Ruleset Update Summary - 2025/01/27 - v10846

Summary:

84 new OPEN, 114 new PRO (84 + 30)

Thanks @TalosSecurity

Added rules:

Open:

  • 2059636 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (babberstalek .org) (malware.rules)
  • 2059637 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (babberstalek .org in TLS SNI) (malware.rules)
  • 2059638 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (carrystuppeder .net) (malware.rules)
  • 2059639 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (carrystuppeder .net in TLS SNI) (malware.rules)
  • 2059640 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (classyhelped .net) (malware.rules)
  • 2059641 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (classyhelped .net in TLS SNI) (malware.rules)
  • 2059642 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (climepunneddus .com) (malware.rules)
  • 2059643 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (climepunneddus .com in TLS SNI) (malware.rules)
  • 2059644 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (flockefaccek .org) (malware.rules)
  • 2059645 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (flockefaccek .org in TLS SNI) (malware.rules)
  • 2059646 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (guardeduppe .com) (malware.rules)
  • 2059647 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (guardeduppe .com in TLS SNI) (malware.rules)
  • 2059648 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (oppressbreatv .cyou) (malware.rules)
  • 2059649 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oppressbreatv .cyou in TLS SNI) (malware.rules)
  • 2059650 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildhurrte .com) (malware.rules)
  • 2059651 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebuildhurrte .com in TLS SNI) (malware.rules)
  • 2059652 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (athleisurestyletop .top) (malware.rules)
  • 2059653 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (athleisurestyletop .top in TLS SNI) (malware.rules)
  • 2059654 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (creativeoutlookstop .top) (malware.rules)
  • 2059655 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (creativeoutlookstop .top in TLS SNI) (malware.rules)
  • 2059656 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (innerkomen .com) (malware.rules)
  • 2059657 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (innerkomen .com in TLS SNI) (malware.rules)
  • 2059658 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (palehandycook .top) (malware.rules)
  • 2059659 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (palehandycook .top in TLS SNI) (malware.rules)
  • 2059660 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (politercuteop .top) (malware.rules)
  • 2059661 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (politercuteop .top in TLS SNI) (malware.rules)
  • 2059662 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (squezzepreca .top) (malware.rules)
  • 2059663 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (squezzepreca .top in TLS SNI) (malware.rules)
  • 2059664 - ET MALWARE Nosviak C2 Variant Host Status Page Response (sha1:7894a2cf11597ca5b3dcd8516294d2b06528d3fa) (malware.rules)
  • 2059665 - ET MALWARE Nosviak C2 Variant Host Status Page Response (sha1:8b1ebc6832852a06ab02097af10c4984b557a957) (malware.rules)
  • 2059666 - ET MALWARE Nosviak C2 Variant Host Status Page Response (sha1:3e2561532be10aa91242c3867f3257f6a005b1b8) (malware.rules)
  • 2059667 - ET MALWARE Nosviak C2 Variant Advertised Services in HTML Elements (malware.rules)
  • 2059668 - ET MALWARE SSN C2 Build Status Page Response (sha1:e9371aca7b792814d55df07b56a9aafd25ee3b89) (malware.rules)
  • 2059669 - ET MALWARE Moonly C2 API Management Page Response (sha1:c1a12dd0ac8283f60349f8800e5ac889d495b4cf) (malware.rules)
  • 2059670 - ET MALWARE Erf C2 Admin Panel Page Response (sha1:63060ac2fb64f9045b054bbdd8d73d4f6905b4f3) (malware.rules)
  • 2059671 - ET MALWARE Erf C2 API Management Page Response (sha1:911936199d078877a5ccd93537471044251806ca) (malware.rules)
  • 2059672 - ET MALWARE Observed Malicious SSL Cert (Nosviak4 C2) (malware.rules)
  • 2059673 - ET MALWARE Cindy C2 SSH Server Banner (malware.rules)
  • 2059674 - ET MALWARE Moonly C2 SSH Server Banner (malware.rules)
  • 2059675 - ET MALWARE Nosviak C2 SSH Server Banner (malware.rules)
  • 2059676 - ET MALWARE RCNC C2 SSH Server Banner (malware.rules)
  • 2059677 - ET MALWARE Sentinel C2 SSH Server Banner (malware.rules)
  • 2059678 - ET HUNTING Microsoft Windows rapi.dll DLL Planting Remote Code Execution (CVE-2015-2369) (hunting.rules)
  • 2059679 - ET HUNTING Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution 0-click RTF (CVE-2022-30190) (hunting.rules)
  • 2059680 - ET HUNTING Microsoft Office Memory Corruption (CVE-2015-1641) (hunting.rules)
  • 2059681 - ET WEB_SPECIFIC_APPS Microsoft Configuration Manager Unauthenticated SQL Injection (CVE-2024-43468) (web_specific_apps.rules)
  • 2059682 - ET WEB_SPECIFIC_APPS TP-Link TL-WR940N Hardware v3/v4 Authenticated Remote Code Execution (CVE-2024-54887) (web_specific_apps.rules)
  • 2059683 - ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera TestEmail Authenticated Command Injection Attempt (CVE-2019-11001) (web_specific_apps.rules)
  • 2059684 - ET WEB_SPECIFIC_APPS Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition during JSP Compilation (CVE-2024-50379) (web_specific_apps.rules)
  • 2059685 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (armysmootevop .top) (malware.rules)
  • 2059686 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (armysmootevop .top in TLS SNI) (malware.rules)
  • 2059687 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (beachviopeo .top) (malware.rules)
  • 2059688 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (beachviopeo .top in TLS SNI) (malware.rules)
  • 2059689 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clockersspic .click) (malware.rules)
  • 2059690 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (clockersspic .click in TLS SNI) (malware.rules)
  • 2059691 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (financialfreez .click) (malware.rules)
  • 2059692 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (financialfreez .click in TLS SNI) (malware.rules)
  • 2059693 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fishubuckerz .cyou) (malware.rules)
  • 2059694 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fishubuckerz .cyou in TLS SNI) (malware.rules)
  • 2059695 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (foodloverstop .top) (malware.rules)
  • 2059696 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (foodloverstop .top in TLS SNI) (malware.rules)
  • 2059697 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (languageslearning .click) (malware.rules)
  • 2059698 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (languageslearning .click in TLS SNI) (malware.rules)
  • 2059699 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leerborisup .shop) (malware.rules)
  • 2059700 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (leerborisup .shop in TLS SNI) (malware.rules)
  • 2059701 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (petsandanimals .click) (malware.rules)
  • 2059702 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (petsandanimals .click in TLS SNI) (malware.rules)
  • 2059703 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sheayingero .shop) (malware.rules)
  • 2059704 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sheayingero .shop in TLS SNI) (malware.rules)
  • 2059705 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (theadventureclubstop .top) (malware.rules)
  • 2059706 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (theadventureclubstop .top in TLS SNI) (malware.rules)
  • 2059707 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thefashionist .top) (malware.rules)
  • 2059708 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thefashionist .top in TLS SNI) (malware.rules)
  • 2059709 - ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera SetDdns Authenticated Command Injection Attempt (CVE-2021-40407, CVE-2021-40408, CVE-2021-40409) (web_specific_apps.rules)
  • 2059710 - ET WEB_SPECIFIC_APPS Next.js Forced Caching via x-now-route-matches HTTP Header (CVE-2024-46982) (web_specific_apps.rules)
  • 2059711 - ET WEB_SPECIFIC_APPS Next.js Cached Server Response (CVE-2024-46982) (web_specific_apps.rules)
  • 2059712 - ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera SetLocalLink Authenticated Command Injection Attempt (CVE-2021-40410, CVE-2021-40411) (web_specific_apps.rules)
  • 2059713 - ET MALWARE SocGholish CnC Domain in DNS Lookup (gemini .1stpagegold .com) (malware.rules)
  • 2059714 - ET MALWARE SocGholish CnC Domain in TLS SNI (gemini .1stpagegold .com) (malware.rules)
  • 2059715 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (pictureiol .top) (exploit_kit.rules)
  • 2059716 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (pictureiol .top) (exploit_kit.rules)
  • 2059717 - ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera SetDevName Authenticated Command Injection Attempt (CVE-2021-40412) (web_specific_apps.rules)
  • 2059718 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (opticna .com) (exploit_kit.rules)
  • 2059719 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (opticna .com) (exploit_kit.rules)

Pro:

  • 2859791 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859792 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859793 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859794 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859795 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859796 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859797 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859798 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859799 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2859800 - ETPRO MALWARE Observed DNS Query to TA456 Domain (malware.rules)
  • 2859801 - ETPRO MALWARE Observed TA456 Domain in TLS SNI (malware.rules)
  • 2859802 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859803 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859804 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859805 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859806 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859807 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859808 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859809 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859810 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2859811 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2859812 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859813 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859814 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859815 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859816 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859817 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859818 - ETPRO MALWARE Observed HTTP Request to TA456 Watering Hole Infrastructure (malware.rules)
  • 2859819 - ETPRO ATTACK_RESPONSE TA456 Watering Hole Infrastructure Observed M1 (attack_response.rules)
  • 2859820 - ETPRO ATTACK_RESPONSE TA456 Watering Hole Infrastructure Observed M2 (attack_response.rules)

Disabled and modified rules:

  • 2057872 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (blaekindustry .com) (exploit_kit.rules)
  • 2057873 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (blaekindustry .com) (exploit_kit.rules)
  • 2057874 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (nastictac .com) (exploit_kit.rules)
  • 2057875 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (nastictac .com) (exploit_kit.rules)
  • 2057881 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (weeatsome .com) (exploit_kit.rules)
  • 2057882 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (weeatsome .com) (exploit_kit.rules)
  • 2057883 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (berandonosas .store) (exploit_kit.rules)
  • 2057884 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (berandonosas .store) (exploit_kit.rules)
  • 2057885 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (erickakingpr .com) (exploit_kit.rules)
  • 2057886 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (studioclic53 .com) (exploit_kit.rules)
  • 2057887 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (erickakingpr .com) (exploit_kit.rules)
  • 2057888 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (studioclic53 .com) (exploit_kit.rules)
  • 2057895 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (premiosdosul .com) (exploit_kit.rules)
  • 2057896 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (premiosdosul .com) (exploit_kit.rules)
  • 2057897 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .studio .lacrenshawcrossing .com) (malware.rules)
  • 2059185 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .order .buyanemostatonline .com) (malware.rules)
  • 2059186 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (* .order .buyanemostatonline .com) (malware.rules)
  • 2059553 - ET INFO Observed Smart Chain Domain in TLS SNI (opbnb-mainnet .nodereal .io) (info.rules)
  • 2859581 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859582 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859583 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859584 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)