retired.rules)
  • 2038732 - ET RETIRED Win32.Stealer.alwu Data Exfiltration Attempt (retired.rules)
  • 2038750 - ET RETIRED Trojan.Proxy.Small.Z CnC Checkin (retired.rules)
  • 2038765 - ET RETIRED Win32/MagicRAT CnC Checkin M1 (retired.rules)
  • 2038766 - ET RETIRED Win32/MagicRAT CnC Checkin M2 (retired.rules)
  • 2038767 - ET RETIRED Win32/MagicRAT Additional Payload URI M1 (retired.rules)
  • 2038768 - ET RETIRED Win32/MagicRAT Additional Payload URI M2 (retired.rules)
  • 2038769 - ET RETIRED Win32/MagicRAT Additional Payload URI M3 (retired.rules)
  • 2038770 - ET RETIRED Win32/MagicRAT Additional Payload URI M4 (retired.rules)
  • 2038808 - ET RETIRED Win32/TrojanDownloader.VB.RTN Payload Delivery Request (retired.rules)
  • 2055877 - ET INFO DYNAMIC_DNS Query to a * .grid2road .com Domain (info.rules)
  • 2055878 - ET INFO DYNAMIC_DNS HTTP Request to a * .grid2road .com Domain (info.rules)
  • 2055879 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eemmbryequo .shop) (malware.rules)
  • 2055880 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (eemmbryequo .shop in TLS SNI) (malware.rules)
  • 2055881 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (keennylrwmqlw .shop) (malware.rules)
  • 2055882 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (keennylrwmqlw .shop in TLS SNI) (malware.rules)
  • 2055883 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licenseodqwmqn .shop) (malware.rules)
  • 2055884 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (licenseodqwmqn .shop in TLS SNI) (malware.rules)
  • 2055885 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reggwardssdqw .shop) (malware.rules)
  • 2055886 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reggwardssdqw .shop in TLS SNI) (malware.rules)
  • 2055887 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (relaxatinownio .shop) (malware.rules)
  • 2055888 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (relaxatinownio .shop in TLS SNI) (malware.rules)
  • 2055889 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (salvaitoynwo .shop) (malware.rules)
  • 2055890 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (salvaitoynwo .shop in TLS SNI) (malware.rules)
  • 2055891 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencctywop .shop) (malware.rules)
  • 2055892 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tendencctywop .shop in TLS SNI) (malware.rules)
  • 2055893 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tesecuuweqo .shop) (malware.rules)
  • 2055894 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tesecuuweqo .shop in TLS SNI) (malware.rules)
  • 2055895 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tryyudjasudqo .shop) (malware.rules)
  • 2055896 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tryyudjasudqo .shop in TLS SNI) (malware.rules)
  • 2055897 - ET EXPLOIT_KIT CC Skimmer Domain in DNS Lookup (sellwisehub .com) (exploit_kit.rules)
  • 2055898 - ET EXPLOIT_KIT CC Skimmer Domain in TLS SNI (sellwisehub .com) (exploit_kit.rules)
  • 2055899 - ET MALWARE SocGholish Domain in DNS Lookup (circle .innovativecsportal .com) (malware.rules)
  • 2055900 - ET MALWARE SocGholish Domain in TLS SNI (circle .innovativecsportal .com) (malware.rules)
  • 2055901 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (uniquetouniquetechnicalservices .com) (exploit_kit.rules)
  • 2055902 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (uniquetouniquetechnicalservices .com) (exploit_kit.rules)
  • 2055903 - ET MALWARE PS1/ExfiltracaoBot CnC Checkin (malware.rules)
  • 2055904 - ET MALWARE PS1/ExfiltracaoBot CnC Command Inbound (ZIP_FILE) (malware.rules)
  • 2055905 - ET MALWARE PS1/ExfiltracaoBot CnC Response (INFO_RECEIVED) (malware.rules)
  • 2055906 - ET MALWARE Win32/Mesquito Loader Related Activity (GET) (malware.rules)

Pro:

  • 2858390 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

  • 2036845 - ET MALWARE Deathstalker/Evilnum Delivery Domain in DNS Lookup (bukjut11 .com) (malware.rules)
  • 2036846 - ET MALWARE Deathstalker/Evilnum Delivery Domain in DNS Lookup (puccino .altervista .org) (malware.rules)
  • 2036848 - ET MALWARE Deathstalker/Evilnum Delivery Domain in DNS Lookup (storangefilecloud .vip) (malware.rules)
  • 2036849 - ET MALWARE Deathstalker/Evilnum Delivery Domain (bukjut11 .com) in TLS SNI (malware.rules)
  • 2036850 - ET MALWARE Deathstalker/Evilnum Delivery Domain (puccino .altervista .org) in TLS SNI (malware.rules)
  • 2036851 - ET MALWARE Deathstalker/Evilnum Delivery Domain (storangefilecloud .vip) in TLS SNI (malware.rules)
  • 2036852 - ET HUNTING DNS Lookup to (laurentprotector .com) (hunting.rules)
  • 2036853 - ET HUNTING Suspicious Domain (laurentprotector .com) in TLS SNI (hunting.rules)
  • 2036854 - ET MALWARE WatchDog Coinminer Payload Delivery Domain in DNS Lookup (oracle .zzhreceive .top) (malware.rules)
  • 2037119 - ET MALWARE ToddyCat Ninja Backdoor CnC Domain in DNS Lookup (eohsdnsaaojrhnqo .windowshost .us) (malware.rules)
  • 2037721 - ET MALWARE Bitter APT Domain in DNS Lookup (huandocimama .com) (malware.rules)
  • 2037842 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (zuyonijobo .com) (malware.rules)
  • 2037843 - ET MALWARE Observed Cobalt Strike Domain (zuyonijobo .com) in TLS SNI (malware.rules)
  • 2037889 - ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (ui .0x0x0x0x0 .xyz) in DNS Lookup (malware.rules)
  • 2037890 - ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (rp .oiwcvbnc2e .stream) in DNS Lookup (malware.rules)
  • 2037891 - ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (aj .0x0x0x0x0 .best) in DNS Lookup (malware.rules)
  • 2037892 - ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (xs .0x0x0x0x0 .club) in DNS Lookup (malware.rules)
  • 2037893 - ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (qb .1c1c1c1c .best) in DNS Lookup (malware.rules)
  • 2037894 - ET MALWARE W32/CoinMinerESJ!tr CnC Domain (ox .mygoodluck .best) in DNS Lookup (malware.rules)
  • 2037909 - ET MALWARE ENV Variable Data Exfiltration Domain (ovz1 .j19544519 .pr46m .vps .myjino .ru) in DNS Lookup (malware.rules)
  • 2037910 - ET MALWARE ENV Variable Data Exfiltration Attempt (HTTP POST) (malware.rules)
  • 2037934 - ET MALWARE Woody RAT CnC Domain (microsoft-telemetry .ru) in DNS Lookup (malware.rules)
  • 2037935 - ET MALWARE Woody RAT CnC Domain (oakrussia .ru) in DNS Lookup (malware.rules)
  • 2037936 - ET MALWARE Woody RAT CnC Domain (kurmakata .duckdns .org) in DNS Lookup (malware.rules)
  • 2037937 - ET MALWARE Woody RAT CnC Domain (microsoft-ru-data .ru) in DNS Lookup (malware.rules)
  • 2037938 - ET MALWARE Woody RAT CnC Domain (fns77 .ru) in DNS Lookup (malware.rules)
  • 2037939 - ET MALWARE Woody RAT Payload Delivery Domain (garmandesar .duckdns .org) in DNS Lookup (malware.rules)
  • 2037940 - ET MALWARE Woody RAT Payload Delivery Domain (fcloud .nciinform .ru) in DNS Lookup (malware.rules)
  • 2037942 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (pgp .eu .com) in DNS Lookup (malware.rules)
  • 2037943 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (windowsupadates .com) in DNS Lookup (malware.rules)
  • 2037944 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (skype .se .net) in DNS Lookup (malware.rules)
  • 2037945 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (telegram-update .com) in DNS Lookup (malware.rules)
  • 2037946 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (update-pgp .com) in DNS Lookup (malware.rules)
  • 2037947 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (server-avira .com) in DNS Lookup (malware.rules)
  • 2037948 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (avira .ltd) in DNS Lookup (malware.rules)
  • 2037949 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (uk2privat .com) in DNS Lookup (malware.rules)
  • 2037950 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (cloud-avira .com) in DNS Lookup (malware.rules)
  • 2037951 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (update-real .com) in DNS Lookup (malware.rules)
  • 2038530 - ET MALWARE Shuckworm CnC Domain (leonardis .ru) in DNS Lookup (malware.rules)
  • 2038531 - ET MALWARE Shuckworm CnC Domain (destroy .asierdo .ru) in DNS Lookup (malware.rules)
  • 2038532 - ET MALWARE Shuckworm/Gamaredon CnC Domain (heato .ru) in DNS Lookup (malware.rules)
  • 2038533 - ET MALWARE Shuckworm/Gamaredon CnC Domain (motoristo .ru) in DNS Lookup (malware.rules)
  • 2038534 - ET MALWARE Shuckworm CnC Domain (a0698649 .xsph .ru) in DNS Lookup (malware.rules)
  • 2038537 - ET MALWARE RShell CnC Domain (linux .updatelive-oline .com) in DNS Lookup (malware.rules)
  • 2038538 - ET MALWARE RShell CnC Domain (time .ntp-server .asia) in DNS Lookup (malware.rules)
  • 2038539 - ET MALWARE RShell CnC Domain (center .veryssl .org) in DNS Lookup (malware.rules)
  • 2038572 - ET MALWARE JSSLoader CnC Domain (essentialsmassageanddayspa .com) in DNS Lookup (malware.rules)
  • 2038573 - ET MALWARE Observed JSSLoader Domain (essentialsmassageanddayspa .com) in TLS SNI (malware.rules)
  • 2038583 - ET MALWARE DonotGroup APT Related Domain in DNS Lookup (esr .suppservices .xyz) (malware.rules)
  • 2038588 - ET MALWARE DonotGroup APT Related Domain in DNS Lookup (beetelson .xyz) (malware.rules)
  • 2038589 - ET MALWARE DonotGroup APT Related Domain in DNS Lookup (ser .dermlogged .xyz) (malware.rules)
  • 2038590 - ET MALWARE DonotGroup APT Related Domain in DNS Lookup (kotlinn .xyz) (malware.rules)
  • 2038623 - ET MALWARE PyPI Phishing/Malware Data Exfiltration Domain (linkedopports .com) in DNS Lookup (malware.rules)
  • 2038624 - ET MALWARE Observed PyPI Phishing/Malicious Library Data Exfiltration Domain (linkedopports .com) in TLS SNI (malware.rules)
  • 2038625 - ET MALWARE PyPI Malicious Library Payload Delivery Domain (python-release .com) in DNS Lookup (malware.rules)
  • 2038679 - ET MALWARE Win32/Nitrokod Domain (intelserviceupdate .com) in TLS SNI (malware.rules)
  • 2038680 - ET MALWARE Win32/Nitrokod Domain (nitrokod .com) in TLS SNI (malware.rules)
  • 2038681 - ET MALWARE Win32/Nitrokod Domain (nvidiacenter .com) in TLS SNI (malware.rules)
  • 2038682 - ET MOBILE_MALWARE Android/IRATA CnC Domain (rimotgozaran .tk) in DNS Lookup (mobile_malware.rules)
  • 2038683 - ET MOBILE_MALWARE Android/IRATA CnC Domain (rimot-anitain .tk) in DNS Lookup (mobile_malware.rules)
  • 2038684 - ET MOBILE_MALWARE Observed Android/IRATA Domain (rimotgozaran .tk) in TLS SNI (mobile_malware.rules)
  • 2038685 - ET MOBILE_MALWARE Observed Android/IRATA Domain (rimot-anitain .tk) in TLS SNI (mobile_malware.rules)
  • 2038771 - ET MALWARE MagicRAT CnC Domain (gendoraduragonkgp126 .com) in DNS Lookup (malware.rules)
  • 2038803 - ET MALWARE PowerShell/PowHeartBeat CnC Domain (central .suhypercloud .org) in DNS Lookup (malware.rules)
  • 2038804 - ET MALWARE PowerShell/PowHeartBeat CnC Domain (airplane .travel-commercials .agency) in DNS Lookup (malware.rules)
  • 2038822 - ET MALWARE Observed DNS Query to Malicious Powershell Payload domain (onerecovery .click) (malware.rules)
  • 2038823 - ET MALWARE Observed DNS Query to Reverse Shell Payload Domain (opentunnel .quest) (malware.rules)
  • 2038824 - ET MALWARE Observed Malicious Powershell Payload Delivery Domain (onerecovery .click) in TLS SNI (malware.rules)
  • 2038825 - ET MALWARE Observed Reverse Shell Payload Delivery Domain (opentunnel .quest) in TLS SNI (malware.rules)
  • 2042966 - ET MALWARE TA453 Related Domain in DNS Lookup (universityofmhealth .biz) (malware.rules)

Removed rules:

  • 2036959 - ET MALWARE Win32/Agent.Fish Data Exfiltration (malware.rules)
  • 2037022 - ET MALWARE Win32/Criminal RAT CnC Checkin (malware.rules)
  • 2037139 - ET MALWARE ZuoRAT send_http_msg_php Call to ssid.php (malware.rules)
  • 2037140 - ET MALWARE ZuoRAT send_http_msg_php Call to dns.php (malware.rules)
  • 2037141 - ET MALWARE ZuoRAT send_http_msg_php Call to arp.php (malware.rules)
  • 2037144 - ET MALWARE ZuoRAT GoBeacon CnC (malware.rules)
  • 2037233 - ET MALWARE Troj_Yahoya Variant CnC Checkin (malware.rules)
  • 2037234 - ET MALWARE Win32/Fynloski.AA CnC Checkin (malware.rules)
  • 2037235 - ET MALWARE Win32/Wacatac.B!ml CnC Checkin (malware.rules)
  • 2037716 - ET MALWARE Win32/TrojanDownloader.AutoHK.MT CnC Checkin (malware.rules)
  • 2037718 - ET MALWARE Bitter APT ZxxZ Downloader CnC Checkin (malware.rules)
  • 2037738 - ET MALWARE NoMercy Stealer CnC Checkin (malware.rules)
  • 2037739 - ET MALWARE NoMercy Data Exfiltration M1 (malware.rules)
  • 2037740 - ET MALWARE NoMercy Data Exfiltration M2 (malware.rules)
  • 2037754 - ET MALWARE Win32/HackTool.Agent.CS SMTP Scanner CnC Checkin (malware.rules)
  • 2037941 - ET MALWARE Woody RAT CnC Checkin (malware.rules)
  • 2038496 - ET MALWARE Win32/Lilith Stealer getFile Command (malware.rules)
  • 2038497 - ET MALWARE Win32/Lilith Stealer registerBot CnC Checkin (malware.rules)
  • 2038498 - ET MALWARE Win32/Lilith Stealer getCommands Command (malware.rules)
  • 2038499 - ET MALWARE Win32/Lilith Stealer uploadFile Data Exfiltration Attempt (malware.rules)
  • 2038540 - ET MALWARE RShell Backdoor Initial CnC Checkin (malware.rules)
  • 2038570 - ET ADWARE_PUP Win32/Swjoy.A Telemetry Checkin (adware_pup.rules)
  • 2038571 - ET MALWARE Shuckworm Backdoor Screenshot Upload Attempt (malware.rules)
  • 2038600 - ET INFO SAFIB Assistant Remote Administration Tool CnC Checkin (info.rules)
  • 2038611 - ET MALWARE HTTPRevShell Initial CnC Checkin (malware.rules)
  • 2038664 - ET MALWARE Win32/Caypnamer.A RAT CnC Initial Checkin (malware.rules)
  • 2038686 - ET MOBILE_MALWARE Android/IRATA Data Exfiltration Attempt (mobile_malware.rules)
  • 2038703 - ET ADWARE_PUP MuLauncher Telemetry Gathering Attempt (adware_pup.rules)
  • 2038704 - ET ADWARE_PUP Win32/Speedbit Variant Checkin (adware_pup.rules)
  • 2038723 - ET MALWARE ErbiumStealer Variant CnC Activity (getstub) (malware.rules)
  • 2038732 - ET MALWARE Win32.Stealer.alwu Data Exfiltration Attempt (malware.rules)
  • 2038750 - ET MALWARE Trojan.Proxy.Small.Z CnC Checkin (malware.rules)
  • 2038765 - ET MALWARE Win32/MagicRAT CnC Checkin M1 (malware.rules)
  • 2038766 - ET MALWARE Win32/MagicRAT CnC Checkin M2 (malware.rules)
  • 2038767 - ET MALWARE Win32/MagicRAT Additional Payload URI M1 (malware.rules)
  • 2038768 - ET MALWARE Win32/MagicRAT Additional Payload URI M2 (malware.rules)
  • 2038769 - ET MALWARE Win32/MagicRAT Additional Payload URI M3 (malware.rules)
  • 2038770 - ET MALWARE Win32/MagicRAT Additional Payload URI M4 (malware.rules)
  • 2038808 - ET MALWARE Win32/TrojanDownloader.VB.RTN Payload Delivery Request (malware.rules)