Ruleset Update Summary - 2024/09/23 - v10701

Summary:

70 new OPEN, 91 new PRO (70 + 21)
Added rules:

Open:

  • 2039749 - ET RETIRED WinGO\Monitor.go CnC Checkin (retired.rules)
  • 2039785 - ET RETIRED Win32/TyphonReborn Telegram CnC Checkin (retired.rules)
  • 2039786 - ET RETIRED Android/RatMilad CnC Checkin (retired.rules)
  • 2039834 - ET RETIRED Win32/Gh0st RAT Variant CnC Checkin response (retired.rules)
  • 2041455 - ET RETIRED Android/LoanBee Data Stealer Data Exfiltration Domain (api .loanbee .tech) in DNS Lookup (retired.rules)
  • 2041670 - ET RETIRED Bitter APT CHM Activity (GET) M3 (retired.rules)
  • 2041780 - ET RETIRED Win32/XFILES Stealer Data Exfiltration Attempt (retired.rules)
  • 2041928 - ET RETIRED Confucious APT CnC Checkin (retired.rules)
  • 2042950 - ET RETIRED CIA Ransomware - wallpaper/readme retrieval attempt (retired.rules)
  • 2042951 - ET RETIRED GoLinux/GoTrim CnC Checkin (retired.rules)
  • 2043193 - ET RETIRED linux.backdoor.wordpressexploit.1 CnC Checkin (retired.rules)
  • 2053030 - ET WEB_SERVER Adobe ColdFusion Arbitrary File Read Vulnerability M2 - logging Module Directory Traversal Attempt (CVE-2024-20767) (web_server.rules)
  • 2056032 - ET MALWARE SocGholish CnC Domain in DNS (* .free .thebitmeister .com) (malware.rules)
  • 2056033 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .free .thebitmeister .com) (malware.rules)
  • 2056034 - ET INFO DYNAMIC_DNS Query to a * .degaris .com Domain (info.rules)
  • 2056035 - ET INFO DYNAMIC_DNS HTTP Request to a * .degaris .com Domain (info.rules)
  • 2056036 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop) (malware.rules)
  • 2056037 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (appleboltelwk .shop in TLS SNI) (malware.rules)
  • 2056038 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bearrytankkewo .shop) (malware.rules)
  • 2056039 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bearrytankkewo .shop in TLS SNI) (malware.rules)
  • 2056040 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop) (malware.rules)
  • 2056041 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (captainynfanw .shop in TLS SNI) (malware.rules)
  • 2056042 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop) (malware.rules)
  • 2056043 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (coursedonnyre .shop in TLS SNI) (malware.rules)
  • 2056044 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discoveriwm .shop) (malware.rules)
  • 2056045 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discoveriwm .shop in TLS SNI) (malware.rules)
  • 2056046 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop) (malware.rules)
  • 2056047 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fossillargeiw .shop in TLS SNI) (malware.rules)
  • 2056048 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lootebarrkeyn .shop) (malware.rules)
  • 2056049 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lootebarrkeyn .shop in TLS SNI) (malware.rules)
  • 2056050 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pilotyiess .shop) (malware.rules)
  • 2056051 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pilotyiess .shop in TLS SNI) (malware.rules)
  • 2056052 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop) (malware.rules)
  • 2056053 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (strappystyio .shop in TLS SNI) (malware.rules)
  • 2056054 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop) (malware.rules)
  • 2056055 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (surveriysiop .shop in TLS SNI) (malware.rules)
  • 2056056 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop) (malware.rules)
  • 2056057 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tearrybyiwo .shop in TLS SNI) (malware.rules)
  • 2056058 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop) (malware.rules)
  • 2056059 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tendencerangej .shop in TLS SNI) (malware.rules)
  • 2056060 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (trolleyrreiwn .shop) (malware.rules)
  • 2056061 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (trolleyrreiwn .shop in TLS SNI) (malware.rules)
  • 2056062 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vannysiidwq .shop) (malware.rules)
  • 2056063 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vannysiidwq .shop in TLS SNI) (malware.rules)
  • 2056064 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surroundeocw .shop) (malware.rules)
  • 2056065 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (surroundeocw .shop in TLS SNI) (malware.rules)
  • 2056066 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covvercilverow .shop) (malware.rules)
  • 2056067 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (covvercilverow .shop in TLS SNI) (malware.rules)
  • 2056068 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abortinoiwiam .shop) (malware.rules)
  • 2056069 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (abortinoiwiam .shop in TLS SNI) (malware.rules)
  • 2056070 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pumpkinkwquo .shop) (malware.rules)
  • 2056071 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pumpkinkwquo .shop in TLS SNI) (malware.rules)
  • 2056072 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (priooozekw .shop) (malware.rules)
  • 2056073 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (priooozekw .shop in TLS SNI) (malware.rules)
  • 2056074 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deallyharvenw .shop) (malware.rules)
  • 2056075 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (deallyharvenw .shop in TLS SNI) (malware.rules)
  • 2056076 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (defenddsouneuw .shop) (malware.rules)
  • 2056077 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (defenddsouneuw .shop in TLS SNI) (malware.rules)
  • 2056078 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop) (malware.rules)
  • 2056079 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) (malware.rules)
  • 2056080 - ET MALWARE SocGholish Domain in DNS Lookup (customer .thewayofmoney .us) (malware.rules)
  • 2056081 - ET MALWARE SocGholish Domain in TLS SNI (customer .thewayofmoney .us) (malware.rules)
  • 2056082 - ET EXPLOIT_KIT Fake Java Update Domain in DNS Lookup (edgeupgrade .com) (exploit_kit.rules)
  • 2056083 - ET EXPLOIT_KIT Fake Java Update Domain in TLS SNI (edgeupgrade .com) (exploit_kit.rules)
  • 2056084 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (virtana-tech .com) (exploit_kit.rules)
  • 2056085 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (virtana-tech .com) (exploit_kit.rules)
  • 2056086 - ET WEB_SERVER Adobe ColdFusion Arbitrary File Read Vulnerability M1 - UUID Leak Via servermanager.cfc getHeartBeat Method (CVE-2024-20767) (web_server.rules)
  • 2056087 - ET WEB_SERVER Adobe ColdFusion Arbitrary File Read Vulnerability M3 - Heap Memory Dump Module Unauthorized Memory Dump Attempt (CVE-2024-20767) (web_server.rules)
  • 2056088 - ET ATTACK_RESPONSE Fake MS Office Lure Containing Powershell Inbound (M1) (attack_response.rules)
  • 2056089 - ET ATTACK_RESPONSE Fake MS Office Lure Containing Powershell Inbound (M2) (attack_response.rules)

Pro:

  • 2852813 - ETPRO RETIRED Silence Downloader Payload Retrieval Attempt M2 (retired.rules)
  • 2858418 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound to VexTrio (exploit_kit.rules)
  • 2858419 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2858420 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2858421 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2858422 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2858423 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2858424 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
  • 2858425 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2858426 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
  • 2858427 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
  • 2858428 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2858429 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2858430 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2858431 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2858432 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2858433 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2858434 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2858435 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2858438 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2858439 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Disabled and modified rules:

  • 2039744 - ET MALWARE ChromeLoader CnC Domain (istakechau .autos) in DNS Lookup (malware.rules)
  • 2039758 - ET MALWARE JS/Cloud9 Domain (download .loginserv .net) in DNS Lookup (malware.rules)
  • 2039759 - ET MALWARE JS/Cloud9 Domain (cloud-miner .de) in DNS Lookup (malware.rules)
  • 2039760 - ET MALWARE JS/Cloud9 Domain (zmsp .top) in DNS Lookup (malware.rules)
  • 2039761 - ET MALWARE JS/Cloud9 Domain (download .agency) in DNS Lookup (malware.rules)
  • 2039767 - ET MALWARE APT41 CnC Domain (www .affice366 .com) in DNS Lookup (malware.rules)
  • 2039768 - ET MALWARE APT41 CnC Domain (c .ymvh8w5 .xyz) in DNS Lookup (malware.rules)
  • 2039769 - ET MALWARE APT41 CnC Domain (www .vietsovspeedtest .com) in DNS Lookup (malware.rules)
  • 2039802 - ET MALWARE Kimsuky CnC Domain (jojoa .mypressonline .com) Observed in DNS Query (malware.rules)
  • 2039803 - ET MALWARE Kimsuky CnC Domain (okihs .mypressonline .com) Observed in DNS Query (malware.rules)
  • 2043176 - ET PHISHING Office 365 Credential Harvesting Domain (rightofcourse .com) in TLS SNI (phishing.rules)
  • 2043180 - ET MALWARE Observed linux.backdoor.wordpressexploit.1 Domain (gabriellalovecats .com) in TLS SNI (malware.rules)
  • 2043181 - ET MALWARE Observed linux.backdoor.wordpressexploit.1 Domain (transadforward .icu) in TLS SNI (malware.rules)
  • 2043182 - ET MALWARE Observed linux.backdoor.wordpressexploit.1 Domain (tommyforgreendream .icu) in TLS SNI (malware.rules)
  • 2043188 - ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain (clon .collectfasttracks .com) in TLS SNI (malware.rules)
  • 2043189 - ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain (letsmakeparty3 .ga) in TLS SNI (malware.rules)
  • 2043190 - ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain (count .trackstatisticsss .com) in TLS SNI (malware.rules)
  • 2043191 - ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain (lobbydesires .com) in TLS SNI (malware.rules)
  • 2043192 - ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain (deliverygoodstrategies .com) in TLS SNI (malware.rules)
  • 2043230 - ET MALWARE Win32/Youtube Bot - CnC Checkin (malware.rules)
  • 2043249 - ET MALWARE NetSupport RAT Domain (tradinghuy .duckdns .org) in DNS Lookup (malware.rules)
  • 2043260 - ET MALWARE BLINDEAGLE CnC Domain (laminascol .linkpc .net) in DNS Lookup (malware.rules)
  • 2043261 - ET MALWARE BLINDEAGLE CnC Domain (upxsystems .com) in DNS Lookup (malware.rules)
  • 2043262 - ET MALWARE BLINDEAGLE CnC Domain (systemwin .linkpc .net) in DNS Lookup (malware.rules)
  • 2043279 - ET MALWARE TA444 Related Domain (updatezone .org) in DNS Lookup (malware.rules)
  • 2043280 - ET MALWARE TA444 Related Domain (autoprotect .com .de) in DNS Lookup (malware.rules)
  • 2043281 - ET MALWARE TA444 Related Domain (autoprotect .gb .net) in DNS Lookup (malware.rules)
  • 2043282 - ET MALWARE TA444 Related Domain (azure-security .online) in DNS Lookup (malware.rules)
  • 2043283 - ET MALWARE TA444 Related Domain (azure-security .site) in DNS Lookup (malware.rules)
  • 2043284 - ET MALWARE TA444 Related Domain (hoststudio .org) in DNS Lookup (malware.rules)
  • 2043285 - ET MALWARE TA444 Related Domain (thecloudnet .org) in DNS Lookup (malware.rules)
  • 2054633 - ET MALWARE SocGholish CnC Domain in DNS (* .loyalty .hienphucuanhanloai .org) (malware.rules)
  • 2054634 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .loyalty.hienphucuanhanloai .org) (malware.rules)
  • 2054646 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (coaching-the-boss .com) (exploit_kit.rules)
  • 2054647 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (knoxvillevideoproductions .com) (exploit_kit.rules)
  • 2054648 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (darchrif .com) (exploit_kit.rules)
  • 2054649 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (coaching-the-boss .com) (exploit_kit.rules)
  • 2054650 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (knoxvillevideoproductions .com) (exploit_kit.rules)
  • 2054651 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (darchrif .com) (exploit_kit.rules)
  • 2054654 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (bestdoctornearme .com) (exploit_kit.rules)
  • 2054655 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (bestdoctornearme .com) (exploit_kit.rules)
  • 2054656 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (denaumtz .com) (exploit_kit.rules)
  • 2054657 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (denaumtz .com) (exploit_kit.rules)
  • 2054661 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (imc1 .top) (exploit_kit.rules)
  • 2054662 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (imc1 .top) (exploit_kit.rules)
  • 2858319 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2858320 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2858321 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Removed rules:

  • 2039749 - ET MALWARE WinGO\Monitor.go CnC Checkin (malware.rules)
  • 2039785 - ET MALWARE Win32/TyphonReborn Telegram CnC Checkin (malware.rules)
  • 2039786 - ET MOBILE_MALWARE Android/RatMilad CnC Checkin (mobile_malware.rules)
  • 2039834 - ET MALWARE Win32/Gh0st RAT Variant CnC Checkin response (malware.rules)
  • 2041455 - ET MOBILE_MALWARE Android/LoanBee Data Stealer Data Exfiltration Domain (api .loanbee .tech) in DNS Lookup (mobile_malware.rules)
  • 2041670 - ET MALWARE Bitter APT CHM Activity (GET) M3 (malware.rules)
  • 2041780 - ET MALWARE Win32/XFILES Stealer Data Exfiltration Attempt (malware.rules)
  • 2041928 - ET MALWARE Confucious APT CnC Checkin (malware.rules)
  • 2042950 - ET MALWARE CIA Ransomware - wallpaper/readme retrieval attempt (malware.rules)
  • 2042951 - ET MALWARE GoLinux/GoTrim CnC Checkin (malware.rules)
  • 2043193 - ET MALWARE linux.backdoor.wordpressexploit.1 CnC Checkin (malware.rules)
  • 2053030 - ET EXPLOIT Adobe ColdFusion Unauthorized File Access (CVE-2024-20767) (exploit.rules)
  • 2852813 - ETPRO MALWARE Silence Downloader Payload Retrieval Attempt M2 (malware.rules)