This release contains 21 new rules, nine new shared object rules, 138 modified rules and five modified shared object rules.
Thursday's release includes coverage for several threats recently observed in the wild, including Godlua, Ratsnif and SoftCell.
Talos added and modified multiple rules in the browser-ie, browser-plugins, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, malware-other, os-other, os-windows, policy-other, protocol-dns, protocol-ftp, protocol-imap, protocol-nntp, protocol-rpc, protocol-scada, protocol-services, protocol-snmp, protocol-telnet, server-iis, server-mail, server-mssql, server-mysql, server-oracle, server-other and sql rule sets to provide coverage for emerging threats from these technologies.
Here are several important rules we would like to highlight:
- 50808 - 50811: These rules provide protection against the Godlua malware, which attackers have recently deployed on both Linux and Windows machines. The backdoor hides its command and control traffic by resolving its C2 over DNS over HTTPS (DoH), so the lookups do not appear in conventional port 53 DNS logs. The attackers primarily use Godlua as a distributed denial-of-service bot, and it has already been used to launch an HTTP flood attack against at least one domain. Written by Kristen Houser.
- 50800 - 50802: The OceanLotus APT recently launched a new piece of malware known as "Ratsnif," which comes in four variants. These rules fire when Ratsnif attempts an outbound connection to a command and control (C2) server, or when a user attempts to download the malware. Written by Kristen Houser.