From 773d76444531f5b5593dc034470376005323d223 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 9 Mar 2018 09:21:32 +0100
Subject: [PATCH 01/10] add Exforel
---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index ee22f1d..2396114 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -10,7 +10,7 @@
 ],
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
- "version": 53,
+ "version": 54,
 "values": [
 {
 "meta": {
@@ -3726,6 +3726,16 @@
 "http://blog.jpcert.or.jp/.s/2018/03/malware-tscooki-7aa0.html"
 ]
 }
+ },
+ {
+ "value": "Exforel",
+ "description": "Exforel backdoor malware, VirTool:WinNT/Exforel.A, backdoor implemented at the Network Driver Interface Specification (NDIS) level.",
+ "meta": {
+ "refs": [
+ "http://news.softpedia.com/news/Exforel-Backdoor-Implemented-at-NDIS-Level-to-Be-More-Stealthy-Experts-Say-313567.shtml"
+ ]
+ },
+ "uuid": "3119554e-236e-11e8-ae2e-b7063732fd07"
 }
 ]
 }
From 0cfc8907f3ac42ec48f32e9f9e224c26cfc9dc55 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 9 Mar 2018 09:25:40 +0100
Subject: [PATCH 02/10] add Rotinom
---
 clusters/tool.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index 2396114..37f2be4 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -3736,6 +3736,16 @@
 ]
 },
 "uuid": "3119554e-236e-11e8-ae2e-b7063732fd07"
+ },
+ {
+ "value": "Rotinom",
+ "description": "W32.Rotinom is a worm that spreads by copying itself to removable drives. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-011117-0057-99"
+ ]
+ },
+ "uuid": "5f4be30a-2373-11e8-bbab-774ff49fd040"
 }
 ]
 }
From 0ad7f06cf6f3f0543939ad0c18a2b8f0ca412398 Mon Sep 17 00:00:00 2001
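Review bot: The Rotinom description added by patch 02 ends with a trailing space inside the string literal (`removable drives. `); patch 10's jq pass keeps it, so it lands in the published file and will break exact-match or hashed comparisons of descriptions. Change the line to `"description": "W32.Rotinom is a worm that spreads by copying itself to removable drives.",`. Patch 01 bumps the cluster `"version"` from 53 to 54 alongside its single new entry, but this patch and the eight that follow add further entries under the same 54; if consumers rely on that number to notice a changed cluster, the last patch of the series should bump it again.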
From: Deborah Servili
Date: Fri, 9 Mar 2018 10:18:47 +0100
Subject: [PATCH 03/10] add Aurora/Hydraq
---
 clusters/tool.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index 37f2be4..c1c20ca 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -3746,6 +3746,21 @@
 ]
 },
 "uuid": "5f4be30a-2373-11e8-bbab-774ff49fd040"
+ },
+ {
+ "value": "Aurora",
+ "description": "You probably have heard the recent news about a widespread attack that was carried out using a 0-Day exploit for Internet Explorer as one of the vectors. This exploit is also known as the \"Aurora Exploit\". The code has recently gone public and it was also added to the Metasploit framework.\nThis exploit was used to deliver a malicious payload, known by the name of Trojan.Hydraq, the main purpose of which was to steal information from the compromised computer and report it back to the attackers.\nThe exploit code makes use of known techniques to exploit a vulnerability that exists in the way Internet Explorer handles a deleted object. The final purpose of the exploit itself is to access an object that was previously deleted, causing the code to reference a memory location over which the attacker has control and in which the attacker dropped his malicious code.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/connect/blogs/trojanhydraq-incident-analysis-aurora-0-day-exploit",
+ "https://www.symantec.com/connect/blogs/hydraq-aurora-attackers-back",
+ "https://www.symantec.com/connect/blogs/hydraq-attack-mythical-proportions"
+ ],
+ "synonyms":[
+ "Hydraq"
+ ]
+ },
+ "uuid": "70c31066-237a-11e8-8eff-37ef1ad0c703"
 }
 ]
 }
From a415a48d710fdbc7c926eb2145bc54748cc28756 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 9 Mar 2018 10:47:17 +0100
Subject: [PATCH 04/10] add Cheshire Cat -hack.lu video as reference!
---
 clusters/tool.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
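Review bot: The Aurora entry conflates two different things: its own description says "Aurora" names the Internet Explorer 0-day exploit while `Trojan.Hydraq` is the payload that exploit delivered, yet `Hydraq` is recorded as a synonym of Aurora, so any consumer matching on synonyms will treat the exploit name and the malware family as a single tool. Since this is the tool cluster, consider keying the record on the malware (`"value": "Hydraq"`, with `"Aurora"` under synonyms) or rewriting the description to say which of the two the record covers. The description is also pasted blog prose in a news register ("You probably have heard the recent news ...") rather than a description of the tool; a short summary of the exploit/payload relationship, with the three Symantec refs carrying the detail, would read better in a reference dataset.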
diff --git a/clusters/tool.json b/clusters/tool.json
index c1c20ca..8512cf0 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -3761,6 +3761,18 @@
 ]
 },
 "uuid": "70c31066-237a-11e8-8eff-37ef1ad0c703"
+ },
+ {
+ "value": "Cheshire Cat",
+ "description": "Oldest Cheshire Cat malware compiled in 2002. It's a very old family of malware.\nThe time stamps may be forged but the malware does have support for very old operating systems. The 2002 implant retrieves a handle for an asr2892 drives that they never got their hands on. It checks for a NE header which is a header type used before PE headers even existed. References to 16bit or DOS on a non 9x platform. This malware implant IS REALLY for old systems.\nThe malware is for espionage - it's very carefully made to stay hidden. Newer versions install as icon handler shell extension for .lnk files. Shell in this case means the program manager because windows explorer was not yet a thing. It sets up COM server objects. It looks like it was written in pure C, but made to look like C++.\nA sensitive implant as well: it checks for all kinds of old MS platforms including Windows NT, win95, win98, winME and more. It checks the patch level as well. A lot of effort was put into adapting this malware to a lot of different operating systems with very granular decision chains.",
+ "meta": {
+ "refs": [
+ "https://www.youtube.com/watch?v=u2Ry9HTBbZI",
+ "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/",
+ "https://www.peerlyst.com/posts/hack-lu-2016-recap-interesting-malware-no-i-m-not-kidding-by-marion-marschalek-claus-cramon"
+ ]
+ },
+ "uuid": "7af226a0-237d-11e8-b438-075460988010"
 }
 ]
 }
From 6096c45da517eeb70ee4e844ef14c7fddcd5718d Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 9 Mar 2018 11:32:31 +0100
Subject: [PATCH 05/10] add Downloader-FGO
---
 clusters/tool.json | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
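Review bot: The Cheshire Cat description reads as verbatim talk notes rather than a reference description — fragments such as "a handle for an asr2892 drives that they never got their hands on" and "This malware implant IS REALLY for old systems." only make sense with the context of the hack.lu talk the refs point to. Worth condensing into the neutral register the other entries use: oldest known sample compiled in 2002, checks for NE headers and 16-bit/DOS platforms, espionage implant built to stay hidden, newer versions installed as an icon-handler shell extension for .lnk files using COM server objects, with per-platform decision chains for NT/95/98/ME and patch level. The refs can remain the source for the remaining detail.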
diff --git a/clusters/tool.json b/clusters/tool.json
index 8512cf0..b3296a5 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -3773,6 +3773,29 @@
 ]
 },
 "uuid": "7af226a0-237d-11e8-b438-075460988010"
+ },
+ {
+ "value": "Downloader-FGO",
+ "description": "Downloader-FGO is a trojan that comes hidden in malicious programs. Once you install the source (carrier) program, this trojan attempts to gain \"root\" access (administrator level access) to your computer without your knowledge",
+ "meta": {
+ "refs": [
+ "https://www.solvusoft.com/en/malware/trojans/downloader-fgo/"
+ ],
+ "synonyms": [
+ "Win32:Malware-gen",
+ "Generic30.ASYL (Trojan horse)",
+ "TR/Agent.84480.85",
+ "Trojan.Generic.8627031",
+ "Trojan:Win32/Sisproc",
+ "SB/Malware",
+ "Trj/CI.A",
+ "Mal/Behav-112",
+ "Trojan.Spuler",
+ "TROJ_KAZY.SM1",
+ "Win32/FakePPT_i"
+ ],
+ "uuid": "c565a3a4-2384-11e8-99e9-ebd8ea5c3c3e"
+ }
+ }
 }
 ]
 }
From d2ad0f1c09a1b86f43d5497a67bedd9aedf8aa94 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 9 Mar 2018 12:20:06 +0100
Subject: [PATCH 06/10] add miniflame
---
 clusters/tool.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index b3296a5..132ec37 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
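Review bot: The `"uuid"` of the Downloader-FGO entry is placed inside `"meta"` (directly after the synonyms array) while every other entry in this series (Exforel, Rotinom, Aurora, Cheshire Cat) carries it at entry level next to `"value"`; anything reading the entry-level key will see this record as having no identifier, patch 09 "add missing uuid" indeed skipped it, and patch 10's jq pass does not move keys, so the misplacement reaches the final file. The fix is to close meta before the uuid: `]` then `},` after the synonyms, followed by `"uuid": "c565a3a4-2384-11e8-99e9-ebd8ea5c3c3e"` as the last entry-level key. Separately, several listed synonyms (`Win32:Malware-gen`, `SB/Malware`) are generic vendor detection names rather than family aliases, so matching on them would correlate unrelated samples with this entry; trimming the list to family-specific names avoids that. As rendered here the hunk shows two closing `+ }` lines while its header `@@ -3773,6 +3773,29 @@` and the diffstat announce 23 insertions, so one of those lines is presumably a rendering artifact; it does not change the point above.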
@@ -3796,6 +3796,16 @@
 ],
 "uuid": "c565a3a4-2384-11e8-99e9-ebd8ea5c3c3e"
 }
+ },
+ {
+ "value": "miniFlame",
+ "description": "Newly discovered spying malware designed to steal data from infected systems was likely built from the same cyber-weaponry factory that produced two other notorious cyberespionage software Flame and Gauss, a security vendor says.\nKaspersky Lab released a technical paper Monday outlining the discovery of the malware the vendor has dubbed \"miniFlame.\"\nWhile capable of working with Flame and Gauss, miniFlame is a \"small, fully functional espionage module designed for data theft and direct access to infected systems,\" Kaspersky said.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/miniflame-aka-spe-elvis-and-his-friends-5/31730/",
+ "https://www.csoonline.com/article/2132422/malware-cybercrime/cyberespionage-malware--miniflame--discovered.html"
+ ]
+ }
+ }
 }
 ]
 }
From 1b19f99f879350d75194a3d7d30542662f450c47 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 9 Mar 2018 14:29:24 +0100
Subject: [PATCH 07/10] add ghotex
---
 clusters/tool.json | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index 132ec37..871539e 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -3806,6 +3806,15 @@
 "https://www.csoonline.com/article/2132422/malware-cybercrime/cyberespionage-malware--miniflame--discovered.html"
 ]
 }
+ },
+ {
+ "value": "GHOTEX",
+ "description": "PE_GHOTEX.A-O is a portable executable (PE is the standard executable format for 32-bit Windows files) virus. PE viruses infect executable Windows files by incorporating their code into these files such that they are executed when the infected files are opened.",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/vinfo/dk/threat-encyclopedia/archive/malware/pe_ghotex.a-o"
+ ]
+ }
 }
 ]
 }
From ac8dc7122cc9c357fc4e14685c83a3c2bc33d070 Mon Sep 17 00:00:00 2001
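Review bot: The miniFlame description is a verbatim news lead ("... a security vendor says", "Kaspersky Lab released a technical paper Monday ..."), so the dateless "Monday" and the reported-speech framing carry no information once pasted into a reference entry. The factual content reduces to one line, e.g. `"description": "miniFlame is a small, fully functional espionage module designed for data theft and direct access to infected systems; it is capable of working together with Flame and Gauss.",`. The securelist reference URL (`miniflame-aka-spe-...`) suggests an alias, SPE, that could be recorded under `"synonyms"` once confirmed against the paper. Like the Downloader-FGO hunk before it, this hunk as rendered shows one more closing `+ }` than its header `@@ -3796,6 +3796,16 @@` accounts for, presumably a rendering artifact.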
From: Deborah Servili
Date: Fri, 9 Mar 2018 14:34:14 +0100
Subject: [PATCH 08/10] add Shipup
---
 clusters/tool.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index 871539e..cf01ef7 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -3815,6 +3815,20 @@
 "https://www.trendmicro.com/vinfo/dk/threat-encyclopedia/archive/malware/pe_ghotex.a-o"
 ]
 }
+ },
+ {
+ "value": "Shipup",
+ "description": "Trojan:Win32/Shipup.G is a trojan that modifies the Autorun feature for certain devices.",
+ "meta": {
+ "refs":
+ [
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Shipup.G",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FShipup.K",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Shipup.A",
+ "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~ShipUp-F/detailed-analysis.aspx",
+ "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~ShipUp-A/detailed-analysis.aspx"
+ ]
+ }
 }
 ]
 }
From 0c1e0b86b57f062f5c714ff0e191d0ab0c7b2e69 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 9 Mar 2018 14:39:14 +0100
Subject: [PATCH 09/10] add missing uuid
---
 clusters/tool.json | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index cf01ef7..59fb9b6 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -3805,7 +3805,8 @@
 "https://securelist.com/miniflame-aka-spe-elvis-and-his-friends-5/31730/",
 "https://www.csoonline.com/article/2132422/malware-cybercrime/cyberespionage-malware--miniflame--discovered.html"
 ]
- }
+ },
+ "uuid": "16c57264-239f-11e8-9469-0738871e7aa4"
 },
 {
 "value": "GHOTEX",
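Review bot: The Shipup description covers only `Trojan:Win32/Shipup.G`, while the five refs describe Shipup.K, `Worm:Win32/Shipup.A` and two Sophos write-ups (ShipUp-F, ShipUp-A), so a consumer matching incoming detection names against this entry will miss every variant but .G. Add a `"synonyms"` array inside `meta` listing the detection names the refs use (`Trojan:Win32/Shipup.G`, `Trojan:Win32/Shipup.K`, `Worm:Win32/Shipup.A`, plus the two Sophos names encoded in the last two URLs), and widen the description to the family, e.g. `"description": "Shipup is a family of trojan and worm variants that modify the Autorun feature for certain devices.",`. The `"refs":` / `[` split across two lines and the missing uuid are both corrected later in the series and need no further action.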
@@ -3814,7 +3815,8 @@
 "refs": [
 "https://www.trendmicro.com/vinfo/dk/threat-encyclopedia/archive/malware/pe_ghotex.a-o"
 ]
- }
+ },
+ "uuid": "231b7572-239f-11e8-8404-df420a5d403b"
 },
 {
 "value": "Shipup",
@@ -3828,7 +3830,8 @@
 "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~ShipUp-F/detailed-analysis.aspx",
 "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~ShipUp-A/detailed-analysis.aspx"
 ]
- }
- }
+ },
+ "uuid": "231b7572-239f-11e8-8404-df420a5d403b"
+ },
 ]
 }
From ca7034a1170f58630bce6e78066079790c2770ad Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 9 Mar 2018 14:53:31 +0100
Subject: [PATCH 10/10] jq all the things
---
 clusters/tool.json | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 59fb9b6..0e5c511 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -3729,7 +3729,7 @@
 },
 {
 "value": "Exforel",
- "description": "Exforel backdoor malware, VirTool:WinNT/Exforel.A, backdoor implemented at the Network Driver Interface Specification (NDIS) level.",
+ "description": "Exforel backdoor malware, VirTool:WinNT/Exforel.A, backdoor implemented at the Network Driver Interface Specification (NDIS) level.",
 "meta": {
 "refs": [
 "http://news.softpedia.com/news/Exforel-Backdoor-Implemented-at-NDIS-Level-to-Be-More-Stealthy-Experts-Say-313567.shtml"
@@ -3739,7 +3739,7 @@
 },
 {
 "value": "Rotinom",
- "description": "W32.Rotinom is a worm that spreads by copying itself to removable drives. ",
+ "description": "W32.Rotinom is a worm that spreads by copying itself to removable drives. ",
 "meta": {
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-011117-0057-99"
@@ -3756,7 +3756,7 @@
 "https://www.symantec.com/connect/blogs/hydraq-aurora-attackers-back",
 "https://www.symantec.com/connect/blogs/hydraq-attack-mythical-proportions"
 ],
- "synonyms":[
+ "synonyms": [
 "Hydraq"
 ]
 },
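Review bot: The uuid this second hunk gives the Shipup entry, `231b7572-239f-11e8-8404-df420a5d403b`, is the very value the first hunk on this line assigns to GHOTEX, so two cluster values now share an identifier that is meant to be unique; patch 10 keeps it (its last hunk shows the same string as context), so the duplicate is in the final file and any consumer that indexes entries by uuid will silently drop or overwrite one of the two. Generate a fresh identifier for Shipup, `"uuid": "<NEW-UUID>"` (placeholder), and check uniqueness across all `uuid` values in the cluster before merging, since the same copy-paste step also left the Downloader-FGO uuid nested in its meta object. The trailing `},` before `]` that the hunk leaves is corrected by patch 10 and needs no further action.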
@@ -3822,8 +3822,7 @@
 "value": "Shipup",
 "description": "Trojan:Win32/Shipup.G is a trojan that modifies the Autorun feature for certain devices.",
 "meta": {
- "refs":
- [
+ "refs": [
 "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Shipup.G",
 "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FShipup.K",
 "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Shipup.A",
@@ -3832,6 +3831,6 @@
 ]
 },
 "uuid": "231b7572-239f-11e8-8404-df420a5d403b"
- },
+ }
 ]
 }