Ruleset Update Summary - 2024/10/01 - v10710

Summary:

44 new OPEN, 54 new PRO (44 + 10)

Added rules:

Open:

• 2045611 - ET RETIRED Papercut MF/NG User/Group Sync Python Backdoor Trigger (retired.rules)
• 2045753 - ET RETIRED Camaro Dragon APT - Horse Shell CnC Checkin (retired.rules)
• 2045766 - ET RETIRED Stellar Stealer Data Exfiltration Attempt M1 (retired.rules)
• 2045767 - ET RETIRED Stellar Stealer Data Exfiltration Attempt M2 (retired.rules)
• 2045768 - ET RETIRED Stellar Stealer Data Exfiltration Attempt M3 (retired.rules)
• 2045769 - ET RETIRED Stellar Stealer Data Exfiltration Attempt M4 (retired.rules)
• 2045770 - ET RETIRED Stellar Stealer Data Exfiltration Attempt M5 (retired.rules)
• 2045781 - ET RETIRED BotLoader Retrieving Additional Payloads (retired.rules)
• 2045782 - ET RETIRED BotLoader CnC Checkin (retired.rules)
• 2045873 - ET RETIRED pswshopro_bot Stealer CnC Checkin (retired.rules)
• 2045874 - ET RETIRED pswshopro_bot Stealer data exfiltration attempt (retired.rules)
• 2045977 - ET RETIRED BellaCiao ASPX Backdoor Response (retired.rules)
• 2046234 - ET RETIRED Trojan.PSW.Autoit Data Exfiltration Attempt (retired.rules)
• 2046299 - ET RETIRED Zenlod System Information Retrieval (retired.rules)
• 2046697 - ET RETIRED DDoSia Client CnC Checkin (retired.rules)
• 2046698 - ET RETIRED DDoSia Client Target Retrieval (retired.rules)
• 2047015 - ET RETIRED abubasbanditbot CnC Checkin (retired.rules)
• 2047646 - ET RETIRED JanelaRAT CnC Checkin Observed (retired.rules)
• 2047647 - ET RETIRED QwixxRAT - Telegram CnC Checkin (retired.rules)
• 2056359 - ET INFO DNS Query to Commonly Actor Abused Online Service Domain (w3spaces .com) (info.rules)
• 2056360 - ET INFO Observed Commonly Actor Abused Online Service Domain (w3spaces .com in TLS SNI) (info.rules)
• 2056361 - ET MALWARE NamelessC2 CnC Domain in DNS Lookup (namelessserver .com) (malware.rules)
• 2056362 - ET MALWARE Observed NamelessC2 Domain (namelessserver .com in TLS SNI) (malware.rules)
• 2056363 - ET MALWARE NamelessC2 SSL/TLS Certificate Observed (malware.rules)
• 2056364 - ET WEB_SPECIFIC_APPS Apache OFBiz Remote Code Execution via Path Confusion (CVE-2024-32113) (web_specific_apps.rules)
• 2056365 - ET WEB_SPECIFIC_APPS Apache OFBiz Server-Side Request Forgery (CVE-2024-45195) (web_specific_apps.rules)
• 2056366 - ET WEB_SPECIFIC_APPS Supermicro BMC IPMI Buffer Overflow (CVE-2024-36435) (web_specific_apps.rules)
• 2056367 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diskegraciw .online) (malware.rules)
• 2056368 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (diskegraciw .online in TLS SNI) (malware.rules)
• 2056369 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (framedui .store) (malware.rules)
• 2056370 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (framedui .store in TLS SNI) (malware.rules)
• 2056371 - ET INFO DYNAMIC_DNS Query to a * .imagetemplate .net Domain (info.rules)
• 2056372 - ET INFO DYNAMIC_DNS HTTP Request to a * .imagetemplate .net Domain (info.rules)
• 2056373 - ET INFO DYNAMIC_DNS Query to a * .lecreativity .com Domain (info.rules)
• 2056374 - ET INFO DYNAMIC_DNS HTTP Request to a * .lecreativity .com Domain (info.rules)
• 2056375 - ET EXPLOIT Microsoft Office Spoofing to HTTP Redirect Inbound (CVE-2024-38200) (exploit.rules)
• 2056376 - ET WEB_SPECIFIC_APPS Zoho ManageEngine OpManager Directory Traversal Attempt (CVE-2020-12116) (web_specific_apps.rules)
• 2056377 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (indoprimitiveart .com) (exploit_kit.rules)
• 2056378 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (indoprimitiveart .com) (exploit_kit.rules)
• 2056379 - ET WEB_SPECIFIC_APPS Wavlink WN530H4 live_api.cgi ip Parameter Command Injection Attempt (CVE-2020-12124) (web_specific_apps.rules)
• 2056380 - ET WEB_SPECIFIC_APPS Clobber API XMLRPC Template Injection (CVE-2021-40323) (web_specific_apps.rules)
• 2056381 - ET WEB_SPECIFIC_APPS Clobber API XMLRPC Arbitrary File Upload (CVE-2021-40324) (web_specific_apps.rules)
• 2056382 - ET MALWARE Observed Malicious SSL Cert (Subject contains CN=c2server) (malware.rules)
• 2056383 - ET MALWARE Observed Malicious SSL Cert (Issuer contains CN=c2server) (malware.rules)

Pro:

• 2854247 - ETPRO RETIRED Win32/Spy.Autoit.GK CnC Checkin (retired.rules)
• 2854286 - ETPRO RETIRED Win32/Spy.Mekotio.GR Data Exfiltration Attempt (retired.rules)
• 2858516 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
• 2858517 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2858518 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
• 2858519 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
• 2858520 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
• 2858521 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
• 2858522 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
• 2858523 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Disabled and modified rules:

• 2045216 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (msn-service .co) (malware.rules)
• 2045217 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (msn-center .uk) (malware.rules)
• 2045218 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (maill-support .com) (malware.rules)
• 2045219 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (mailupdate .info) (malware.rules)
• 2045220 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (twittsupport .com) (malware.rules)
• 2045221 - ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (mail-updateservice .info) (malware.rules)
• 2046281 - ET MALWARE UNC4841 Related Domain in DNS Lookup (togetheroffway .com) (malware.rules)
• 2046282 - ET MALWARE UNC4841 Related Domain in DNS Lookup (goldenunder .com) (malware.rules)
• 2046283 - ET MALWARE UNC4841 Related Domain in DNS Lookup (fessionalwork .com) (malware.rules)
• 2046284 - ET MALWARE UNC4841 Related Domain in DNS Lookup (singamofing .com) (malware.rules)
• 2046285 - ET MALWARE UNC4841 Related Domain in DNS Lookup (bestfindthetruth .com) (malware.rules)
• 2046286 - ET MALWARE UNC4841 Related Domain in DNS Lookup (troublendsef .com) (malware.rules)
• 2046287 - ET MALWARE UNC4841 Related Domain in DNS Lookup (singnode .com) (malware.rules)
• 2046288 - ET MALWARE UNC4841 Related Domain in DNS Lookup (gesturefavour .com) (malware.rules)
• 2046752 - ET MALWARE TA444 Domain in DNS Lookup (malware.rules)
• 2046826 - ET MALWARE Mallox Ransomware CnC Domain (whyers .io) in DNS Lookup (malware.rules)
• 2047016 - ET MALWARE Bahamut APT Group CnC Domain in DNS Lookup (laborer-posted .nl) (malware.rules)
• 2047017 - ET MALWARE Observed Bahamut APT Group Domain (laborer-posted .nl) in TLS SNI (malware.rules)
• 2047686 - ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .brioche-amsterdam .com) (malware.rules)
• 2047687 - ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .qhsbobfv .top) (malware.rules)
• 2047688 - ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .mommachic .com) (malware.rules)
• 2047689 - ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .hatch .computer) (malware.rules)
• 2047690 - ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .nationalrecoveryllc .com) (malware.rules)
• 2047691 - ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .spv88 .online) (malware.rules)
• 2047692 - ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .raveready .shop) (malware.rules)
• 2047693 - ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .activ-ketodietakjsy620 .cloud) (malware.rules)
• 2047694 - ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .lushespets .com) (malware.rules)
• 2047695 - ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .qq9122 .com) (malware.rules)
• 2047696 - ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com) (malware.rules)
• 2047697 - ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .growind .info) (malware.rules)
• 2047698 - ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .kiavisa .com) (malware.rules)
• 2047699 - ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .akrsnamchi .com) (malware.rules)
• 2047700 - ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .pinksugarpopmontana .com) (malware.rules)
• 2047701 - ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .switchmerge .com) (malware.rules)

Removed rules:

• 2045611 - ET MALWARE Papercut MF/NG User/Group Sync Python Backdoor Trigger (malware.rules)
• 2045753 - ET MALWARE Camaro Dragon APT - Horse Shell CnC Checkin (malware.rules)
• 2045766 - ET MALWARE Stellar Stealer Data Exfiltration Attempt M1 (malware.rules)
• 2045767 - ET MALWARE Stellar Stealer Data Exfiltration Attempt M2 (malware.rules)
• 2045768 - ET MALWARE Stellar Stealer Data Exfiltration Attempt M3 (malware.rules)
• 2045769 - ET MALWARE Stellar Stealer Data Exfiltration Attempt M4 (malware.rules)
• 2045770 - ET MALWARE Stellar Stealer Data Exfiltration Attempt M5 (malware.rules)
• 2045781 - ET MALWARE BotLoader Retrieving Additional Payloads (malware.rules)
• 2045782 - ET MALWARE BotLoader CnC Checkin (malware.rules)
• 2045873 - ET MALWARE pswshopro_bot Stealer CnC Checkin (malware.rules)
• 2045874 - ET MALWARE pswshopro_bot Stealer data exfiltration attempt (malware.rules)
• 2045977 - ET MALWARE BellaCiao ASPX Backdoor Response (malware.rules)
• 2046234 - ET MALWARE Trojan.PSW.Autoit Data Exfiltration Attempt (malware.rules)
• 2046299 - ET MALWARE Zenlod System Information Retrieval (malware.rules)
• 2046697 - ET MALWARE DDoSia Client CnC Checkin (malware.rules)
• 2046698 - ET MALWARE DDoSia Client Target Retrieval (malware.rules)
• 2047015 - ET MALWARE abubasbanditbot CnC Checkin (malware.rules)
• 2047646 - ET MALWARE JanelaRAT CnC Checkin Observed (malware.rules)
• 2047647 - ET MALWARE QwixxRAT - Telegram CnC Checkin (malware.rules)
• 2854247 - ETPRO MALWARE Win32/Spy.Autoit.GK CnC Checkin (malware.rules)
• 2854286 - ETPRO MALWARE Win32/Spy.Mekotio.GR Data Exfiltration Attempt (malware.rules)