Merge pull request #768 from Delta-Sierra/main

New clusters
2024-11-22 23:07:19 +00:00 · 2022-09-16 06:40:43 +02:00 · 2022-09-16 06:40:43 +02:00 · 30cb4e7e60
commit 30cb4e7e60
parent 1c8d82cfcc 8202a7f48f
5 changed files with 81 additions and 6 deletions
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@ -1364,7 +1364,26 @@
      ],
      "uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
      "value": "Qbot"
+    },
+    {
+      "description": "This malware is characterized by alternative DNS connections and connects to several *.lib domains using custom DNS servers.",
+      "meta": {
+        "refs": [
+          "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "variant-of"
        }
      ],
-  "version": 27
+      "uuid": "505c6a54-a701-4a4b-85d4-0f2038b7b46a",
+      "value": "Dark.IoT"
+    }
+  ],
+  "version": 28
 }
--- a/clusters/cryptominers.json
+++ b/clusters/cryptominers.json
@ -62,7 +62,17 @@
      },
      "uuid": "a0c0ab05-c390-425c-9311-f64bf7ca9145",
      "value": "Krane"
+    },
+    {
+      "description": "“Hezb”, which is based on command line artifact data, was observed around Kinsing. This malware is relatively new and was recently reported in late May exploiting WSO2 RCE (CVE-2022-29464) in the wild. Several malware components were observed, the first of which was an XMRig miner installed as “Hezb”. Additional modules included a polkit exploit for privilege escalation as well as a zero-detection ELF payload named “kik”.",
+      "meta": {
+        "refs": [
+          "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/"
+        ]
+      },
+      "uuid": "428bbf01-7756-48a2-848d-6bca3997f1df",
+      "value": "Hezb"
    }
  ],
-  "version": 2
+  "version": 3
 }
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@ -24589,7 +24589,20 @@
      },
      "uuid": "995c3772-dbda-4a2a-9e28-c47740d599a3",
      "value": "Maui ransomware"
+    },
+    {
+      "description": "Lorenz is a ransomware group that has been active since at least February 2021 and like many ransomware groups, performs double-extortion by exfiltrating data before encrypting systems.",
+      "meta": {
+        "ransomnotes-refs": [
+          "https://marvel-b1-cdn.bc0a.com/f00000000241276/arcticwolf.com/wp-content/uploads/2022/09/Screen-Shot-2022-09-12-at-11.18.04-AM-1024x246.png"
+        ],
+        "refs": [
+          "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/"
+        ]
+      },
+      "uuid": "d513199e-7f21-43fd-9610-ed708c3f6409",
+      "value": "Lorenz Ransomware"
    }
  ],
-  "version": 107
+  "version": 108
 }
--- a/clusters/rat.json
+++ b/clusters/rat.json
@ -1941,7 +1941,8 @@
        "date": "2005 or 2008",
        "refs": [
          "https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/",
-          "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PLUGX"
+          "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PLUGX",
+          "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
        ],
        "synonyms": [
          "Korplug",
@ -3536,5 +3537,5 @@
      "value": "Ragnatela"
    }
  ],
-  "version": 39
+  "version": 40
 }
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -8570,7 +8570,39 @@
      },
      "uuid": "0bdb6f1c-1229-4556-a535-7444ddfbd7a9",
      "value": "GootLoader"
+    },
+    {
+      "description": "BumbleBee is a modular backdoor that comprises two applications, a server and a client application (a master and slaver application, respectively in the malware’s jargon). Once the client application is deployed on the target computer (these are commonly local government devices), threat actors can control the machine using the server module. Let us take a deeper look into this backdoor.",
+      "meta": {
+        "refs": [
+          "https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html"
+        ],
+        "type": [
+          "backdoor"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "related-to"
        }
      ],
-  "version": 153
+      "uuid": "6fc4beee-b922-4d25-833d-8fb574a3c56e",
+      "value": "BumbleBee"
+    },
+    {
+      "description": "Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. Benign in itself, but used by threat actors.",
+      "meta": {
+        "refs": [
+          "https://github.com/jpillora/chisel"
+        ]
+      },
+      "uuid": "f493dede-9134-44db-a00d-aa4866bfd555",
+      "value": "Chisel"
+    }
+  ],
+  "version": 155
 }