From 13be3273c46c2bdaa6fece00be18f166618c18b0 Mon Sep 17 00:00:00 2001
From: raw-data
Date: Fri, 1 Jun 2018 15:57:41 +0100
Subject: [PATCH 1/4] [ADD] Introduced stealer cluster
---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 0d0056c..2b6f345 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,8 @@ to localized information (which is not shared) or additional information (that c
 - [clusters/android.json](clusters/android.json) - Android malware galaxy based on multiple open sources.
 - [clusters/banker.json](clusters/banker.json) - A list of banker malware.
-- [clusters/botnet.json](clusters/botnet.json) - A list of known botnets.
+- [clusters/stealer.json](clusters/stealer.json) - A list of malware stealer.
+- [clusters/banker.json](clusters/banker.json) - A list of banker malware.
 - [clusters/branded_vulnerability.json](clusters/branded_vulnerability.json) - List of known vulnerabilities and exploits.
 - [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.
 - [clusters/microsoft-activity-group.json](clusters/microsoft-activity-group.json) - Activity groups as described by Microsoft.
From 388a2b25b38ad8c37160192ad3e027b37282dda0 Mon Sep 17 00:00:00 2001
From: raw-data
Date: Fri, 1 Jun 2018 15:59:25 +0100
Subject: [PATCH 2/4] [ADD] x2 new info/pwd stealers - Nocturnal Stealer, TeleGrab
---
 clusters/stealer.json | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 clusters/stealer.json
diff --git a/clusters/stealer.json b/clusters/stealer.json
new file mode 100644
index 0000000..8fbf92c
--- /dev/null
+++ b/clusters/stealer.json
@@ -0,0 +1,35 @@
+{
+ "uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
+ "description": "A list of malware stealer.",
+ "source": "Open Sources",
+ "version": 1,
+ "values": [
+ {
+ "meta": {
+ "date": "March 2018.",
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap"
+ ]
+ },
+ "description": "It is designed to steal data found within multiple Chromium and Firefox based browsers, it can also steal many popular cryptocurrency wallets as well as any saved FTP passwords within FileZilla. Nocturnal Stealer uses several anti-VM and anti-analysis techniques, which include but are not limited to: environment fingerprinting, checking for debuggers and analyzers, searching for known virtual machine registry keys, and checking for emulation software.",
+ "value": "Nocturnal Stealer",
+ "uuid": "e7080bce-99b5-4615-a798-a192ed89bd5a"
+ },
+ {
+ "meta": {
+ "date": "March 2018.",
+ "refs": [
+ "https://blog.talosintelligence.com/2018/05/telegrab.html"
+ ]
+ },
+ "description": "The first version stole browser credentials and cookies, along with all text files it can find on the system. The second variant added the ability to collect Telegram's desktop cache and key files, as well as login information for the video game storefront Steam.",
+ "value": "TeleGrab",
+ "uuid": "a6780288-24eb-4006-9ddd-062870c6feec"
+ }
+ ],
+ "authors": [
+ "raw-data"
+ ],
+ "type": "stealer",
+ "name": "Stealer"
+}
From b381d032070c12f17cc131c7f410976ba84873e5 Mon Sep 17 00:00:00 2001
From: raw-data
Date: Fri, 1 Jun 2018 16:02:36 +0100
Subject: [PATCH 3/4] [ADD] Stealer galaxy definition
---
 galaxies/stealer.json | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 galaxies/stealer.json
diff --git a/galaxies/stealer.json b/galaxies/stealer.json
new file mode 100644
index 0000000..8ab1c20
--- /dev/null
+++ b/galaxies/stealer.json
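Review bot: The TeleGrab entry's `"date": "March 2018."` looks copied from the Nocturnal Stealer entry above it; its only reference is the Talos post whose URL path reads 2018/05, so the date is not supported by the cited ref and is probably wrong — worth checking the source before this ships. Both `date` values also carry a trailing period inside a free-text month, which makes them awkward to sort or filter downstream; a bare `"March 2018"` (or whatever form the sibling cluster files already use) would be more consistent. The file is created whole in this hunk, so nothing of it lies outside the view.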
@@ -0,0 +1,9 @@
+{
+ "description": "Malware stealer galaxy.",
+ "type": "stealer",
+ "version": 1,
+ "name": "Stealer",
+ "icon": "key",
+ "uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
+ "namespace": "misp"
+}
From 4e0be5efd8e766f217a74100b2183cea9f4be737 Mon Sep 17 00:00:00 2001
From: raw-data
Date: Fri, 1 Jun 2018 17:13:19 +0100
Subject: [PATCH 4/4] [FIX] botnet file link
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 2b6f345..30bff4a 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ to localized information (which is not shared) or additional information (that c
 - [clusters/android.json](clusters/android.json) - Android malware galaxy based on multiple open sources.
 - [clusters/banker.json](clusters/banker.json) - A list of banker malware.
 - [clusters/stealer.json](clusters/stealer.json) - A list of malware stealer.
-- [clusters/banker.json](clusters/banker.json) - A list of banker malware.
+- [clusters/botnet.json](clusters/botnet.json) - A list of known botnets.
 - [clusters/branded_vulnerability.json](clusters/branded_vulnerability.json) - List of known vulnerabilities and exploits.
 - [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.
 - [clusters/microsoft-activity-group.json](clusters/microsoft-activity-group.json) - Activity groups as described by Microsoft.