add DDG botnet and more

2025-02-17 01:06:22 +00:00 · 2022-02-11 16:13:36 +01:00 · 2022-02-11 16:13:36 +01:00 · 3184819968
commit 3184819968
parent 5cf1eb01f4
3 changed files with 54 additions and 2 deletions
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@ -1197,6 +1197,45 @@
      },
      "uuid": "099223a1-4a6e-4024-8e48-dbe199ec7244",
      "value": "UPAS-Kit"
+    },
+    {
+      "description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.",
+      "meta": {
+        "refs": [
+          "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex"
+        ],
+        "synonyms": [
+          "Trik"
+        ]
+      },
+      "uuid": "26339b2e-7d82-4844-a9f0-81b0dd85e37c",
+      "value": "Phorpiex"
+    },
+    {
+      "description": "First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting crypto currency mining (Monero).",
+      "meta": {
+        "refs": [
+          "https://twitter.com/JiaYu_521/status/1204248344043778048",
+          "https://twitter.com/JiaYu_521/status/1204248344043778048",
+          "https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/",
+          "https://blog.netlab.360.com/ddg-botnet-round-x-is-there-an-ending/",
+          "https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/",
+          "https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/",
+          "https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/",
+          "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddg"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "5c42585b-ea92-4fe2-8a79-bb47a3df67ad",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        }
+      ],
+      "uuid": "25a745c8-0d2a-40e1-9bb2-3704d1bd49e3",
+      "value": "DDG"
    }
  ],
  "version": 23
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@ -3032,6 +3032,15 @@
        "synonyms": [],
        "type": []
      },
+      "related": [
+        {
+          "dest-uuid": "25a745c8-0d2a-40e1-9bb2-3704d1bd49e3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        }
+      ],
      "uuid": "5c42585b-ea92-4fe2-8a79-bb47a3df67ad",
      "value": "DDG"
    },
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -6157,12 +6157,16 @@
        "refs": [
          "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/",
          "https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia",
-          "https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/"
+          "https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/",
+          "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
+          "https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-investigates-donot-team-cyberespionage-targeting-military-governments-in-south-asia/",
+          "https://github.com/eset/malware-ioc/tree/master/donot"
        ],
        "synonyms": [
          "DoNot Team",
          "Donot Team",
-          "APT-C-35"
+          "APT-C-35",
+          "SectorE02"
        ]
      },
      "uuid": "b9dc4e81-909f-4324-8b25-a0f359cd88e0",