Ruleset Update Summary - 2025/02/12 - v10858

Summary:

19 new OPEN, 21 new PRO (19 + 2)

Thanks @malware_traffic


Added rules:

Open:

  • 2060036 - ET MALWARE Observed DNS Query to UNK_CraftyCamel Domain (indicelectronics .net) (malware.rules)
  • 2060037 - ET MALWARE Observed DNS Query to UNK_CraftyCamel Domain (bokhoreshonline .com) (malware.rules)
  • 2060038 - ET MALWARE Observed UNK_CraftyCamel Domain (indicelectronics .net in TLS SNI) (malware.rules)
  • 2060039 - ET MALWARE Observed UNK_CraftyCamel Domain (bokhoreshonline .com in TLS SNI) (malware.rules)
  • 2060040 - ET INFO DYNAMIC_DNS Query to a *.garymcgill .ca domain (info.rules)
  • 2060041 - ET INFO DYNAMIC_DNS HTTP Request to a *.garymcgill .ca domain (info.rules)
  • 2060042 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .academy .entrepreneurwealthhub .com) (malware.rules)
  • 2060043 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (* .academy .entrepreneurwealthhub .com) (malware.rules)
  • 2060044 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ecofrieendlysolutions .cyou) (malware.rules)
  • 2060045 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ecofrieendlysolutions .cyou in TLS SNI) (malware.rules)
  • 2060046 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (timnelessdesign .cyou) (malware.rules)
  • 2060047 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (timnelessdesign .cyou in TLS SNI) (malware.rules)
  • 2060048 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) (malware.rules)
  • 2060049 - ET INFO Microsoft OAuth 2.0 Device Auth Activity M1 (GET) (info.rules)
  • 2060050 - ET INFO Microsoft OAuth 2.0 Device Auth Activity M2 (GET) (info.rules)
  • 2060051 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (akerusa .com) (exploit_kit.rules)
  • 2060052 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (akerusa .com) (exploit_kit.rules)
  • 2060053 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (activekala .shop) (exploit_kit.rules)
  • 2060054 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (activekala .shop) (exploit_kit.rules)

Pro:

  • 2860236 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2860237 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Disabled and modified rules:

  • 2860007 - ETPRO PHISHING Observed DNS Query to TA453 Domain (phishing.rules)