2016-03-15 07:59:44 +00:00
{
"values" : [
{
"value" : "PlugX" ,
"description" : "Malware"
} ,
{
"value" : "MSUpdater"
} ,
{
2016-03-20 08:17:41 +00:00
"value" : "Poison Ivy" ,
"description" : "Poison Ivy is a RAT which was freely available and first released in 2005." ,
"refs" : [ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf" ]
2016-03-15 07:59:44 +00:00
} ,
2016-04-22 20:28:38 +00:00
{
"value" : "SPIVY" ,
"description" : "In March 2016, Unit 42 observed this new Poison Ivy variant we’ ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545." ,
"refs" : [ "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" ]
} ,
2016-03-15 07:59:44 +00:00
{
"value" : "Torn RAT"
} ,
2016-03-17 06:34:47 +00:00
{
"value" : "ZeGhost"
} ,
2016-04-02 07:39:05 +00:00
{
"value" : "Backdoor.Dripion" ,
"description" : "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites." ,
"refs" : [ "http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan" ] ,
"synonyms" : [ "Dripion" ]
} ,
2016-03-17 06:34:47 +00:00
{
"value" : "Elise Backdoor" ,
"synonyms" : [ "Elise" ]
} ,
2016-04-22 19:44:15 +00:00
{
"value" : "Trojan.Laziok" ,
"synonyms" : [ "Laziok" ] ,
"refs" : [ "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector" ] ,
"description" : "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer."
} ,
2016-04-21 07:47:15 +00:00
{
"value" : "Slempo" ,
"description" : "Android-based malware" ,
"synonyms" : [ "GM-Bot" , "Acecard" ]
} ,
2016-04-21 07:51:50 +00:00
{
"value" : "PWOBot" ,
"description" : "We have discovered a malware family named ‘ PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service." ,
"refs" : [ "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/" ]
} ,
2016-03-17 06:34:47 +00:00
{
"value" : "Lstudio"
} ,
2016-03-15 07:59:44 +00:00
{
"value" : "Joy RAT"
} ,
2016-05-07 05:20:55 +00:00
{
"value" : "Lost Door RAT" ,
"synonyms" : [ "LostDoor RAT" ] ,
"descriptions" : "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers." ,
"refs" : [ "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/" ]
} ,
2016-03-23 12:33:03 +00:00
{
"value" : "njRAT" ,
"synonyms" : [ "Bladakindi" ] ,
"refs" : [ "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf" ]
} ,
2016-05-07 05:26:21 +00:00
{
"value" : "NanoCoreRAT" ,
"synonyms" : [ "NanoCore" ] ,
"refs" : [ "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter" ]
} ,
2016-03-15 07:59:44 +00:00
{
"value" : "Sakula" ,
"synonyms" : [ "Sakurel" ]
} ,
{
"value" : "Derusbi"
} ,
{
"value" : "EvilGrab"
} ,
{
"value" : "IEChecker"
} ,
{
"value" : "Trojan.Naid"
} ,
{
"value" : "Backdoor.Moudoor"
2016-03-17 06:34:47 +00:00
} ,
{
"value" : "NetTraveler"
} ,
{
"value" : "Winnti"
} ,
{
"value" : "Mimikatz"
} ,
{
"value" : "WEBC2"
} ,
{
"value" : "Pirpi"
} ,
{
"value" : "RARSTONE"
} ,
{
"value" : "BACKSPACe"
} ,
{
"value" : "XSControl"
} ,
{
"value" : "NETEAGLE"
} ,
{
2016-03-19 22:08:01 +00:00
"value" : "Agent.BTZ" ,
"synonyms" : [ "ComRat" ]
} ,
{
"value" : "Heseber BOT" ,
"description" : "RAT bundle with standard VNC (to avoid/limit A/V detection)."
2016-03-17 06:34:47 +00:00
} ,
{
"value" : "Agent.dne"
} ,
{
"value" : "Wipbot"
} ,
{
"value" : "Turla"
} ,
{
"value" : "Uroburos"
} ,
{
"value" : "Winexe"
} ,
2016-03-19 22:08:01 +00:00
{
"value" : "Dark Comet" ,
"description" : "RAT initialy identified in 2011 and still actively used."
} ,
{
"value" : "AlienSpy" ,
"description" : "RAT for Apple OS X platforms"
} ,
2016-03-24 06:42:27 +00:00
{
"value" : "Cadelspy" ,
"synonyms" : [ "WinSpy" ]
} ,
{
"value" : "CMStar" ,
"refs" : [ "http://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" ]
} ,
{
"value" : "DHS2015" ,
"synonyms" : [ "iRAT" ] ,
"refs" : [ "https://securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf" ]
} ,
2016-03-20 08:17:41 +00:00
{
"value" : "Gh0st Rat" ,
"description" : "Gh0st Rat is a well-known Chinese remote access trojan which was originally made by C.Rufus Security Team several years ago." ,
"synonyms" : [ "Gh0stRat, GhostRat" ] ,
"refs" : [ "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf" ]
} ,
{
"value" : "Fakem RAT" ,
"description" : "Fakem RAT makes their network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages). " ,
"synonyms" : [ "FAKEM" ] ,
"refs" : [ "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf" ]
} ,
{
"value" : "MFC Huner" ,
"synonyms" : [ "Hupigon" , "BKDR_HUPIGON" ] ,
"refs" : [ "http://blog.trendmicro.com/trendlabs-security-intelligence/japan-us-defense-industries-among-targeted-entities-in-latest-attack/" ]
} ,
{
"value" : "Blackshades" ,
"description" : "Blackshades Remote Access Tool targets Microsoft Windows operating systems. Authors were arrested in 2012 and 2014." ,
"refs" : [ "https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-and-fbi-assistant-director-charge-announce-charges-connection" , "https://blog.malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-2-blackshades-net/" ]
} ,
2016-03-17 06:34:47 +00:00
{
"value" : "CORESHELL"
} ,
{
"value" : "CHOPSTICK"
} ,
{
"value" : "SOURFACE"
} ,
{
"value" : "OLDBAIT"
} ,
{
2016-03-19 22:08:01 +00:00
"value" : "Havex RAT" ,
"synonyms" : [ "Havex" ]
} ,
{
"value" : "KjW0rm" ,
"description" : "RAT initially written in VB." ,
"refs" : [ "https://www.sentinelone.com/blog/understanding-kjw0rm-malware-we-dive-in-to-the-tv5-cyber-attack/" ]
2016-03-17 06:34:47 +00:00
} ,
{
"value" : "LURK"
} ,
{
"value" : "Oldrea"
} ,
{
"value" : "AmmyAdmin"
} ,
{
"value" : "Matryoshka"
} ,
{
"value" : "TinyZBot"
} ,
{
"value" : "GHOLE"
} ,
{
"value" : "CWoolger"
} ,
{
"value" : "FireMalv"
} ,
{
"value" : "Regin"
} ,
{
"value" : "Duqu"
} ,
{
"value" : "Flame"
} ,
{
"value" : "Stuxnet"
} ,
{
"value" : "EquationLaser"
} ,
{
"value" : "EquationDrug"
} ,
{
"value" : "DoubleFantasy"
} ,
{
"value" : "TripleFantasy"
} ,
{
"value" : "Fanny"
} ,
{
"value" : "GrayFish"
} ,
{
"value" : "Babar"
} ,
{
"value" : "Bunny"
} ,
{
"value" : "Casper"
} ,
{
"value" : "NBot"
} ,
{
"value" : "Tafacalou"
} ,
{
"value" : "Tdrop"
} ,
{
"value" : "Troy"
} ,
{
"value" : "Tdrop2"
2016-03-23 12:33:03 +00:00
} ,
{
"value" : "ZXShell" ,
"synonyms" : [ "Sensode" ] ,
"refs" : [ "http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html" ]
} ,
{
"value" : "T9000" ,
"refs" : [ "http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/" ]
} ,
{
"value" : "T5000" ,
"synonyms" : [ "Plat1" ] ,
"refs" : [ "http://www.cylance.com/techblog/Grand-Theft-Auto-Panda.shtml" ]
} ,
{
"value" : "Taidoor" ,
"refs" : [ "http://www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks" ]
} ,
{
"value" : "Swisyn" ,
"refs" : [ "http://labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/" ]
} ,
{
"value" : "Rekaf" ,
"refs" : [ "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" ]
} ,
{
"value" : "Scieron"
} ,
{
"value" : "SkeletonKey" ,
"refs" : [ "http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/" ]
} ,
{
"value" : "Skyipot" ,
"refs" : [ "http://labs.alienvault.com/labs/index.php/2011/another-sykipot-sample-likely-targeting-us-federal-agencies/" ]
} ,
{
"value" : "Spindest" ,
"refs" : [ "http://www.threatconnect.com/news/threatconnect-enables-healthy-networking-biomed-life-sciences-industry/" ]
} ,
{
"value" : "Preshin"
} ,
{
"value" : "Rekaf" ,
"refs" : [ "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" ]
} ,
{
"value" : "Oficla"
} ,
{
"value" : "PCClient RAT" ,
"refs" : [ "http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt-group-nitro-uncovered/" ]
} ,
{
"value" : "Plexor"
} ,
{
"value" : "Mongall" ,
"refs" : [ "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" ]
} ,
{
"value" : "NeD Worm" ,
"refs" : [ "http://www.clearskysec.com/dustysky/" ]
} ,
{
"value" : "NewCT" ,
"refs" : [ "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" ]
} ,
{
"value" : "Nflog" ,
"refs" : [ "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" ]
} ,
{
"value" : "Janicab" ,
"refs" : [ "http://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/" ]
} ,
{
"value" : "Jripbot" ,
"synonyms" : [ "Jiripbot" ] ,
"refs" : [ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf" ]
} ,
{
"value" : "Jolob" ,
"refs" : [ "http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html" ]
} ,
{
"value" : "IsSpace" ,
"refs" : [ "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" ]
} ,
{
"value" : "Hoardy" ,
"synonyms" : [ "Hoarde" , "Phindolp" , "BS2005" ]
} ,
{
"value" : "Htran" ,
"refs" : [ "http://www.secureworks.com/research/threats/htran/" ]
} ,
{
"value" : "HTTPBrowser" ,
"synonyms" : [ "TokenControl" ] ,
"refs" : [ "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" ]
} ,
{
"value" : "Disgufa"
} ,
{
"value" : "Elirks"
} ,
2016-03-24 06:45:36 +00:00
{
"value" : "Snifula" ,
2016-03-30 08:58:59 +00:00
"synonyms" : [ "Ursnif" ] ,
2016-03-24 06:45:36 +00:00
"refs" : [ "https://www.circl.lu/pub/tr-13/" ]
} ,
2016-03-24 06:42:27 +00:00
{
"value" : "Aumlib" ,
"synonyms" : [ "Yayih" , "mswab" , "Graftor" ] ,
"refs" : [ "http://www.cybersquared.com/killing-with-a-borrowed-knife-chaining-core-cloud-service-profile-infrastructure-for-cyber-attacks" ]
} ,
{
"value" : "CTRat" ,
"refs" : [ "http://www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html" ]
} ,
2016-03-23 12:33:03 +00:00
{
"value" : "Emdivi" ,
"synonyms" : [ "Newsripper" ] ,
"refs" : [ "http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan" ]
} ,
{
"value" : "Etumbot" ,
"synonyms" : [ "Exploz" , "Specfix" , "RIPTIDE" ] ,
"refs" : [ "www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf" ]
} ,
{
"value" : "Fexel" ,
"synonyms" : [ "Loneagent" ]
} ,
{
"value" : "Fysbis" ,
"refs" : [ "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" ]
} ,
{
"value" : "Hikit" ,
"refs" : [ "https://blog.bit9.com/2013/02/25/bit9-security-incident-update/" ]
2016-05-16 11:44:02 +00:00
} ,
{
"value" : "Hancitor" ,
"refs" : [ "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" ] ,
"synonyms" : [ "Tordal" , "Chanitor" ]
} ,
{
"value" : "Ruckguv" ,
"refs" : [ "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" ]
2016-05-31 20:43:37 +00:00
} ,
{
"value" : "HerHer Trojan" ,
"refs" : [ "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" ]
} ,
{
"value" : "Helminth backdoor" ,
2016-05-31 20:48:40 +00:00
"refs" : [ "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" ]
2016-06-01 07:08:09 +00:00
} ,
{
"value" : "HDRoot" ,
"refs" : [ "http://williamshowalter.com/a-universal-windows-bootkit/" ]
2016-06-02 14:51:23 +00:00
} ,
{
"value" : "IRONGATE" ,
"refs" : [ "https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html" ]
2016-06-15 01:59:54 +00:00
} ,
{
"value" : "ShimRAT" ,
"refs" : [ "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" ]
2016-06-21 18:35:56 +00:00
} ,
{
"value" : "X-Agent" ,
"refs" : [ "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/" ] ,
"synonyms" : [ "XAgent" ]
} ,
{
"value" : "X-Tunnel" ,
"synonyms" : [ "XTunnel" ]
} ,
{
"value" : "Foozer" ,
"refs" : [ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ]
} ,
{
"value" : "WinIDS" ,
"refs" : [ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ]
} ,
{
"value" : "DownRange" ,
"refs" : [ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ]
2016-07-28 07:08:40 +00:00
} ,
{
"value" : "Mad Max" ,
"refs" : [ "https://www.arbornetworks.com/blog/asert/mad-max-dga/" ]
2016-08-01 13:27:55 +00:00
} ,
{
"value" : "Crimson" ,
"description" : "Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims" ,
2016-08-01 13:36:59 +00:00
"refs" : [ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ]
} ,
{
"value" : "Prikormka" ,
"description" : "Operation Groundbait based on our research into the Prikormka malware family. This includes detailed technical analysis of the Prikormka malware family and its spreading mechanisms, and a description of the most noteworthy attack campaigns." ,
"refs" : [ "http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" ]
2016-03-15 07:59:44 +00:00
}
2016-06-21 18:35:56 +00:00
2016-03-15 07:59:44 +00:00
] ,
"version" : 1 ,
2016-03-17 06:34:47 +00:00
"description" : "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries." ,
2016-04-02 12:09:10 +00:00
"author" : [ "Alexandre Dulaunoy" , "Florian Roth" , "Timo Steffens" ] ,
2016-03-15 07:59:44 +00:00
"type" : "threat-actor-tools"
}