Merge pull request #220 from raw-data/master

[ADD] New Stealer galaxy and cluster

README.md

@@ -18,6 +18,7 @@ to localized information (which is not shared) or additional information (that c
 
 - [clusters/android.json](clusters/android.json) - Android malware galaxy based on multiple open sources.
 - [clusters/banker.json](clusters/banker.json) - A list of banker malware.
+- [clusters/stealer.json](clusters/stealer.json) - A list of malware stealer.
 - [clusters/botnet.json](clusters/botnet.json) - A list of known botnets.
 - [clusters/branded_vulnerability.json](clusters/branded_vulnerability.json) - List of known vulnerabilities and exploits.
 - [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.

clusters/stealer.json

@@ -0,0 +1,35 @@
+{
+  "uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
+  "description": "A list of malware stealer.",
+  "source": "Open Sources",
+  "version": 1,
+  "values": [
+    {
+      "meta": {
+        "date": "March 2018.",
+        "refs": [
+          "https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap"
+        ]
+      },
+      "description": "It is designed to steal data found within multiple Chromium and Firefox based browsers, it can also steal many popular cryptocurrency wallets as well as any saved FTP passwords within FileZilla. Nocturnal Stealer uses several anti-VM and anti-analysis techniques, which include but are not limited to: environment fingerprinting, checking for debuggers and analyzers, searching for known virtual machine registry keys, and checking for emulation software.",
+      "value": "Nocturnal Stealer",
+      "uuid": "e7080bce-99b5-4615-a798-a192ed89bd5a"
+    },
+    {
+      "meta": {
+        "date": "March 2018.",
+        "refs": [
+          "https://blog.talosintelligence.com/2018/05/telegrab.html"
+        ]
+      },
+      "description": "The first version stole browser credentials and cookies, along with all text files it can find on the system. The second variant added the ability to collect Telegram's desktop cache and key files, as well as login information for the video game storefront Steam.",
+      "value": "TeleGrab",
+      "uuid": "a6780288-24eb-4006-9ddd-062870c6feec"
+    }
+  ],
+  "authors": [
+    "raw-data"
+  ],
+  "type": "stealer",
+  "name": "Stealer"
+}

galaxies/stealer.json

@@ -0,0 +1,9 @@
+{
+  "description": "Malware stealer galaxy.",
+  "type": "stealer",
+  "version": 1,
+  "name": "Stealer",
+  "icon": "key",
+  "uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
+  "namespace": "misp"
+}