Ruleset Update Summary - 2024/12/27 - v10818

Summary:

30 new OPEN, 34 new PRO (30 + 4)


Added rules:

Open:

  • 2058566 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (discoves .com) (exploit_kit.rules)
  • 2058567 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (discoves .com) (exploit_kit.rules)
  • 2058568 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (amcikressimleri .xyz) (exploit_kit.rules)
  • 2058569 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (amcikressimleri .xyz) (exploit_kit.rules)
  • 2058570 - ET INFO DYNAMIC_DNS Query to a *.port82 .net domain (info.rules)
  • 2058571 - ET INFO DYNAMIC_DNS HTTP Request to a *.port82 .net domain (info.rules)
  • 2058572 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz) (malware.rules)
  • 2058573 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (appliacnesot .buzz in TLS SNI) (malware.rules)
  • 2058574 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brokenmatte .click) (malware.rules)
  • 2058575 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brokenmatte .click in TLS SNI) (malware.rules)
  • 2058576 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz) (malware.rules)
  • 2058577 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cashfuzysao .buzz in TLS SNI) (malware.rules)
  • 2058578 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz) (malware.rules)
  • 2058579 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hummskitnj .buzz in TLS SNI) (malware.rules)
  • 2058580 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz) (malware.rules)
  • 2058581 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (inherineau .buzz in TLS SNI) (malware.rules)
  • 2058582 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mindhandru .buzz) (malware.rules)
  • 2058583 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mindhandru .buzz in TLS SNI) (malware.rules)
  • 2058584 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz) (malware.rules)
  • 2058585 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (prisonyfork .buzz in TLS SNI) (malware.rules)
  • 2058586 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz) (malware.rules)
  • 2058587 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebuildeso .buzz in TLS SNI) (malware.rules)
  • 2058588 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz) (malware.rules)
  • 2058589 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (scentniej .buzz in TLS SNI) (malware.rules)
  • 2058590 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz) (malware.rules)
  • 2058591 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (screwamusresz .buzz in TLS SNI) (malware.rules)
  • 2058592 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slimmybearz .click) (malware.rules)
  • 2058593 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (slimmybearz .click in TLS SNI) (malware.rules)
  • 2058594 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tackybrushz .click) (malware.rules)
  • 2058595 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tackybrushz .click in TLS SNI) (malware.rules)

Pro:

  • 2859454 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859455 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859456 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859457 - ETPRO MALWARE Trojan-Banker.AndroidOS.BRats.d CnC Domain in DNS Lookup (malware.rules)

Modified inactive rules:

  • 2027729 - ET MALWARE Windigo SSH Connection Received (Ebury < 1.7.0) (malware.rules)
  • 2027730 - ET MALWARE Windigo SSH Connection Received (Ebury > 1.7.0) (malware.rules)
  • 2836269 - ETPRO MALWARE QuasarRAT C2 KeepAlive (malware.rules)