From 2794a2058995141cfc0bbe7dfb3834559dd2ae95 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 14 Feb 2019 12:42:28 +0100 Subject: [PATCH] add OSX/Shlayer and some refs --- clusters/ransomware.json | 5 +++-- clusters/threat-actor.json | 3 ++- clusters/tool.json | 12 +++++++++++- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 9f5d814..4a0b8e8 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -11005,7 +11005,8 @@ "Attention!\n\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS\n\nThe only method of recovering files is to purchase an decrypt software and unique private key.\n\nAfter purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.\n\nOnly we can give you this key and only we can recover your files.\n\nYou need to contact us by e-mail keypass@bitmessage.ch send us your personal ID and wait for further instructions.\n\nFor you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.\n\nPrice for decryption $300.\n\nThis price avaliable if you contact us first 72 hours.\n\nE-mail address to contact us:\n\nkeypass@bitmessage.ch\n\n\n\nReserve e-mail address to contact us:\n\nkeypass@india.com\n\n\n\nYour personal id:\n[id]" ], "refs": [ - "https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/" + "https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/", + "https://www.kaspersky.com/blog/keypass-ransomware/23447/" ], "synonyms": [ "KeyPass" @@ -11750,5 +11751,5 @@ "value": "LockerGoga" } ], - "version": 50 + "version": 51 } diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index e88965b..c225dad 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -1006,6 +1006,7 @@ "APT10", "APT 10", "MenuPass", + "Menupass Team", "happyyongzi", "POTASSIUM", "DustStorm", @@ -6234,5 +6235,5 @@ "value": "Siesta" } ], - "version": 89 + "version": 90 } diff --git a/clusters/tool.json b/clusters/tool.json index f27cca8..4413d7a 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -7509,7 +7509,17 @@ }, "uuid": "0147c0fd-ed74-4d38-a823-130542d894a3", "value": "OSX.BadWord" + }, + { + "description": "The initial Trojan horse infection (the fake Flash Player installer) component of OSX/Shlayer leverages shell scripts to download additional malware or adware onto the infected system.\nThe primary goal of OSX/Shlayer is to download and install adware onto an infected Mac.\nAlthough \"adware\" may not sound like a big deal, it can be a lot more harmful than the name implies; be sure to watch our aforementioned interview with Amit Serper to learn more about one particular example of malicious Mac adware.\nAt least one variant of the malware also appears to exhibit an interesting behavior: It checks whether one of several Mac anti-virus products is installed.", + "meta": { + "refs": [ + "https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/" + ] + }, + "uuid": "6e60cb73-0bcc-45bf-b14f-633aa7ffc8b4", + "value": "OSX/Shlayer" } ], - "version": 108 + "version": 109 }