diff --git a/clusters/banker.json b/clusters/banker.json
index 013da82..3cbacec 100644
--- a/clusters/banker.json
+++ b/clusters/banker.json
@@ -89,7 +89,8 @@
 "https://feodotracker.abuse.ch/"
 ],
 "synonyms": [
- "Feodo Version D"
+ "Feodo Version D",
+ "Cridex"
 ]
 },
 "related": [
@@ -589,7 +590,8 @@
 ],
 "synonyms": [
 "Qbot ",
- "Pinkslipbot"
+ "Pinkslipbot",
+ "Akbot"
 ]
 },
 "related": [
@@ -1179,6 +1181,16 @@
 ],
 "uuid": "2fafe8b2-b0db-11e8-a81e-4b62ee50bd87",
 "value": "CamuBot"
+ },
+ {
+ "description": "Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.",
+ "meta": {
+ "refs": [
+ "https://thehackernews.com/2018/08/mexico-banking-malware.html"
+ ]
+ },
+ "uuid": "fa574138-a3bd-4ebc-a5f7-3b465df7106f",
+ "value": "Dark Tequila"
 }
 ],
 "version": 16
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 872cf17..8abab32 100644
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -172,7 +172,9 @@
 "status": "Active",
 "synonyms": [
 "Popads EK",
- "TopExp"
+ "TopExp",
+ "Magniber",
+ "Magnitude EK"
 ]
 },
 "uuid": "6a313e11-5bb2-40ed-8cde-9de768b783b1",
diff --git a/clusters/mitre-enterprise-attack-tool.json b/clusters/mitre-enterprise-attack-tool.json
index 7ae49b3..17eaad7 100644
--- a/clusters/mitre-enterprise-attack-tool.json
+++ b/clusters/mitre-enterprise-attack-tool.json
@@ -509,7 +509,8 @@
 "external_id": "S0120",
 "refs": [
 "https://attack.mitre.org/wiki/Software/S0120",
- "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
+ "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf",
+ "https://www.aldeid.com/wiki/FGDump"
 ],
 "synonyms": [
 "Fgdump"
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 6cf1827..9d50186 100644
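Review bot: The cluster version is not bumped in clusters/banker.json: `"version": 16` is unchanged context in the `@@ -1179,6 +1181,16 @@` hunk, although that hunk adds the Dark Tequila entry and the earlier hunks add synonyms. clusters/threat-actor.json has the same gap (`"version": 158` stays as context in `@@ -8130,6 +8152,35 @@`), and none of the visible hunks for ransomware.json, rat.json or exploit-kit.json touches a version line, while tool.json does go from 133 to 134. A consumer that compares the file's version to decide whether to re-import would likely skip these additions, so the new names would not reach downstream tagging and detection. Bump every edited file in this commit, e.g. `"version": 17` here and `"version": 159` in threat-actor.json.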
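Review bot: `"Magniber"` is added as a synonym in clusters/exploit-kit.json (`@@ -172,7 +172,9 @@`), but Magniber is generally tracked as a ransomware payload delivered through the Magnitude exploit kit, not as another name for the kit. Synonyms are used for name matching, so reports about the ransomware would resolve to the exploit-kit entry and the two could no longer be told apart in correlation. I would add only `"Magnitude EK"` here and express the link to the ransomware as a relationship between the two entries. The entry's `value` lies outside the hunk, so also confirm that `"Magnitude EK"` does not simply duplicate it.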
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -7951,6 +7951,9 @@
 "http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html",
 "https://twitter.com/malwrhunterteam/status/828914052973858816",
 "http://id-ransomware.blogspot.com/2016/05/jobcrypter-ransomware.html"
+ ],
+ "synonyms": [
+ "JobCrypter"
 ]
 },
 "uuid": "7c9a273b-1534-4a13-b201-b7a782b6c32a",
@@ -11193,9 +11196,15 @@
 "meta": {
 "payment-method": "Bitcoin",
 "price": "0.05 (300 $)",
+ "ransomnotes": [
+ "https://www.welivesecurity.com/wp-content/uploads/2017/10/mbr_cut.png"
+ ],
 "refs": [
 "http://blog.talosintelligence.com/2017/10/bad-rabbit.html",
- "https://id-ransomware.blogspot.com/2017/10/badrabbit-ransomware.html"
+ "https://id-ransomware.blogspot.com/2017/10/badrabbit-ransomware.html",
+ "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
+ "https://securelist.com/bad-rabbit-ransomware/82851/",
+ "http://www.intezer.com/notpetya-returns-bad-rabbit/"
 ],
 "synonyms": [
 "BadRabbit",
@@ -13637,6 +13646,45 @@
 "uuid": "21b349c3-ede2-4e11-abda-1444eb272eff",
 "value": "Clop"
 },
+ {
+ "description": "A new infection is being distributed by porn sites that tries to blackmail a victim into paying a ransom by stating they will tell law enforcement that the victim is spreading child porn. This is done by collecting information about the user, including screen shots of their active desktop, in order to catch them in compromising situations.",
+ "meta": {
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/malware/b/blackmailware/pornblackmailer/ransom-note.jpg"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/blackmailware-found-on-porn-site-threatens-to-report-users-are-spreading-child-porn/"
+ ]
+ },
+ "uuid": "a1a730e2-f1a4-4d7b-9930-80529cd97f3c",
+ "value": "PornBlackmailer"
+ },
+ {
+ "description": "This crypto-extortioner encrypts user data using AES, and then requires a $ 30- $ 50- $ 80 buy- back to BTC to return the files. The name is original. Written on AutoIt.",
+ "meta": {
+ "ransomnotes": [
+ "Your files has been safely encrypted\n---\nEncrypted files: 276\n**********\n---\n[Buy Bitcoins] [Decrypt Files] (Decryptionkey)\n---\nThe only way you can recover your files is to buy a decryption key\nThe payment method is: Bitcoin. The price is: $50 = Bitcoins\nAfter buying the amount of bitcoins send an email\nto king.ouroboros@protonmail.com Your ID: *****\nWe will provide you with payment address and your decryption key.\nYou have 72 Hours to complete the payment otherwise your key will be deleted."
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.com/2018/06/kingouroboros-ransomware.html"
+ ]
+ },
+ "uuid": "303a07bf-c990-4fbe-ac7d-57b8c3cb29b6",
+ "value": "KingOuroboros"
+ },
+ {
+ "description": "The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.",
+ "meta": {
+ "refs": [
+ "https://bartblaze.blogspot.com/2018/08/mafia-ransomware-targeting-users-in.html"
+ ],
+ "synonyms": [
+ "Mafia"
+ ]
+ },
+ "uuid": "9ea6333f-1437-4a57-8acc-d73019378ef2",
+ "value": "MAFIA Ransomware"
+ },
 {
 "description": "The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps Iron ransomware, has now come up with a new version or rebranding named 5ss5c. [...] It will however only encrypt files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip",
 "meta": {
diff --git a/clusters/rat.json b/clusters/rat.json
index 5bc8f76..9c8f5b3 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -3350,6 +3350,9 @@
 "meta": {
 "refs": [
 "https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks"
+ ],
+ "synonyms": [
+ "Parasite HTTP"
 ]
 },
 "uuid": "1b6a067c-50ba-4aa7-a59b-824e94e210fe",
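Review bot: `ransomnotes` ends up holding two different kinds of value in clusters/ransomware.json: the PornBlackmailer entry in `@@ -13637,6 +13646,45 @@` (and the Bad Rabbit entry in `@@ -11193,9 +11196,15 @@`) stores a URL to a screenshot, while the KingOuroboros entry stores the note text itself. A consumer that matches this field against file contents, or renders it as text, cannot tell which one it is getting. Keep `ransomnotes` for the literal note text and move the image links into `refs`, or into a dedicated key if the schema provides one for note images. The KingOuroboros description (`"$ 30- $ 50- $ 80 buy- back to BTC"`) also reads like unedited machine translation and should state the price tiers in plain words.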
@@ -3417,6 +3420,16 @@
 "uuid": "1b4a085c-30bb-5aa5-b46a-803e94e010ff",
 "value": "InnfiRAT"
 },
+ {
+ "description": "In the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.",
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/"
+ ]
+ },
+ "uuid": "b3cfd21f-b637-42ff-b118-2803630b718a",
+ "value": "KeyBase"
+ },
 {
 "description": "Apparently existing since 2018",
 "meta": {
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3250cef..93c0aa3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1399,7 +1399,8 @@
 ],
 "synonyms": [
 "IceFog",
- "Dagger Panda"
+ "Dagger Panda",
+ "Trident"
 ]
 },
 "uuid": "32c534b9-abec-4823-b223-a810f897b47b",
@@ -2017,10 +2018,12 @@
 "attribution-confidence": "50",
 "country": "IR",
 "refs": [
- "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
+ "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
+ "https://carnegieendowment.org/2018/01/04/iran-s-cyber-ecosystem-who-are-threat-actors-pub-75140"
 ],
 "synonyms": [
- "Group 42"
+ "Group 42",
+ "VOYEUR"
 ]
 },
 "uuid": "2e77511d-f72f-409e-9b64-e2a15efe9bf4",
@@ -5148,16 +5151,22 @@
 "refs": [
 "https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/",
 "https://www.cfr.org/interactive/cyber-operations/kimsuky",
- "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html"
+ "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html",
+ "https://youtu.be/hAsKp43AZmM?t=1027",
+ "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1",
+ "https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia",
+ "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
+ "https://attack.mitre.org/groups/G0086/"
 ],
 "synonyms": [
- "Kimsuky",
 "Velvet Chollima",
- "Black Banshee"
+ "Black Banshee",
+ "Thallium",
+ "Operation Stolen Pencil"
 ]
 },
 "uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
- "value": "Kimsuki"
+ "value": "Kimsuky"
 },
 {
 "description": "While investigating some of the smaller name servers that APT28/Sofacy routinely use to host their infrastructure, Cylance discovered another prolonged campaign that appeared to exclusively target Japanese companies and individuals that began around August 2016. The later registration style was eerily close to previously registered APT28 domains, however, the malware used in the attacks did not seem to line up at all. During the course of our investigation, JPCERT published this analysis of one of the group’s backdoors. Cylance tracks this threat group internally as ‘Snake Wine’.\nThe Snake Wine group has proven to be highly adaptable and has continued to adopt new tactics in order to establish footholds inside victim environments. The exclusive interest in Japanese government, education, and commerce will likely continue into the future as the group is just starting to build and utilize their existing current attack infrastructure.",
@@ -7195,19 +7204,6 @@
 "uuid": "ec3fda76-8c1c-4019-8109-3f92e6b15633",
 "value": "Ratpak Spider"
 },
- {
- "description": "ASERT has learned of an APT campaign, possibly originating from DPRK, we are calling STOLEN PENCIL that is targeting academic institutions since at least May 2018.",
- "meta": {
- "refs": [
- "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/",
- "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
- "https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia",
- "https://attack.mitre.org/groups/G0086/"
- ]
- },
- "uuid": "769aeaa6-d193-4e90-a818-d74c6ff7b845",
- "value": "STOLEN PENCIL"
- },
 {
 "meta": {
 "refs": [
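Review bot: The old spelling is lost in the `@@ -5148,16 +5151,22 @@` hunk of clusters/threat-actor.json: `"value": "Kimsuki"` becomes `"Kimsuky"` and `"Kimsuky"` is removed from `synonyms`, so nothing in the entry matches `Kimsuki` any more. Data already tagged or searched under the old value would stop resolving to this actor; adding `"Kimsuki"` to the `synonyms` array keeps it linked. The following hunk (`@@ -7195,19 +7204,6 @@`) deletes the STOLEN PENCIL entry with uuid `769aeaa6-d193-4e90-a818-d74c6ff7b845` in favour of the `"Operation Stolen Pencil"` synonym, so any `related` reference or stored record pointing at that uuid would be left dangling; none is visible in this diff, but it is worth a search before merging. The Kimsuky entry itself starts above the hunk.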
@@ -7889,6 +7885,32 @@
 "uuid": "feb0cfef-0472-4108-83d7-1a322d8ab86b",
 "value": "APT-C-34"
 },
+ {
+ "description": "Since November 2014, the Golden Rat Organization (APT-C-27) has launched an organized, planned and targeted long-term uninterrupted attack on the Syrian region. The attack platform has gradually expanded from the beginning of the Windows platform to the Android platform.",
+ "meta": {
+ "refs": [
+ "https://ti.360.net/blog/articles/analysis-of-apt-c-27/",
+ "http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf"
+ ],
+ "since": "2014",
+ "synonyms": [
+ "APT-C-27"
+ ]
+ },
+ "uuid": "790cc0e7-4132-4e41-9b6c-11ff757400c0",
+ "value": "Golden RAT"
+ },
+ {
+ "description": "Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.",
+ "meta": {
+ "refs": [
+ "https://www.systemtek.co.uk/2018/07/luoxk-malware-exploiting-cve-2018-2893/"
+ ],
+ "since": "2017"
+ },
+ "uuid": "69e11692-691e-4bfb-9557-4e2a271684ed",
+ "value": "luoxk"
+ },
 {
 "description": "The activities of some non-governmental organizations (NGOs) challenge governments on politically sensitive issues such as social, humanitarian, and environmental policies. As a result, these organizations are often exposed to increased government-directed threats aimed at monitoring their activities, discrediting their work, or stealing their intellectual property. BRONZE PRESIDENT is a likely People's Republic of China (PRC)-based targeted cyberespionage group that uses both proprietary and publicly available tools to target NGO networks. Secureworks® Counter Threat Unit (CTU) researchers have observed BRONZE PRESIDENT activity since mid-2018 but identified artifacts suggesting that the threat actors may have been conducting network intrusions as far back as 2014.",
 "meta": {
@@ -8130,6 +8152,35 @@
 },
 "uuid": "21d08f2c-97b2-444e-be49-8457093b841a",
 "value": "NOTROBIN"
+ },
+ {
+ "description": "ItaDuke is an actor known since 2013. It used PDF exploits for dropping malware and Twitter accounts to store C2 server urls. On 2018, an actor named DarkUniverse, which was active between 2009 to 2017, was attributed to this ItaDuke by Kaspersky.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/",
+ "https://www.fireeye.com/blog/threat-research/2013/02/the-number-of-the-beast.html",
+ "https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465"
+ ],
+ "synonyms": [
+ "DarkUniverse",
+ "SIG27"
+ ]
+ },
+ "uuid": "d0b900fa-84b4-11ea-bc55-0242ac130003",
+ "value": "ItaDuke"
+ },
+ {
+ "description": "This actor was identified by Juan Andres Guerrero-Saade from the SIG37 cluster as published in the ShadowBrokers' 'Lost in Translation' leak. Earliest known sighting potentially dates back to as far as 2008 with a confirmed center of activity around 2010-2013. The actor name is derived from a PDB debug string fragment: 'khzer'. Victimology indicates targeting of Iran, assessed with low confidence based on VT file submission locations. Nazar employs a modular toolkit where a main dropper silently registers multiple DLLs as OLE controls in the Windows registry. Functionality includes keylogging, sound and screen grabbing, as well as traffic capture using the MicroOlap Packet Sniffer library.",
+ "meta": {
+ "refs": [
+ "https://www.epicturla.com/blog/the-lost-nazar"
+ ],
+ "synonyms": [
+ "SIG37"
+ ]
+ },
+ "uuid": "169187c5-9fbe-42df-ae92-6e35846db021",
+ "value": "Nazar"
 }
 ],
 "version": 158
diff --git a/clusters/tool.json b/clusters/tool.json
index 19c1e7d..378a3ff 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7916,6 +7916,26 @@
 "uuid": "a0736351-1721-42ed-a057-19b4b93b585e",
 "value": "NBTScan"
 },
+ {
+ "description": "PowerGhost is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/a-mining-multitool/86950/"
+ ]
+ },
+ "uuid": "92480988-82ad-4e1c-af5f-71c85f9ab809",
+ "value": "PowerGhost"
+ },
+ {
+ "description": "Check Point researchers have found another wave of the Ursnif malspam campaign targeting Italy. Only a few details are known so far but what we have found is that the file delivered is a VBE file (encoded VBS) named “SCANSIONE.vbe” and is delivered via ZIP attachments in emails with the subject suggesting different documents in Italian.",
+ "meta": {
+ "refs": [
+ "https://research.checkpoint.com/vbetaly/"
+ ]
+ },
+ "uuid": "10c0d60b-c9c1-474c-8594-11b5d82c6498",
+ "value": "VBEtaly"
+ },
 {
 "description": "ZeroCleare was used to execute a destructive attack that affected organizations in the energy and industrial sectorsin the Middle East. Based on the analysis of the malware and the attackers’ behavior, we suspect Iran-based nation state adversaries were involved to develop and deploy this new wiper. ",
 "meta": {
@@ -7978,7 +7998,25 @@
 },
 "uuid": "32a6065c-4f4e-4a60-8717-5872b5f21ac4",
 "value": "Gelup malware tool"
+ },
+ {
+ "description": "DenesRAT is a private Trojan horse of the \"Sea Lotus\" organization, which can perform corresponding functions according to the instructions issued by the C2 server. The main functions are file operations, such as creating files or directories, deleting files or directories, finding files; registry reading and writing; remote code execution, such as creating processes, executing DLLs, etc....",
+ "meta": {
+ "refs": [
+ "http://baijiahao.baidu.com/s?id=1661498030941117519",
+ "https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html"
+ ],
+ "synonyms": [
+ "METALJACK"
+ ],
+ "type": [
+ "Loader",
+ "Backdoor"
+ ]
+ },
+ "uuid": "edd9e14c-80f7-4a50-ab85-fa1120c54003",
+ "value": "DenesRAT"
 }
 ],
- "version": 133
+ "version": 134
 }