Ruleset Update Summary - 2024/10/02 - v10712

rulesbot · October 2, 2024, 8:44pm

Summary:

44 new OPEN, 48 new PRO (44 + 4)

Added rules:

Open:

2047754 - ET RETIRED ZenRAT Ping Command (retired.rules)
2047756 - ET RETIRED ZenRAT Get Status Command (retired.rules)
2047759 - ET RETIRED ZenRAT Request Module Command (retired.rules)
2047760 - ET RETIRED ZenRAT Request Module CnC Response (retired.rules)
2047761 - ET RETIRED ZenRAT Update Command (retired.rules)
2047921 - ET RETIRED [ANY.RUN] Echida Botnet Check-In M1 (retired.rules)
2047922 - ET RETIRED [ANY.RUN] Echida Botnet Check-In M2 (retired.rules)
2048265 - ET RETIRED Possible ToneShell CnC Checkin M3 (retired.rules)
2048324 - ET RETIRED [ANY.RUN] Lu0bot-Style DNS Query in DNS Lookup M1 (retired.rules)
2048325 - ET RETIRED [ANY.RUN] Lu0bot-Style DNS Query in DNS Lookup M2 (retired.rules)
2048326 - ET RETIRED [ANY.RUN] Lu0bot-Style DNS Query in DNS Lookup M3 (retired.rules)
2048327 - ET RETIRED [ANY.RUN] Lu0bot-Style DNS Query in DNS Lookup M4 (retired.rules)
2048328 - ET RETIRED [ANY.RUN] Lu0bot-Style DNS Query in DNS Lookup M5 (retired.rules)
2056384 - ET WEB_SPECIFIC_APPS Progress Flowmon OS Command Injection in Service:Pdfs:Confluence Module (CVE-2024-2389) (web_specific_apps.rules)
2056385 - ET WEB_SPECIFIC_APPS CraftCMS Remote Code Execution via ConditionsController Object Creation (CVE-2023-41892) (web_specific_apps.rules)
2056386 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (thehyperfocus .quest) (exploit_kit.rules)
2056387 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (yaseraljazeera .com) (exploit_kit.rules)
2056388 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (thehyperfocus .quest) (exploit_kit.rules)
2056389 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (yaseraljazeera .com) (exploit_kit.rules)
2056390 - ET WEB_SPECIFIC_APPS Fortra FileCatalyst Workflow 5.x Arbitrary File Upload (CVE-2024-25153) (web_specific_apps.rules)
2056391 - ET WEB_SPECIFIC_APPS Ivanti EPM SQL Injection (CVE-2024-29824) (web_specific_apps.rules)
2056392 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abnomalrkmu .site) (malware.rules)
2056393 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (abnomalrkmu .site in TLS SNI) (malware.rules)
2056394 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (absorptioniw .site) (malware.rules)
2056395 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (absorptioniw .site in TLS SNI) (malware.rules)
2056396 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chorusarorp .site) (malware.rules)
2056397 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (chorusarorp .site in TLS SNI) (malware.rules)
2056398 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (consumptiy .site) (malware.rules)
2056399 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (consumptiy .site in TLS SNI) (malware.rules)
2056400 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mysterisop .site) (malware.rules)
2056401 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mysterisop .site in TLS SNI) (malware.rules)
2056402 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (questionsmw .store) (malware.rules)
2056403 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (questionsmw .store in TLS SNI) (malware.rules)
2056404 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (remembkreom .xyz) (malware.rules)
2056405 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (remembkreom .xyz in TLS SNI) (malware.rules)
2056406 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (snarlypagowo .site) (malware.rules)
2056407 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (snarlypagowo .site in TLS SNI) (malware.rules)
2056408 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soldiefieop .site) (malware.rules)
2056409 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (soldiefieop .site in TLS SNI) (malware.rules)
2056410 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (treatynreit .site) (malware.rules)
2056411 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (treatynreit .site in TLS SNI) (malware.rules)
2056412 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (trenndylicensei .shop) (malware.rules)
2056413 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (trenndylicensei .shop in TLS SNI) (malware.rules)
2056414 - ET MALWARE NamelessC2 Implant Terminal Checkin (malware.rules)

Pro:

2855338 - ETPRO RETIRED Possible Cryptex OPTIONS Request (retired.rules)
2855339 - ETPRO RETIRED Cryptex 302 Redirect (retired.rules)
2858530 - ETPRO MALWARE NamelessC2 Implant Registering with Default RC4 Key (malware.rules)
2858531 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Disabled and modified rules:

2047931 - ET MALWARE Epsilon Stealer CnC Domain in DNS Lookup (epsilon1337 .com) (malware.rules)
2047962 - ET MALWARE Red Wolf/RedCurl Domain in DNS Lookup (msftcloud .click) (malware.rules)
2047963 - ET MALWARE Red Wolf/RedCurl Domain in DNS Lookup (servicehost .click) (malware.rules)
2047964 - ET MALWARE Red Wolf/RedCurl Domain in DNS Lookup (amscloudhost .com) (malware.rules)
2047968 - ET MALWARE Atomic macOS (AMOS) Stealer Payload Delivery Domain in DNS Lookup (trabingviews .com) (malware.rules)
2047969 - ET MALWARE Atomic macOS (AMOS) Stealer Payload Delivery Domain in DNS Lookup (xn–tradgsvews-0ubd3y .com) (malware.rules)
2047970 - ET MALWARE Atomic macOS (AMOS) Stealer Payload Delivery Domain in DNS Lookup (app-downloads .org) (malware.rules)
2047971 - ET MALWARE Observed Atomic macOS (AMOS) Stealer Payload Deliver Domain (trabingviews .com) in TLS SNI (malware.rules)
2047972 - ET MALWARE Observed Atomic macOS (AMOS) Stealer Payload Deliver Domain (xn–tradgsvews-0ubd3y .com) in TLS SNI (malware.rules)
2047973 - ET MALWARE Observed Atomic macOS (AMOS) Stealer Payload Deliver Domain (app-downloads .org) in TLS SNI (malware.rules)
2047984 - ET MALWARE Red Wolf/RedCurl Domain in DNS Lookup (eap .byethost10 .com) (malware.rules)
2047985 - ET MALWARE Red Wolf/RedCurl Domain in DNS Lookup (tdnmouse .atspace .eu) (malware.rules)
2047986 - ET MALWARE Red Wolf/RedCurl Domain in DNS Lookup (buyhighroad .scienceontheweb .net) (malware.rules)
2047987 - ET MALWARE Red Wolf/RedCurl Domain in DNS Lookup (earthmart .c1 .biz) (malware.rules)
2048087 - ET MALWARE Free Download Manager Backdoor Domain in DNS Lookup (fdmpkg .org) (malware.rules)
2048088 - ET MALWARE Redfly APT Shadowpad Backdoor Domain in DNS Lookup (websencl .com) (malware.rules)
2048106 - ET MALWARE Transparent Tribe/CapraRAT CnC Domain in DNS Lookup (malware.rules)
2048107 - ET MALWARE Transparent Tribe/CapraRAT CnC Domain in DNS Lookup (malware.rules)
2048108 - ET MALWARE Transparent Tribe/CapraRAT CnC Domain in DNS Lookup (malware.rules)
2048214 - ET MALWARE Sandman APT LuaDream Backdoor Domain in DNS Lookup (ssl .explorecell .com) (malware.rules)
2048215 - ET MALWARE Sandman APT LuaDream Backdoor Domain in DNS Lookup (mode .encagil .com) (malware.rules)
2048218 - ET MALWARE Stately Taurus APT Toneshell Backdoor Domain in DNS Lookup (www .uvfr43p .com) (malware.rules)
2048219 - ET MALWARE Stately Taurus APT Related Domain in DNS Lookup (Feed-5613 .coderformylife .info) (malware.rules)
2048320 - ET MALWARE Lu0bot CnC Domain in DNS Lookup (hsh .juz09 .cfd) (malware.rules)
2048321 - ET MALWARE Lu0bot CnC Domain in DNS Lookup (apo .eus80 .fun) (malware.rules)
2048322 - ET MALWARE Lu0bot CnC Domain in DNS Lookup (bic .xdk03 .fun) (malware.rules)
2048323 - ET MALWARE Lu0bot CnC Domain in DNS Lookup (mko .tinh73 .shop) (malware.rules)
2048379 - ET MALWARE Akira Stealer CnC Domain in DNS Lookup (akira .red) (malware.rules)
2049041 - ET MALWARE Win32/Unknown CnC Domain in DNS Lookup (hackermania .org) (malware.rules)
2049042 - ET MALWARE Win32/Unknown Domain (hackermania .org) in TLS SNI (malware.rules)
2855336 - ETPRO MALWARE Cryptex Related Domain in DNS Lookup (malware.rules)
2855337 - ETPRO MALWARE Observed Cryptex Related Domain in TLS SNI (malware.rules)

Removed rules:

2047754 - ET MALWARE ZenRAT Ping Command (malware.rules)
2047756 - ET MALWARE ZenRAT Get Status Command (malware.rules)
2047759 - ET MALWARE ZenRAT Request Module Command (malware.rules)
2047760 - ET MALWARE ZenRAT Request Module CnC Response (malware.rules)
2047761 - ET MALWARE ZenRAT Update Command (malware.rules)
2047921 - ET MALWARE [ANY.RUN] Echida Botnet Check-In M1 (malware.rules)
2047922 - ET MALWARE [ANY.RUN] Echida Botnet Check-In M2 (malware.rules)
2048265 - ET MALWARE Possible ToneShell CnC Checkin M3 (malware.rules)
2048324 - ET MALWARE [ANY.RUN] Lu0bot-Style DNS Query in DNS Lookup M1 (malware.rules)
2048325 - ET MALWARE [ANY.RUN] Lu0bot-Style DNS Query in DNS Lookup M2 (malware.rules)
2048326 - ET MALWARE [ANY.RUN] Lu0bot-Style DNS Query in DNS Lookup M3 (malware.rules)
2048327 - ET MALWARE [ANY.RUN] Lu0bot-Style DNS Query in DNS Lookup M4 (malware.rules)
2048328 - ET MALWARE [ANY.RUN] Lu0bot-Style DNS Query in DNS Lookup M5 (malware.rules)
2855338 - ETPRO MALWARE Possible Cryptex OPTIONS Request (malware.rules)
2855339 - ETPRO MALWARE Cryptex 302 Redirect (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/12/03 - v10787 Ruleset Updates	110	December 3, 2024
Ruleset Update Summary - 2024/09/23 - v10701 Ruleset Updates	124	September 23, 2024
Ruleset Update Summary - 2024/09/18 - v10697 Ruleset Updates	248	September 18, 2024
Ruleset Update Summary - 2024/09/17 - v10696 Ruleset Updates	79	September 17, 2024
Ruleset Update Summary - 2023/09/28 - v10428 Ruleset Updates	308	September 28, 2023

Ruleset Update Summary - 2024/10/02 - v10712

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Removed rules:

Related topics