Ruleset Update Summary - 2025/01/14 - v10837

rulesbot · January 14, 2025, 10:08pm

Summary:

41 new OPEN, 54 new PRO (41 + 13)

Added rules:

Open:

2059213 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (internetkredite .top) (exploit_kit.rules)
2059214 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (internetkredite .top) (exploit_kit.rules)
2059215 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (maxcgi .com) (exploit_kit.rules)
2059216 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (maxcgi .com) (exploit_kit.rules)
2059217 - ET INFO DYNAMIC_DNS Query to a *.ultimamilla .cl domain (info.rules)
2059218 - ET INFO DYNAMIC_DNS HTTP Request to a *.ultimamilla .cl domain (info.rules)
2059219 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crookedfoshe .bond) (malware.rules)
2059220 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (crookedfoshe .bond in TLS SNI) (malware.rules)
2059221 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curtainykeo .lat) (malware.rules)
2059222 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (curtainykeo .lat in TLS SNI) (malware.rules)
2059223 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (growthselec .bond) (malware.rules)
2059224 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (growthselec .bond in TLS SNI) (malware.rules)
2059225 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immolatechallen .bond) (malware.rules)
2059226 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (immolatechallen .bond in TLS SNI) (malware.rules)
2059227 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jarry-deatile .bond) (malware.rules)
2059228 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-deatile .bond in TLS SNI) (malware.rules)
2059229 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jarry-fixxer .bond) (malware.rules)
2059230 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jarry-fixxer .bond in TLS SNI) (malware.rules)
2059231 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nippypreciosu .cyou) (malware.rules)
2059232 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (nippypreciosu .cyou in TLS SNI) (malware.rules)
2059233 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pain-temper .bond) (malware.rules)
2059234 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pain-temper .bond in TLS SNI) (malware.rules)
2059235 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (solveajbject .cyou) (malware.rules)
2059236 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (solveajbject .cyou in TLS SNI) (malware.rules)
2059237 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stripedre-lot .bond) (malware.rules)
2059238 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stripedre-lot .bond in TLS SNI) (malware.rules)
2059239 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strivehelpeu .bond) (malware.rules)
2059240 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (strivehelpeu .bond in TLS SNI) (malware.rules)
2059241 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aleksandr-block .com) (malware.rules)
2059242 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (aleksandr-block .com in TLS SNI) (malware.rules)
2059243 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (misha-lomonosov .com) (malware.rules)
2059244 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (misha-lomonosov .com in TLS SNI) (malware.rules)
2059245 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sputnik-1985 .com) (malware.rules)
2059246 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sputnik-1985 .com in TLS SNI) (malware.rules)
2059247 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lev-tolstoi .com) (malware.rules)
2059248 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lev-tolstoi .com in TLS SNI) (malware.rules)
2059249 - ET INFO Hide Referer Service (nullrefer .net) (info.rules)
2059250 - ET INFO URL Shortener Domain in DNS Lookup (sqzly .co) (info.rules)
2059251 - ET INFO Observed URL Shortener Domain (sqzly .co in TLS SNI) (info.rules)
2059252 - ET INFO High Number of Kerberos TGS Requests - Possible Kerberoasting (UDP) (info.rules)
2059253 - ET INFO High Number of Kerberos TGS Requests - Possible Kerberoasting (TCP) (info.rules)

Pro:

2859587 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859588 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2859589 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2859590 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2859591 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2859592 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2859593 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2859594 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2859595 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2859596 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2859597 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2859598 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2859599 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Disabled and modified rules:

2055840 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (auth-owlting .com) (exploit_kit.rules)
2055841 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (www-wpx .net) (exploit_kit.rules)
2055842 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (auth-owlting .com) (exploit_kit.rules)
2055843 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (www-wpx .net) (exploit_kit.rules)
2057406 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (omenkid .top) (exploit_kit.rules)
2057407 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (omenkid .top) (exploit_kit.rules)
2057408 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (fencingfriends .com) (exploit_kit.rules)
2057409 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (fencingfriends .com) (exploit_kit.rules)
2057438 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (xcdd1003 .com) (exploit_kit.rules)
2057439 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (xcdd1003 .com) (exploit_kit.rules)
2057449 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (yimuzds .com) (exploit_kit.rules)
2057451 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (yimuzds .com) (exploit_kit.rules)
2057631 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (rshank .com) (exploit_kit.rules)
2057632 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (rshank .com) (exploit_kit.rules)
2057633 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (crickout .com) (exploit_kit.rules)
2057634 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (crickout .com) (exploit_kit.rules)
2059179 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (apex-shop .online) (exploit_kit.rules)
2059181 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (apex-shop .online) (exploit_kit.rules)
2859472 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859473 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859474 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/07/19 - v10649 Ruleset Updates	156	July 19, 2024
Ruleset Update Summary - 2024/12/10 - v10795 Ruleset Updates	103	December 10, 2024
Ruleset Update Summary - 2024/12/27 - v10818 Ruleset Updates	88	December 27, 2024
Ruleset Update Summary - 2025/01/06 - v10830 Ruleset Updates	98	January 6, 2025
Ruleset Update Summary - 2025/01/09 - v10834 Ruleset Updates	103	January 9, 2025

Ruleset Update Summary - 2025/01/14 - v10837

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related topics