Merge pull request #768 from Delta-Sierra/main

New clusters
This commit is contained in:
Alexandre Dulaunoy 2022-09-16 06:40:43 +02:00 committed by GitHub
commit 30cb4e7e60
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 81 additions and 6 deletions


@ -1364,7 +1364,26 @@
], ],
"uuid": "421a3805-7741-4315-82c2-6c9aa30d0953", "uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
"value": "Qbot" "value": "Qbot"
},
{
"description": "This malware is characterized by alternative DNS connections and connects to several *.lib domains using custom DNS servers.",
"meta": {
"refs": [
"https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/"
]
},
"related": [
{
"dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
}
],
"uuid": "505c6a54-a701-4a4b-85d4-0f2038b7b46a",
"value": "Dark.IoT"
} }
], ],
"version": 27 "version": 28
} }
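Review bot: The `related` entry on the new Dark.IoT cluster declares `"type": "variant-of"` against `dest-uuid` `fcdfd4af-da35-49a8-9610-19be8a487185`, but nothing in this hunk shows which cluster that UUID names or that it exists in this galaxy, and a dangling `dest-uuid` renders as a broken relation in MISP; the target's `value` should be confirmed before merge. The description also states the "variant" relationship only implicitly (it never names the parent family), so a reader sees the link but not why; one clause such as `"description": "Variant of <parent family> characterized by alternative DNS connections ..."` would make the relation self-explaining. The `refs` list holds a single Lacework post, which is fine for a new entry, but the claim that it is a variant is the kind of assertion that benefits from the `estimative-language` tag already present rather than from the description alone.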


@ -62,7 +62,17 @@
}, },
"uuid": "a0c0ab05-c390-425c-9311-f64bf7ca9145", "uuid": "a0c0ab05-c390-425c-9311-f64bf7ca9145",
"value": "Krane" "value": "Krane"
},
{
"description": "“Hezb”, which is based on command line artifact data, was observed around Kinsing. This malware is relatively new and was recently reported in late May exploiting WSO2 RCE (CVE-2022-29464) in the wild. Several malware components were observed, the first of which was an XMRig miner installed as “Hezb”. Additional modules included a polkit exploit for privilege escalation as well as a zero-detection ELF payload named “kik”.",
"meta": {
"refs": [
"https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/"
]
},
"uuid": "428bbf01-7756-48a2-848d-6bca3997f1df",
"value": "Hezb"
} }
], ],
"version": 2 "version": 3
} }
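Review bot: The `description` of the new Hezb cluster is a verbatim excerpt that starts mid-sentence with typographic quotes (`“Hezb”, which is based on command line artifact data, was observed around Kinsing`), so it reads as a fragment of the source blog rather than as a standalone definition, and the curly quotes differ from the plain ASCII used elsewhere in these files. A self-contained wording keeps every fact the entry already carries: `"description": "Hezb is a cryptomining malware observed alongside Kinsing and reported in late May exploiting the WSO2 RCE (CVE-2022-29464) in the wild. Components include an XMRig miner installed as Hezb, a polkit exploit for privilege escalation and a zero-detection ELF payload named kik."`. If Kinsing already has a cluster in this galaxy (I cannot see the rest of the file), a `related` entry pointing at it would record the co-occurrence the description mentions, in the same shape the Dark.IoT entry in this pull request uses.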


@ -24589,7 +24589,20 @@
}, },
"uuid": "995c3772-dbda-4a2a-9e28-c47740d599a3", "uuid": "995c3772-dbda-4a2a-9e28-c47740d599a3",
"value": "Maui ransomware" "value": "Maui ransomware"
},
{
"description": "Lorenz is a ransomware group that has been active since at least February 2021 and like many ransomware groups, performs double-extortion by exfiltrating data before encrypting systems.",
"meta": {
"ransomnotes-refs": [
"https://marvel-b1-cdn.bc0a.com/f00000000241276/arcticwolf.com/wp-content/uploads/2022/09/Screen-Shot-2022-09-12-at-11.18.04-AM-1024x246.png"
],
"refs": [
"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/"
]
},
"uuid": "d513199e-7f21-43fd-9610-ed708c3f6409",
"value": "Lorenz Ransomware"
} }
], ],
"version": 107 "version": 108
} }
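Review bot: The `ransomnotes-refs` URL on the new Lorenz entry is a CDN-rewritten address (`https://marvel-b1-cdn.bc0a.com/f00000000241276/arcticwolf.com/wp-content/uploads/...`) rather than the publisher's own path, and such edge-cache hostnames and numeric prefixes are not stable identifiers, so the reference is likely to rot independently of the article it belongs to. The embedded segment `arcticwolf.com/wp-content/uploads/2022/09/Screen-Shot-2022-09-12-at-11.18.04-AM-1024x246.png` appears to be the origin path; if it resolves, that is the form to store. The `refs` entry itself already points at the canonical Arctic Wolf blog post, so the two should agree on the host.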


@ -1941,7 +1941,8 @@
"date": "2005 or 2008", "date": "2005 or 2008",
"refs": [ "refs": [
"https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/", "https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/",
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PLUGX" "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PLUGX",
"https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
], ],
"synonyms": [ "synonyms": [
"Korplug", "Korplug",
@ -3536,5 +3537,5 @@
"value": "Ragnatela" "value": "Ragnatela"
} }
], ],
"version": 39 "version": 40
} }


@ -8570,7 +8570,39 @@
}, },
"uuid": "0bdb6f1c-1229-4556-a535-7444ddfbd7a9", "uuid": "0bdb6f1c-1229-4556-a535-7444ddfbd7a9",
"value": "GootLoader" "value": "GootLoader"
},
{
"description": "BumbleBee is a modular backdoor that comprises two applications, a server and a client application (a master and slaver application, respectively in the malwares jargon). Once the client application is deployed on the target computer (these are commonly local government devices), threat actors can control the machine using the server module. Let us take a deeper look into this backdoor.",
"meta": {
"refs": [
"https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html"
],
"type": [
"backdoor"
]
},
"related": [
{
"dest-uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "related-to"
}
],
"uuid": "6fc4beee-b922-4d25-833d-8fb574a3c56e",
"value": "BumbleBee"
},
{
"description": "Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. Benign in itself, but used by threat actors.",
"meta": {
"refs": [
"https://github.com/jpillora/chisel"
]
},
"uuid": "f493dede-9134-44db-a00d-aa4866bfd555",
"value": "Chisel"
} }
], ],
"version": 153 "version": 155
} }
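Review bot: The BumbleBee `description` (first hunk of this section) carries over the source article's narrative text, including the closing sentence `Let us take a deeper look into this backdoor.` and the parenthetical about "master and slaver" jargon, which do not describe the malware and should be dropped from a cluster entry; the same applies, more mildly, to the Chisel description's README voice (`a secure endpoint into your network`). The `value` `"BumbleBee"` is also a likely point of confusion, since a widely reported loader of the same name exists (Proofpoint's 2022 reporting); if that loader already has a cluster in this galaxy, one clause such as `"description": "BumbleBee (not to be confused with the Bumblebee loader) is a modular backdoor ..."` and, where applicable, a `related` entry would keep the two distinguishable. As with the other new entries in this pull request, the `dest-uuid` `96b2b31e-b191-43c4-9929-48ba1cbee62c` cannot be checked from the hunk and should be confirmed to resolve to the intended cluster.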