From 178d5219c7fd8c58078b884f070eafc3b55fed25 Mon Sep 17 00:00:00 2001
From: Kafeine
Date: Wed, 6 Jun 2018 18:00:25 +0100
Subject: [PATCH] guuid & + VenomKit
---
 clusters/exploit-kit.json | 181 ++++++++++++++++++++++++--------------
 1 file changed, 115 insertions(+), 66 deletions(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 862843b..3d798a9 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -12,14 +12,16 @@
 "Stegano EK"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "e9ca60cd-94fc-4a54-ac98-30e675a46b3e"
 },
 {
 "value": "Bingo",
 "description": "Bingo EK is the name chosen by the defense for a Fiesta-ish EK first spotted in March 2017 and targetting at that times mostly Russia",
 "meta": {
 "status": "Active"
- }
+ },
+ "uuid": "9e864c01-3d9e-4b8d-811e-46471ff866e9"
 },
 {
 "value": "Terror EK",
@@ -33,7 +35,8 @@
 "Neptune EK"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "f15f9264-854e-4e25-8641-cde2faeb86e9"
 },
 {
 "value": "DealersChoice",
@@ -48,7 +51,8 @@
 "Sednit RTF EK"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "0f116533-a755-4cfc-815a-fa6bcb85efb7"
 },
 {
 "value": "DNSChanger",
@@ -62,7 +66,8 @@
 "RouterEK"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "74fb6a14-1279-4a5b-939a-76478d36d3e1"
 },
 {
 "value": "Disdain",
@@ -72,7 +77,8 @@
 "http://blog.trendmicro.com/trendlabs-security-intelligence/new-disdain-exploit-kit-detected-wild/"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "1ded776d-6772-4cc8-a27f-f61e24a58d96"
 },
 {
 "value": "Kaixin",
@@ -86,7 +92,8 @@
 "CK vip"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "e6c1cfcf-3e37-4f5a-9494-989dd8c43d88"
 },
 {
 "value": "Magnitude",
@@ -103,7 +110,8 @@
 "TopExp"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "6a313e11-5bb2-40ed-8cde-9de768b783b1"
 },
 {
 "value": "MWI",
@@ -114,9 +122,10 @@
 "https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "489acbf2-d80b-4bb5-ac7d-c8573dcb6324"
 },
- {
+ {
 "value": "ThreadKit",
 "description": "ThreadKit is the name given to a widely used Microsoft Office document exploit builder kit that appeared in June 2017",
 "meta": {
@@ -124,7 +133,19 @@
 "https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "b8be783c-69a8-11e8-adc0-fa7ae01bbebc"
+ },
+ {
+ "value": "VenomKit",
+ "description": "VenomKit is the name given to a kit sold since april 2017 as \"Word 1day exploit builder\" by user badbullzvenom. Author allows only use in targeted campaign. Is used for instance by the \"Cobalt Gang\"",
+ "meta": {
+ "refs": [
+ ""
+ ],
+ "status": "Active"
+ },
+ "uuid": "b8be7af8-69a8-11e8-adc0-fa7ae01bbebc"
 },
 {
 "value": "RIG",
@@ -143,7 +164,8 @@
 "Meadgive"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "0545e5c0-ed0d-4a02-a69d-31e9e2b31e8a"
 },
 {
 "value": "Sednit EK",
@@ -157,7 +179,8 @@
 "SedKit"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "c8b9578a-78be-420c-a29b-9214d09685c8"
 },
 {
 "value": "Sundown-P",
@@ -171,7 +194,8 @@
 "CaptainBlack"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "3235ae90-598b-45dc-b336-852817b271a8"
 },
 {
 "value": "Bizarro Sundown",
@@ -185,7 +209,8 @@
 "Sundown-b"
 ],
 "status": "Retired"
- }
+ },
+ "uuid": "ef3b170e-3fbe-420b-b202-4689da137c50"
 },
 {
 "value": "Hunter",
@@ -198,7 +223,8 @@
 "3ROS Exploit Kit"
 ],
 "status": "Retired - Last seen 2017-02-06"
- }
+ },
+ "uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c"
 },
 {
 "value": "GreenFlash Sundown",
@@ -211,7 +237,8 @@
 "Sundown-GF"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "6e5c0dbb-fb0b-45ea-ac6c-bb6d8324bbd2"
 },
 {
 "value": "Angler",
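Review bot: The new VenomKit entry in the `@@ -124,7 +133,19 @@` hunk carries `"refs": [ "" ]`, an array whose only element is an empty string, so anything that renders or follows references gets a blank link and the entry looks sourced when it is not. Either leave the `refs` key out until a reference exists, reducing the object to `"meta": { "status": "Active" },`, or put the actual URL where `""` now is. As a smaller point, the two uuids introduced here (`b8be783c-69a8-11e8-…` for ThreadKit and `b8be7af8-69a8-11e8-…` for VenomKit) are version 1 time-based values, while every other value-level uuid added in this commit is version 4, so generating these two with the same random scheme would keep the entries uniform. The description string also has a lowercase `april`, which is worth correcting while the line is being added.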
@@ -228,7 +255,8 @@
 "Axpergle"
 ],
 "status": "Retired - Last seen: 2016-06-07"
- }
+ },
+ "uuid": "5daf41c7-b297-4228-85d1-eb040d5b7c90"
 },
 {
 "value": "Archie",
@@ -238,7 +266,8 @@
 "https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit"
 ],
 "status": "Retired"
- }
+ },
+ "uuid": "2756caae-d2c5-4170-9e76-2b7f1b1fccb1"
 },
 {
 "value": "BlackHole",
@@ -252,7 +281,8 @@
 "BHEK"
 ],
 "status": "Retired - Last seen: 2013-10-07"
- }
+ },
+ "uuid": "e6201dc3-01a7-40c5-ba72-02fa470ada53"
 },
 {
 "value": "Bleeding Life",
@@ -267,7 +297,8 @@
 "BL2"
 ],
 "status": "Retired"
- }
+ },
+ "uuid": "5abe6240-dce2-4455-8125-ddae2e651243"
 },
 {
 "value": "Cool",
@@ -283,7 +314,8 @@
 "Styxy Cool"
 ],
 "status": "Retired - Last seen: 2013-10-07"
- }
+ },
+ "uuid": "9bb229b0-80f9-48e5-b8fb-00ee7af070cb"
 },
 {
 "value": "Fiesta",
@@ -298,7 +330,8 @@
 "Fiexp"
 ],
 "status": "Retired - Last Seen: beginning of 2015-07"
- }
+ },
+ "uuid": "f50f860a-d795-4f4e-a170-8190f65499ad"
 },
 {
 "value": "Empire",
@@ -311,7 +344,8 @@
 "RIG-E"
 ],
 "status": "Retired - Last seen: 2016-12-29"
- }
+ },
+ "uuid": "6eb15569-4ddd-4820-9a44-7bca5b303b86"
 },
 {
 "value": "FlashPack",
@@ -328,17 +362,8 @@
 "Vintage Pack"
 ],
 "status": "Retired - Last seen: middle of 2015-04"
- }
- },
- {
- "value": "Glazunov",
- "description": "Glazunov is an exploit kit mainly seen behind compromised website in 2012 and 2013. Glazunov compromission is likely the ancestor activity of what became EITest in July 2014. Sibhost and Flimkit later shown similarities with this Exploit Kit",
- "meta": {
- "refs": [
- "https://nakedsecurity.sophos.com/2013/06/24/taking-a-closer-look-at-the-glazunov-exploit-kit/"
- ],
- "status": "Retired - Last seen: maybe end of 2013"
- }
+ },
+ "uuid": "55a30ccc-8905-4af2-a498-5c0010815cc1"
 },
 {
 "value": "GrandSoft",
@@ -354,7 +379,8 @@
 "SofosFO"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "180b6969-2aca-4642-b684-b57db8f0eff8"
 },
 {
 "value": "HanJuan",
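Review bot: The Glazunov entry is removed outright in the `@@ -328,17 +362,8 @@` hunk, while every neighbouring hunk only appends a `uuid` to an existing entry and the commit subject mentions only uuids and VenomKit, so the deletion looks unintended rather than deliberate. If it is deliberate, the commit message should say why an entry with a reference and a retirement date is being dropped; if not, re-add the entry immediately before GrandSoft with a `"uuid": "<new v4 uuid>"` line placed after its `meta` object, exactly as the other entries in this commit were handled. Dropping a cluster value silently may also leave dangling any existing tags that reference it, though that cannot be confirmed from this patch alone.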
@@ -367,7 +393,8 @@
 "https://twitter.com/kafeine/status/562575744501428226"
 ],
 "status": "Retired - Last seen: 2015-07"
- }
+ },
+ "uuid": "886abdc6-db1a-4fc5-afe0-e17d65a83614"
 },
 {
 "value": "Himan",
@@ -380,7 +407,8 @@
 "High Load"
 ],
 "status": "Retired - Last seen: 2014-04"
- }
+ },
+ "uuid": "3d0cb558-7f04-4be8-963e-5f137566b07b"
 },
 {
 "value": "Impact",
@@ -390,7 +418,8 @@
 "http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html"
 ],
 "status": "Retired"
- }
+ },
+ "uuid": "319357b4-3041-4a71-89c5-51be08041d1b"
 },
 {
 "value": "Infinity",
@@ -405,7 +434,8 @@
 "Goon"
 ],
 "status": "Retired - Last seen: 2014-07"
- }
+ },
+ "uuid": "4b858835-7b31-4b94-8144-b5175da1551f"
 },
 {
 "value": "Lightsout",
@@ -417,7 +447,8 @@
 "http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html"
 ],
 "status": "Unknown - Last seen: 2014-03"
- }
+ },
+ "uuid": "244c05f8-1a2f-47fb-9dcf-2eaa99ab6aa1"
 },
 {
 "value": "Nebula",
@@ -427,7 +458,8 @@
 "http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html"
 ],
 "status": "Retired - Last seen 2017-03-09"
- }
+ },
+ "uuid": "4ca96067-8fdd-4b48-bd34-d2e175e27bad"
 },
 {
 "value": "Neutrino",
@@ -443,7 +475,8 @@
 "Neutrino-v"
 ],
 "status": "Retired - Last seen 2017-04-10"
- }
+ },
+ "uuid": "218ae39b-2f92-4355-91c6-50cce319d26d"
 },
 {
 "value": "Niteris",
@@ -457,7 +490,8 @@
 "CottonCastle"
 ],
 "status": "Unknown - Last seen: 2015-11"
- }
+ },
+ "uuid": "b344133f-e223-4fda-8fb2-88ad7999e549"
 },
 {
 "value": "Nuclear",
@@ -473,7 +507,8 @@
 "Neclu"
 ],
 "status": "Retired - Last seen: 2015-04-30"
- }
+ },
+ "uuid": "e7c516f9-5222-4f0d-b80b-ae9f4c24583d"
 },
 {
 "value": "Phoenix",
@@ -487,7 +522,8 @@
 "PEK"
 ],
 "status": "Retired"
- }
+ },
+ "uuid": "0df2c7a6-046f-4489-8c77-0999c92c839d"
 },
 {
 "value": "Private Exploit Pack",
@@ -501,7 +537,8 @@
 "PEP"
 ],
 "status": "Retired"
- }
+ },
+ "uuid": "cfd0a4af-f559-496f-b56b-97145ea4e4c3"
 },
 {
 "value": "Redkit",
@@ -513,7 +550,8 @@
 "https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/"
 ],
 "status": "Retired"
- }
+ },
+ "uuid": "6958ff90-75e8-47ee-ab07-daa8d487130c"
 },
 {
 "value": "Sakura",
@@ -523,19 +561,25 @@
 "http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html"
 ],
 "status": "Retired - Last seen: 2013-09"
- }
+ },
+ "uuid": "12af9112-3ac5-4422-858e-a22c293c6117"
+ },
+ {
+ "value": "SPL",
+ "description": "SPL exploit kit was mainly seen in 2012/2013 most often associated with ZeroAccess and Scareware/FakeAV",
+ "meta": {
+ "refs": [
+ "http://www.malwaresigs.com/2012/12/05/spl-exploit-kit/"
+ ],
+ "status": "Retired - Last seen: 2015-04",
+ "synonyms": [
+ "SPL_Data",
+ "SPLNet",
+ "SPL2"
+ ]
+ },
+ "uuid": "15936d30-c151-4051-835e-df327143ce76"
 },
- {
- "value": "SPL",
- "description": "SPL exploit kit was mainly seen in 2012/2013 most often associated with ZeroAccess and Scareware/FakeAV",
- "meta": {
- "refs": ["http://www.malwaresigs.com/2012/12/05/spl-exploit-kit/"],
- "status": "Retired - Last seen: 2015-04",
- "synonyms": ["SPL_Data",
- "SPLNet",
- "SPL2"],
- }
- },
 {
 "value": "Sundown",
 "description": "Sundown Exploit Kit is mainly built out of stolen code from other exploit kits",
@@ -551,7 +595,8 @@
 ],
 "status": "Retired - Last seen 2017-03-08",
 "colour": "#C03701"
- }
+ },
+ "uuid": "670e28c4-001a-4ba4-b276-441620225123"
 },
 {
 "value": "Sweet-Orange",
@@ -565,7 +610,8 @@
 "Anogre"
 ],
 "status": "Retired - Last seen: 2015-04-05"
- }
+ },
+ "uuid": "222bc508-4d8d-4972-9cac-65192cfefd43"
 },
 {
 "value": "Styx",
@@ -577,7 +623,8 @@
 "http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html"
 ],
 "status": "Retired - Last seen: 2014-06"
- }
+ },
+ "uuid": "006eaa87-e8a6-4808-93ff-302b52c628b0"
 },
 {
 "value": "WhiteHole",
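Review bot: In the rewritten SPL entry of the `@@ -523,19 +561,25 @@` hunk the `"status"` line is placed before the `"synonyms"` array, whereas the other entries visible in this patch close their `synonyms` array and then give `status` (the Sundown-P, Bizarro Sundown and Angler hunks, for example). Key order carries no meaning for a JSON parser, but one order across entries keeps future diffs small and avoids spurious churn if the file is ever run through a key-sorting formatter, so moving `"status": "Retired - Last seen: 2015-04",` below the closing `]` of `synonyms` would align it. The rewrite does correctly drop the trailing comma that followed the old `synonyms` array and made the previous file unparseable for strict parsers; a `jq . clusters/exploit-kit.json` or `python -m json.tool` check in CI would catch a regression of that kind before it is merged.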
@@ -587,7 +634,8 @@
 "http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html"
 ],
 "status": "Retired - Last seen: 2013-12"
- }
+ },
+ "uuid": "570bc715-7fe8-430b-bd2e-5512c95f2370"
 },
 {
 "value": "Unknown",
@@ -598,10 +646,11 @@
 "https://twitter.com/node5",
 "https://twitter.com/kahusecurity"
 ]
- }
+ },
+ "uuid": "00815961-3249-4e2e-9421-bb57feb73bb2"
 }
 ],
- "version": 5,
+ "version": 7,
 "uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01",
 "description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
 "authors": [