Ruleset Update Summary - 2024/10/09 - v10717

rulesbot · October 9, 2024, 8:38pm

Summary:

79 new OPEN, 81 new PRO (79 + 2)

Thanks @RecordedFuture

Please be aware that Friday, October 11th, is a Proofpoint company holiday. There will not be a rule release that day. Rule releases will continue the following Monday, October 14th.

Added rules:

Open:

2056556 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) (malware.rules)
2056557 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) (malware.rules)
2056558 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) (malware.rules)
2056559 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) (malware.rules)
2056560 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) (malware.rules)
2056561 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) (malware.rules)
2056562 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) (malware.rules)
2056563 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) (malware.rules)
2056564 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) (malware.rules)
2056565 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) (malware.rules)
2056566 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) (malware.rules)
2056567 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) (malware.rules)
2056568 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) (malware.rules)
2056569 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (allocatinow .sbs in TLS SNI) (malware.rules)
2056570 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) (malware.rules)
2056571 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) (malware.rules)
2056572 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (widdensmoywi .sbs) (malware.rules)
2056573 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (widdensmoywi .sbs in TLS SNI) (malware.rules)
2056574 - ET MALWARE Win32/FleshStealer CnC Domain in DNS Lookup (utka .xyz) (malware.rules)
2056575 - ET MALWARE Observed Win32/FleshStealer Domain (utka .xyz) in TLS SNI (malware.rules)
2056576 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (unsbrtng .cfd) (exploit_kit.rules)
2056577 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (unsbrtng .cfd) (exploit_kit.rules)
2056578 - ET WEB_SPECIFIC_APPS Ivanti Connect Secure CRLF Injection Remote Code Execution Attempt (CVE-2024-37404) (web_specific_apps.rules)
2056579 - ET WEB_SPECIFIC_APPS Ivanti Connect Secure Shared Object File Upload Attempt (web_specific_apps.rules)
2056580 - ET MALWARE CleanUp Loader HTTP Request (GET) (malware.rules)
2056581 - ET MALWARE DNS Query to CleanUp Loader Domain (ns-client .net) (malware.rules)
2056582 - ET MALWARE DNS Query to CleanUp Loader Domain (pixalate .us) (malware.rules)
2056583 - ET MALWARE DNS Query to CleanUp Loader Domain (gang-force .com) (malware.rules)
2056584 - ET MALWARE DNS Query to CleanUp Loader Domain (microsoftt-teams-download .com) (malware.rules)
2056585 - ET MALWARE DNS Query to CleanUp Loader Domain (nnlcrosaftteams-download .pro) (malware.rules)
2056586 - ET MALWARE DNS Query to CleanUp Loader Domain (webex-up .com) (malware.rules)
2056587 - ET MALWARE DNS Query to CleanUp Loader Domain (zoom-video .org) (malware.rules)
2056588 - ET MALWARE DNS Query to CleanUp Loader Domain (autosdesk .net) (malware.rules)
2056589 - ET MALWARE DNS Query to CleanUp Loader Domain (basiconlineincome .com) (malware.rules)
2056590 - ET MALWARE DNS Query to CleanUp Loader Domain (crystalmaker .pro) (malware.rules)
2056591 - ET MALWARE DNS Query to CleanUp Loader Domain (crystal-maker .com) (malware.rules)
2056592 - ET MALWARE DNS Query to CleanUp Loader Domain (firscountryours .eu) (malware.rules)
2056593 - ET MALWARE DNS Query to CleanUp Loader Domain (backuppingplanseasy .com) (malware.rules)
2056594 - ET MALWARE DNS Query to CleanUp Loader Domain (prodfindfeatures .com) (malware.rules)
2056595 - ET MALWARE DNS Query to CleanUp Loader Domain (microssoft-teams .com) (malware.rules)
2056596 - ET MALWARE DNS Query to CleanUp Loader Domain (buydotclearlynet .com) (malware.rules)
2056597 - ET MALWARE DNS Query to CleanUp Loader Domain (metalforthecoredream .com) (malware.rules)
2056598 - ET MALWARE DNS Query to CleanUp Loader Domain (itisthebestforyou .eu) (malware.rules)
2056599 - ET MALWARE DNS Query to CleanUp Loader Domain (whereverhomebe .com) (malware.rules)
2056600 - ET MALWARE DNS Query to CleanUp Loader Domain (micrsoft-teams-download .com) (malware.rules)
2056601 - ET MALWARE DNS Query to CleanUp Loader Domain (time-check-broker .com) (malware.rules)
2056602 - ET MALWARE DNS Query to CleanUp Loader Domain (microsoftt-teams .com) (malware.rules)
2056603 - ET MALWARE DNS Query to CleanUp Loader Domain (docsfromthewest .com) (malware.rules)
2056604 - ET MALWARE DNS Query to CleanUp Loader Domain (auttodessk .com) (malware.rules)
2056605 - ET MALWARE DNS Query to CleanUp Loader Domain (lakeshorehomebuilders .com) (malware.rules)
2056606 - ET MALWARE DNS Query to CleanUp Loader Domain (heartwithinadream .com) (malware.rules)
2056607 - ET MALWARE DNS Query to CleanUp Loader Domain (aut0deskk .com) (malware.rules)
2056608 - ET MALWARE Observed CleanUp Loader Domain (ns-client .net in TLS SNI) (malware.rules)
2056609 - ET MALWARE Observed CleanUp Loader Domain (pixalate .us in TLS SNI) (malware.rules)
2056610 - ET MALWARE Observed CleanUp Loader Domain (gang-force .com in TLS SNI) (malware.rules)
2056611 - ET MALWARE Observed CleanUp Loader Domain (microsoftt-teams-download .com in TLS SNI) (malware.rules)
2056612 - ET MALWARE Observed CleanUp Loader Domain (nnlcrosaftteams-download .pro in TLS SNI) (malware.rules)
2056613 - ET MALWARE Observed CleanUp Loader Domain (webex-up .com in TLS SNI) (malware.rules)
2056614 - ET MALWARE Observed CleanUp Loader Domain (zoom-video .org in TLS SNI) (malware.rules)
2056615 - ET MALWARE Observed CleanUp Loader Domain (autosdesk .net in TLS SNI) (malware.rules)
2056616 - ET MALWARE Observed CleanUp Loader Domain (basiconlineincome .com in TLS SNI) (malware.rules)
2056617 - ET MALWARE Observed CleanUp Loader Domain (crystalmaker .pro in TLS SNI) (malware.rules)
2056618 - ET MALWARE Observed CleanUp Loader Domain (crystal-maker .com in TLS SNI) (malware.rules)
2056619 - ET MALWARE Observed CleanUp Loader Domain (firscountryours .eu in TLS SNI) (malware.rules)
2056620 - ET MALWARE Observed CleanUp Loader Domain (backuppingplanseasy .com in TLS SNI) (malware.rules)
2056621 - ET MALWARE Observed CleanUp Loader Domain (prodfindfeatures .com in TLS SNI) (malware.rules)
2056622 - ET MALWARE Observed CleanUp Loader Domain (microssoft-teams .com in TLS SNI) (malware.rules)
2056623 - ET MALWARE Observed CleanUp Loader Domain (buydotclearlynet .com in TLS SNI) (malware.rules)
2056624 - ET MALWARE Observed CleanUp Loader Domain (metalforthecoredream .com in TLS SNI) (malware.rules)
2056625 - ET MALWARE Observed CleanUp Loader Domain (itisthebestforyou .eu in TLS SNI) (malware.rules)
2056626 - ET MALWARE Observed CleanUp Loader Domain (whereverhomebe .com in TLS SNI) (malware.rules)
2056627 - ET MALWARE Observed CleanUp Loader Domain (micrsoft-teams-download .com in TLS SNI) (malware.rules)
2056628 - ET MALWARE Observed CleanUp Loader Domain (time-check-broker .com in TLS SNI) (malware.rules)
2056629 - ET MALWARE Observed CleanUp Loader Domain (microsoftt-teams .com in TLS SNI) (malware.rules)
2056630 - ET MALWARE Observed CleanUp Loader Domain (docsfromthewest .com in TLS SNI) (malware.rules)
2056631 - ET MALWARE Observed CleanUp Loader Domain (auttodessk .com in TLS SNI) (malware.rules)
2056632 - ET MALWARE Observed CleanUp Loader Domain (lakeshorehomebuilders .com in TLS SNI) (malware.rules)
2056633 - ET MALWARE Observed CleanUp Loader Domain (heartwithinadream .com in TLS SNI) (malware.rules)
2056634 - ET MALWARE Observed CleanUp Loader Domain (aut0deskk .com in TLS SNI) (malware.rules)

Pro:

2858665 - ETPRO INFO Observed Suspicious Transfer .sh Server Header (info.rules)
2858666 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup (malware.rules)

Enabled and modified rules:

2054718 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (packedbrick .com) (exploit_kit.rules)
2054719 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (packedbrick .com) (exploit_kit.rules)
2054862 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (blacksaltys .com) (exploit_kit.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/10/08 - v10716 Ruleset Updates	75	October 8, 2024
Ruleset Update Summary - 2024/10/07 - v10715 Ruleset Updates	113	October 7, 2024
Ruleset Update Summary - 2024/07/31 - v10657 Ruleset Updates	114	July 31, 2024
Ruleset Update Summary - 2024/07/30 - v10656 Ruleset Updates	108	July 30, 2024
Ruleset Update Summary - 2024/02/28 - v10542 Ruleset Updates	236	February 28, 2024