diff --git a/README.md b/README.md
index 30bff4a..a04ab83 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,7 @@ to localized information (which is not shared) or additional information (that c
 - [clusters/android.json](clusters/android.json) - Android malware galaxy based on multiple open sources.
 - [clusters/banker.json](clusters/banker.json) - A list of banker malware.
 - [clusters/stealer.json](clusters/stealer.json) - A list of malware stealer.
+- [clusters/backdoor.json](clusters/backdoor.json) - A list of backdoor malware.
 - [clusters/botnet.json](clusters/botnet.json) - A list of known botnets.
 - [clusters/branded_vulnerability.json](clusters/branded_vulnerability.json) - List of known vulnerabilities and exploits.
 - [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.
diff --git a/clusters/backdoor.json b/clusters/backdoor.json
new file mode 100644
index 0000000..c0d2adb
--- /dev/null
+++ b/clusters/backdoor.json
@@ -0,0 +1,24 @@
+{
+ "uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
+ "description": "A list of backdoor malware.",
+ "source": "Open Sources",
+ "version": 1,
+ "values": [
+ {
+ "meta": {
+ "date": "July 2018.",
+ "refs": [
+ "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html"
+ ]
+ },
+ "description": "Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.",
+ "value": "WellMess",
+ "uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd"
+ }
+ ],
+ "authors": [
+ "raw-data"
+ ],
+ "type": "backdoor",
+ "name": "Backdoor"
+}
diff --git a/clusters/banker.json b/clusters/banker.json
index 1f0ad4f..725f3d5 100644
--- a/clusters/banker.json
+++ b/clusters/banker.json
@@ -2,7 +2,7 @@
 "uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
 "description": "A list of banker malware.",
 "source": "Open Sources",
- "version": 9,
+ "version": 10,
 "values": [
 {
 "meta": {
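Review bot: The WellMess entry's `"date": "July 2018."` is free text with a trailing period, so anything that sorts or filters cluster values by date cannot parse it; an ISO-style value such as `"date": "2018-07"` avoids that, and the same string is repeated in the stealer cluster later in this commit. The description asserts that C2 POST data is RSA-encrypted and that a .NET variant exists, which are claims a detection engineer will act on, so both should be traceable to the single JPCERT reference or a second ref should be added. The entry also has no `synonyms` array; if vendor detection names for this family are known they belong there, as the Bebloh/URLZone and Bamital entries in this commit do, so the cluster can be found from an AV label.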
@@ -595,6 +595,70 @@
 "value": "Backswap",
 "uuid": "ea0b5f45-6b56-4c92-b22b-0d84c45160a0"
 },
+ {
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Bebloh.A",
+ "https://www.symantec.com/security-center/writeup/2011-041411-0912-99"
+ ],
+ "synonyms": [
+ "URLZone",
+ "Shiotob"
+ ]
+ },
+ "value": "Bebloh",
+ "uuid": "67a1a317-9f79-42bd-a4b2-fa1867d37d27"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/"
+ ],
+ "synonyms": [
+ "MultiBanker 2",
+ "BankPatch",
+ "BackPatcher"
+ ]
+ },
+ "value": "Banjori",
+ "uuid": "f68555ff-6fbd-4f5a-bc23-34996f629c52"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.countercept.com/our-thinking/decrypting-qadars-banking-trojan-c2-traffic/"
+ ]
+ },
+ "value": "Qadars",
+ "uuid": "a717c873-6670-447a-ba98-90db6464c07d"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.johannesbader.ch/2016/06/the-dga-of-sisron/"
+ ]
+ },
+ "value": "Sisron",
+ "uuid": "610a136c-820d-4f5f-b66c-ae298923dc55"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.johannesbader.ch/2016/06/the-dga-of-sisron/"
+ ]
+ },
+ "value": "Ranbyus",
+ "uuid": "6720f960-0382-479b-a0f8-f9e008995af4"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://searchfinancialsecurity.techtarget.com/news/4500249201/Fobber-Drive-by-financial-malware-returns-with-new-tricks"
+ ]
+ },
+ "value": "Fobber",
+ "uuid": "da124511-463c-4514-ad05-7ec8db1b38aa"
+ },
 {
 "meta": {
 "refs": [
diff --git a/clusters/botnet.json b/clusters/botnet.json
index 7bf90bd..a7862a8 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -2,7 +2,7 @@
 "description": "botnet galaxy",
 "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
 "source": "MISP Project",
- "version": 6,
+ "version": 8,
 "values": [
 {
 "meta": {
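Review bot: The Ranbyus entry cites `https://www.johannesbader.ch/2016/06/the-dga-of-sisron/`, the same URL as the Sisron entry immediately above it, and the slug names Sisron, so this looks like a copy-paste and Ranbyus is left with no reference of its own. Either point it at the Ranbyus write-up or drop the ref rather than leaving a pointer to a different family, since consumers treat `refs` as the evidence behind the attribution. None of the six new banker entries carries a `description`, while other entries touched in this commit (XorDDoS, DBGer, AZORult) do; a one-line description per family would make the galaxy usable without following the links.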
@@ -513,6 +513,16 @@
 "value": "Mirai",
 "uuid": "fcdfd4af-da35-49a8-9610-19be8a487185"
 },
+ {
+ "value": "XorDDoS",
+ "uuid": "5485d149-79b5-451e-b48c-a020eced3515",
+ "description": "XOR DDOS is a Linux trojan used to perform large-scale DDoS",
+ "meta": {
+ "refs": [
+ "https://en.wikipedia.org/wiki/Xor_DDoS"
+ ]
+ }
+ },
 {
 "meta": {
 "refs": [
@@ -629,6 +639,68 @@
 },
 "value": "Trik Spam Botnet",
 "uuid": "c68d5e64-7485-11e8-8625-2b14141f0501"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://news.softpedia.com/news/researchers-crack-mad-max-botnet-algorithm-and-see-in-the-future-506696.shtml"
+ ],
+ "synonyms": [
+ "Mad Max"
+ ]
+ },
+ "value": "Madmax",
+ "uuid": "7a6fcec7-3408-4371-907b-cbf8fc931b66"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://labs.bitdefender.com/2013/12/in-depth-analysis-of-pushdo-botnet/"
+ ]
+ },
+ "value": "Pushdo",
+ "uuid": "94d12a03-6ae8-4006-a98f-80c15e6f95c0"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.us-cert.gov/ncas/alerts/TA15-105A"
+ ]
+ },
+ "value": "Simda",
+ "uuid": "347e7a64-8ee2-487f-bcb3-ca7564fa836c"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://en.wikipedia.org/wiki/Virut"
+ ]
+ },
+ "value": "Virut",
+ "uuid": "cc1432a1-6580-4338-b119-a43236528ea1"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions"
+ ]
+ },
+ "value": "Beebone",
+ "uuid": "49b13880-9baf-4ae0-9171-814094b03d89"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FBamital",
+ "https://www.symantec.com/security-center/writeup/2010-070108-5941-99"
+ ],
+ "synonyms": [
+ "Mdrop-CSK",
+ "Agent-OCF"
+ ]
+ },
+ "value": "Bamital",
+ "uuid": "07815089-e2c6-4084-9a62-3ece7210f33f"
 }
 ],
 "authors": [
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 39a82cf..e64aa02 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
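Review bot: The new XorDDoS entry orders its keys `value`, `uuid`, `description`, `meta`, whereas every other entry in this hunk and in the rest of the commit puts `meta` first and `value`/`uuid` last; a parser does not care about key order, but the file is hand-maintained and the inconsistency makes future diffs harder to read. The description spells the family `XOR DDOS` and the reference slug is `Xor_DDoS`, neither of which matches the `value` `XorDDoS`, so lookups by either spelling will miss; adding `"synonyms": ["XOR DDoS", "Xor DDoS"]` under `meta` would cover them, as the `synonyms` arrays on Madmax and Bamital do in the next hunk. The only reference is a Wikipedia page; for a galaxy that feeds detection and attribution, a primary vendor analysis is the stronger citation.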
@@ -9974,6 +9974,15 @@
 },
 "uuid": "9d09ac4a-73a0-11e8-b71c-63b86eedf9a2"
 },
+ {
+ "value": "DirCrypt",
+ "meta": {
+ "refs": [
+ "https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/"
+ ]
+ },
+ "uuid": "cdcc59a0-955e-412d-b481-8dff4bce6fdf"
+ },
 {
 "value": "DBGer Ransomware",
 "description": "The authors of the Satan ransomware have rebranded their \"product\" and they now go by the name of DBGer ransomware, according to security researcher MalwareHunter, who spotted this new version earlier today. The change was not only in name but also in the ransomware's modus operandi. According to the researcher, whose discovery was later confirmed by an Intezer code similarity analysis, the new (Satan) DBGer ransomware now also incorporates Mimikatz, an open-source password-dumping utility. The purpose of DBGer incorporating Mimikatz is for lateral movement inside compromised networks. This fits a recently observed trend in Satan's modus operandi.",
diff --git a/clusters/stealer.json b/clusters/stealer.json
index 8fbf92c..23cedca 100644
--- a/clusters/stealer.json
+++ b/clusters/stealer.json
@@ -1,8 +1,8 @@
 {
 "uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
- "description": "A list of malware stealer.",
+ "name": "Stealer",
 "source": "Open Sources",
- "version": 1,
+ "version": 2,
 "values": [
 {
 "meta": {
@@ -25,11 +25,24 @@
 "description": "The first version stole browser credentials and cookies, along with all text files it can find on the system. The second variant added the ability to collect Telegram's desktop cache and key files, as well as login information for the video game storefront Steam.",
 "value": "TeleGrab",
 "uuid": "a6780288-24eb-4006-9ddd-062870c6feec"
+ },
+ {
+ "meta": {
+ "date": "July 2018.",
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
+ "https://blog.minerva-labs.com/analyzing-an-azorult-attack-evasion-in-a-cloak-of-multiple-layers",
+ "https://malware.lu/articles/2018/05/04/azorult-stealer.html"
+ ]
+ },
+ "description": "It is able to steal accounts from different software, such as, Firefox password Internet Explorer/Edge Thunderbird Chrome/Chromium and many more. It is also able to (1) list all installed software, (2) list processes, (3) Get information about the machine name (CPU type, Graphic card, size of memory), (4) take screen captures, (5) Steal cryptomoney wallet from Electrum, MultiBit, monero-project, bitcoin-qt.",
+ "value": "AZORult",
+ "uuid": "a646edab-5c6f-4a79-8a6c-153535259e16"
 }
 ],
 "authors": [
 "raw-data"
 ],
 "type": "stealer",
- "name": "Stealer"
+ "description": "A list of malware stealer."
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d6e09eb..1ab86a3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
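Review bot: The AZORult description reads `such as, Firefox password Internet Explorer/Edge Thunderbird Chrome/Chromium and many more`, which has lost its list separators; `such as Firefox, Internet Explorer/Edge, Thunderbird and Chrome/Chromium passwords, and many more` appears to be the intended reading. `"date": "July 2018."` is free text with a trailing period, the same as the WellMess entry in this commit; an ISO-style `"2018-07"` is sortable and consistent. The first reference's title names Chthonic and PayPal rather than AZORult, so a reader cannot tell from the entry why it is cited; a short clause in the description, or a more direct AZORult reference, would keep the ref from looking misplaced. Moving `"description": "A list of malware stealer."` from the top of the file to the bottom across this and the previous hunk is pure churn since JSON key order is insignificant; keeping it in place would reduce the change to the AZORult addition and the version bump.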
@@ -3201,6 +3201,16 @@
 ]
 },
 "uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b"
+ },
+ {
+ "value": "The Big Bang",
+ "description": "While it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed ‘Big Bang’ due to the attacker’s fondness for the ‘Big Bang Theory’ TV show, after which some of the malware’s modules are named.",
+ "meta": {
+ "refs": [
+ "https://research.checkpoint.com/apt-attack-middle-east-big-bang/",
+ "https://blog.talosintelligence.com/2017/06/palestine-delphi.html"
+ ]
+ }
 }
 ],
 "name": "Threat actor",
@@ -3215,5 +3225,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 44
+ "version": 45
 }
diff --git a/galaxies/backdoor.json b/galaxies/backdoor.json
new file mode 100644
index 0000000..6504c9c
--- /dev/null
+++ b/galaxies/backdoor.json
@@ -0,0 +1,9 @@
+{
+ "description": "Malware Backdoor galaxy.",
+ "type": "backdoor",
+ "version": 1,
+ "name": "Backdoor",
+ "icon": "door-open",
+ "uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
+ "namespace": "misp"
+}
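Review bot: The new `The Big Bang` entry has no `uuid`, while the entry it follows ends with `"uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b"` and every value added elsewhere in this commit carries one; without it the actor cannot be referenced stably from other clusters or from MISP events, and any validation that requires a uuid per value will presumably reject the file. Add a freshly generated `"uuid": "<new UUIDv4>"` next to `value`. The description itself says the campaign was dubbed 'Big Bang', so `"synonyms": ["Big Bang"]` under `meta` would let that spelling resolve to the entry, and the second reference (Talos, June 2017) predates the Check Point post by a year — a word on how the two relate would keep the attribution traceable.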