From 74ff4b957a05772388e9448318385470e1997cbc Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 30 Oct 2018 13:28:27 +0100
Subject: [PATCH 1/3] add Operation EvilTraffic
---
 clusters/threat-actor.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2534fbf..07f542d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5983,7 +5983,18 @@
 },
 "uuid": "d5e90854-d5c9-11e8-98b9-1f98eb80d30a",
 "value": "The Shadow Brokers"
+ },
+ {
+ "value" : "EvilTraffic",
+ "description": "Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands compromised websites. Crooks exploited some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising.",
+ "meta": {
+ "refs": [
+ "http://securityaffairs.co/wordpress/68059/cyber-crime/eviltraffic-malvertising-campaign.html",
+ "http://csecybsec.com/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf"
+ ]
+ },
+ "uuid": "c2d5a052-dc30-11e8-9643-d76f3b9c94fa"
 }
 ],
- "version": 75
+ "version": 76
 }
From 41942d0daf0c80541bf4705aa981fb5a4d803d0f Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 30 Oct 2018 13:28:46 +0100
Subject: [PATCH 2/3] add Operation EvilTraffic
---
 clusters/threat-actor.json | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 07f542d..e25c223 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5991,6 +5991,9 @@
 "refs": [
 "http://securityaffairs.co/wordpress/68059/cyber-crime/eviltraffic-malvertising-campaign.html",
 "http://csecybsec.com/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf"
+ ],
+ "synonyms": [
+ "Operation EvilTraffic"
 ]
 },
 "uuid": "c2d5a052-dc30-11e8-9643-d76f3b9c94fa"
From e6b1eec329d6271cc08472686d4231c37a3d80ce Mon Sep 17 00:00:00 2001
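Review bot: The new entry describes a malvertising campaign ("a massive malvertising campaign dubbed EvilTraffic") but the description names no group behind it, so in a threat-actor cluster the value `EvilTraffic` reads as an adversary name rather than an operation name. If the two referenced reports attribute the campaign to nobody, say so in the entry, for example by ending the description with `The operators behind the campaign are not named in the referenced reports.`, so that a match on this cluster is understood as a match on an unattributed campaign. Both `meta.refs` entries are plain `http://` URLs; if those hosts serve the article and the PDF over TLS, prefer the https form so analysts following the link from MISP do not fetch the report over an unauthenticated channel.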
From: Deborah Servili
Date: Tue, 30 Oct 2018 14:39:13 +0100
Subject: [PATCH 3/3] add Chalubo botnet (+ jqallthethings)
---
 clusters/botnet.json | 12 +++++++++++-
 clusters/threat-actor.json | 4 ++--
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/clusters/botnet.json b/clusters/botnet.json
index c3ad3ad..1df05f5 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -1136,7 +1136,17 @@
 ],
 "uuid": "e3e91fe2-c7ce-11e8-8e85-6bc15cd2a63c",
 "value": "Persirai"
+ },
+ {
+ "description": "Since early September, SophosLabs has been monitoring an increasingly prolific attack targeting Internet-facing SSH servers on Linux-based systems that has been dropping a newly-discovered family of denial-of-service bots we’re calling Chalubo. The attackers encrypt both the main bot component and its corresponding Lua script using the ChaCha stream cipher. This adoption of anti-analysis techniques demonstrates an evolution in Linux malware, as the authors have adopted principles more common to Windows malware in an effort to thwart detection. Like some of its predecessors, Chalubo incorporates code from the Xor.DDoS and Mirai malware families.",
+ "meta": {
+ "refs": [
+ "https://news.sophos.com/en-us/2018/10/22/chalubo-botnet-wants-to-ddos-from-your-server-or-iot-device/"
+ ]
+ },
+ "uuid": "f387e30a-dc48-11e8-b9f4-370bc63008bf",
+ "value": "Chalubo"
 }
 ],
- "version": 17
+ "version": 18
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e25c223..c902d63 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5985,7 +5985,6 @@
 "value": "The Shadow Brokers"
 },
 {
- "value" : "EvilTraffic",
 "description": "Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands compromised websites. Crooks exploited some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising.",
 "meta": {
 "refs": [ 
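Review bot: The Chalubo description copies SophosLabs' first-person phrasing — `denial-of-service bots we’re calling Chalubo` — so inside the galaxy it reads as if the cluster maintainers coined the name; rephrase the clause to `denial-of-service bots that SophosLabs calls Chalubo`, with the `meta.refs` link still crediting the source. The description is also the only place the entry records the intrusion vector (attacks on Internet-facing SSH servers) and the ChaCha-encrypted bot and Lua script, which is the detail a defender will search on, so keep those sentences when rewording. The EvilTraffic entry in this series records its alternate name under `meta.synonyms`; if the Sophos write-up gives Chalubo other names, the same field here would let the entry correlate on them.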
@@ -5996,7 +5995,8 @@
 "Operation EvilTraffic"
 ]
 },
- "uuid": "c2d5a052-dc30-11e8-9643-d76f3b9c94fa"
+ "uuid": "c2d5a052-dc30-11e8-9643-d76f3b9c94fa",
+ "value": "EvilTraffic"
 }
 ],
 "version": 76