guuid & + VenomKit

Kafeine 2018-06-06 18:00:25 +01:00 committed by GitHub
parent 6c7d0f8684
commit 178d5219c7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -12,14 +12,16 @@
"Stegano EK" "Stegano EK"
], ],
"status": "Active" "status": "Active"
} },
"uuid": "e9ca60cd-94fc-4a54-ac98-30e675a46b3e"
}, },
{ {
"value": "Bingo", "value": "Bingo",
"description": "Bingo EK is the name chosen by the defense for a Fiesta-ish EK first spotted in March 2017 and targetting at that times mostly Russia", "description": "Bingo EK is the name chosen by the defense for a Fiesta-ish EK first spotted in March 2017 and targetting at that times mostly Russia",
"meta": { "meta": {
"status": "Active" "status": "Active"
} },
"uuid": "9e864c01-3d9e-4b8d-811e-46471ff866e9"
}, },
{ {
"value": "Terror EK", "value": "Terror EK",
@ -33,7 +35,8 @@
"Neptune EK" "Neptune EK"
], ],
"status": "Active" "status": "Active"
} },
"uuid": "f15f9264-854e-4e25-8641-cde2faeb86e9"
}, },
{ {
"value": "DealersChoice", "value": "DealersChoice",
@ -48,7 +51,8 @@
"Sednit RTF EK" "Sednit RTF EK"
], ],
"status": "Active" "status": "Active"
} },
"uuid": "0f116533-a755-4cfc-815a-fa6bcb85efb7"
}, },
{ {
"value": "DNSChanger", "value": "DNSChanger",
@ -62,7 +66,8 @@
"RouterEK" "RouterEK"
], ],
"status": "Active" "status": "Active"
} },
"uuid": "74fb6a14-1279-4a5b-939a-76478d36d3e1"
}, },
{ {
"value": "Disdain", "value": "Disdain",
@ -72,7 +77,8 @@
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-disdain-exploit-kit-detected-wild/" "http://blog.trendmicro.com/trendlabs-security-intelligence/new-disdain-exploit-kit-detected-wild/"
], ],
"status": "Active" "status": "Active"
} },
"uuid": "1ded776d-6772-4cc8-a27f-f61e24a58d96"
}, },
{ {
"value": "Kaixin", "value": "Kaixin",
@ -86,7 +92,8 @@
"CK vip" "CK vip"
], ],
"status": "Active" "status": "Active"
} },
"uuid": "e6c1cfcf-3e37-4f5a-9494-989dd8c43d88"
}, },
{ {
"value": "Magnitude", "value": "Magnitude",
@ -103,7 +110,8 @@
"TopExp" "TopExp"
], ],
"status": "Active" "status": "Active"
} },
"uuid": "6a313e11-5bb2-40ed-8cde-9de768b783b1"
}, },
{ {
"value": "MWI", "value": "MWI",
@ -114,9 +122,10 @@
"https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf" "https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf"
], ],
"status": "Active" "status": "Active"
} },
"uuid": "489acbf2-d80b-4bb5-ac7d-c8573dcb6324"
}, },
{ {
"value": "ThreadKit", "value": "ThreadKit",
"description": "ThreadKit is the name given to a widely used Microsoft Office document exploit builder kit that appeared in June 2017", "description": "ThreadKit is the name given to a widely used Microsoft Office document exploit builder kit that appeared in June 2017",
"meta": { "meta": {
@ -124,7 +133,19 @@
"https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware" "https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware"
], ],
"status": "Active" "status": "Active"
} },
"uuid": "b8be783c-69a8-11e8-adc0-fa7ae01bbebc"
},
{
"value": "VenomKit",
"description": "VenomKit is the name given to a kit sold since april 2017 as \"Word 1day exploit builder\" by user badbullzvenom. Author allows only use in targeted campaign. Is used for instance by the \"Cobalt Gang\"",
"meta": {
"refs": [
""
],
"status": "Active"
},
"uuid": "b8be7af8-69a8-11e8-adc0-fa7ae01bbebc"
}, },
{ {
"value": "RIG", "value": "RIG",
@ -143,7 +164,8 @@
"Meadgive" "Meadgive"
], ],
"status": "Active" "status": "Active"
} },
"uuid": "0545e5c0-ed0d-4a02-a69d-31e9e2b31e8a"
}, },
{ {
"value": "Sednit EK", "value": "Sednit EK",
@ -157,7 +179,8 @@
"SedKit" "SedKit"
], ],
"status": "Active" "status": "Active"
} },
"uuid": "c8b9578a-78be-420c-a29b-9214d09685c8"
}, },
{ {
"value": "Sundown-P", "value": "Sundown-P",
@ -171,7 +194,8 @@
"CaptainBlack" "CaptainBlack"
], ],
"status": "Active" "status": "Active"
} },
"uuid": "3235ae90-598b-45dc-b336-852817b271a8"
}, },
{ {
"value": "Bizarro Sundown", "value": "Bizarro Sundown",
@ -185,7 +209,8 @@
"Sundown-b" "Sundown-b"
], ],
"status": "Retired" "status": "Retired"
} },
"uuid": "ef3b170e-3fbe-420b-b202-4689da137c50"
}, },
{ {
"value": "Hunter", "value": "Hunter",
@ -198,7 +223,8 @@
"3ROS Exploit Kit" "3ROS Exploit Kit"
], ],
"status": "Retired - Last seen 2017-02-06" "status": "Retired - Last seen 2017-02-06"
} },
"uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c"
}, },
{ {
"value": "GreenFlash Sundown", "value": "GreenFlash Sundown",
@ -211,7 +237,8 @@
"Sundown-GF" "Sundown-GF"
], ],
"status": "Active" "status": "Active"
} },
"uuid": "6e5c0dbb-fb0b-45ea-ac6c-bb6d8324bbd2"
}, },
{ {
"value": "Angler", "value": "Angler",
@ -228,7 +255,8 @@
"Axpergle" "Axpergle"
], ],
"status": "Retired - Last seen: 2016-06-07" "status": "Retired - Last seen: 2016-06-07"
} },
"uuid": "5daf41c7-b297-4228-85d1-eb040d5b7c90"
}, },
{ {
"value": "Archie", "value": "Archie",
@ -238,7 +266,8 @@
"https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit" "https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit"
], ],
"status": "Retired" "status": "Retired"
} },
"uuid": "2756caae-d2c5-4170-9e76-2b7f1b1fccb1"
}, },
{ {
"value": "BlackHole", "value": "BlackHole",
@ -252,7 +281,8 @@
"BHEK" "BHEK"
], ],
"status": "Retired - Last seen: 2013-10-07" "status": "Retired - Last seen: 2013-10-07"
} },
"uuid": "e6201dc3-01a7-40c5-ba72-02fa470ada53"
}, },
{ {
"value": "Bleeding Life", "value": "Bleeding Life",
@ -267,7 +297,8 @@
"BL2" "BL2"
], ],
"status": "Retired" "status": "Retired"
} },
"uuid": "5abe6240-dce2-4455-8125-ddae2e651243"
}, },
{ {
"value": "Cool", "value": "Cool",
@ -283,7 +314,8 @@
"Styxy Cool" "Styxy Cool"
], ],
"status": "Retired - Last seen: 2013-10-07" "status": "Retired - Last seen: 2013-10-07"
} },
"uuid": "9bb229b0-80f9-48e5-b8fb-00ee7af070cb"
}, },
{ {
"value": "Fiesta", "value": "Fiesta",
@ -298,7 +330,8 @@
"Fiexp" "Fiexp"
], ],
"status": "Retired - Last Seen: beginning of 2015-07" "status": "Retired - Last Seen: beginning of 2015-07"
} },
"uuid": "f50f860a-d795-4f4e-a170-8190f65499ad"
}, },
{ {
"value": "Empire", "value": "Empire",
@ -311,7 +344,8 @@
"RIG-E" "RIG-E"
], ],
"status": "Retired - Last seen: 2016-12-29" "status": "Retired - Last seen: 2016-12-29"
} },
"uuid": "6eb15569-4ddd-4820-9a44-7bca5b303b86"
}, },
{ {
"value": "FlashPack", "value": "FlashPack",
@ -328,17 +362,8 @@
"Vintage Pack" "Vintage Pack"
], ],
"status": "Retired - Last seen: middle of 2015-04" "status": "Retired - Last seen: middle of 2015-04"
} },
}, "uuid": "55a30ccc-8905-4af2-a498-5c0010815cc1"
{
"value": "Glazunov",
"description": "Glazunov is an exploit kit mainly seen behind compromised website in 2012 and 2013. Glazunov compromission is likely the ancestor activity of what became EITest in July 2014. Sibhost and Flimkit later shown similarities with this Exploit Kit",
"meta": {
"refs": [
"https://nakedsecurity.sophos.com/2013/06/24/taking-a-closer-look-at-the-glazunov-exploit-kit/"
],
"status": "Retired - Last seen: maybe end of 2013"
}
}, },
{ {
"value": "GrandSoft", "value": "GrandSoft",
@ -354,7 +379,8 @@
"SofosFO" "SofosFO"
], ],
"status": "Active" "status": "Active"
} },
"uuid": "180b6969-2aca-4642-b684-b57db8f0eff8"
}, },
{ {
"value": "HanJuan", "value": "HanJuan",
@ -367,7 +393,8 @@
"https://twitter.com/kafeine/status/562575744501428226" "https://twitter.com/kafeine/status/562575744501428226"
], ],
"status": "Retired - Last seen: 2015-07" "status": "Retired - Last seen: 2015-07"
} },
"uuid": "886abdc6-db1a-4fc5-afe0-e17d65a83614"
}, },
{ {
"value": "Himan", "value": "Himan",
@ -380,7 +407,8 @@
"High Load" "High Load"
], ],
"status": "Retired - Last seen: 2014-04" "status": "Retired - Last seen: 2014-04"
} },
"uuid": "3d0cb558-7f04-4be8-963e-5f137566b07b"
}, },
{ {
"value": "Impact", "value": "Impact",
@ -390,7 +418,8 @@
"http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html" "http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html"
], ],
"status": "Retired" "status": "Retired"
} },
"uuid": "319357b4-3041-4a71-89c5-51be08041d1b"
}, },
{ {
"value": "Infinity", "value": "Infinity",
@ -405,7 +434,8 @@
"Goon" "Goon"
], ],
"status": "Retired - Last seen: 2014-07" "status": "Retired - Last seen: 2014-07"
} },
"uuid": "4b858835-7b31-4b94-8144-b5175da1551f"
}, },
{ {
"value": "Lightsout", "value": "Lightsout",
@ -417,7 +447,8 @@
"http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html" "http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html"
], ],
"status": "Unknown - Last seen: 2014-03" "status": "Unknown - Last seen: 2014-03"
} },
"uuid": "244c05f8-1a2f-47fb-9dcf-2eaa99ab6aa1"
}, },
{ {
"value": "Nebula", "value": "Nebula",
@ -427,7 +458,8 @@
"http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html" "http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html"
], ],
"status": "Retired - Last seen 2017-03-09" "status": "Retired - Last seen 2017-03-09"
} },
"uuid": "4ca96067-8fdd-4b48-bd34-d2e175e27bad"
}, },
{ {
"value": "Neutrino", "value": "Neutrino",
@ -443,7 +475,8 @@
"Neutrino-v" "Neutrino-v"
], ],
"status": "Retired - Last seen 2017-04-10" "status": "Retired - Last seen 2017-04-10"
} },
"uuid": "218ae39b-2f92-4355-91c6-50cce319d26d"
}, },
{ {
"value": "Niteris", "value": "Niteris",
@ -457,7 +490,8 @@
"CottonCastle" "CottonCastle"
], ],
"status": "Unknown - Last seen: 2015-11" "status": "Unknown - Last seen: 2015-11"
} },
"uuid": "b344133f-e223-4fda-8fb2-88ad7999e549"
}, },
{ {
"value": "Nuclear", "value": "Nuclear",
@ -473,7 +507,8 @@
"Neclu" "Neclu"
], ],
"status": "Retired - Last seen: 2015-04-30" "status": "Retired - Last seen: 2015-04-30"
} },
"uuid": "e7c516f9-5222-4f0d-b80b-ae9f4c24583d"
}, },
{ {
"value": "Phoenix", "value": "Phoenix",
@ -487,7 +522,8 @@
"PEK" "PEK"
], ],
"status": "Retired" "status": "Retired"
} },
"uuid": "0df2c7a6-046f-4489-8c77-0999c92c839d"
}, },
{ {
"value": "Private Exploit Pack", "value": "Private Exploit Pack",
@ -501,7 +537,8 @@
"PEP" "PEP"
], ],
"status": "Retired" "status": "Retired"
} },
"uuid": "cfd0a4af-f559-496f-b56b-97145ea4e4c3"
}, },
{ {
"value": "Redkit", "value": "Redkit",
@ -513,7 +550,8 @@
"https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/" "https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/"
], ],
"status": "Retired" "status": "Retired"
} },
"uuid": "6958ff90-75e8-47ee-ab07-daa8d487130c"
}, },
{ {
"value": "Sakura", "value": "Sakura",
@ -523,19 +561,25 @@
"http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html" "http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html"
], ],
"status": "Retired - Last seen: 2013-09" "status": "Retired - Last seen: 2013-09"
} },
"uuid": "12af9112-3ac5-4422-858e-a22c293c6117"
},
{
"value": "SPL",
"description": "SPL exploit kit was mainly seen in 2012/2013 most often associated with ZeroAccess and Scareware/FakeAV",
"meta": {
"refs": [
"http://www.malwaresigs.com/2012/12/05/spl-exploit-kit/"
],
"status": "Retired - Last seen: 2015-04",
"synonyms": [
"SPL_Data",
"SPLNet",
"SPL2"
]
},
"uuid": "15936d30-c151-4051-835e-df327143ce76"
}, },
{
"value": "SPL",
"description": "SPL exploit kit was mainly seen in 2012/2013 most often associated with ZeroAccess and Scareware/FakeAV",
"meta": {
"refs": ["http://www.malwaresigs.com/2012/12/05/spl-exploit-kit/"],
"status": "Retired - Last seen: 2015-04",
"synonyms": ["SPL_Data",
"SPLNet",
"SPL2"],
}
},
{ {
"value": "Sundown", "value": "Sundown",
"description": "Sundown Exploit Kit is mainly built out of stolen code from other exploit kits", "description": "Sundown Exploit Kit is mainly built out of stolen code from other exploit kits",
@ -551,7 +595,8 @@
], ],
"status": "Retired - Last seen 2017-03-08", "status": "Retired - Last seen 2017-03-08",
"colour": "#C03701" "colour": "#C03701"
} },
"uuid": "670e28c4-001a-4ba4-b276-441620225123"
}, },
{ {
"value": "Sweet-Orange", "value": "Sweet-Orange",
@ -565,7 +610,8 @@
"Anogre" "Anogre"
], ],
"status": "Retired - Last seen: 2015-04-05" "status": "Retired - Last seen: 2015-04-05"
} },
"uuid": "222bc508-4d8d-4972-9cac-65192cfefd43"
}, },
{ {
"value": "Styx", "value": "Styx",
@ -577,7 +623,8 @@
"http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html" "http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html"
], ],
"status": "Retired - Last seen: 2014-06" "status": "Retired - Last seen: 2014-06"
} },
"uuid": "006eaa87-e8a6-4808-93ff-302b52c628b0"
}, },
{ {
"value": "WhiteHole", "value": "WhiteHole",
@ -587,7 +634,8 @@
"http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html" "http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html"
], ],
"status": "Retired - Last seen: 2013-12" "status": "Retired - Last seen: 2013-12"
} },
"uuid": "570bc715-7fe8-430b-bd2e-5512c95f2370"
}, },
{ {
"value": "Unknown", "value": "Unknown",
@ -598,10 +646,11 @@
"https://twitter.com/node5", "https://twitter.com/node5",
"https://twitter.com/kahusecurity" "https://twitter.com/kahusecurity"
] ]
} },
"uuid": "00815961-3249-4e2e-9421-bb57feb73bb2"
} }
], ],
"version": 5, "version": 7,
"uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01", "uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01",
"description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years", "description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
"authors": [ "authors": [