Ruleset Update Summary - 2025/02/19 - v10862

Summary:

20 new OPEN, 28 new PRO (20 + 8)

Added rules:

Open:

  • 2060208 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (certificate .hypnotherapy-training .co .nz) (malware.rules)
  • 2060209 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (certificate .hypnotherapy-training .co .nz) (malware.rules)
  • 2060210 - ET PHISHING NOTG Phish Landing Page 2025-02-19 (phishing.rules)
  • 2060211 - ET PHISHING NOTG Phish Kit Visitor Fingerprinting (phishing.rules)
  • 2060212 - ET INFO External IP Lookup via FreeIpAPI (info.rules)
  • 2060213 - ET INFO External IP Lookup via GeoLocation-db (info.rules)
  • 2060214 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brjightfuture .tech) (malware.rules)
  • 2060215 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brjightfuture .tech in TLS SNI) (malware.rules)
  • 2060216 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fpreshstart .tech) (malware.rules)
  • 2060217 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fpreshstart .tech in TLS SNI) (malware.rules)
  • 2060218 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (innovativezapproach .tech) (malware.rules)
  • 2060219 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (innovativezapproach .tech in TLS SNI) (malware.rules)
  • 2060220 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (simpxlehome .tech) (malware.rules)
  • 2060221 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (simpxlehome .tech in TLS SNI) (malware.rules)
  • 2060222 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (urbjanjungle .tech) (malware.rules)
  • 2060223 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (urbjanjungle .tech in TLS SNI) (malware.rules)
  • 2060224 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (onlinelas .com) (exploit_kit.rules)
  • 2060225 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (onlinelas .com) (exploit_kit.rules)
  • 2060226 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (club2 .site) (exploit_kit.rules)
  • 2060227 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (club2 .site) (exploit_kit.rules)

Pro:

  • 2860360 - ETPRO PHISHING Observed HTTP Response Header Used in Phish Web Pages (phishing.rules)
  • 2860361 - ETPRO EXPLOIT Attempted Unauthenticated Palo Alto Global Protect Administrator Password Change M1 (exploit.rules)
  • 2860362 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2860363 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2860364 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2860365 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2860366 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2860367 - ETPRO EXPLOIT Attempted Unauthenticated Palo Alto Global Protect Administrator Password Change M2 (exploit.rules)

Disabled and modified rules:

  • 2060110 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (agretex .com) (exploit_kit.rules)
  • 2060138 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (https://t .me/gwwrggwarhrha) (malware.rules)
  • 2060139 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (https://t .me/gwwrggwarhrha in TLS SNI) (malware.rules)
  • 2060199 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (ap-1739871718-ioj2rc-omeiiwaw3fgs3uq4wuooeceed5a96euw1b-s3alias .s3 .eu-west-1 .amazonaws .com) (exploit_kit.rules)
  • 2060201 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (ap-1739871718-ioj2rc-omeiiwaw3fgs3uq4wuooeceed5a96euw1b-s3alias .s3 .eu-west-1 .amazonaws .com) (exploit_kit.rules)

Removed rules:

  • 2060171 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .hypnotherapy-training .co .nz) (malware.rules)
  • 2060172 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (* .hypnotherapy-training .co .nz) (malware.rules)