From 3183a4d1ffae0792bad82ac661336e1842ef4eb3 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 12 Dec 2018 09:27:27 +0100
Subject: [PATCH 1/5] add ransomwares

---
 clusters/ransomware.json | 113 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 109 insertions(+), 4 deletions(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index e270bc8..31d232b 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -3295,7 +3295,9 @@
 ".fire",
 ".myjob",
 ".[cyberwars@qq.com].war",
- ".risk"
+ ".risk",
+ ".RISK",
+ ".bkpx"
 ],
 "ransomnotes": [
 "README.txt",
@@ -6893,6 +6895,15 @@
 "http://www.bleepingcomputer.com/news/security/new-python-ransomware-called-holycrypt-discovered/"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d3337bec-fd4e-11e8-a3ad-e799cc59c59c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
 "uuid": "c71819a4-f6ce-4265-b0cd-24a98d84321c",
 "value": "HolyCrypt"
 },
@@ -10020,7 +10031,8 @@
 ".bomber",
 ".CRYPTO",
 ".lolita",
- ".stevenseagal@airmail.cc"
+ ".stevenseagal@airmail.cc",
+ ".lol"
 ],
 "ransomnotes": [
 "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
@@ -10034,7 +10046,8 @@
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/Scarab-ransomware.jpg",
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsnFZrGX4AE2H1c[1].jpg",
 "_How to restore files.TXT",
- "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds8PMFpW0AIcYuJ[1].jpg"
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds8PMFpW0AIcYuJ[1].jpg",
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/DtzAAIAW0AEHC86[1].jpg"
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/",
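Review bot: `.RISK` in the extensions hunk differs from the existing `.risk` entry only by letter case, so any consumer that matches extensions case-insensitively (Windows file-name matching, or a lowercasing lookup) will see a duplicate rather than a new indicator. If `.RISK` was observed as a distinct variant, a ref recording that observation would justify keeping both; otherwise keep only the canonical spelling. The remaining hunks on this file are plain list appends and the HolyCrypt `related` entry is placed at the cluster level beside `uuid`, which is the layout the rest of the galaxy uses.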
@@ -11507,7 +11520,99 @@
 },
 "uuid": "b2aa807d-98fa-48e4-927b-4e81a50736e5",
 "value": "WeChat Ransom"
+ },
+ {
+ "meta": {
+ "extensions": [
+ ".israbye"
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/Dtlxf0eW4AAJCdZ[1].jpg",
+ "https://pbs.twimg.com/media/DtlxfFsW4AAs-Co.jpg"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/",
+ "https://www.youtube.com/watch?v=QevoUzbqNTQ",
+ "https://twitter.com/GrujaRS/status/1070011234521673728"
+ ]
+ },
+ "uuid": "3ade75c8-6ef7-4c54-84d0-cab0161d3415",
+ "value": "IsraBye"
+ },
+ {
+ "meta": {
+ "extensions": [
+ "prepend (encrypted)"
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/DtkQKCDWoAM13kD[1].jpg"
+ ],
+ "refs": [
+ "https://twitter.com/struppigel/status/1069905624954269696",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/"
+ ],
+ "related": [
+ {
+ "dest-uuid": "c71819a4-f6ce-4265-b0cd-24a98d84321c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ]
+ },
+ "uuid": "d3337bec-fd4e-11e8-a3ad-e799cc59c59c",
+ "value": "Dablio Ransomware"
+ },
+ {
+ "meta": {
+ "extensions": [
+ ".XY6LR"
+ ],
+ "ransomnotes": [
+ "https://pbs.twimg.com/media/Dtz4PD2WoAIWtRv.jpg",
+ "DECRYPT.txt"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/",
+ "https://twitter.com/petrovic082/status/1071003939015925760"
+ ]
+ },
+ "uuid": "3bcc725f-6b89-4350-ad79-f50daa30f74e",
+ "value": "Gerber Ransomware 1.0"
+ },
+ {
+ "uuid": "54240144-05c2-43f0-8386-4301a85330bb",
+ "value": "Gerber Ransomware 3.0"
+ },
+ {
+ "meta": {
+ "extensions": [
+ ".protected"
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/Dt1_DpMXcAMC8J_[1].jpg"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/",
+ "https://twitter.com/GrujaRS/status/1071153192975642630",
+ "https://www.youtube.com/watch?v=iB019lDvArs"
+ ]
+ },
+ "uuid": "9ebfa028-a9dd-46ec-a915-1045fb297824",
+ "value": "Outsider"
+ },
+ {
+ "description": "Uses http://ccrypt.sourceforge.net/ encryption program",
+ "meta": {
+ "refs": [
+ "https://twitter.com/demonslay335/status/1071123090564923393",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/"
+ ]
+ },
+ "uuid": "23fcbbf1-93ee-4baf-9082-67ca26553643",
+ "value": "JungleSec"
 }
 ],
- "version": 45
+ "version": 46
 }

From 169d69871a08d37db5caab39b16dd676f63e57a3 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 12 Dec 2018 13:52:55 +0100
Subject: [PATCH 2/5] add Goden Chickens and affiliates

---
 clusters/exploit-kit.json | 7 ++++--
 clusters/threat-actor.json | 48 ++++++++++++++++++++++++++++++++++++++
 clusters/tool.json | 30 ++++++++++++++++++++++++
 3 files changed, 83 insertions(+), 2 deletions(-)

diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 3061344..4d5d08c 100644
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -191,9 +191,12 @@
 "description": "VenomKit is the name given to a kit sold since april 2017 as \"Word 1day exploit builder\" by user badbullzvenom. Author allows only use in targeted campaign. Is used for instance by the \"Cobalt Gang\"",
 "meta": {
 "refs": [
- ""
+ "https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648"
 ],
- "status": "Active"
+ "status": "Active",
+ "synonyms": [
+ "Venom"
+ ]
 },
 "uuid": "b8be7af8-69a8-11e8-adc0-fa7ae01bbebc",
 "value": "VenomKit"
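Review bot: In the Dablio Ransomware entry the `related` array is nested inside `meta`, whereas the reciprocal link added to HolyCrypt earlier in this patch (and the GC01/GC02 entries in patch 2) put `related` at the cluster level beside `uuid`; a consumer that reads relations from the cluster-level key will presumably not see the Dablio→HolyCrypt edge, so the link is one-directional in practice. Close `meta` with `},` directly after the `refs` array and move the whole `related` block up one level so it sits between `meta` and `"uuid"`. The Gerber Ransomware 3.0 entry carries only `uuid` and `value` with no `meta.refs`, so nothing records where the name came from; if the week-in-ransomware post cited for Gerber 1.0 is the source, attach it here too. Dablio's `extensions` value `prepend (encrypted)` reads as a remark rather than a file extension and will mislead consumers that match the list literally; that observation belongs in a `description`.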
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index bd39186..127815a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6060,6 +6060,54 @@
 },
 "uuid": "08ff3cb6-c292-4360-a978-6f05775881ed",
 "value": "Operation Poison Needles"
+ },
+ {
+ "description": "From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).",
+ "meta": {
+ "refs": [
+ "https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648"
+ ],
+ "synonyms": [
+ "Golden Chickens",
+ "Golden Chickens01",
+ "Golden Chickens 01"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "6d50a8a2-fdf5-11e8-9db3-833f231caac8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
+ "uuid": "6bd7c91a-fdf5-11e8-95a8-e712ad4b0a9d",
+ "value": "GC01"
+ },
+ {
+ "description": "From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).",
+ "meta": {
+ "refs": [
+ "https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648"
+ ],
+ "synonyms": [
+ "Golden Chickens",
+ "Golden Chickens02",
+ "Golden Chickens 02"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "6bd7c91a-fdf5-11e8-95a8-e712ad4b0a9d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
+ "uuid": "6d50a8a2-fdf5-11e8-9db3-833f231caac8",
+ "value": "GC02"
 }
 ],
 "version": 82
diff --git a/clusters/tool.json b/clusters/tool.json
index afc3b36..09f9ee2 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
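Review bot: GC01 and GC02 in the threat-actor hunk carry byte-identical descriptions and both list the bare name `Golden Chickens` under `synonyms`, so a lookup by that alias resolves to two clusters and neither description says what separates the two actors. The quoted sentence is also first-person from the source article ("we attributed") and leans on definitions ("hereinafter") that are not present in the entry. Rewrite each description in the galaxy's own voice stating how the source distinguishes GC01 from GC02, and keep the shared `Golden Chickens` alias on only one of them (or on a parent cluster for the provider) so synonym resolution stays unambiguous.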
@@ -7443,6 +7443,36 @@
 },
 "uuid": "a9467439-48d8-4f68-9519-560bb6430f0c",
 "value": "KingMiner"
+ },
+ {
+ "description": "Toolkit - building kit for crafting documents used to deliver attacks",
+ "meta": {
+ "refs": [
+ "https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648"
+ ]
+ },
+ "uuid": "a315f2be-0cd7-4a2b-876d-d6a772de9dca",
+ "value": "Taurus"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648"
+ ]
+ },
+ "uuid": "dbbc8e91-a6c4-441f-8424-6bc096edf944",
+ "value": "Terra Loader"
+ },
+ {
+ "description": "In 2018, CTU researchers observed several GOLD KINGSWOOD campaigns involving SpicyOmelette, a tool used by the group during initial exploitation of an organization. This sophisticated JavaScript remote access tool is generally delivered via phishing, and it uses multiple defense evasion techniques to hinder prevention and detection activities. GOLD KINGSWOOD delivered SpicyOmelette through a phishing email containing a shortened link that appeared to be a PDF document attachment. When clicked, the link used the Google AppEngine to redirect the system to a GOLD KINGSWOOD-controlled Amazon Web Services (AWS) URL that installed a signed JavaScript file, which was SpicyOmelette.",
+ "meta": {
+ "refs": [
+ "https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648",
+ "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish"
+ ]
+ },
+ "uuid": "48753e22-6c22-409c-b274-68f822c7ef57",
+ "value": "SpicyOmelette"
 }
 ],
 "version": 104

From 70d68a312cbf5f1d9bc8f16eba0b21829666a504 Mon Sep 17 00:00:00 2001
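Review bot: The Terra Loader entry in the tool hunk has no `description`, leaving a cluster whose only content is a name and a ref; a one-line description of what the cited write-up says the loader does is the minimum for a usable entry. None of the three new tools carries a `related` link to the GC01/GC02 actors added in the same commit even though the commit message groups them as affiliates, so the actor-to-tool association exists only in the commit history; if the Medium write-up attributes them, add `related` entries with the `estimative-language` tag in the same form as GC01/GC02 use. The SpicyOmelette description is a verbatim paragraph from the Secureworks post, which is acceptable for provenance, but its GOLD KINGSWOOD attribution is tied to the Cobalt cluster only through a synonym added later in the series rather than through a `related` entry.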
From: Deborah Servili
Date: Wed, 12 Dec 2018 15:26:54 +0100
Subject: [PATCH 3/5] add some clusters or info

---
 clusters/threat-actor.json | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 127815a..5c26c15 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4108,11 +4108,13 @@
 "meta": {
 "refs": [
 "https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/",
- "https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/"
+ "https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/",
+ "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish"
 ],
 "synonyms": [
 "Cobalt group",
- "Cobalt gang"
+ "Cobalt gang",
+ "GOLD KINGSWOOD"
 ]
 },
 "uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe",
@@ -6110,5 +6112,5 @@
 "value": "GC02"
 }
 ],
- "version": 82
+ "version": 83
 }

From 3ef58f7b2152a6070bd1b4e4dad61e680f3ef5ad Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 12 Dec 2018 15:38:39 +0100
Subject: [PATCH 4/5] fix exploit-kit version

---
 clusters/exploit-kit.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 4d5d08c..c6489c3 100644
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -751,5 +751,5 @@
 "value": "Unknown"
 }
 ],
- "version": 12
+ "version": 13
 }

From 3a2ac48faaa484e65be3021ad9ba0ebdb67ff171 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 12 Dec 2018 15:39:34 +0100
Subject: [PATCH 5/5] fix tool version

---
 clusters/tool.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 09f9ee2..2d056f7 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7475,5 +7475,5 @@
 "value": "SpicyOmelette"
 }
 ],
- "version": 104
+ "version": 105
 }