Ruleset Update Summary - 2025/02/21 - v10864

Summary:

30 new OPEN, 50 new PRO (30 + 20)

Thanks @monitorsg

Added rules:

Open:

• 2060249 - ET INFO Observed DNS Query to trycloudflare .com Domain (info.rules)
• 2060250 - ET INFO Observed trycloudflare .com Domain in TLS SNI (info.rules)
• 2060251 - ET INFO Go-http-client User-Agent Observed Outbound (info.rules)
• 2060252 - ET INFO Go-http-client User-Agent Observed Inbound (info.rules)
• 2060253 - ET MALWARE HTran/SensLiceld.A response to infected host - Outbound Connection Attempt (malware.rules)
• 2060254 - ET HUNTING implant.js CnC Handshake (HS_SYN) (hunting.rules)
• 2060255 - ET MALWARE implant.js Linux Beacon Check-in (malware.rules)
• 2060256 - ET MALWARE implant.js Windows Beacon Check-in (malware.rules)
• 2060257 - ET MALWARE implant.js CnC Handshake (HS_ACK) (malware.rules)
• 2060258 - ET MALWARE implant.js CnC Activity (Client PKT_FETCH for Evil Module) (malware.rules)
• 2060261 - ET MALWARE implant.js CnC Activity (Evil DBG_CMD_* Sent with DebugMode=ON) (malware.rules)
• 2060262 - ET MALWARE implant.js CnC Activity (Evil DBG_CMD_* Sent) (malware.rules)
• 2060263 - ET MALWARE implant.js Activity (DBG_RESP_* with DebugMode=ON) (malware.rules)
• 2060264 - ET MALWARE implant.js CnC Activity (DBG_RESP_* Sent) (malware.rules)
• 2060267 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (estate .envisionfonddulac .org) (malware.rules)
• 2060268 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (estate .envisionfonddulac .org) (malware.rules)
• 2060269 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (MysticjPath .cyou) (malware.rules)
• 2060270 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (MysticjPath .cyou in TLS SNI) (malware.rules)
• 2060271 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deprescatve .shop) (malware.rules)
• 2060272 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (deprescatve .shop in TLS SNI) (malware.rules)
• 2060273 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lovexlearning .tech) (malware.rules)
• 2060274 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lovexlearning .tech in TLS SNI) (malware.rules)
• 2060275 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (fnbsuffield .com) (exploit_kit.rules)
• 2060276 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (fnbsuffield .com) (exploit_kit.rules)
• 2060277 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jkse .shop) (exploit_kit.rules)
• 2060278 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jkse .shop) (exploit_kit.rules)
• 2060279 - ET EXPLOIT_KIT Malicious TDS Domain in DNS Lookup (allcareservicesga .com) (exploit_kit.rules)
• 2060280 - ET EXPLOIT_KIT Malicious TDS Domain in DNS Lookup (foxroofinginc .com) (exploit_kit.rules)
• 2060281 - ET EXPLOIT_KIT Malicious TDS Domain in TLS SNI (allcareservicesga .com) (exploit_kit.rules)
• 2060282 - ET EXPLOIT_KIT Malicious TDS Domain in TLS SNI (foxroofinginc .com) (exploit_kit.rules)

Pro:

• 2860380 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2860381 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
• 2860382 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
• 2860383 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
• 2860384 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2860385 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2860386 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2860387 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
• 2860388 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
• 2860389 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
• 2860390 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
• 2860391 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
• 2860392 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
• 2860393 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
• 2860394 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
• 2860395 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
• 2860396 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
• 2860397 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
• 2860398 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
• 2860399 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Disabled and modified rules:

• 2060243 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (seminary .envisionfonddulac .com) (malware.rules)
• 2060244 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (seminary .envisionfonddulac .com) (malware.rules)