From b75e9cf59da92028e60e7026eb506dd00ce40a42 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Thu, 23 Feb 2017 10:14:18 +0100 Subject: [PATCH 01/22] Gutemberg on first 10 --- clusters/tool.json | 251 +++++++++++++++++++++++++++++++-------------- 1 file changed, 173 insertions(+), 78 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index 99732f7..80f092b 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
@@ -1,83 +1,178 @@ { "values": [ - { - "value": "PlugX", - "description": "Malware" - }, - { - "value": "MSUpdater" - }, - { - "value": "Lazagne", - "description": "A password recovery tool regularly used by attackers" - }, - { - "value": "Poison Ivy", - "description": "Poison Ivy is a RAT which was freely available and first released in 2005.", - "meta": { - "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf" - ] - } - }, - { - "value": "SPIVY", - "description": "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.", - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" - ] - } - }, - { - "value": "Torn RAT" - }, - { - "value": "OzoneRAT", - "meta": { - "refs": [ - "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat" - ], - "synonyms": [ - "Ozone RAT", - "ozonercp" - ] - } - }, - { - "value": "ZeGhost" - }, - { - "value": "Elise Backdoor", - "meta": { - "synonyms": [ - "Elise" - ] - } - }, - { - "value": "Trojan.Laziok", - "meta": { - "synonyms": [ - "Laziok" - ], - "refs": [ - "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector" - ] - }, - "description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer." 
- }, - { - "value": "Slempo", - "description": "Android-based malware", - "meta": { - "synonyms": [ - "GM-Bot", - "Acecard" - ] - } - }, - { + { + "value" : "PlugX", + "description" : "Malware", + "meta" : { + "refs" : [ + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx" + ], + "synonyms" : [ + "W32/Backdoor.FSZO-5117", + "Gen:Trojan.Heur.JP.juW@ayZZvMb", + "Trojan.Inject1.6386", + "Win32/Korplug.A", + "Trojan.Win32.Korplug", + "Backdoor/Win32.Plugx", + "Backdoor.Win32.Agent.dhwf", + "W32/Korplug.CH!tr" + ], + "category" : [ + "rat" + ] + } + }, + { + "value" : "MSUpdater", + "description" : " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", + "meta" : { + "refs" : [ + "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx" + ], + "category" : [ + "rat" + ] + } + }, + { + "value" : "Lazagne", + "description" : "A password sthealing tool regularly used by attackers", + "meta" : { + "refs" : [ + "https://github.com/AlessandroZ/LaZagne" + ], + "category" : [ + "tool" + ] + } + }, + { + "value" : "Poison Ivy", + "description" : "Poison Ivy is a RAT which was freely available and first released in 2005.", + "meta" : { + "refs" : [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", + "https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml" + ], + "synonyms" : [ + "Backdoor.Win32.PoisonIvy", + "Gen:Trojan.Heur.PT" + ], + "category" : [ + "rat" + ] + } + }, + { + "value" : "SPIVY", + "description" : "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.", + "meta" : { + "refs" : [ + "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" + ], + "category" : [ + "rat" + ] + } + }, + { + "value" : "Torn RAT", + "meta" : { + "refs" : [ + 
"https://www.crowdstrike.com/blog/whois-anchor-panda/" + ], + "synonyms" : [ + "Anchor Panda" + ], + "category" : [ + "rat" + ] + } + }, + { + "value" : "OzoneRAT", + "meta" : { + "refs" : [ + "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat" + ], + "synonyms" : [ + "Ozone RAT", + "ozonercp" + ], + "category" : [ + "rat" + ] + } + }, + { + "value" : "ZeGhost", + "description" : "ZeGhots is a RAT which was freely available and first released in 2014.", + "meta" : { + "refs" : [ + "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aWin32%2fZegost.BW" + ], + "synonyms" : [ + "BackDoor-FBZT!52D84425CDF2", + "Trojan.Win32.Staser.ytq", + "Win32/Zegost.BW" + ], + "category" : [ + "rat" + ] + } + }, + { + "value" : "Elise Backdoor", + "description" : " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", + "meta" : { + "refs" : [ + "http://thehackernews.com/2015/08/elise-malware-hacking.html" + ], + "synonyms" : [ + "Elise" + ], + "category" : [ + "dropper", + "stealer" + ] + } + }, + { + "value" : "Trojan.Laziok", + "description" : "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.", + "meta" : { + "refs" : [ + "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector" + ], + "synonyms" : [ + "Laziok" + ], + "category" : [ + "stealer", + "reco" + ] + } + }, + { + "value" : "Slempo", + "description" : "Android-based malware", + "meta" : { + "refs" : [ + "https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/" + ], + "synonyms" : [ + "GM-Bot", + "SlemBunk", + "Bankosy", + "Acecard" + ], + "category" : [ + "spyware", + "android" + ] + } + }, + { "value": "PWOBot", "description": "We have discovered a malware family named ‘PWOBot’ that is fairly 
unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.", "meta": { From c6ac4d847c382fca4fa1c39516e6aabd4bcc0d16 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 13:25:38 +0100 Subject: [PATCH 02/22] Remove EK and Ransomwares --- clusters/tool.json | 32 -------------------------------- 1 file changed, 32 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index 80f092b..2539cee 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
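Review bot: The new Elise Backdoor object is given the MSUpdater description verbatim (` Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009`, leading space included), which does not match its own thehackernews ref, so it needs its own text or none. The MSUpdater ref ends in `.pdfx`, which looks like a typo for `.pdf`, and the new descriptions carry `sthealing` and `ZeGhots`. Torn RAT gains `Anchor Panda` as a synonym, but the CrowdStrike ref it cites reads as an adversary write-up, so this appears to be an actor name placed in a tool cluster — worth confirming before it is used for correlation. The rewritten objects also use `"value" : ...` spacing while the untouched entries below use `"value": ...`.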
@@ -1068,29 +1068,12 @@ ] } }, - { - "value": "Angler EK", - "description": "Angler Exploit Kit is a hacking tool that is produced to search for Java and Flash Player vulnerabilities on the attacked PC and use them with the aim to distribute malware infections. Angler Exploit Kit commonly checks to see if the PC it is proliferating to has Java or Flash.", - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-angler-exploit-kit-part-1-exploit-kit-fundamentals/", - "https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/" - ] - } - }, { "value": "Bedep" }, { "value": "Cromptui" }, - { - "value": "Cryptowall", - "description": "CryptoWall is a new and highly destructive variant of ransomware. Ransomware is malicious software (malware) that infects your computer and holds hostage something of value to you in exchange for money. Older ransomware used to block access to computers. Newer ransomware, such as CryptoWall, takes your data hostage." - }, - { - "value": "CTB-Locker" - }, { "value": "Dridex", "description": "Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.", @@ -1133,14 +1116,6 @@ ] } }, - { - "value": "Nuclear Pack", - "meta": { - "synonyms": [ - "Nuclear EK" - ] - } - }, { "value": "Palevo" }, @@ -1157,13 +1132,6 @@ ] } }, - { - "value": "Rig EK" - }, - { - "value": "Teslacrypt" - }, - { "value": "Upatre", "description": "Upatre is a Trojan downloader that is used to set up other threats on the victim's PC. Upatre has been used recently in several high profile Trojan attacks involving the Gameover Trojan. " }, From 796382d4ab2eb5e3795193a4c5da4b5841d65f87 Mon Sep 17 00:00:00 2001 
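Review bot: The third hunk (`@@ -1157,13 +1132,6 @@`) deletes the `{` that opens the Upatre object together with the Rig EK and Teslacrypt entries — the seven removed lines end with `- {` and the next context line is `"value": "Upatre",` — so `clusters/tool.json` no longer parses after this commit. The opener should stay: `{` immediately before `"value": "Upatre",`. A later patch in the series restores it; squashing that fix into this commit, and running `python -m json.tool clusters/tool.json` before committing, keeps every revision loadable.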
From: Thanat0s Date: Fri, 24 Feb 2017 13:39:53 +0100 Subject: [PATCH 03/22] Remove Lstudio (group using elise) , add info to PWOBOT --- clusters/tool.json | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index 2539cee..fa69da7 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -177,13 +177,23 @@ "description": "We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.", "meta": { "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/" + "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/" + ], + "synonyms" : [ + "PWOLauncher", + "PWOHTTPD", + "PWOKeyLogger", + "PWOMiner", + "PWOPyExec", + "PWOQuery" + ], + "category" : [ + "dropper", + "coinminer", + "spyware" ] } }, - { - "value": "Lstudio" - }, { "value": "Joy RAT" }, From 0513668fcfa881fec3718ac84ed40b5bc99e384b Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 13:46:12 +0100 Subject: [PATCH 04/22] =?UTF-8?q?Remove=20JOYRat=20->=20team=20->=20https:?= =?UTF-8?q?//www.crowdstrike.com/blog/whois-numbered-panda/=C2=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- clusters/tool.json | 3 --- 1 file changed, 3 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index fa69da7..cb1687a 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
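Review bot: The six synonyms added for PWOBot (`PWOLauncher`, `PWOHTTPD`, `PWOKeyLogger`, `PWOMiner`, `PWOPyExec`, `PWOQuery`) read as names of the bot's individual modules rather than alternative names for the family, so consumers that match on `synonyms` may be misled — worth confirming against the cited Unit 42 write-up. The `refs` URL is deleted and re-added with only its indentation changed, which is diff noise, and the new keys use `"synonyms" :` / `"category" :` spacing while the existing `"refs":` in the same object does not.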
@@ -194,9 +194,6 @@ ] } }, - { - "value": "Joy RAT" - }, { "value": "Lost Door RAT", "description": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.", From bb088f97d1f5d5c2a60df21584127af71381c706 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 13:56:33 +0100 Subject: [PATCH 05/22] =?UTF-8?q?Update=C2=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- clusters/tool.json | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index cb1687a..7ff7bb7 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -199,10 +199,14 @@ "description": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.", "meta": { "synonyms": [ - "LostDoor RAT" + "LostDoor RAT", + "BKDR_LODORAT" ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/" + ], + "category": [ + "rat" ] } }, @@ -210,10 +214,14 @@ "value": "njRAT", "meta": { "synonyms": [ - "Bladabindi" + "Bladabindi", + "Jorik" ], "refs": [ "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf" + ], + "category": [ + "rat" ] } }, 
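Review bot: In the njRAT hunk (`@@ -210,10 +214,14 @@`), `Jorik` is added as a synonym, but that appears to be a broad vendor detection family name rather than an alias for njRAT, so it risks false merges wherever synonyms drive matching — confirm the intent before keeping it. `BKDR_LODORAT` in the Lost Door hunk is the detection name that entry's own description cites, which is a better fit. If vendor detection names are to be collected, a dedicated meta key (a constructed name such as `"detection_names"`) would keep them apart from true aliases.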
@@ -221,10 +229,14 @@ "value": "NanoCoreRAT", "meta": { "synonyms": [ - "NanoCore" + "NanoCore", + "Nancrat", + "Zurten", + "Atros2.CKPN" ], "refs": [ - "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter" + "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter", + "https://nanocore.io/" ] } }, From f496c34fda623a2949e3f16edc2244b9d14e942c Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 13:57:33 +0100 Subject: [PATCH 06/22] =?UTF-8?q?generic=20plugx=20names=C2=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- clusters/tool.json | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index 7ff7bb7..7bb01ec 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -8,14 +8,11 @@ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx" ], "synonyms" : [ - "W32/Backdoor.FSZO-5117", - "Gen:Trojan.Heur.JP.juW@ayZZvMb", + "Backdoor.FSZO-5117", + "Trojan.Heur.JP.juW@ayZZvMb", "Trojan.Inject1.6386", - "Win32/Korplug.A", - "Trojan.Win32.Korplug", - "Backdoor/Win32.Plugx", - "Backdoor.Win32.Agent.dhwf", - "W32/Korplug.CH!tr" + "Korplug", + "Agent.dhwf" ], "category" : [ "rat" From c1848b1a3a82a440429318de40b93e865405adb3 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 13:59:14 +0100 Subject: [PATCH 07/22] =?UTF-8?q?json=20issue=C2=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- clusters/tool.json | 1 + 1 file changed, 1 insertion(+) diff --git a/clusters/tool.json b/clusters/tool.json index 7bb01ec..eb7a68a 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
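Review bot: This NanoCoreRAT hunk adds synonyms and a ref but, unlike the Lost Door and njRAT hunks in the same commit, does not add `"category": [ "rat" ]`, leaving the three entries inconsistent; add it after the `refs` array. `https://nanocore.io/` appears to be the tool's own distribution site rather than an analysis, so a vendor write-up or an archived copy would be a more durable reference for consumers that follow refs. `Atros2.CKPN` is also indented differently from its neighbours.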
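Review bot: Stripping the vendor prefixes leaves `Agent.dhwf` and `Trojan.Heur.JP.juW@ayZZvMb` as PlugX synonyms, and those look like generic or heuristic detection labels rather than family aliases, so a consumer correlating on `synonyms` will match unrelated samples — worth confirming they are PlugX-specific before keeping them. `Korplug` is a genuine alias and is fine. Detection names, if retained, belong under a separate meta key rather than `synonyms`.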
@@ -1148,6 +1148,7 @@ ] } }, + { "value": "Upatre", "description": "Upatre is a Trojan downloader that is used to set up other threats on the victim's PC. Upatre has been used recently in several high profile Trojan attacks involving the Gameover Trojan. " }, From 8c2c47810ef696b102068c12d01cb6277b125fa2 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 14:00:42 +0100 Subject: [PATCH 08/22] =?UTF-8?q?Locky=20removed=20>=20ransomware=C2=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- clusters/tool.json | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index eb7a68a..c2f5985 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -1119,10 +1119,6 @@ ] } }, - { - "value": "Locky", - "description": "Ransomware" - }, { "value": "Necurs", "description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.", @@ -1394,6 +1390,7 @@ "refs": [ "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar" ] + ck } }, { From 8240e5f6615cf3276f70d57ebe0597062b080411 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 14:05:57 +0100 Subject: [PATCH 09/22] =?UTF-8?q?json=20typo=C2=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- clusters/tool.json | 1 - 1 file changed, 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index c2f5985..5e9d711 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -1390,7 +1390,6 @@ "refs": [ "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar" ] - ck } }, { From b124d8a08d6aa9c7833344bb2e4e3b3ce34fbc6e Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 15:52:08 +0100 Subject: [PATCH 10/22] Follow the format --- clusters/tool.json | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) 
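Review bot: The second hunk of patch 08 (`@@ -1394,6 +1390,7 @@`) adds a bare `ck` line after the Shell Crew `refs` array, which is not valid JSON, so the file fails to parse at that commit; the line should not be there (patch 09 removes it again). Squashing that fix into the commit that introduced it, and running `python -m json.tool` on each changed cluster file before committing, would keep every revision of the galaxy loadable.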
diff --git a/clusters/tool.json b/clusters/tool.json index 5e9d711..d4e8413 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -14,7 +14,7 @@ "Korplug", "Agent.dhwf" ], - "category" : [ + "type" : [ "rat" ] } @@ -26,7 +26,7 @@ "refs" : [ "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx" ], - "category" : [ + "type" : [ "rat" ] } @@ -38,7 +38,7 @@ "refs" : [ "https://github.com/AlessandroZ/LaZagne" ], - "category" : [ + "type" : [ "tool" ] } @@ -55,7 +55,7 @@ "Backdoor.Win32.PoisonIvy", "Gen:Trojan.Heur.PT" ], - "category" : [ + "type" : [ "rat" ] } @@ -67,7 +67,7 @@ "refs" : [ "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" ], - "category" : [ + "type" : [ "rat" ] } @@ -81,7 +81,7 @@ "synonyms" : [ "Anchor Panda" ], - "category" : [ + "type" : [ "rat" ] } @@ -96,7 +96,7 @@ "Ozone RAT", "ozonercp" ], - "category" : [ + "type" : [ "rat" ] } @@ -113,7 +113,7 @@ "Trojan.Win32.Staser.ytq", "Win32/Zegost.BW" ], - "category" : [ + "type" : [ "rat" ] } @@ -128,7 +128,7 @@ "synonyms" : [ "Elise" ], - "category" : [ + "type" : [ "dropper", "stealer" ] @@ -144,7 +144,7 @@ "synonyms" : [ "Laziok" ], - "category" : [ + "type" : [ "stealer", "reco" ] @@ -163,7 +163,7 @@ "Bankosy", "Acecard" ], - "category" : [ + "type" : [ "spyware", "android" ] @@ -184,7 +184,7 @@ "PWOPyExec", "PWOQuery" ], - "category" : [ + "type" : [ "dropper", "coinminer", "spyware" @@ -202,7 +202,7 @@ "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/" ], - "category": [ + "type": [ "rat" ] } @@ -217,7 +217,7 @@ "refs": [ "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf" ], - "category": [ + "type": [ "rat" ] } From 7265af66128a5041fa81257477045a41069d4a4b Mon Sep 17 00:00:00 2001 
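Review bot: Renaming `category` to `type` in these fourteen hunks puts an array under a key that `schema_clusters.json` still declares as `"type": "string"` (the schema is only widened later in the series), so the first fourteen tool entries fail schema validation at this commit. The schema change and the data change belong in the same commit so each revision validates. The values themselves (`reco`, `coinminer`, `rat`, `tool`) remain free-form abbreviations; an `"enum"` on the `type` items in the schema would pin the vocabulary.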
From: Thanat0s Date: Fri, 24 Feb 2017 16:24:59 +0100 Subject: [PATCH 11/22] go 4 string --- clusters/tool.json | 57 +++++++++++----------------------------------- 1 file changed, 13 insertions(+), 44 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index d4e8413..c59b455 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -14,9 +14,7 @@ "Korplug", "Agent.dhwf" ], - "type" : [ - "rat" - ] + "type" : "rat" } }, { @@ -26,9 +24,7 @@ "refs" : [ "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx" ], - "type" : [ - "rat" - ] + "type" : "rat" } }, { @@ -38,9 +34,7 @@ "refs" : [ "https://github.com/AlessandroZ/LaZagne" ], - "type" : [ - "tool" - ] + "type" : "tool" } }, { @@ -55,9 +49,7 @@ "Backdoor.Win32.PoisonIvy", "Gen:Trojan.Heur.PT" ], - "type" : [ - "rat" - ] + "type" : "rat" } }, { @@ -67,9 +59,7 @@ "refs" : [ "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" ], - "type" : [ - "rat" - ] + "type" :"rat" } }, { @@ -81,9 +71,7 @@ "synonyms" : [ "Anchor Panda" ], - "type" : [ - "rat" - ] + "type": "rat" } }, { @@ -113,9 +101,7 @@ "Trojan.Win32.Staser.ytq", "Win32/Zegost.BW" ], - "type" : [ - "rat" - ] + "type" : "rat" } }, { @@ -128,10 +114,7 @@ "synonyms" : [ "Elise" ], - "type" : [ - "dropper", - "stealer" - ] + "type" : "dropper, stealer" } }, { @@ -144,10 +127,7 @@ "synonyms" : [ "Laziok" ], - "type" : [ - "stealer", - "reco" - ] + "type" : "stealer ,reco" } }, { @@ -163,10 +143,7 @@ "Bankosy", "Acecard" ], - "type" : [ - "spyware", - "android" - ] + "type" : "spyware, android" } }, { @@ -184,11 +161,7 @@ "PWOPyExec", "PWOQuery" ], - "type" : [ - "dropper", - "coinminer", - "spyware" - ] + "type" : "dropper, coinminer, spyware" } }, { @@ -202,9 +175,7 @@ "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/" ], - "type": [ - "rat" - ] + "type": "rat" } }, { 
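Review bot: Collapsing the `type` arrays into strings such as `"dropper, stealer"`, `"stealer ,reco"` and `"dropper, coinminer, spyware"` stores a list inside a string with inconsistent separators, so every consumer must split on an undocumented delimiter; the same applies to every hunk of this patch. The OzoneRAT entry is not touched and keeps `"type" : [ "rat" ]`, so the key now has two different value types across the document. Spacing is also irregular across the hunks (`"type" :"rat"`, `"type": "rat"`, `"type" : "rat"`). Keeping the array form for every entry is the simpler, schema-friendly shape.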
@@ -217,9 +188,7 @@ "refs": [ "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf" ], - "type": [ - "rat" - ] + "type": "rat" } }, { From a29a5afbe8fa10cf0ee523257b03305a531aa31d Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 23:36:45 +0100 Subject: [PATCH 12/22] update 2 array --- clusters/tool.json | 349 +++++++++++++++++++++++-------------------- schema_clusters.json | 6 +- 2 files changed, 195 insertions(+), 160 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index c59b455..20e942b 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
@@ -1,167 +1,194 @@ { "values": [ - { - "value" : "PlugX", - "description" : "Malware", - "meta" : { - "refs" : [ - "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx" - ], - "synonyms" : [ - "Backdoor.FSZO-5117", - "Trojan.Heur.JP.juW@ayZZvMb", - "Trojan.Inject1.6386", - "Korplug", - "Agent.dhwf" - ], - "type" : "rat" - } - }, - { - "value" : "MSUpdater", - "description" : " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", - "meta" : { - "refs" : [ - "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx" - ], - "type" : "rat" - } - }, - { - "value" : "Lazagne", - "description" : "A password sthealing tool regularly used by attackers", - "meta" : { - "refs" : [ - "https://github.com/AlessandroZ/LaZagne" - ], - "type" : "tool" - } - }, - { - "value" : "Poison Ivy", - "description" : "Poison Ivy is a RAT which was freely available and first released in 2005.", - "meta" : { - "refs" : [ - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", - "https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml" - ], - "synonyms" : [ - "Backdoor.Win32.PoisonIvy", - "Gen:Trojan.Heur.PT" - ], - "type" : "rat" - } - }, - { - "value" : "SPIVY", - "description" : "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.", - "meta" : { - "refs" : [ - "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" - ], - "type" :"rat" - } - }, - { - "value" : "Torn RAT", - "meta" : { - "refs" : [ - "https://www.crowdstrike.com/blog/whois-anchor-panda/" - ], - "synonyms" : [ - "Anchor Panda" - ], - "type": "rat" - } - }, - { - "value" : "OzoneRAT", - "meta" : { - "refs" : [ - "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat" - ], - 
"synonyms" : [ - "Ozone RAT", - "ozonercp" - ], - "type" : [ - "rat" - ] - } - }, - { - "value" : "ZeGhost", - "description" : "ZeGhots is a RAT which was freely available and first released in 2014.", - "meta" : { - "refs" : [ - "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aWin32%2fZegost.BW" - ], - "synonyms" : [ - "BackDoor-FBZT!52D84425CDF2", - "Trojan.Win32.Staser.ytq", - "Win32/Zegost.BW" - ], - "type" : "rat" - } - }, - { - "value" : "Elise Backdoor", - "description" : " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", - "meta" : { - "refs" : [ - "http://thehackernews.com/2015/08/elise-malware-hacking.html" - ], - "synonyms" : [ - "Elise" - ], - "type" : "dropper, stealer" - } - }, - { - "value" : "Trojan.Laziok", - "description" : "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.", - "meta" : { - "refs" : [ - "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector" - ], - "synonyms" : [ - "Laziok" - ], - "type" : "stealer ,reco" - } - }, - { - "value" : "Slempo", - "description" : "Android-based malware", - "meta" : { - "refs" : [ - "https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/" - ], - "synonyms" : [ - "GM-Bot", - "SlemBunk", - "Bankosy", - "Acecard" - ], - "type" : "spyware, android" - } - }, - { + { + "value": "PlugX", + "description": "Malware", + "meta": { + "refs": [ + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx" + ], + "synonyms": [ + "Backdoor.FSZO-5117", + "Trojan.Heur.JP.juW@ayZZvMb", + "Trojan.Inject1.6386", + "Korplug", + "Agent.dhwf" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "MSUpdater", + "description": " Trojan (RAT) linked to current targeted attacks and others dating back 
to at least early 2009", + "meta": { + "refs": [ + "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "Lazagne", + "description": "A password sthealing tool regularly used by attackers", + "meta": { + "refs": [ + "https://github.com/AlessandroZ/LaZagne" + ], + "type": [ + "tool" + ] + } + }, + { + "value": "Poison Ivy", + "description": "Poison Ivy is a RAT which was freely available and first released in 2005.", + "meta": { + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", + "https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml" + ], + "synonyms": [ + "Backdoor.Win32.PoisonIvy", + "Gen:Trojan.Heur.PT" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "SPIVY", + "description": "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.", + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "Torn RAT", + "meta": { + "refs": [ + "https://www.crowdstrike.com/blog/whois-anchor-panda/" + ], + "synonyms": [ + "Anchor Panda" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "OzoneRAT", + "meta": { + "refs": [ + "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat" + ], + "synonyms": [ + "Ozone RAT", + "ozonercp" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "ZeGhost", + "description": "ZeGhots is a RAT which was freely available and first released in 2014.", + "meta": { + "refs": [ + "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aWin32%2fZegost.BW" + ], + "synonyms": [ + "BackDoor-FBZT!52D84425CDF2", + "Trojan.Win32.Staser.ytq", + "Win32/Zegost.BW" + ], + "type": [ + "rat" + ] + } + }, + { + 
"value": "Elise Backdoor", + "description": " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", + "meta": { + "refs": [ + "http://thehackernews.com/2015/08/elise-malware-hacking.html" + ], + "synonyms": [ + "Elise" + ], + "type": [ + "dropper", + "stealer" + ] + } + }, + { + "value": "Trojan.Laziok", + "description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.", + "meta": { + "refs": [ + "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector" + ], + "synonyms": [ + "Laziok" + ], + "type": [ + "stealer", + "reco" + ] + } + }, + { + "value": "Slempo", + "description": "Android-based malware", + "meta": { + "refs": [ + "https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/" + ], + "synonyms": [ + "GM-Bot", + "SlemBunk", + "Bankosy", + "Acecard" + ], + "type": [ + "spyware", + "android" + ] + } + }, + { "value": "PWOBot", "description": "We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. 
Additionally, the malware is delivered via a popular Polish file-sharing web service.", "meta": { "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/" + "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/" ], - "synonyms" : [ - "PWOLauncher", - "PWOHTTPD", - "PWOKeyLogger", - "PWOMiner", - "PWOPyExec", - "PWOQuery" + "synonyms": [ + "PWOLauncher", + "PWOHTTPD", + "PWOKeyLogger", + "PWOMiner", + "PWOPyExec", + "PWOQuery" ], - "type" : "dropper, coinminer, spyware" + "type": [ + "dropper", + "miner", + "spyware" + ] } }, { @@ -175,7 +202,9 @@ "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/" ], - "type": "rat" + "type": [ + "rat" + ] } }, { @@ -188,7 +217,9 @@ "refs": [ "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf" ], - "type": "rat" + "type": [ + "rat" + ] } }, { @@ -198,7 +229,7 @@ "NanoCore", "Nancrat", "Zurten", - "Atros2.CKPN" + "Atros2.CKPN" ], "refs": [ "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter", diff --git a/schema_clusters.json b/schema_clusters.json index 780bfe1..cf64f74 100644 --- a/schema_clusters.json +++ b/schema_clusters.json @@ -74,7 +74,11 @@ "type": "string" }, "type": { - "type": "string" + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } }, "impact": { "type": "string" From d502d5b5bfb31d12bd858c133e9d90ed6de018d4 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 23:46:44 +0100 Subject: [PATCH 13/22] fix side victims of schemaupdate --- clusters/preventive-measure.json | 68 ++++++++++++++++++++++++-------- clusters/tds.json | 28 +++++++++---- 2 files changed, 72 insertions(+), 24 deletions(-) diff --git a/clusters/preventive-measure.json b/clusters/preventive-measure.json index a9f9089..fd9c867 100644 
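Review bot: Inside what is otherwise a reformatting of the first eleven entries, the PWOBot `type` value changes from `coinminer` to `miner`, a vocabulary change hidden in a whitespace commit that consumers filtering on the old value will not notice; either keep `coinminer` here or call the rename out in the commit message. The Elise Backdoor entry still carries the MSUpdater description verbatim (` Trojan (RAT) linked to current targeted attacks …`, leading space included), and the `.pdfx` ref on MSUpdater and the `sthealing` / `ZeGhots` typos survive the rewrite.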
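Review bot: The `type` property in `schema_clusters.json` is widened to an array of unique strings but gets no `enum` and no `minItems`, so `"type": []` and any spelling (`rat`, `Backdoor`, `reco`) all validate; given the values are being reworked across this series, an `"enum"` of the agreed vocabulary, or at least `"minItems": 1`, would stop the drift. `"items": { "type": "string" }` alone also accepts empty strings; `"minLength": 1` on the item schema closes that.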
--- a/clusters/preventive-measure.json +++ b/clusters/preventive-measure.json @@ -8,7 +8,9 @@ "complexity": "Medium", "effectiveness": "High", "impact": "Low", - "type": "Recovery" + "type": [ + "Recovery" + ] }, "value": "Backup and Restore Process", "description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore" @@ -22,7 +24,9 @@ "complexity": "Low", "effectiveness": "High", "impact": "Low", - "type": "GPO" + "type": [ + "GPO" + ] }, "value": "Block Macros", "description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros" @@ -35,7 +39,9 @@ "complexity": "Low", "effectiveness": "Medium", "impact": "Medium", - "type": "GPO", + "type": [ + "GPO" + ], "possible_issues": "Administrative VBS scripts on Workstations" }, "value": "Disable WSH", @@ -46,7 +52,9 @@ "complexity": "Low", "effectiveness": "Medium", "impact": "Low", - "type": "Mail Gateway" + "type": [ + "Mail Gateway" + ] }, "value": "Filter Attachments Level 1", "description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub" @@ -56,7 +64,9 @@ "complexity": "Low", "effectiveness": "High", "impact": "High", - "type": "Mail Gateway", + "type": [ + "Mail Gateway" + ], "possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) " }, "value": "Filter Attachments Level 2", 
@@ -71,7 +81,9 @@ "complexity": "Medium", "effectiveness": "Medium", "impact": "Medium", - "type": "GPO", + "type": [ + "GPO" + ], "possible_issues": "Web embedded software installers" }, "value": "Restrict program execution", @@ -85,7 +97,9 @@ "complexity": "Low", "effectiveness": "Low", "impact": "Low", - "type": "User Assistence" + "type": [ + "User Assistence" + ] }, "value": "Show File Extensions", "description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")" @@ -98,7 +112,9 @@ "complexity": "Low", "effectiveness": "Medium", "impact": "Low", - "type": "GPO", + "type": [ + "GPO" + ], "possible_issues": "administrator resentment" }, "value": "Enforce UAC Prompt", @@ -109,7 +125,9 @@ "complexity": "Medium", "effectiveness": "Medium", "impact": "Medium", - "type": "Best Practice", + "type": [ + "Best Practice" + ], "possible_issues": "igher administrative costs" }, "value": "Remove Admin Privileges", @@ -120,7 +138,9 @@ "complexity": "Medium", "effectiveness": "Low", "impact": "Low", - "type": "Best Practice" + "type": [ + "Best Practice" + ] }, "value": "Restrict Workstation Communication", "description": "Activate the Windows Firewall to restrict workstation to workstation communication" @@ -129,7 +149,9 @@ "meta": { "complexity": "Medium", "effectiveness": "High", - "type": "Advanced Malware Protection" + "type": [ + "Advanced Malware Protection" + ] }, "value": "Sandboxing Email Input", "description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis" 
@@ -138,7 +160,9 @@
 "meta": {
 "complexity": "Medium",
 "effectiveness": "Medium",
- "type": "3rd Party Tools"
+ "type": [
+ "3rd Party Tools"
+ ]
 },
 "value": "Execution Prevention",
 "description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor"
@@ -151,7 +175,9 @@
 "complexity": "Low",
 "effectiveness": "Medium",
 "impact": "Medium",
- "type": "GPO",
+ "type": [
+ "GPO"
+ ],
 "possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts."
 },
 "value": "Change Default \"Open With\" to Notepad",
@@ -165,7 +191,9 @@
 "complexity": "Low",
 "effectiveness": "Medium",
 "impact": "Low",
- "type": "Monitoring"
+ "type": [
+ "Monitoring"
+ ]
 },
 "value": "File Screening",
 "description": "Server-side file screening with the help of File Server Resource Manager"
@@ -179,7 +207,9 @@
 "complexity": "Medium",
 "effectiveness": "Medium",
 "impact": "Medium",
- "type": "GPO",
+ "type": [
+ "GPO"
+ ],
 "possible_issues": "Configure & test extensively"
 },
 "value": "Restrict program execution #2",
@@ -194,7 +224,9 @@
 "complexity": "Medium",
 "effectiveness": "Medium",
 "impact": "Low",
- "type": "GPO"
+ "type": [
+ "GPO"
+ ]
 },
 "value": "EMET",
 "description": "Detect and block exploitation techniques"
@@ -207,7 +239,9 @@
 "complexity": "Medium",
 "effectiveness": "Low",
 "impact": "Low",
- "type": "3rd Party Tools"
+ "type": [
+ "3rd Party Tools"
+ ]
 },
 "value": "Sysmon",
 "description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring"
diff --git a/clusters/tds.json b/clusters/tds.json
index 5cbf996..6a06fbb 100755
--- a/clusters/tds.json
+++ b/clusters/tds.json
@@ -7,7 +7,9 @@
 "refs": [
 "https://keitarotds.com/"
 ],
- "type": "Commercial"
+ "type": [
+ "Commercial"
+ ]
 }
 },
 {
@@ -17,7 +19,9 @@
 "refs": [
 "http://kytoon.com/sutra-tds.html"
 ],
- "type": "Commercial"
+ "type": [
+ "Commercial"
+ ]
 }
 },
 {
@@ -30,7 +34,9 @@
 "synonyms": [
 "Stds"
 ],
- "type": "OpenSource"
+ "type": [
+ "OpenSource"
+ ]
 }
 },
 {
@@ -40,7 +46,9 @@
 "refs": [
 "http://bosstds.com/"
 ],
- "type": "Commercial"
+ "type": [
+ "Commercial"
+ ]
 }
 },
 {
@@ -50,21 +58,27 @@
 "refs": [
 "http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html"
 ],
- "type": "Underground"
+ "type": [
+ "Underground"
+ ]
 }
 },
 {
 "value": "Futuristic TDS",
 "description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer",
 "meta": {
- "type": "Underground"
+ "type": [
+ "Underground"
+ ]
 }
 },
 {
 "value": "Orchid TDS",
 "description": "Orchid TDS was sold underground. Rare usage",
 "meta": {
- "type": "Underground"
+ "type": [
+ "Underground"
+ ]
 }
 }
 ],
From 50d2b1c87126dd395a246d3cf4602956b8150b04 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sat, 25 Feb 2017 00:42:44 +0100
Subject: [PATCH 14/22] go for caro, add hi-zor
---
 clusters/tool.json | 56 +++++++++++++++++++++++++++++++---------------
 1 file changed, 38 insertions(+), 18 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 20e942b..5469aec 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -15,7 +15,7 @@
 "Agent.dhwf"
 ],
 "type": [
- "rat"
+ "Backdoor"
 ]
 }
 },
@@ -27,7 +27,7 @@
 "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx"
 ],
 "type": [
- "rat"
+ "Backdoor"
 ]
 }
 },
@@ -39,7 +39,7 @@
 "https://github.com/AlessandroZ/LaZagne"
 ],
 "type": [
- "tool"
+ "HackTool"
 ]
 }
 },
@@ -56,7 +56,7 @@
 "Gen:Trojan.Heur.PT"
 ],
 "type": [
- "rat"
+ "Backdoor"
 ]
 }
 },
@@ -68,7 +68,7 @@
 "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"
 ],
 "type": [
- "rat"
+ "Backdoor"
 ]
 }
 },
@@ -82,7 +82,7 @@
 "Anchor Panda"
 ],
 "type": [
- "rat"
+ "Backdoor"
 ]
 }
 },
@@ -97,7 +97,7 @@
 "ozonercp"
 ],
 "type": [
- "rat"
+ "Backdoor"
 ]
 }
 },
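Review bot: The reference URL `https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx` on the context line of the MSUpdater hunk (`@@ -27,7 +27,7 @@`) ends in `.pdfx`, which looks like a stray trailing character rather than a real extension; the commit edits this entry's `type` but leaves the ref as is. Since the single ref is the only provenance the record carries, it is worth verifying the link resolves and dropping the extra character if it does not.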
@@ -114,13 +114,13 @@
 "Win32/Zegost.BW"
 ],
 "type": [
- "rat"
+ "Backdoor"
 ]
 }
 },
 {
 "value": "Elise Backdoor",
- "description": " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009",
+ "description": "Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009",
 "meta": {
 "refs": [
 "http://thehackernews.com/2015/08/elise-malware-hacking.html"
@@ -130,7 +130,7 @@
 ],
 "type": [
 "dropper",
- "stealer"
+ "PWS"
 ]
 }
 },
@@ -145,7 +145,7 @@
 "Laziok"
 ],
 "type": [
- "stealer",
+ "PWS",
 "reco"
 ]
 }
@@ -164,8 +164,8 @@
 "Acecard"
 ],
 "type": [
- "spyware",
- "android"
+ "Spyware",
+ "AndroidOS"
 ]
 }
 },
@@ -185,9 +185,9 @@
 "PWOQuery"
 ],
 "type": [
- "dropper",
- "miner",
- "spyware"
+ "Dropper",
+ "Miner",
+ "Spyware"
 ]
 }
 },
@@ -203,7 +203,7 @@
 "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/"
 ],
 "type": [
- "rat"
+ "Backdoor"
 ]
 }
 },
@@ -218,7 +218,7 @@
 "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf"
 ],
 "type": [
- "rat"
+ "Backdoor"
 ]
 }
 },
@@ -234,6 +234,9 @@
 "refs": [
 "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter",
 "https://nanocore.io/"
+ ],
+ "type": [
+ "Backdoor"
 ]
 }
 },
@@ -242,6 +245,23 @@
 "meta": {
 "synonyms": [
 "Sakurel"
+ ],
+ "refs": [
+ "https://www.secureworks.com/research/sakula-malware-family"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "Hi-ZOR",
+ "meta": {
+ "refs": [
+ "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
+ ],
+ "type": [
+ "Backdoor"
 ]
 }
 },
From bce60b0318bf06c93d8dc5b58674cdb94b8dd735 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sat, 25 Feb 2017 01:06:19 +0100
Subject: [PATCH 15/22] merge IEchecker et sasfi
---
 clusters/tool.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 5469aec..c636568 100644
--- a/clusters/tool.json
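Review bot: The `type` taxonomy ends up with mixed casing for the same category: the Elise Backdoor hunk (`@@ -130,7 +130,7 @@`) keeps the context line `"dropper",` while the hunk at `@@ -185,9 +185,9 @@` renames that value to `"Dropper"`, and the Laziok hunk (`@@ -145,7 +145,7 @@`) leaves `"reco"` lowercase beside the new `"PWS"`. Anything that filters or groups on `type` will treat `dropper` and `Dropper` as two categories; change the Elise line to `"Dropper",` and pick one spelling for `reco` here, since this commit already rewrites every other value. The Trojan.Naid entry added in PATCH 19 also uses `"Dropper"`, so the capitalised form is the one to standardise on.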
+++ b/clusters/tool.json
@@ -271,9 +271,6 @@
 {
 "value": "EvilGrab"
 },
- {
- "value": "IEChecker"
- },
 {
 "value": "Trojan.Naid"
 },
@@ -496,10 +493,15 @@
 "description": "credential harvester",
 "meta": {
 "synonyms": [
- "Sasfis"
+ "Sasfis",
+ "BackDoor-FDU",
+ "IEChecker"
 ],
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
+ ],
+ "type": [
+ "PWS"
 ]
 }
 },
From e98de5cb5eab6e404d5940d0e1ab8f1853381cc1 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sat, 25 Feb 2017 01:12:42 +0100
Subject: [PATCH 16/22] add derusbi
---
 clusters/tool.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index c636568..bfb4154 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -266,7 +266,19 @@
 }
 },
 {
- "value": "Derusbi"
+ "value": "Derusbi",
+ "meta": {
+ "synonyms": [
+ "TROJ_DLLSERV.BE"
+ ],
+ "refs": [
+ "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf",
+ "https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
 },
 {
 "value": "EvilGrab"
@@ -498,6 +510,7 @@
 "IEChecker"
 ],
 "refs": [
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_sasfis.tl",
 "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
 ],
 "type": [
From 724e836ae93e2c4795dc18458459e65ec72d478e Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sat, 25 Feb 2017 01:18:03 +0100
Subject: [PATCH 17/22] remove coreshell duplicate
---
 clusters/tool.json | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index bfb4154..fab733f 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -270,7 +270,7 @@
 "meta": {
 "synonyms": [
 "TROJ_DLLSERV.BE"
- ],
+ ],
 "refs": [
 "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf",
 "https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf"
@@ -439,9 +439,6 @@
 ]
 }
 },
- {
- "value": "CORESHELL"
- },
 {
 "value": "CHOPSTICK",
 "description": "backdoor",
From 59b5ed6c1bdd1b7a9152e2b52ac78cd898ead5f4 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sat, 25 Feb 2017 01:30:10 +0100
Subject: [PATCH 18/22] update evilgrab
---
 clusters/tool.json | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index fab733f..b2137ed 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -281,7 +281,22 @@
 }
 },
 {
- "value": "EvilGrab"
+ "value": "EvilGrab",
+ "meta": {
+ "synonyms": [
+ "BKDR_HGDER",
+ "BKDR_EVILOGE",
+ "BKDR_NVICM",
+ "Wmonder"
+ ],
+ "refs": [
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/evilgrab-malware-family-used-in-targeted-attacks-in-asia/",
+ "http://researchcenter.paloaltonetworks.com/2015/06/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website/"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
 },
 {
 "value": "Trojan.Naid"
From 7eb98609a36bf0ac7d47a9d95801de2eb366a144 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sat, 25 Feb 2017 01:42:33 +0100
Subject: [PATCH 19/22] udpate trojan.main
---
 clusters/tool.json | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index b2137ed..a77699f 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -299,7 +299,25 @@
 }
 },
 {
- "value": "Trojan.Naid"
+ "value": "Trojan.Naid",
+ "meta": {
+ "synonyms": [
+ "Naid",
+ "Mdmbot.E",
+ "AGENT.GUNZ",
+ "AGENT.AQUP.DROPPER",
+ "AGENT.BMZA",
+ "MCRAT.A",
+ "AGENT.ABQMR"
+ ],
+ "refs": [
+ "https://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid",
+ "http://telussecuritylabs.com/threats/show/TSL20120614-05"
+ ],
+ "type": [
+ "Dropper"
+ ]
+ }
 },
 {
 "value": "Backdoor.Moudoor"
From 3d79a82bf5acdbca00c0e5e3b44aa4319cd5d404 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sat, 25 Feb 2017 02:08:51 +0100
Subject: [PATCH 20/22] Add Tinba banking
---
 clusters/tool.json | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index a77699f..f474d8c 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1,5 +1,23 @@
 {
 "values": [
+ {
+ "value": "Tinba",
+ "description": "Banking Malware",
+ "meta": {
+ "refs": [
+ "https://thehackernews.com/search/label/Zusy%20Malware",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/the-tinbatinybanker-malware/"
+ ],
+ "synonyms": [
+ "Hunter",
+ "Zusy",
+ "TinyBanker"
+ ],
+ "type": [
+ "Banking"
+ ]
+ }
+ },
 {
 "value": "PlugX",
 "description": "Malware",
From d4e3a08995ff94e41e6c754a8ff6fa9f82e5819e Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sat, 25 Feb 2017 02:22:30 +0100
Subject: [PATCH 21/22] add moudor info
---
 clusters/tool.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index f474d8c..ed82b3d 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -338,7 +338,21 @@
 }
 },
 {
- "value": "Backdoor.Moudoor"
+ "value": "Moudoor",
+ "description": "Backdoor.Moudoor, a customized version of Gh0st RAT",
+ "meta": {
+ "synonyms": [
+ "SCAR",
+ "KillProc.14145"
+ ],
+ "refs": [
+ "http://www.darkreading.com/attacks-breaches/elite-chinese-cyberspy-group-behind-bit9-hack/d/d-id/1140495",
+ "https://securityledger.com/2013/09/apt-for-hire-symantec-outs-hidden-lynx-hacking-crew/"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
 },
 {
 "value": "NetTraveler"
From 47903f839401ba47d2083793cff5d87a2ce22849 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sat, 25 Feb 2017 02:28:43 +0100
Subject: [PATCH 22/22] add info to the famous mimikatz
---
 clusters/tool.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index ed82b3d..9562a70 100644
--- a/clusters/tool.json
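Review bot: The first ref added for Tinba in the `@@ -1,5 +1,23 @@` hunk, `https://thehackernews.com/search/label/Zusy%20Malware`, is a site search page rather than an article, so it is not a stable citation and its content will change as the site's tag index changes. The Trend Micro URL on the next line appears, from its slug, to already cover the Tinba/TinyBanker naming, so either drop the search link or replace it with a specific article URL that documents the `Zusy` and `Hunter` synonyms.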
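Review bot: The Moudoor hunk (`@@ -338,7 +338,21 @@`) renames the cluster value from `"Backdoor.Moudoor"` to `"Moudoor"` without keeping the old name anywhere but the free-text description; if, as is usual for these cluster files, `value` is the identifier that tags and cross-references resolve against, anything recorded under the old name silently stops matching after this change. Keep the old name as a synonym so lookups still succeed: `"synonyms": [ "Backdoor.Moudoor", "SCAR", "KillProc.14145" ],`.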
+++ b/clusters/tool.json
@@ -361,7 +361,19 @@
 "value": "Winnti"
 },
 {
- "value": "Mimikatz"
+ "value": "Mimikatz",
+ "description": "Ease Credential stealh and replay, A little tool to play with Windows security.",
+ "meta": {
+ "synonyms": [
+ "Mikatz"
+ ],
+ "refs": [
+ "https://github.com/gentilkiwi/mimikatz"
+ ],
+ "type": [
+ "HackTool"
+ ]
+ }
 },
 {
 "value": "WEBC2"
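Review bot: The new description line `"Ease Credential stealh and replay, A little tool to play with Windows security."` has a typo (`stealh`) and a comma splice joining two sentences; suggest `"description": "Eases credential theft and replay. A little tool to play with Windows security.",`. The synonym `"Mikatz"` is not supported by the single ref given; if it is a vendor detection name it deserves its own ref, otherwise it reads as a misspelling of the value itself and should be dropped.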