Ruleset Update Summary - 2025/04/11 - v10903

rulesbot · April 11, 2025, 8:53pm

Summary:

60 new OPEN, 63 new PRO (60 + 3)

Thanks @g0njxa, @sublime_sec, @Lab52io, @sucurisecurity, @GDATA

Added rules:

Open:

2061449 - ET MALWARE StealC v2 CnC Checkin (POST) (malware.rules)
2061450 - ET MALWARE StealC v2 CnC Activity (POST) (malware.rules)
2061451 - ET MALWARE StealC v2 CnC Server Response (malware.rules)
2061452 - ET PHISHING Credit Card Skimming Domain (italicfonts .org) in DNS Lookup (phishing.rules)
2061453 - ET PHISHING Observed Credit Card Skimmer Domain (italicfonts .org) in TLS SNI (phishing.rules)
2061454 - ET MALWARE Vidar Stealer CnC Domain in DNS Lookup (fua .4t .com) (malware.rules)
2061455 - ET MALWARE Observed Vidar Stealer Domain (fua .4t .com) in TLS SNI (malware.rules)
2061456 - ET MALWARE Trox Stealer Related Domain (debt-collection-experts .online) in DNS Lookup (malware.rules)
2061457 - ET MALWARE Trox Stealer Related Domain (debt-collection-experts .com) in DNS Lookup (malware.rules)
2061458 - ET MALWARE Observed Trox Stealer Related Domain (debt-collection-experts .online) in TLS SNI (malware.rules)
2061459 - ET MALWARE Observed Trox Stealer Related Domain (debt-collection-experts .com) in TLS SNI (malware.rules)
2061460 - ET MALWARE Trox Stealer System Profiling Data Exfiltration Attempt (malware.rules)
2061461 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (airforce1 .mmafan .biz) (malware.rules)
2061462 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (bayerischemotorenwerke .nflfan .org) (malware.rules)
2061463 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (michaeljacksontribute .mmafan .biz) (malware.rules)
2061464 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (flightradar .mymediapc .net) (malware.rules)
2061465 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (camsobservations .nhlfan .net) (malware.rules)
2061466 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (marronfiveshows .serveexchange .com) (malware.rules)
2061467 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (mapfre .homesecuritypc .com) (malware.rules)
2061468 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (mercedesbenz .mysecuritycamera .net) (malware.rules)
2061469 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (simpsonsbartmovies .stufftoread .com) (malware.rules)
2061470 - ET MALWARE Grandoreiro Stealer CnC Domain in DNS Lookup (renault .hosthampster .com) (malware.rules)
2061471 - ET MALWARE Observed Grandoreiro Stealer Domain (airforce1 .mmafan .biz) in TLS SNI (malware.rules)
2061472 - ET MALWARE Observed Grandoreiro Stealer Domain (bayerischemotorenwerke .nflfan .org) in TLS SNI (malware.rules)
2061473 - ET MALWARE Observed Grandoreiro Stealer Domain (michaeljacksontribute .mmafan .biz) in TLS SNI (malware.rules)
2061474 - ET MALWARE Observed Grandoreiro Stealer Domain (flightradar .mymediapc .net) in TLS SNI (malware.rules)
2061475 - ET MALWARE Observed Grandoreiro Stealer Domain (camsobservations .nhlfan .net) in TLS SNI (malware.rules)
2061476 - ET MALWARE Observed Grandoreiro Stealer Domain (marronfiveshows .serveexchange .com) in TLS SNI (malware.rules)
2061477 - ET MALWARE Observed Grandoreiro Stealer Domain (mapfre .homesecuritypc .com) in TLS SNI (malware.rules)
2061478 - ET MALWARE Observed Grandoreiro Stealer Domain (mercedesbenz .mysecuritycamera .net) in TLS SNI (malware.rules)
2061479 - ET MALWARE Observed Grandoreiro Stealer Domain (simpsonsbartmovies .stufftoread .com) in TLS SNI (malware.rules)
2061480 - ET MALWARE Observed Grandoreiro Stealer Domain (renault .hosthampster .com) in TLS SNI (malware.rules)
2061481 - ET INFO DYNAMIC_DNS Query to a *.aspdebugger .com domain (info.rules)
2061482 - ET INFO DYNAMIC_DNS HTTP Request to a *.aspdebugger .com domain (info.rules)
2061483 - ET INFO DYNAMIC_DNS Query to a *.wittesolutions .com domain (info.rules)
2061484 - ET INFO DYNAMIC_DNS HTTP Request to a *.wittesolutions .com domain (info.rules)
2061485 - ET INFO DYNAMIC_DNS Query to a *.megaingenieria .com domain (info.rules)
2061486 - ET INFO DYNAMIC_DNS HTTP Request to a *.megaingenieria .com domain (info.rules)
2061487 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (adaptwrx .digital) (malware.rules)
2061488 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (adaptwrx .digital) in TLS SNI (malware.rules)
2061489 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dynamiczl .live) (malware.rules)
2061490 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dynamiczl .live) in TLS SNI (malware.rules)
2061491 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (elvernwood .digital) (malware.rules)
2061492 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (elvernwood .digital) in TLS SNI (malware.rules)
2061493 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (modtunes .live) (malware.rules)
2061494 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (modtunes .live) in TLS SNI (malware.rules)
2061495 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiltvc .digital) (malware.rules)
2061496 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tiltvc .digital) in TLS SNI (malware.rules)
2061497 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (transatcitov .cfd) (malware.rules)
2061498 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (transatcitov .cfd) in TLS SNI (malware.rules)
2061499 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wucijyi .shop) (malware.rules)
2061500 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wucijyi .shop) in TLS SNI (malware.rules)
2061501 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (waxworkx .com) (exploit_kit.rules)
2061502 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (skatkat .com) (exploit_kit.rules)
2061503 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (waxworkx .com) (exploit_kit.rules)
2061504 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (skatkat .com) (exploit_kit.rules)
2061505 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (izone .digital) (exploit_kit.rules)
2061506 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (izone .digital) (exploit_kit.rules)
2061507 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .gemstonebookkeepingservices .com) (malware.rules)
2061508 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .gemstonebookkeepingservices .com) (malware.rules)

Pro:

2861122 - ETPRO PHISHING Job Scam Phishing Landing Page M1 2025-04-09 (phishing.rules)
2861123 - ETPRO PHISHING Job Scam Phishing Landing Page M2 2025-04-09 (phishing.rules)
2861124 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/09/02 - v10679 Ruleset Updates	126	September 2, 2024
Ruleset Update Summary - 2024/09/04 - v10681 Ruleset Updates	86	September 4, 2024
Ruleset Update Summary - 2024/08/22 - v10672 Ruleset Updates	77	August 22, 2024
Ruleset Update Summary - 2025/02/04 - v10852 Ruleset Updates	106	February 4, 2025
Ruleset Update Summary - 2024/09/12 - v10688 Ruleset Updates	44	September 12, 2024

Ruleset Update Summary - 2025/04/11 - v10903

Summary:

Added rules:

Open:

Pro:

Related topics