mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-30 02:37:17 +00:00
Merge pull request #313 from Delta-Sierra/master
add some clusters or info
This commit is contained in:
commit
15d1d9b547
4 changed files with 199 additions and 11 deletions
|
@ -191,9 +191,12 @@
|
||||||
"description": "VenomKit is the name given to a kit sold since april 2017 as \"Word 1day exploit builder\" by user badbullzvenom. Author allows only use in targeted campaign. Is used for instance by the \"Cobalt Gang\"",
|
"description": "VenomKit is the name given to a kit sold since april 2017 as \"Word 1day exploit builder\" by user badbullzvenom. Author allows only use in targeted campaign. Is used for instance by the \"Cobalt Gang\"",
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
""
|
"https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648"
|
||||||
],
|
],
|
||||||
"status": "Active"
|
"status": "Active",
|
||||||
|
"synonyms": [
|
||||||
|
"Venom"
|
||||||
|
]
|
||||||
},
|
},
|
||||||
"uuid": "b8be7af8-69a8-11e8-adc0-fa7ae01bbebc",
|
"uuid": "b8be7af8-69a8-11e8-adc0-fa7ae01bbebc",
|
||||||
"value": "VenomKit"
|
"value": "VenomKit"
|
||||||
|
@ -748,5 +751,5 @@
|
||||||
"value": "Unknown"
|
"value": "Unknown"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 12
|
"version": 13
|
||||||
}
|
}
|
||||||
|
|
|
@ -3295,7 +3295,9 @@
|
||||||
".fire",
|
".fire",
|
||||||
".myjob",
|
".myjob",
|
||||||
".[cyberwars@qq.com].war",
|
".[cyberwars@qq.com].war",
|
||||||
".risk"
|
".risk",
|
||||||
|
".RISK",
|
||||||
|
".bkpx"
|
||||||
],
|
],
|
||||||
"ransomnotes": [
|
"ransomnotes": [
|
||||||
"README.txt",
|
"README.txt",
|
||||||
|
@ -6893,6 +6895,15 @@
|
||||||
"http://www.bleepingcomputer.com/news/security/new-python-ransomware-called-holycrypt-discovered/"
|
"http://www.bleepingcomputer.com/news/security/new-python-ransomware-called-holycrypt-discovered/"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
"related": [
|
||||||
|
{
|
||||||
|
"dest-uuid": "d3337bec-fd4e-11e8-a3ad-e799cc59c59c",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "similar"
|
||||||
|
}
|
||||||
|
],
|
||||||
"uuid": "c71819a4-f6ce-4265-b0cd-24a98d84321c",
|
"uuid": "c71819a4-f6ce-4265-b0cd-24a98d84321c",
|
||||||
"value": "HolyCrypt"
|
"value": "HolyCrypt"
|
||||||
},
|
},
|
||||||
|
@ -10020,7 +10031,8 @@
|
||||||
".bomber",
|
".bomber",
|
||||||
".CRYPTO",
|
".CRYPTO",
|
||||||
".lolita",
|
".lolita",
|
||||||
".stevenseagal@airmail.cc"
|
".stevenseagal@airmail.cc",
|
||||||
|
".lol"
|
||||||
],
|
],
|
||||||
"ransomnotes": [
|
"ransomnotes": [
|
||||||
"IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
|
"IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
|
||||||
|
@ -10034,7 +10046,8 @@
|
||||||
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/Scarab-ransomware.jpg",
|
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/Scarab-ransomware.jpg",
|
||||||
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsnFZrGX4AE2H1c[1].jpg",
|
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsnFZrGX4AE2H1c[1].jpg",
|
||||||
"_How to restore files.TXT",
|
"_How to restore files.TXT",
|
||||||
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds8PMFpW0AIcYuJ[1].jpg"
|
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds8PMFpW0AIcYuJ[1].jpg",
|
||||||
|
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/DtzAAIAW0AEHC86[1].jpg"
|
||||||
],
|
],
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/",
|
"https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/",
|
||||||
|
@ -11507,7 +11520,99 @@
|
||||||
},
|
},
|
||||||
"uuid": "b2aa807d-98fa-48e4-927b-4e81a50736e5",
|
"uuid": "b2aa807d-98fa-48e4-927b-4e81a50736e5",
|
||||||
"value": "WeChat Ransom"
|
"value": "WeChat Ransom"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"extensions": [
|
||||||
|
".israbye"
|
||||||
|
],
|
||||||
|
"ransomnotes": [
|
||||||
|
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/Dtlxf0eW4AAJCdZ[1].jpg",
|
||||||
|
"https://pbs.twimg.com/media/DtlxfFsW4AAs-Co.jpg"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/",
|
||||||
|
"https://www.youtube.com/watch?v=QevoUzbqNTQ",
|
||||||
|
"https://twitter.com/GrujaRS/status/1070011234521673728"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "3ade75c8-6ef7-4c54-84d0-cab0161d3415",
|
||||||
|
"value": "IsraBye"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"extensions": [
|
||||||
|
"prepend (encrypted)"
|
||||||
|
],
|
||||||
|
"ransomnotes": [
|
||||||
|
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/DtkQKCDWoAM13kD[1].jpg"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"https://twitter.com/struppigel/status/1069905624954269696",
|
||||||
|
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/"
|
||||||
|
],
|
||||||
|
"related": [
|
||||||
|
{
|
||||||
|
"dest-uuid": "c71819a4-f6ce-4265-b0cd-24a98d84321c",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "similar"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "d3337bec-fd4e-11e8-a3ad-e799cc59c59c",
|
||||||
|
"value": "Dablio Ransomware"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"extensions": [
|
||||||
|
".XY6LR"
|
||||||
|
],
|
||||||
|
"ransomnotes": [
|
||||||
|
"https://pbs.twimg.com/media/Dtz4PD2WoAIWtRv.jpg",
|
||||||
|
"DECRYPT.txt"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/",
|
||||||
|
"https://twitter.com/petrovic082/status/1071003939015925760"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "3bcc725f-6b89-4350-ad79-f50daa30f74e",
|
||||||
|
"value": "Gerber Ransomware 1.0"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"uuid": "54240144-05c2-43f0-8386-4301a85330bb",
|
||||||
|
"value": "Gerber Ransomware 3.0"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"extensions": [
|
||||||
|
".protected"
|
||||||
|
],
|
||||||
|
"ransomnotes": [
|
||||||
|
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/Dt1_DpMXcAMC8J_[1].jpg"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/",
|
||||||
|
"https://twitter.com/GrujaRS/status/1071153192975642630",
|
||||||
|
"https://www.youtube.com/watch?v=iB019lDvArs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "9ebfa028-a9dd-46ec-a915-1045fb297824",
|
||||||
|
"value": "Outsider"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Uses http://ccrypt.sourceforge.net/ encryption program",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://twitter.com/demonslay335/status/1071123090564923393",
|
||||||
|
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "23fcbbf1-93ee-4baf-9082-67ca26553643",
|
||||||
|
"value": "JungleSec"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 45
|
"version": 46
|
||||||
}
|
}
|
||||||
|
|
|
@ -4108,11 +4108,13 @@
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/",
|
"https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/",
|
||||||
"https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/"
|
"https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/",
|
||||||
|
"https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Cobalt group",
|
"Cobalt group",
|
||||||
"Cobalt gang"
|
"Cobalt gang",
|
||||||
|
"GOLD KINGSWOOD"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe",
|
"uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe",
|
||||||
|
@ -6060,7 +6062,55 @@
|
||||||
},
|
},
|
||||||
"uuid": "08ff3cb6-c292-4360-a978-6f05775881ed",
|
"uuid": "08ff3cb6-c292-4360-a978-6f05775881ed",
|
||||||
"value": "Operation Poison Needles"
|
"value": "Operation Poison Needles"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Golden Chickens",
|
||||||
|
"Golden Chickens01",
|
||||||
|
"Golden Chickens 01"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"related": [
|
||||||
|
{
|
||||||
|
"dest-uuid": "6d50a8a2-fdf5-11e8-9db3-833f231caac8",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "similar"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"uuid": "6bd7c91a-fdf5-11e8-95a8-e712ad4b0a9d",
|
||||||
|
"value": "GC01"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Golden Chickens",
|
||||||
|
"Golden Chickens02",
|
||||||
|
"Golden Chickens 02"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"related": [
|
||||||
|
{
|
||||||
|
"dest-uuid": "6bd7c91a-fdf5-11e8-95a8-e712ad4b0a9d",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "similar"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"uuid": "6d50a8a2-fdf5-11e8-9db3-833f231caac8",
|
||||||
|
"value": "GC02"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 82
|
"version": 83
|
||||||
}
|
}
|
||||||
|
|
|
@ -7443,7 +7443,37 @@
|
||||||
},
|
},
|
||||||
"uuid": "a9467439-48d8-4f68-9519-560bb6430f0c",
|
"uuid": "a9467439-48d8-4f68-9519-560bb6430f0c",
|
||||||
"value": "KingMiner"
|
"value": "KingMiner"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Toolkit - building kit for crafting documents used to deliver attacks",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "a315f2be-0cd7-4a2b-876d-d6a772de9dca",
|
||||||
|
"value": "Taurus"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "dbbc8e91-a6c4-441f-8424-6bc096edf944",
|
||||||
|
"value": "Terra Loader"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "In 2018, CTU researchers observed several GOLD KINGSWOOD campaigns involving SpicyOmelette, a tool used by the group during initial exploitation of an organization. This sophisticated JavaScript remote access tool is generally delivered via phishing, and it uses multiple defense evasion techniques to hinder prevention and detection activities. GOLD KINGSWOOD delivered SpicyOmelette through a phishing email containing a shortened link that appeared to be a PDF document attachment. When clicked, the link used the Google AppEngine to redirect the system to a GOLD KINGSWOOD-controlled Amazon Web Services (AWS) URL that installed a signed JavaScript file, which was SpicyOmelette.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648",
|
||||||
|
"https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "48753e22-6c22-409c-b274-68f822c7ef57",
|
||||||
|
"value": "SpicyOmelette"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 104
|
"version": 105
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue