Ruleset Update Summary - 2024/11/26 - v10753

Summary:

31 new OPEN, 34 new PRO (31 + 3)

Thanks @gmcirt

Please be aware that November 28 and 29 are Proofpoint company holidays. There will not be rule releases on these days. Rule releases will continue the following Monday, December 2.
Added rules:

Open:

  • 2057854 - ET MALWARE RomCom Group Domain in DNS Lookup (devolredir .com) (malware.rules)
  • 2057855 - ET MALWARE RomCom Group Domain in DNS Lookup (redircorrectiv .com) (malware.rules)
  • 2057856 - ET MALWARE RomCom Group Domain in DNS Lookup (economistjournal .cloud) (malware.rules)
  • 2057857 - ET MALWARE RomCom Group Domain in DNS Lookup (journalctd .live) (malware.rules)
  • 2057858 - ET MALWARE RomCom Group Domain in DNS Lookup (redirconnectwise .cloud) (malware.rules)
  • 2057859 - ET MALWARE RomCom Group Domain in DNS Lookup (1drv .us .com) (malware.rules)
  • 2057860 - ET MALWARE RomCom Group Domain in DNS Lookup (cwise .store) (malware.rules)
  • 2057861 - ET MALWARE RomCom Group Domain in DNS Lookup (redjournal .cloud) (malware.rules)
  • 2057862 - ET MALWARE RomCom Group Domain in DNS Lookup (correctiv .sbs) (malware.rules)
  • 2057863 - ET MALWARE Observed RomCom Group Domain (devolredir .com) in TLS SNI (malware.rules)
  • 2057864 - ET MALWARE Observed RomCom Group Domain (redircorrectiv .com) in TLS SNI (malware.rules)
  • 2057865 - ET MALWARE Observed RomCom Group Domain (economistjournal .cloud) in TLS SNI (malware.rules)
  • 2057866 - ET MALWARE Observed RomCom Group Domain (journalctd .live) in TLS SNI (malware.rules)
  • 2057867 - ET MALWARE Observed RomCom Group Domain (redirconnectwise .cloud) in TLS SNI (malware.rules)
  • 2057868 - ET MALWARE Observed RomCom Group Domain (1drv .us .com) in TLS SNI (malware.rules)
  • 2057869 - ET MALWARE Observed RomCom Group Domain (cwise .store) in TLS SNI (malware.rules)
  • 2057870 - ET MALWARE Observed RomCom Group Domain (redjournal .cloud) in TLS SNI (malware.rules)
  • 2057871 - ET MALWARE Observed RomCom Group Domain (correctiv .sbs) in TLS SNI (malware.rules)
  • 2057872 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (blaekindustry .com) (exploit_kit.rules)
  • 2057873 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (blaekindustry .com) (exploit_kit.rules)
  • 2057874 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (nastictac .com) (exploit_kit.rules)
  • 2057875 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (nastictac .com) (exploit_kit.rules)
  • 2057876 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (uniqueplas .sbs) (malware.rules)
  • 2057877 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (uniqueplas .sbs in TLS SNI) (malware.rules)
  • 2057878 - ET MALWARE Observed DNS Query to Lumma Domain (s1gn1fyh0se .cyou) (malware.rules)
  • 2057879 - ET MALWARE Observed Lumma Domain (s1gn1fyh0se .cyou in TLS SNI) (malware.rules)
  • 2057880 - ET WEB_SPECIFIC_APPS SonicWall NetExtender for Windows EPC Client Update RCE Attempt (CVE-2024-29014) (web_specific_apps.rules)
  • 2057881 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (weeatsome .com) (exploit_kit.rules)
  • 2057882 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (weeatsome .com) (exploit_kit.rules)
  • 2057883 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (berandonosas .store) (exploit_kit.rules)
  • 2057884 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (berandonosas .store) (exploit_kit.rules)

Pro:

  • 2859197 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859198 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2859199 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Modified inactive rules:

  • 2034090 - ET POLICY External IP Lookup via ad4989 .co .kr (policy.rules)
  • 2039682 - ET INFO External IP Lookup Domain (peoplesearch .real .com) in DNS Lookup (info.rules)