diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index 608f7d7..cb5af6a 100644
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@@ -20,6 +20,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa20-239a",
 "https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/",
 "https://github.com/fboldewin/FastCashMalwareDissected/",
 "https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf",
@@ -27,6 +28,9 @@
 "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware",
 "https://www.us-cert.gov/ncas/alerts/TA18-275A",
+ "https://www.cisa.gov/uscert/ncas/alerts/TA18-275A",
+ "https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf",
 "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html",
 "https://www.youtube.com/watch?v=LUxOcpIRxmg",
 "https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf",
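Review bot: Two of the three refs added at `@@ -27,6 +28,9 @@` duplicate entries that stay in the list under another host: `https://www.cisa.gov/uscert/ncas/alerts/TA18-275A` next to the retained `https://www.us-cert.gov/ncas/alerts/TA18-275A`, and `https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware` next to `https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware`. The same lack of URL normalisation shows in the Anubis hunk at `@@ -212,6 +274,7 @@`, where the added `securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/` differs from the existing entry only by a trailing space inside the string, and in the Chrysaor hunk at `@@ -494,40 +594,52 @@`, whose refs carry tracking suffixes such as `?itid=co_pegasus_5` and `?s=20`. If this file is regenerated from Malpedia, the generator should trim whitespace and strip tracking parameters before comparing refs and keep one canonical URL per advisory; consumers that deduplicate on the exact string otherwise count a single source twice. The `refs` array these hunks extend begins before the first hunk line.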
@@ -57,14 +61,36 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.aberebot",
- "https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/"
+ "https://hothardware.com/news/escobar-banking-trojan-targets-mfa-codes",
+ "https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/",
+ "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://blog.cyble.com/2022/03/10/aberebot-returns-as-escobar/",
+ "https://twitter.com/_icebre4ker_/status/1460527428544176128"
+ ],
+ "synonyms": [
+ "Escobar"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "4b9c0228-2bfd-4bc7-bd64-8357a2da12ee",
 "value": "Aberebot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.abstract_emu",
+ "https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "57a4c8c0-140a-45e3-9166-64e3e35c5986",
+ "value": "AbstractEmu"
+ },
 {
 "description": "",
 "meta": {
@@ -86,7 +112,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.adobot",
- "https://twitter.com/LukasStefanko/status/1243198756981559296"
+ "https://twitter.com/LukasStefanko/status/1243198756981559296",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord"
 ],
 "synonyms": [],
 "type": []
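Review bot: `https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord` is attached in this commit to three unrelated Android families (Aberebot here, the new AbstractEmu entry, and Adobot at `@@ -86,7 +112,8 @@`), and the AbstractEmu entry additionally cites a SentinelOne article whose slug is about macOS malware hunting with radare2. One write-up genuinely covering several families is possible, but a ref fanned out across clusters in a single import is also the usual signature of an upstream mis-tag, so both are worth spot-checking before the file is published as intelligence. The AbstractEmu entry is otherwise well-formed: UUID, empty `synonyms`/`type` and the canonical Malpedia ref follow the pattern of the neighbouring entries.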
@@ -130,31 +157,63 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien",
 "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html",
 "https://info.phishlabs.com/blog/alien-mobile-malware-evades-detection-increases-targets",
- "https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/",
- "https://research.checkpoint.com/2021/clast82-a-new-dropper-on-google-play-dropping-the-alienbot-banker-and-mrat/"
+ "https://research.checkpoint.com/2021/clast82-a-new-dropper-on-google-play-dropping-the-alienbot-banker-and-mrat/",
+ "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/",
+ "https://www.prodaft.com/m/reports/BrunHilda_DaaS.pdf",
+ "https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html",
+ "https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/",
+ "https://drive.google.com/file/d/1qd7Nqjhe2vyGZ5bGm6gVw0mM1D6YDolu/view?usp=sharing",
+ "https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/"
+ ],
+ "synonyms": [
+ "AlienBot"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "de483b10-4247-46b3-8ab5-77d089f0145c",
 "value": "Alien"
 },
+ {
+ "description": "This malware was initially named BlackRock and later renamed to AmpleBot.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.amplebot",
+ "https://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_them_all.html",
+ "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html",
+ "https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html"
+ ],
+ "synonyms": [
+ "BlackRock"
+ ],
+ "type": []
+ },
+ "uuid": "2f3f82f6-ec21-489e-8257-0967c567798a",
+ "value": "AmpleBot"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anatsa",
 "https://www.cleafy.com/documents/teabot",
+ "https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html",
 "https://labs.k7computing.com/?p=22407",
- "https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html",
+ "https://labs.k7computing.com/index.php/play-store-app-serves-teabot-via-github/",
 "https://twitter.com/ThreatFabric/status/1394958795508523008",
 "https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/",
 "https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368",
 "https://blog.nviso.eu/2021/05/11/android-overlay-attacks-on-belgian-financial-applications/",
+ "https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html",
 "https://www.buguroo.com/hubfs/website/pdf/reports/buguroo-malware-report-Toddler_EN.pdf",
- "https://twitter.com/_icebre4ker_/status/1416409813467156482"
+ "https://www.prodaft.com/m/reports/Toddler___TLPWHITE_V2.pdf",
+ "https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered",
+ "https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe",
+ "https://gbhackers.com/teabot-banking-trojan/",
+ "https://twitter.com/_icebre4ker_/status/1416409813467156482",
+ "https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html"
 ],
 "synonyms": [
+ "ReBot",
 "TeaBot",
 "Toddler"
 ],
@@ -176,6 +235,7 @@
 "https://github.com/DesignativeDave/androrat",
 "https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg",
 "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf",
+ "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/"
 ],
 "synonyms": [],
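Review bot: `https://drive.google.com/file/d/1qd7Nqjhe2vyGZ5bGm6gVw0mM1D6YDolu/view?usp=sharing`, added to the Alien refs, is an access-controlled share link rather than a published report: its owner can revoke or replace the document at any time, the file ID gives a reader no title or author to verify against, and `?usp=sharing` is a tracking suffix the other refs do not carry, so the entry should point at the source's published location or an archived copy, with the Drive link at most as a secondary pointer. Separately, this hunk moves refs without changing them (the preyproject URL in Alien, and `smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html` plus the `_icebre4ker_` tweet in Anatsa appear as remove/re-add pairs), and the same churn recurs in Cerberus at `@@ -432,14 +515,16 @@`, Chrysaor at `@@ -494,40 +594,52 @@`, Hydra at `@@ -1286,12 +1493,28 @@` and Lokibot at `@@ -1437,10 +1662,11 @@`; having the generator emit `refs` in a stable sorted order would reduce such diffs to real additions and make per-ref review meaningful. The Alien object starts before this hunk's first line and the Anatsa object ends after its last.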
@@ -185,7 +245,7 @@
 "value": "AndroRAT"
 },
 {
- "description": "",
+ "description": "BleepingComputer found that Anubis will display fake phishing login forms when users open up apps for targeted platforms to steal credentials. This overlay screen will be shown over the real app's login screen to make victims think it's a legitimate login form when in reality, inputted credentials are sent to the attackers.\r\n\r\nIn the new version spotted by Lookout, Anubis now targets 394 apps and has the following capabilities:\r\n\r\nRecording screen activity and sound from the microphone\r\nImplementing a SOCKS5 proxy for covert communication and package delivery\r\nCapturing screenshots\r\nSending mass SMS messages from the device to specified recipients\r\nRetrieving contacts stored on the device\r\nSending, reading, deleting, and blocking notifications for SMS messages received by the device\r\nScanning the device for files of interest to exfiltrate\r\nLocking the device screen and displaying a persistent ransom note\r\nSubmitting USSD code requests to query bank balances\r\nCapturing GPS data and pedometer statistics\r\nImplementing a keylogger to steal credentials\r\nMonitoring active apps to mimic and perform overlay attacks\r\nStopping malicious functionality and removing the malware from the device",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis",
@@ -199,12 +259,14 @@
 "https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/",
 "https://www.youtube.com/watch?v=U0UsfO-0uJM",
 "http://blog.koodous.com/2017/05/bankbot-on-google-play.html",
+ "https://muha2xmad.github.io/malware-analysis/anubis/",
 "https://securelist.com/mobile-malware-evolution-2019/96280/",
 "https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/",
 "https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html",
 "https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html",
 "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html",
 "https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html",
+ "https://assets.virustotal.com/reports/2021trends.pdf",
 "https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/ ",
 "https://community.riskiq.com/article/85b3db8c",
 "https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/",
@@ -212,6 +274,7 @@
 "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html",
 "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/",
 "https://pentest.blog/n-ways-to-unpack-mobile-malware/",
+ "https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/",
 "https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html"
 ],
 "synonyms": [
@@ -311,6 +374,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut",
+ "https://mp.weixin.qq.com/s/YAAybJBAvxqrQWYDg31BBw",
 "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
 "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf",
 "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/",
@@ -343,33 +407,26 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bianlian",
 "https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html",
- "https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html"
+ "https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html",
+ "https://cryptax.medium.com/multidex-trick-to-unpack-android-bianlian-ed52eb791e56"
+ ],
+ "synonyms": [
+ "Hydra"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "1faaa5c5-ab4e-4101-b2d9-0e12207d70fc",
 "value": "BianLian"
 },
- {
- "description": "",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.blackrock",
- "https://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_them_all.html",
- "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "2f3f82f6-ec21-489e-8257-0967c567798a",
- "value": "BlackRock"
- },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.brata",
+ "https://www.cleafy.com/cleafy-labs/brata-is-evolving-into-an-advanced-persistent-threat",
+ "https://www.cleafy.com/cleafy-labs/mobile-banking-fraud-brata-strikes-again",
+ "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
+ "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account",
 "https://securelist.com/spying-android-rat-from-brazil-brata/92775/"
 ],
 "synonyms": [],
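Review bot: The new `"synonyms": [ "Hydra" ]` on BianLian collides with the separate Hydra cluster this file also carries (the `apk.hydra` entry edited at `@@ -1286,12 +1493,28 @@`, whose description calls Hydra an Android BankBot variant). MISP galaxy matching resolves both `value` and `synonyms`, so the name "Hydra" now maps to two UUIDs and any tag or correlation on it becomes ambiguous; if the alias reflects BianLian acting as a dropper for Hydra, as the ThreatFabric ref title suggests, that relationship belongs in `description` rather than in `synonyms`, and the duplicate alias should be raised upstream. The deletion of the BlackRock object is consistent with the AmpleBot entry at `@@ -130,31 +157,63 @@` reusing UUID `2f3f82f6-ec21-489e-8257-0967c567798a` and listing `BlackRock` as a synonym, so existing tags keep resolving and only the display `value` changes.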
@@ -378,6 +435,19 @@
 "uuid": "d9ff080d-cde0-48da-89db-53435c99446b",
 "value": "BRATA"
 },
+ {
+ "description": "PRODAFT describes Brunhilda as a \"Dropper as a Service\" for Google Play, delivering e.g. Alien.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.brunhilda",
+ "https://www.prodaft.com/m/reports/BrunHilda_DaaS.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5d3d5f52-0a55-4c81-af87-7809ce43906b",
+ "value": "Brunhilda"
+ },
 {
 "description": "",
 "meta": {
@@ -391,6 +461,19 @@
 "uuid": "4bf68bf8-08e5-46f3-ade5-0bd4f124b168",
 "value": "BusyGasper"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.capra_rat",
+ "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7cd1c5f3-7635-46d2-87f1-e638fb8d714c",
+ "value": "CapraRAT"
+ },
 {
 "description": "",
 "meta": {
@@ -424,7 +507,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.cerberus",
 "https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html",
- "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12075509/EN_The-State-of-Stalkerware-2021.pdf",
 "https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/",
 "https://insights.oem.avira.com/in-depth-analysis-of-a-cerberus-trojan-variant/",
 "https://community.riskiq.com/article/85b3db8c",
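Review bot: The two Kaspersky "State of Stalkerware 2021" references introduced for Cerberus here (`media.kasperskycontenthub.com/.../EN_The-State-of-Stalkerware-2021.pdf`) and at `@@ -432,14 +515,16 @@` (`securelist.com/the-state-of-stalkerware-in-2021/106193/`) sit in the refs of the Cerberus banking trojan, and nothing in the hunk ties them to it; a stalkerware survey is more likely to concern a monitoring app that shares the name than the banker, so this looks like a name-based mis-tag worth confirming against the reports before it is consumed as intelligence on `apk.cerberus`. The replaced line, `threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html`, is not lost: the next hunk re-adds it at the end of the list, so that part is a pure reorder. The Cerberus `refs` array begins before this hunk and continues past it.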
@@ -432,14 +515,16 @@
 "https://blog.cyberint.com/cerberus-is-dead-long-live-cerberus",
 "https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf",
 "https://github.com/ics-iot-bootcamp/cerberus_research",
- "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html",
+ "https://securelist.com/the-state-of-stalkerware-in-2021/106193/",
 "https://nur.pub/cerberus-analysis",
+ "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html",
 "https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf",
 "https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html",
 "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html",
 "https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/",
 "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "https://twitter.com/AndroidCerberus"
+ "https://twitter.com/AndroidCerberus",
+ "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"
 ],
 "synonyms": [],
 "type": []
@@ -477,6 +562,20 @@
 "uuid": "6e0545df-8df6-4990-971c-e96c4c60d561",
 "value": "Charger"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chinotto",
+ "https://blog.cyble.com/2021/12/06/apt37-using-a-new-android-spyware-chinotto/",
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6cc7b402-21cf-4510-be7d-d7f811a57bc1",
+ "value": "Chinotto (Android)"
+ },
 {
 "description": "",
 "meta": {
@@ -484,8 +583,9 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor",
 "https://www.theguardian.com/news/2021/jul/18/viktor-orban-using-nso-spyware-in-assault-on-media-data-suggests",
 "https://thewire.in/tag/pegasus-project",
+ "https://zetter.substack.com/p/pegasus-spyware-how-it-works-and",
 "https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/",
- "https://twitter.com/HackSysTeam/status/1418223814387765258?s=20",
+ "https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html",
 "https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/",
 "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
 "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/",
@@ -494,40 +594,52 @@
 "https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/",
 "https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus",
 "https://www.washingtonpost.com/technology/2021/07/18/reactions-pegasus-project-nso/",
- "https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/",
+ "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/",
+ "https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/",
 "https://forbiddenstories.org/about-the-pegasus-project/",
- "https://www.theguardian.com/news/series/pegasus-project",
+ "https://irpimedia.irpi.eu/sorveglianze-cy4gate/",
 "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
 "https://thewire.in/government/indian-army-bsf-raw-pegasus-spyware-threat",
 "https://www.washingtonpost.com/world/2021/07/19/india-nso-pegasus/",
+ "https://www.reuters.com/technology/how-saudi-womans-iphone-revealed-hacking-around-world-2022-02-17/",
 "https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/",
 "https://twitter.com/alexanderjaeger/status/1417447732030189569",
 "https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto",
 "https://www.bleepingcomputer.com/news/security/iphones-running-latest-ios-hacked-to-deploy-nso-group-spyware/",
+ "https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/",
 "https://twitter.com/billmarczak/status/1416801439402262529",
 "https://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware/",
 "https://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure",
 "https://citizenlab.ca/2021/07/amnesty-peer-review/",
- "https://www.washingtonpost.com/investigations/interactive/2021/jamal-khashoggi-wife-fiancee-cellphone-hack/?itid=co_pegasus_5",
+ "https://twitter.com/HackSysTeam/status/1418223814387765258?s=20",
 "https://media.ccc.de/v/33c3-7901-pegasus_internals",
 "https://thewire.in/media/pegasus-project-spyware-indian-journalists",
- "https://zetter.substack.com/p/pegasus-spyware-how-it-works-and",
+ "https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/",
 "https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/",
+ "https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/",
 "https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/",
 "https://www.lemonde.fr/projet-pegasus/article/2021/07/18/au-maroc-comme-en-france-des-journalistes-mis-sous-surveillance-avec-le-logiciel-pegasus_6088654_6088648.html",
+ "https://www.washingtonpost.com/investigations/interactive/2021/jamal-khashoggi-wife-fiancee-cellphone-hack/?itid=co_pegasus_5",
 "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/",
+ "https://lifars.com/2022/01/forensics-analysis-of-the-nso-groups-pegasus-spyware/",
 "https://forbiddenstories.org/the-pegasus-project-a-worldwide-collaboration-to-counter-a-global-crime/",
 "https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html",
 "https://thewire.in/government/project-pegasus-journalists-ministers-activists-phones-spying",
 "https://nex.sx/blog/2021/08/03/the-pegasus-project.html",
+ "https://www.cyjax.com/2021/10/26/mercenary-apts-an-exploration/",
+ "https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/",
 "https://threatpost.com/nso-pegasus-spyware-bans-apple-accountability/167965/",
+ "https://objective-see.com/blog/blog_0x67.html",
 "https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso",
+ "https://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/",
 "https://thewire.in/rights/sar-geelani-pegasus-spyware-phone-messages",
 "https://blog.zecops.com/research/the-recent-ios-0-click-cve-2021-30860-sounds-familiar-an-unreleased-write-up-one-year-later/",
 "https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/",
+ "https://www.theguardian.com/news/series/pegasus-project",
 "https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html",
 "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf",
- "https://objective-see.com/blog/blog_0x67.html"
+ "https://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/",
+ "https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/"
 ],
 "synonyms": [
 "JigglyPuff",
@@ -608,13 +720,22 @@
 "value": "Connic"
 },
 {
- "description": "The malicious Coper apps have a modular architecture and a multi-stage infection mechanism. All known Coper banker trojan modifications target Colombian users to date. However, new versions targeting users from other countries are likely to emerge over time.",
+ "description": "Coper is a descendant of ExoBotCompat, which was a rewritten version of Exobot.\r\nMalicious Coper apps have a modular architecture and a multi-stage infection mechanism. Coper has originally been spotted in Colombia but has since emerged in Europa as well.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.coper",
- "https://news.drweb.com/show/?p=0&lng=en&i=14259&c=0"
+ "https://thehackernews.com/2022/04/new-octo-banking-trojan-spreading-via.html",
+ "https://news.drweb.com/show/?p=0&lng=en&i=14259&c=0",
+ "https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/",
+ "https://twitter.com/_icebre4ker_/status/1541875982684094465",
+ "https://blog.cyble.com/2022/03/24/coper-banking-trojan/",
+ "https://cert.pl/posts/2021/12/aktywacja-aplikacji-iko/",
+ "https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html"
+ ],
+ "synonyms": [
+ "ExobotCompact",
+ "Octo"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "70973ef7-e031-468f-9420-d8aa4eb7543a",
@@ -761,6 +882,19 @@
 "uuid": "8990cec7-ddd8-435e-97d6-5b36778e86fe",
 "value": "DroidJack"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.droidwatcher",
+ "https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "15f3e50b-9fa5-4eab-ac2b-928e9ce03b72",
+ "value": "DroidWatcher"
+ },
 {
 "description": "",
 "meta": {
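Review bot: The rewritten Coper description and its new `synonyms` disagree on the ancestor's name: the text says `ExoBotCompat` while the synonym list adds `ExobotCompact`, so a search on either spelling misses the other; pick the spelling the cited sources use and apply it in both places. The description also reads `emerged in Europa as well` and `has originally been spotted`, which should be `emerged in Europe as well` and `was originally spotted`. Note that the same Cyble and ThreatFabric Octo refs are added to the Exobot entry at `@@ -837,7 +973,13 @@`, so if Octo is ever promoted to its own cluster it must be removed from this `synonyms` list at the same time to avoid the kind of alias collision seen with Hydra elsewhere in the file.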
@@ -809,7 +943,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ermac",
- "https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html"
+ "https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html",
+ "https://twitter.com/ESETresearch/status/1445618031464357888",
+ "https://blog.cyble.com/2022/05/25/ermac-back-in-action/"
 ],
 "synonyms": [],
 "type": []
@@ -837,7 +973,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.exobot",
- "https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/"
+ "https://www.bleepingcomputer.com/news/security/exobot-author-calls-it-quits-and-sells-off-banking-trojan-source-code/",
+ "https://www.bleepingcomputer.com/news/security/new-exo-android-trojan-sold-on-hacking-forums-dark-web/",
+ "https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/",
+ "https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/",
+ "https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/",
+ "https://blog.cyble.com/2022/03/24/coper-banking-trojan/",
+ "https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html"
 ],
 "synonyms": [],
 "type": []
@@ -861,6 +1003,21 @@
 "uuid": "462bc006-b7bd-4e10-afdb-52baf86121e8",
 "value": "Exodus"
 },
+ {
+ "description": "Facebook Credential Stealer.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.facestealer",
+ "https://labs.k7computing.com/index.php/facestealer-the-rise-of-facebook-credential-stealer-malware/",
+ "https://threatpost.com/facestealer-trojan-google-play-facebook/179015/",
+ "https://www.trendmicro.com/en_us/research/22/e/fake-mobile-apps-steal-facebook-credentials--crypto-related-keys.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c35ebd96-d2f8-4add-b86f-f552ed5dfa9b",
+ "value": "FaceStealer"
+ },
 {
 "description": "",
 "meta": {
@@ -974,28 +1131,38 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot",
 "https://mobile.twitter.com/alberto__segura/status/1400396365759500289",
 "https://twitter.com/alberto__segura/status/1399249798063087621?s=20",
+ "https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered",
 "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon",
 "https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368",
+ "https://www.prodaft.com/m/reports/FluBot_4.pdf",
+ "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones",
 "https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06",
 "https://twitter.com/alberto__segura/status/1402615237296148483",
 "https://twitter.com/malwrhunterteam/status/1359939300238983172",
 "https://twitter.com/alberto__segura/status/1384840011892285440",
+ "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/",
 "https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027",
 "https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/",
 "https://securityintelligence.com/posts/story-of-fakechat-malware/",
 "https://news.netcraft.com/archives/2021/08/04/flubot-malware-spreads-to-australia.html",
 "https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9",
+ "https://www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond",
 "https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/",
 "https://www.nortonlifelock.com/blogs/research-group/flubot-targets-android-phone-users",
 "https://news.netcraft.com/archives/2021/08/17/resurgent-flubot-malware-targets-german-and-polish-banks.html",
+ "https://www.bitsight.com/blog/flubot-malware-persists-most-prevalent-germany-and-spain",
 "https://blog.zimperium.com/flubot-vs-zimperium/",
+ "https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html",
 "https://hispasec.com/resources/FedexBanker.pdf",
 "https://twitter.com/alberto__segura/status/1395675479194095618",
 "https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf",
+ "https://www.ncsc.admin.ch/22w12-de",
 "https://blog.nviso.eu/2021/04/19/how-to-analyze-mobile-malware-a-cabassous-flubot-case-study/",
 "https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/",
 "https://therecord.media/flubot-malware-gang-arrested-in-barcelona/",
+ "https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html",
 "https://twitter.com/alberto__segura/status/1404098461440659459",
+ "https://www.cert.govt.nz/individuals/news-and-events/parcel-delivery-text-message-infecting-android-phones/",
 "https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/"
 ],
 "synonyms": [
@@ -1194,6 +1361,32 @@
 "uuid": "13dc1ec7-aba7-4553-b990-8323405a1d32",
 "value": "GPlayed"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.grifthorse",
+ "https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fe40a0b2-be48-41c5-8814-7fa3a6a993b9",
+ "value": "GriftHorse"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.guerrilla",
+ "https://www.trendmicro.com/en_us/research/22/b/sms-pva-services-use-of-infected-android-phones-reveals-flaws-in-sms-verification.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "57de6ac2-8cf0-4022-aee2-5f76e3dbd503",
+ "value": "Guerrilla"
+ },
 {
 "description": "Group-IB describes Gustuff as a mobile Android Trojan, which includes potential targets of customers in leading international banks, users of cryptocurrency services, popular ecommerce websites and marketplaces. Gustuff has previously never been reported. Gustuff is a new generation of malware complete with fully automated features designed to steal both fiat and crypto currency from user accounts en masse. The Trojan uses the Accessibility Service, intended to assist people with disabilities.\r\nThe analysis of Gustuff sample revealed that the Trojan is equipped with web fakes designed to potentially target users of Android apps of top international banks including Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase etc. Group-IB specialists discovered that Gustuff could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India and users of 32 cryptocurrency apps.",
 "meta": {
@@ -1256,6 +1449,20 @@
 "uuid": "0185f9f6-018e-4eb5-a214-d810cb759a38",
 "value": "HenBox"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hermit",
+ "https://de.lookout.com/blog/hermit-spyware-discovery",
+ "https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b95f25a0-ba22-4320-95e3-323fbf852846",
+ "value": "Hermit"
+ },
 {
 "description": "",
 "meta": {
@@ -1286,12 +1493,28 @@
 "value": "HiddenAd"
 },
 {
- "description": "",
+ "description": "RAT, which can be used to extract sensitive information, e.g. contact lists, txt messages, location information.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hilalrat",
+ "https://thehackernews.com/2022/04/microsoft-obtains-court-order-to-take.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "96bea6aa-3202-4352-8e36-fa05c677c0e8",
+ "value": "HilalRAT"
+ },
+ {
+ "description": "Avira states that Hydra is an Android BankBot variant, a type of malware designed to steal banking credentials. The way it does this is by requesting the user enables dangerous permissions such as accessibility and every time the banking app is opened, the malware is hijacking the user by overwriting the legit banking application login page with a malicious one. The goal is the same, to trick the user to enter his login credentials so that it will go straight to the malware authors.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra",
+ "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html",
 "https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/",
- "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html"
+ "https://www.avira.com/en/blog/avira-labs-research-reveals-hydra-banking-trojan-2-0",
+ "https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/",
+ "https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html"
 ],
 "synonyms": [],
 "type": []
@@ -1355,7 +1578,9 @@
 "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html",
 "https://labs.k7computing.com/?p=22199"
 ],
- "synonyms": [],
+ "synonyms": [
+ "Bread"
+ ],
 "type": []
 },
 "uuid": "aa2ad8f4-3c46-4f16-994b-2a79c7481cac",
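Review bot: The new HilalRAT description, `RAT, which can be used to extract sensitive information, e.g. contact lists, txt messages, location information.`, is a sentence fragment and uses the abbreviation `txt` where the rest of the file writes `SMS`; suggested wording: `"description": "Android remote access trojan used to extract sensitive information such as contact lists, SMS messages and location data."`. The Hydra entry's new description cites Avira without a matching "Avira states" pattern elsewhere in the file, which is fine, but the `avira.com/.../hydra-banking-trojan-2-0` ref that supports it is added in the same hunk, so the attribution is at least traceable. The Hydra object's `uuid` and `value` lines lie after this hunk's last line.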
@@ -1437,10 +1662,11 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot",
 "https://drive.google.com/file/d/144cOnM6fxfuBeP0V2JQshp8C0Zlk_0kH/view",
- "https://isc.sans.edu/diary/27282",
+ "https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/Lokibot/Machete-Weapons-Lokibot/Machete%20weapons-Lokibot_EN.pdf",
 "https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
+ "https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html",
 "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728",
- "https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html"
+ "https://isc.sans.edu/diary/27282"
 ],
 "synonyms": [],
 "type": []
@@ -1491,6 +1717,21 @@
 "uuid": "f691663a-b360-4c0d-a4ee-e9203139c38e",
 "value": "Marcher"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.masterfred",
+ "https://twitter.com/AvastThreatLabs/status/1458162276708483073"
+ ],
+ "synonyms": [
+ "Brox"
+ ],
+ "type": []
+ },
+ "uuid": "87131ea3-4c5e-42ba-a8e2-edd62a0bcd8d",
+ "value": "MasterFred"
+ },
 {
 "description": "",
 "meta": {
@@ -1511,7 +1752,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.medusa",
 "https://twitter.com/ThreatFabric/status/1285144962695340032",
- "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html"
+ "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html",
+ "https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html"
 ],
 "synonyms": [
 "Gorgona"
@@ -1555,10 +1797,13 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao",
 "https://cryptax.medium.com/a-native-packer-for-android-moqhao-6362a8412fe1",
+ "https://team-cymru.com/blog/2021/08/11/moqhao-part-1-5-high-level-trends-of-recent-campaigns-targeting-japan/",
 "https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf",
 "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681",
+ "https://team-cymru.com/blog/2021/01/20/moqhao-part-1-identifying-phishing-infrastructure/",
 "https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/",
+ "https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/",
 "https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html",
 "https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html",
 "https://securelist.com/roaming-mantis-part-v/96250/",
@@ -1662,6 +1907,35 @@
 "uuid": "a73375a5-3384-4515-8538-b598d225586d",
 "value": "PhantomLance"
 },
+ {
+ "description": "According to Zimperium, PhoneSpy is a spyware aimed at South Korean residents with Android devices.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.phonespy",
+ "https://blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ff00bbb6-6856-4cf5-adde-d1cc536dd0e2",
+ "value": "PhoneSpy"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pixstealer",
+ "https://research.checkpoint.com/2021/pixstealer-a-new-wave-of-android-banking-trojans-abusing-accessibility-services/",
+ "https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/"
+ ],
+ "synonyms": [
+ "BrazKing"
+ ],
+ "type": []
+ },
+ "uuid": "5d047596-eb67-4fed-b41d-65fa975150c5",
+ "value": "PixStealer"
+ },
 {
 "description": "",
 "meta": {
@@ -1731,6 +2005,19 @@
 "uuid": "661471fe-2cb6-4b83-9deb-43225192a849",
 "value": "Premier RAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.rafelrat",
+ "https://github.com/swagkarna/Rafel-Rat"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cdaa0a6d-3709-4e6f-8807-fff388baaba0",
+ "value": "Rafel RAT"
+ },
 {
 "description": "",
 "meta": {
@@ -1870,6 +2157,22 @@
 "uuid": "a7c058cf-d482-42cf-9ea7-d5554287ea65",
 "value": "Sauron Locker"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.sharkbot",
+ "https://blog.fox-it.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/",
+ "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/",
+ "https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/",
+ "https://www.cleafy.com/cleafy-labs/sharkbot-a-new-generation-of-android-trojan-is-targeting-banks-in-europe"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7b20fdb1-5aee-4f17-a88e-bcd72c893f0a",
+ "value": "SharkBot"
+ },
 {
 "description": "",
 "meta": {
@@ -1994,7 +2297,7 @@
 "value": "SpyC23"
 },
 {
- "description": "",
+ "description": "SpyMax is a popular Android surveillance tool. Its predecessor, SpyNote, was one of the most widely used spyware frameworks.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spymax",
@@ -2018,6 +2321,7 @@
 "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
 "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/",
 "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/",
+ "https://ti.qianxin.com/blog/articles/Blade-hawk-The-activities-of-targeted-the-Middle-East-and-West-Asia-are-exposed/",
 "https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan"
 ],
 "synonyms": [],
@@ -2095,6 +2399,19 @@
 "uuid": "46151a0d-aa0a-466c-9fff-c2c3474f572e",
 "value": "TalentRAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tangle_bot",
+ "https://www.proofpoint.com/us/blog/threat-insight/mobile-malware-tanglebot-untangled"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1e37d712-df02-48aa-82fc-28fa80c92c2b",
+ "value": "TangleBot"
+ },
 {
 "description": "",
 "meta": {
@@ -2134,6 +2451,19 @@
 "uuid": "5863d2eb-920d-4263-8c4b-7a16d410ff89",
 "value": "ThiefBot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tianyspy",
+ "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8260dda5-f608-48f2-9341-28dbc5a8e895",
+ "value": "TianySpy"
+ },
 {
 "description": "",
 "meta": {
@@ -2202,7 +2532,21 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ultima_sms",
+ "https://blog.avast.com/premium-sms-scam-apps-on-play-store-avast"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "65476d5f-321f-4385-867a-383094cadb58",
+ "value": "UltimaSMS"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001",
+ "https://www.welivesecurity.com/2017/02/14/new-android-trojan-mimics-user-clicks-download-dangerous-malware/"
 ],
 "synonyms": [],
 "type": []
@@ -2260,6 +2604,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_006",
 "https://twitter.com/MsftSecIntel/status/1441524497924833282?s=20",
 "https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/",
+ "https://medium.com/@ThreatMiner/android-trojan-targeting-korean-demographic-using-github-for-c2-8219fc39f749",
 "https://twitter.com/ReBensk/status/1438027183490940931"
 ],
 "synonyms": [],
@@ -2268,6 +2613,47 @@
 "uuid": "2263198d-af38-4e38-a7a8-4435d29d88e8",
 "value": "Unidentified APK 006"
 },
+ {
+ "description": "According to Cyble, this is an Android application that pretends to be the legitimate application for the Army Mobile Aadhaar App Network (ARMAAN), intended to be used by Indian army personnel. The application was customized to include RAT functionality.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_007",
+ "https://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "75c641c4-17df-43c4-9773-c27464c5d2ff",
+ "value": "Unidentified 007 (ARMAAN RAT)"
+ },
+ {
+ "description": "Android malware distributed through fake shopping websites targeting Malaysian users, targeting banking information.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_008",
+ "https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2ffddca0-841c-4eb6-9983-ff38abb5d6d6",
+ "value": "Unidentified APK 008"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.vajraspy",
+ "https://mp.weixin.qq.com/s/B0ElRhbqLzs-wGQh79fTww",
+ "https://twitter.com/malwrhunterteam/status/1481312752782258176",
+ "https://twitter.com/LukasStefanko/status/1509451238366236674"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c328b30f-e076-47dc-8c93-4d20f62c72ab",
+ "value": "VajraSpy"
+ },
 {
 "description": "Related to the micropsia windows malware and also sometimes named micropsia.",
 "meta": {
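Review bot: The new entry's `"value": "Unidentified 007 (ARMAAN RAT)"` drops the `APK` token that its neighbours `"Unidentified APK 006"` and `"Unidentified APK 008"` carry, although its malpedia ref is `apk.unidentified_007`; since `value` is the name consumers search and tag on, the odd one out will be hard to find next to its siblings, and `"value": "Unidentified APK 007 (ARMAAN RAT)"` keeps the scheme. The 008 description also repeats "targeting" twice in one sentence; `"Android malware distributed through fake shopping websites, targeting Malaysian users' banking information."` reads cleaner without changing the claim.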
@@ -2298,6 +2684,22 @@
 "uuid": "3482f5fe-f129-4c77-ae98-76e25f6086b9",
 "value": "Viper RAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.vultur",
+ "https://twitter.com/_icebre4ker_/status/1485651238175846400",
+ "https://www.threatfabric.com/blogs/vultur-v-for-vnc.html"
+ ],
+ "synonyms": [
+ "Vulture"
+ ],
+ "type": []
+ },
+ "uuid": "49b1c344-ce13-48bf-9839-909ba57649c4",
+ "value": "Vultur"
+ },
 {
 "description": "",
 "meta": {
@@ -2333,7 +2735,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wroba",
- "https://www.avira.com/en/blog/the-android-banking-trojan-wroba-shifts-attack-from-south-korea-to-target-users-in-japan"
+ "https://www.avira.com/en/blog/the-android-banking-trojan-wroba-shifts-attack-from-south-korea-to-target-users-in-japan",
+ "https://securelist.com/roaming-mantis-reaches-europe/105596/"
 ],
 "synonyms": [],
 "type": []
@@ -2355,6 +2758,19 @@
 "uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387",
 "value": "Xbot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xenomorph",
+ "https://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d202e42d-2c35-4c1c-90f1-644a8cae38f1",
+ "value": "Xenomorph"
+ },
 {
 "description": "",
 "meta": {
@@ -2373,7 +2789,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xrat",
- "https://blog.lookout.com/xrat-mobile-threat"
+ "https://blog.lookout.com/xrat-mobile-threat",
+ "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -2457,6 +2874,7 @@
 "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
 "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
 "https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/",
+ "https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells/",
 "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf"
 ],
 "synonyms": [
@@ -2482,11 +2900,28 @@
 "uuid": "d4318f40-a39a-4ce0-8d3c-246d9923d222",
 "value": "Unidentified ASP 001 (Webshell)"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.abcbot",
+ "https://www.lacework.com/blog/abc-botnet-attacks-on-the-rise/",
+ "https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/",
+ "https://www.cadosecurity.com/the-continued-evolution-of-abcbot/",
+ "https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8d17175b-4e9f-43a9-851d-898bb6696984",
+ "value": "Abcbot"
+ },
 {
 "description": "A Linux backdoor that was apparently ported to Windows. This entry represents the Linux version. This version appears to have been written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.acbackdoor",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
 "https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/"
 ],
 "synonyms": [],
@@ -2495,6 +2930,27 @@
 "uuid": "cd2d7040-edc4-4985-b708-b206b08cc1fe",
 "value": "ACBackdoor (ELF)"
 },
+ {
+ "description": "A MIPS ELF binary with wiper functionality used against Viasat KA-SAT modems.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.acidrain",
+ "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html",
+ "https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
+ "https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html",
+ "https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-modems-were-wiped-with-acidrain-malware/",
+ "https://cybersecuritynews.com/acidrain-wiper-malware/",
+ "https://www.reversemode.com/2022/03/viasat-incident-from-speculation-to.html",
+ "https://www.techtimes.com/articles/273755/20220331/viasat-hit-russia-s-wiper-malware-called-acidrain-affecting-european.htm",
+ "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6108aa3d-ea6e-47fd-9344-d333b07f5a56",
+ "value": "AcidRain"
+ },
 {
 "description": "",
 "meta": {
@@ -2545,18 +3001,21 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.anchor_dns",
 "https://www.netscout.com/blog/asert/dropping-anchor",
 "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf",
- "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30",
+ "https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/",
+ "https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/",
 "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
 "https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns",
 "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30",
 "https://www.domaintools.com/resources/blog/finding-anchordns-c2s-with-iris-investigate"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "b88dc3ec-d94c-4e6e-a846-5d07130df550",
- "value": "Anchor_DNS"
+ "value": "AnchorDNS"
 },
 {
 "description": "",
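Review bot: Renaming `"value": "Anchor_DNS"` to `"value": "AnchorDNS"` while keeping the uuid changes the name this cluster is tagged and searched by, so anything that already carries the old spelling will no longer resolve to it by name. Keeping the old spelling as an alias, `"synonyms": [ "Anchor_DNS" ],` in place of the empty list, preserves those lookups at no cost; the uuid still guarantees identity for consumers that key on it. The rest of the hunk is a reorder of the refs plus additions and needs nothing.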
@@ -2574,6 +3033,24 @@
 "uuid": "6cb47609-b03e-43d9-a4c7-8342f1011f3b",
 "value": "ANGRYREBEL"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.avoslocker",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux",
+ "https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/",
+ "https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen",
+ "https://www.ic3.gov/Media/News/2022/220318.pdf",
+ "https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html",
+ "https://blog.lexfo.fr/Avoslocker.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "465b6a74-87ca-4459-b4be-3f8b272f4485",
+ "value": "Avoslocker"
+ },
 {
 "description": "Azazel is a Linux user-mode rootkit based off of a technique from the Jynx rootkit (LD_PRELOAD technique). Azazel is purportedly more robust than Jynx and has many more anti-analysis features ",
 "meta": {
@@ -2587,6 +3064,19 @@
 "uuid": "37374572-3346-4c00-abc9-9f6883c8866e",
 "value": "azazel"
 },
+ {
+ "description": "B1txor20 is a malware that was discovered by 360 Netlab along others exploiting Log4J. the name is derived from using the file name \"b1t\", the XOR encrpytion algorithm, and the RC4 algorithm key length of 20 bytes. According to 360 Netlab this Backdoor for Linux platform uses DNS Tunnel to build a C2 communication channel. They also had the assumption that the malware is still in development, because of some bugs and not fully implemented features.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.b1txor20",
+ "https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_cn/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "05e6d9ff-93a1-429b-b856-794d9ded75df",
+ "value": "B1txor20"
+ },
 {
 "description": "ESX and NAS modules for Babuk ransomware.",
 "meta": {
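Review bot: The new B1txor20 description carries a typo and a sentence-case slip that will be copied verbatim into every consumer of this galaxy: `encrpytion` should be `encryption`, and `Log4J. the name is derived` needs a capital `The` after the full stop; `along others exploiting Log4J` also reads better as `alongside other malware exploiting Log4J`. The only analysis ref is the `_cn` edition of the Netlab post; if an English edition of that post exists it would be the more useful primary reference for an English-language description, though I have not verified that here.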
@@ -2594,8 +3084,11 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk",
 "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751",
 "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
 "https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/",
 "https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings",
+ "https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
 "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
 "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
 "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d"
@@ -2624,15 +3117,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite",
+ "https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/",
 "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/",
 "https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/",
 "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/",
 "https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218",
+ "https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/",
+ "https://cybersecurity.att.com/blogs/labs-research/code-similarity-analysis-with-r2diaphora",
 "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/",
- "https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt",
 "https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/",
- "https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/",
+ "https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/",
+ "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/",
+ "https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/",
+ "https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf"
 ],
 "synonyms": [
@@ -2701,21 +3199,69 @@
 "uuid": "8e301f58-acef-48e7-ad8b-c27d3ed38eed",
 "value": "BioSet"
 },
+ {
+ "description": "ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.\r\n\r\nALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remote execute itself on other hosts on the local network.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat",
+ "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive",
+ "https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/",
+ "https://twitter.com/sisoma2/status/1473243875158499330",
+ "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html",
+ "https://killingthebear.jorgetesta.tech/actors/alphv",
+ "https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/",
+ "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/",
+ "https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/",
+ "https://securelist.com/a-bad-luck-blackcat/106254/",
+ "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html",
+ "https://securelist.com/new-ransomware-trends-in-2022/106457/",
+ "https://www.forescout.com/resources/analysis-of-an-alphv-incident",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html",
+ "https://blog.emsisoft.com/en/40931/ransomware-profile-alphv/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself"
+ ],
+ "synonyms": [
+ "ALPHV",
+ "Noberus"
+ ],
+ "type": []
+ },
+ "uuid": "860e9d03-830e-4410-ac89-75b6eb89e7e5",
+ "value": "BlackCat (ELF)"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackmatter",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/",
+ "https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/",
+ "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group",
+ "https://www.mandiant.com/resources/chasing-avaddon-ransomware",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-291a",
+ "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/",
+ "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/",
+ "https://blog.group-ib.com/blackmatter#",
+ "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html",
+ "https://blog.group-ib.com/blackmatter2",
+ "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
+ "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
+ "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor",
+ "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
 "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
 "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751",
- "https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/",
- "https://blog.group-ib.com/blackmatter#",
- "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
+ "https://www.youtube.com/watch?v=NIiEcOryLpI",
+ "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
 "https://twitter.com/VK_Intel/status/1423188690126266370",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
- "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/",
- "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
- "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d"
+ "https://twitter.com/GelosSnake/status/1451465959894667275"
 ],
 "synonyms": [],
 "type": []
@@ -2753,6 +3299,61 @@
 "uuid": "57c9ab70-7133-441a-af66-10c0e4eb898b",
 "value": "Break out the Box"
 },
+ {
+ "description": "According to Alien Labs, this malware targets embedded devices including routers with more than 30 exploits.\r\nSourceCode: https://github.com/Egida/kek/blob/19991ef983f838287aa9362b78b4ed8da0929184/loader_multi.go (2021-10-16)",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.botenago",
+ "https://www.nozominetworks.com/blog/new-botenago-variant-discovered-by-nozomi-networks-labs/",
+ "https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github",
+ "https://lifars.com/2022/01/newly-found-malware-threatens-iot-devices/",
+ "https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "dffcc168-cb76-4ae6-b913-c369e92c614b",
+ "value": "BotenaGo"
+ },
+ {
+ "description": "BPFDoor is a passive backdoor used by a China-based threat actor. 
This backdoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP allowing the threat actor a variety of mechanisms to interact with the implant.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor",
+ "https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/",
+ "https://troopers.de/troopers22/talks/7cv8pz/",
+ "https://twitter.com/CraigHRowland/status/1523266585133457408",
+ "https://twitter.com/cyb3rops/status/1523227511551033349",
+ "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896",
+ "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
+ "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
+ "https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/#"
+ ],
+ "synonyms": [
+ "JustForFun"
+ ],
+ "type": []
+ },
+ "uuid": "3c7082b6-0181-4064-8e35-ab522b49200f",
+ "value": "BPFDoor"
+ },
+ {
+ "description": "Pangu Lab discovered this backdoor during a forensic investigation in 2013. They refer to related incidents as \"Operation Telescreen\".",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bvp47",
+ "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
+ "https://www.bleepingcomputer.com/news/security/nsa-linked-bvp47-linux-backdoor-widely-undetected-for-10-years/",
+ "https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf",
+ "https://thehackernews.com/2022/02/chinese-experts-uncover-details-of.html",
+ "https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0492f9bf-3c5d-4c17-993b-2b53d0fb06f7",
+ "value": "Bvp47"
+ },
 {
 "description": "XMRig-based mining malware written in Go.",
 "meta": {
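Review bot: The BPFDoor description string is broken across two physical lines between `threat actor. ` and `This backdoor supports`; if that is a literal line break in the file rather than an artefact of how this diff was rendered, the file is no longer valid JSON (RFC 8259 forbids unescaped control characters inside strings) and every consumer that loads the galaxy will fail to parse it. The other multi-line descriptions added in this change, BotenaGo directly above and Chisel further down, escape their breaks as `\r\n`, so this one should do the same or simply drop the break. A quick `python -m json.tool clusters/malpedia.json` before merging would catch this class of error; the hunk's +61 count also suggests the description is being counted as one line, consistent with a rendering artefact, but that is worth confirming.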
@@ -2838,6 +3439,19 @@
 "uuid": "700366d8-4036-4e48-9a5f-bd6e09fb9b6b",
 "value": "Chapro"
 },
+ {
+ "description": "Chisel is an open-source project by Jaime Pillora (jpillora) that allows tunneling TCP and UDP connections via HTTP. It is available across platforms and written in Go. While benign in itself, Chisel has been utilized by multiple threat actors. It was for example observed by SentinelOne during a PYSA ransomware campaign to achieve persistence and used as backdoor.\r\nGithub: https://github.com/jpillora/chisel",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.chisel",
+ "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e5600185-39b7-49a0-bd60-a6806c7d47dd",
+ "value": "Chisel (ELF)"
+ },
 {
 "description": "",
 "meta": {
@@ -2846,6 +3460,7 @@
 "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
 "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
 "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf",
 "https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf"
 ],
 "synonyms": [
@@ -2856,6 +3471,29 @@
 "uuid": "0b1c514d-f617-4380-a28c-a1ed305a7538",
 "value": "Cloud Snooper"
 },
+ {
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.conti",
+ "https://securelist.com/new-ransomware-trends-in-2022/106457/",
+ "https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures",
+ "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
+ "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://www.youtube.com/watch?v=cYx7sQRbjGA",
+ "https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru"
+ ],
+ "synonyms": [
+ "Conti Locker"
+ ],
+ "type": []
+ },
+ "uuid": "c1ab8323-ce61-409a-80f3-b945c8ffcd42",
+ "value": "Conti (ELF)"
+ },
 {
 "description": "",
 "meta": {
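Review bot: `"description": "Ransomware"` on the new `"value": "Conti (ELF)"` entry adds nothing the name does not already say, and the sibling ELF entries in this change (AcidRain, Babuk's "ESX and NAS modules for Babuk ransomware.") describe the Linux build specifically. The refs already support a one-liner in that style, e.g. `"description": "Linux build of the Conti ransomware locker; the Trellix reference documents the variant used against ESXi hypervisors."`, with the ESXi claim taken from the Trellix URL title rather than verified here, so adjust if the article says otherwise.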
@@ -2900,6 +3538,45 @@
 "uuid": "196b20ec-c3d1-4136-ab94-a2a6cc150e74",
 "value": "Cr1ptT0r"
 },
+ {
+ "description": "A malware written in Bash that hides in the Linux calendar system on February 31st. Observed in relation to Magecart attacks.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cronrat",
+ "https://sansec.io/research/cronrat"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c49062cc-ceef-4794-9d8a-93ede434ecfd",
+ "value": "CronRAT"
+ },
+ {
+ "description": "According to CISA, Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, and which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices. Cyclops Blink has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread. The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cyclops_blink",
+ "https://github.com/trendmicro/research/blob/main/cyclops_blink/c2-scripts/check.py",
+ "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html",
+ "https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-of-watchguard-bug-exploited-by-russian-state-hackers/",
+ "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html",
+ "https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation",
+ "https://www.bleepingcomputer.com/news/security/us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks/",
+ "https://www.theregister.com/2022/03/18/cyclops_asus_routers/",
+ "https://www.justice.gov/opa/press-release/file/1491281/download",
+ "https://www.bleepingcomputer.com/news/security/asus-warns-of-cyclops-blink-malware-attacks-targeting-routers/",
+ "https://www.justice.gov/opa/video/attorney-general-merrick-b-garland-announces-enforcement-actions-disrupt-and-prosecute",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-054a",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyclops-blink-sets-sights-on-asus-routers/Appendix_Cyclops%20Blink%20Sets%20Sights%20on%20ASUS%20Routers.pdf",
+ "https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blink/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "76d4b754-e025-41c5-a767-7b00a39bd255",
+ "value": "CyclopsBlink"
+ },
 {
 "description": "",
 "meta": {
@@ -2929,7 +3606,8 @@
 "https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities",
 "https://www.radware.com/getmedia/d312a5fa-2d8d-4c1e-b31e-73046f24bf35/Alert-Dark-OMIGOD.aspx",
 "https://twitter.com/ESETresearch/status/1440052837820428298?s=20",
- "https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx"
+ "https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx",
+ "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/"
 ],
 "synonyms": [
 "Dark.IoT"
@@ -2944,6 +3622,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.darknexus",
+ "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
 "https://www.stratosphereips.org/blog/2020/6/8/dark-nexus-the-old-the-new-and-the-ugly"
 ],
 "synonyms": [],
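Review bot: The CyclopsBlink entry sets `"value": "CyclopsBlink"` while its own description, the CISA alert it quotes and the Malpedia slug `elf.cyclops_blink` all use the two-word form, and `synonyms` is left empty, so a lookup by the common spelling "Cyclops Blink" will not match this cluster; suggest `"synonyms": ["Cyclops Blink"]`. The CronRAT description says the malware "hides in the Linux calendar system on February 31st" but does not spell out the detection angle — a crontab entry with an impossible date never executes yet persists on disk — which, if the Sansec write-up confirms it, is the one sentence a hunter needs (look for cron jobs with invalid day-of-month values). The two trailing hunks (Dark.IoT, darknexus) only add references and need no change.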
@@ -2961,25 +3640,34 @@
 "https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin",
 "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/",
 "https://otx.alienvault.com/pulse/60d0afbc395c24edefb33bb9",
+ "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group",
 "https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/",
 "https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access",
 "https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/",
+ "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/",
 "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
 "https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/",
 "https://blog.group-ib.com/blackmatter#",
 "https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/",
 "https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/",
 "https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime",
+ "https://blog.group-ib.com/blackmatter2",
 "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkside-ransomware-victims-sold-short/",
"https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/",
+ "https://www.youtube.com/watch?v=NIiEcOryLpI",
 "https://www.youtube.com/watch?v=qxPXxWMI2i4",
 "https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636",
 "https://twitter.com/JAMESWT_MHT/status/1388301138437578757",
 "https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims",
 "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
 "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
 "https://therecord.media/popular-hacking-forum-bans-ransomware-ads/",
+ "https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside",
 "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
 "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
 "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
@@ -2991,10 +3679,12 @@
 "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b",
 "https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/",
 "https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version",
- "https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.ic3.gov/Media/News/2021/211101.pdf",
 "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/",
 "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
 "https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html",
+ "https://twitter.com/GelosSnake/status/1451465959894667275",
 "https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/",
 "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
 "https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted"
@@ -3032,15 +3722,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "25a745c8-0d2a-40e1-9bb2-3704d1bd49e3",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "5c42585b-ea92-4fe2-8a79-bb47a3df67ad",
 "value": "DDG"
 },
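Review bot: The second hunk deletes DDG's only `related` entry (the `similar` link to dest-uuid 25a745c8-…, tagged likely) and nothing else in the diff re-adds it, so the relationship disappears from the galaxy rather than moving. If the generator drops relations whose target cluster no longer exists, a line in the commit message saying so would spare the next reviewer the check; otherwise the `related` block should be restored, since curated cross-cluster links are the part of this file that cannot be regenerated from Malpedia. In the first hunk the DarkSide refs still hold the CrowdStrike carbon-spider URL twice, once bare earlier in the list and once here with `?utm_campaign=…` tracking parameters; the tracked duplicate can be dropped.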
@@ -3057,6 +3738,36 @@
 "uuid": "07f48866-647c-46b0-a0d4-29c81ad488a8",
 "value": "ddoor"
 },
+ {
+ "description": "DEADBOLT is a linux ransomware written in GO, targeting QNAP NAS devices worldwide. The files are encrypted with AES128 encryption and will have the .deadbolt extension appended to file names.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.deadbolt",
+ "https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/",
+ "https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html",
+ "https://community.riskiq.com/article/1601124b",
+ "https://securelist.com/new-ransomware-trends-in-2022/106457/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b37c9ba2-f1b0-4a2f-9387-7310939d2189",
+ "value": "DEADBOLT"
+ },
+ {
+ "description": "Cado discovered this malware, written in Go and targeting AWS Lambda environments.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.denonia",
+ "https://thehackernews.com/2022/04/first-malware-targeting-aws-lambda.html",
+ "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d5d9bb86-715d-4d86-a4d2-ab73085d1b0c",
+ "value": "Denonia"
+ },
 {
 "description": "",
 "meta": {
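Review bot: The DEADBOLT description states the files are `encrypted with AES128 encryption` but gives no mode or key-management detail, which is what a responder needs to judge the "master key" offer mentioned in the BleepingComputer ref; if the Trend Micro analysis states the mode and per-victim key scheme, record it, otherwise hedge it as `AES-128 (mode not confirmed)`. Style: `linux` and `GO` should read `Linux` and `Go` to match the neighbouring entries. The Denonia description only says who found it; the cited Cado write-up is the place to pull one sentence on what the payload does (it is reported to run a cryptominer — confirm against the reference before asserting it).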
@@ -3070,6 +3781,23 @@
 "uuid": "494dcdfb-88cb-456d-a95a-252ff10c0ba9",
 "value": "Derusbi (ELF)"
 },
+ {
+ "description": "Dofloo (aka AESDDoS) is a popular malware used to create large scale botnets that can launch DDoS attacks and load cryptocurrency miners to the infected machines. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.dofloo",
+ "https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/",
+ "https://blog.syscall.party/post/aes-ddos-analysis-part-1/",
+ "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf"
+ ],
+ "synonyms": [
+ "AESDDoS"
+ ],
+ "type": []
+ },
+ "uuid": "ffb5789f-d7e6-4723-a447-e5bb2fe713a0",
+ "value": "Dofloo"
+ },
 {
 "description": "",
 "meta": {
@@ -3135,11 +3863,27 @@
 "uuid": "040ac9c6-e3ab-4b51-88a9-5380101c74f8",
 "value": "Echobot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.enemybot",
+ "https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet",
+ "https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory",
+ "https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "262d18be-7cab-46c2-bcb0-47fff17604aa",
+ "value": "EnemyBot"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.erebus",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/"
 ],
 "synonyms": [],
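Review bot: EnemyBot is added with an empty `description` although its own refs already characterise it: the Fortinet title calls it Keksec's latest DDoS botnet and the AT&T Alien Labs title says it moved on to content-management-system servers. Suggest `DDoS botnet attributed to Keksec; early variants targeted IoT devices, later ones also exploit web/CMS servers (per Fortinet and AT&T Alien Labs).`, checked against those two sources. In the first hunk the Dofloo description ends with a trailing space inside the string (`...infected machines. `), which should be trimmed so exact-match tooling downstream does not see it.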
@@ -3153,6 +3897,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.evilgnome",
+ "https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf",
 "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
 "https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/"
 ],
@@ -3162,6 +3907,19 @@
 "uuid": "149e693c-4b51-4143-9061-6a8698b0e7f5",
 "value": "EvilGnome"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ewdoor",
+ "https://blog.netlab.360.com/warning-ewdoor-botnet-is-attacking-att-customers/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e75eb723-7c23-4a3b-9419-cefb88e5f6b7",
+ "value": "EwDoor"
+ },
 {
 "description": "",
 "meta": {
@@ -3271,7 +4029,9 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fritzfrog",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.securityweek.com/sophisticated-fritzfrog-p2p-botnet-returns-after-long-break",
+ "https://www.akamai.com/blog/security/fritzfrog-p2p"
 ],
 "synonyms": [],
 "type": []
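Review bot: EwDoor lands with an empty `description`; its only non-Malpedia ref is the 360 Netlab post on EwDoor attacking AT&T customers, so at minimum the entry should say it is a botnet reported by 360 Netlab targeting AT&T customers' edge devices, plus what it is reported to do (the source describes DDoS and backdoor functionality — confirm before asserting). Without that the cluster is a name and a link, which is of little use for triage. The EvilGnome and FritzFrog hunks only add references and need no change.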
@@ -3292,6 +4052,20 @@
 "uuid": "ffd09324-b585-49c0-97e5-536d386f49a5",
 "value": "Gitpaste-12"
 },
+ {
+ "description": "ARM32 SOCKS proxy, written in Go, used in the Glupteba campaign.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.glupteba_proxy",
+ "https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/",
+ "https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "bcfec1d3-ff29-4677-a5f6-be285e98a9db",
+ "value": "Glupteba Proxy"
+ },
 {
 "description": "",
 "meta": {
@@ -3425,9 +4199,13 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hellokitty",
 "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
 "https://soolidsnake.github.io/2021/07/17/hellokitty_linux.html",
 "https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/",
- "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/"
+ "https://www.govinfosecurity.com/vice-society-ransomware-gang-disrupted-spar-stores-a-18225",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself"
 ],
 "synonyms": [],
 "type": []
@@ -3472,6 +4250,34 @@
 "uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b",
 "value": "Hide and Seek"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hive",
+ "https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/",
+ "https://arxiv.org/pdf/2202.08477.pdf",
+ "https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://twitter.com/malwrhunterteam/status/1455628865229950979",
+ "https://github.com/rivitna/Malware/tree/main/Hive",
+ "https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/",
+ "https://blog.group-ib.com/hive",
+ "https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/",
+ "https://twitter.com/ESETresearch/status/1454100591261667329",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
+ "https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c22452c8-c818-4577-9737-0b87342c7913",
+ "value": "Hive (ELF)"
+ },
 {
 "description": "",
 "meta": {
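Review bot: Hive (ELF) has an empty `description` while the refs in this hunk establish two facts a responder wants up front: the Linux/ESXi encryptor was rewritten in Rust (the BleepingComputer "ports-its-linux-vmware-esxi-encryptor-to-rust" item) and an academic key-recovery method was published (arXiv 2202.08477, The Record, LIFARS). Suggest `Linux/VMware ESXi encryptor of the Hive ransomware-as-a-service, later rewritten in Rust; a 2022 academic paper describes recovering the master key for earlier versions.`, verified against those sources. The recovery point is actionable and easy to miss in a 17-item reference list.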
@@ -3574,6 +4380,7 @@
 "https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf",
 "https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html",
 "https://www.lacework.com/the-kek-security-network/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apache-log4j-zero-day",
 "https://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/"
 ],
 "synonyms": [
@@ -3601,6 +4408,24 @@
 "uuid": "e3787d95-2595-449e-8cf9-90845a9b7444",
 "value": "kerberods"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.keyplug",
+ "https://twitter.com/CyberJack42/status/1501290277864046595",
+ "https://www.mandiant.com/resources/apt41-us-state-governments",
+ "https://www.mandiant.com/resources/mobileiron-log4shell-exploitation",
+ "https://experience.mandiant.com/trending-evil/p/1"
+ ],
+ "synonyms": [
+ "ELFSHELF"
+ ],
+ "type": []
+ },
+ "uuid": "2c4bfc14-3ea4-4ced-806a-fcac30b2a9d7",
+ "value": "KEYPLUG"
+ },
 {
 "description": "",
 "meta": {
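Review bot: KEYPLUG is added with an empty `description` and only the `ELFSHELF` synonym; the two Mandiant refs in the hunk (APT41 intrusions into US state governments, MobileIron Log4Shell exploitation) give the attribution and delivery context, so `Backdoor attributed to APT41, observed in intrusions into US state government networks and delivered via Log4Shell against MobileIron (per Mandiant); this entry is the Linux build.` is supportable if the Mandiant posts confirm the platform detail. Every other Linux build in this diff carries the `(ELF)` suffix on `value` (`Conti (ELF)`, `Hive (ELF)`, `LockBit (ELF)`); if a Windows KEYPLUG cluster exists or is expected, `KEYPLUG (ELF)` keeps the convention and avoids a later rename of the kind this diff already does for Prometei.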
@@ -3619,14 +4444,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kinsing",
+ "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/",
 "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts",
 "https://unit42.paloaltonetworks.com/cve-2020-25213/",
 "https://redcanary.com/blog/kinsing-malware-citrix-saltstack/",
 "https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces",
 "https://twitter.com/IntezerLabs/status/1259818964848386048",
 "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
 "https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743",
+ "https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039",
 "https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html",
+ "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/",
 "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability",
 "https://www.trendmicro.com/en_us/research/21/g/threat-actors-exploit-misconfigured-apache-hadoop-yarn.html"
 ],
@@ -3738,6 +4569,26 @@
 "uuid": "3fe8f3db-4861-4e78-8b60-a794fe22ae3f",
 "value": "LiquorBot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lockbit",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/",
+ "https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf",
+ "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
+ "https://blog.compass-security.com/2022/03/vpn-appliance-forensics/",
+ "https://www.ic3.gov/Media/News/2022/220204.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "afce6aba-d4c4-49fa-b9a9-1a70e92e5a0e",
+ "value": "LockBit (ELF)"
+ },
 {
 "description": "Loader and Cleaner components used in attacks against high-performance computing centers in Europe.",
 "meta": {
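Review bot: LockBit (ELF) has an empty `description`; the Trend Micro ref in this hunk is titled for LockBit's first Linux and VMware ESXi variant, so `Linux/VMware ESXi variant of the LockBit ransomware, first analysed publicly by Trend Micro in early 2022.` is supportable from the listed source. Several of the other refs (the Dragos Q4-2021 ICS/OT analysis, the IC3 220204 advisory, the Conti-leaks piece) concern the wider LockBit operation rather than this ELF build; saying so in the description tells the reader which links are about the sample in hand.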
@@ -3861,39 +4712,61 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai",
 "https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html",
 "http://osint.bambenekconsulting.com/feeds/",
- "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/",
- "https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/",
+ "https://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html",
+ "https://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine",
+ "https://www.lacework.com/blog/malware-targeting-latest-f5-vulnerability/",
+ "https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/",
+ "https://exchange.xforce.ibmcloud.com/collection/InfectedNight-Mirai-Variant-With-Massive-Attacks-On-Our-Honeypots-dbea3e9e39b8265e729545fa798e4d18",
+ "https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign",
+ "https://forensicitguy.github.io/extracting-indicators-from-packed-mirai/",
 "https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/",
 "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/",
- "https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx",
+ "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/",
+ "https://www.cadosecurity.com/technical-analysis-of-the-ddos-attacks-against-ukrainian-websites/",
+ "https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/",
 "https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html",
 "https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/",
"https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/",
- "https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/",
+ "https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts",
+ "https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai",
+ "https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html",
+ "https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx",
+ "https://cert.gov.ua/article/37139",
 "https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/",
+ "https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/",
 "https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/",
 "https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093",
+ "https://blog.netlab.360.com/rimasuta-spread-with-ruijie-0day-en/",
+ "https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039",
+ "https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/",
 "https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/",
- "https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt",
+ "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/",
 "https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space",
+ "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
"https://isc.sans.edu/diary/22786",
 "https://github.com/jgamblin/Mirai-Source-Code",
 "https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/",
+ "https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/",
 "https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants",
 "https://www.youtube.com/watch?v=KVJyYTie-Dc",
+ "https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt",
 "https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/",
 "https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/",
 "https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet",
- "https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/",
- "https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai",
+ "https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html",
+ "https://community.riskiq.com/article/d8a78daf",
+ "https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/",
+ "https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/",
 "https://synthesis.to/2021/06/30/automating_string_decryption.html",
 "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/",
 "https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/",
- "https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/"
+ "https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/",
+ "https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/"
 ],
 "synonyms": [
 "Katana"
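Review bot: Most of this Mirai hunk is reorder churn rather than new information — `hoaxcalls`, `mirai_ptea`, `Alert_Realtek_SDK`, `mirai-goes-stealth-tls`, `mirai-code-re-use-in-gafgyt`, the 2016 Krebs source-code post and `the-ghosts-of-mirai` are each removed and re-added at another position — which buries the genuinely new refs (Spring4Shell, Log4Shell, the 2022 Ukraine DDoS campaigns, the Ruijie 0-day). If the generator emits refs in whatever order Malpedia returns them, sorting the list or keeping existing order and appending new items would make these diffs reviewable and stop the same URL flipping between `-` and `+` across commits. The enclosing cluster object begins before this hunk.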
@@ -3934,6 +4807,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot",
+ "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/",
+ "https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability",
 "https://blog.netlab.360.com/ddos-botnet-moobot-en/",
 "https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/",
 "https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b"
@@ -3965,11 +4840,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi",
+ "https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/",
 "https://www.elastic.co/blog/collecting-and-operationalizing-threat-data-from-the-mozi-botnet",
+ "https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf",
 "https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/",
 "https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/",
 "https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/",
 "https://www.nozominetworks.com/blog/overcoming-the-challenges-of-detecting-p2p-botnets-on-your-network/",
+ "https://www.youtube.com/watch?v=cDFO_MRlg3M",
 "https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/",
 "https://blog.netlab.360.com/mozi-another-botnet-using-dht/"
 ],
@@ -3984,6 +4863,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack",
+ "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf",
 "https://news.drweb.com/?i=5760&c=23&lng=en"
 ],
 "synonyms": [],
@@ -3992,6 +4872,19 @@
 "uuid": "fc047e32-9cf2-4a92-861a-be882efd8a50",
 "value": "MrBlack"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mumblehard",
+ "https://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5f78127b-25d3-4f86-8a64-f9549b2db752",
+ "value": "Mumblehard"
+ },
 {
 "description": "Ransomware used against Linux servers.",
 "meta": {
@@ -4107,9 +5000,11 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla",
 "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf",
+ "https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf",
+ "https://lab52.io/blog/looking-for-penquins-in-the-wild/",
 "https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
 "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
+ "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf",
 "https://securelist.com/apt-trends-report-q2-2020/97937/",
 "https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf",
 "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf",
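Review bot: The Penquin Turla refs now carry the same Leonardo PDF twice: the newly added `https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+…Penquin_x64….pdf` and the existing `https://www.leonardocompany.com/documents/20142/10868623/…` a few lines below — identical path, old versus new corporate domain. Keep one (preferably whichever still resolves) unless the generator intentionally records both for archive lookups. The hunk also removes and re-adds the BlackBerry "decade of the RATs" ref unchanged, the same ordering churn seen in the Mirai and DarkSide hunks; the Mumblehard hunk above, by contrast, only lacks a description (the cited ESET paper would support one line).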
@@ -4128,12 +5023,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.perlbot",
- "https://jask.com/wp-content/uploads/2019/02/Shellbot-Campaign_v2.pdf",
+ "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
+ "https://twitter.com/Nocturnus/status/1308430959512092673",
 "https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf",
 "https://therecord.media/agents-raid-home-of-kansas-man-seeking-info-on-botnet-that-infected-dod-network/",
- "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
+ "https://sysdig.com/blog/malware-analysis-shellbot-sysdig/",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://twitter.com/Nocturnus/status/1308430959512092673",
+ "https://jask.com/wp-content/uploads/2019/02/Shellbot-Campaign_v2.pdf",
+ "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/",
+ "https://brianstadnicki.github.io/posts/malware-gitlab-perlbot/",
 "https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/",
 "https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/"
 ],
@@ -4159,6 +5057,19 @@
 "uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7",
 "value": "Persirai"
 },
+ {
+ "description": "A botnet with P2P and centralized C&C capabilities.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pink",
+ "https://blog.netlab.360.com/pink-en/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "67063764-a47c-4058-9cb2-1685ffa14fe8",
+ "value": "Pink"
+ },
 {
 "description": "",
 "meta": {
@@ -4166,8 +5077,10 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.plead",
 "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020",
 "https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
 "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://cyberandramen.net/2021/02/11/blacktech-updates-elf-plead-backdoor/",
 "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape"
 ],
 "synonyms": [],
@@ -4221,7 +5134,7 @@
 "type": []
 },
 "uuid": "b6899bda-54e9-4953-8af5-22af39776b69",
- "value": "Prometei"
+ "value": "Prometei (ELF)"
 },
 {
 "description": "Unit 42 describes this as a malware used by Rocke Group that deploys an XMRig miner.",
@@ -4259,13 +5172,15 @@
 "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
 "https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/",
 "https://www.anomali.com/blog/the-ech0raix-ransomware",
+ "https://www.ibm.com/downloads/cas/Z81AVOY7",
 "https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
 "https://www.qnap.com/en/security-advisory/QSA-20-02",
 "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt",
 "https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/",
 "https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/",
 "https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/",
- "https://www.ibm.com/downloads/cas/Z81AVOY7"
+ "https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf"
 ],
 "synonyms": [
 "eCh0raix"
@@ -4280,10 +5195,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.qsnatch",
- "https://bin.re/blog/the-dga-of-qsnatch/",
 "https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-209a",
- "https://www.ncsc.gov.uk/files/NCSC%20CISA%20Alert%20-QNAP%20NAS%20Devices.pdf"
+ "https://bin.re/blog/the-dga-of-qsnatch/",
+ "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
+ "https://www.ncsc.gov.uk/files/NCSC%20CISA%20Alert%20-QNAP%20NAS%20Devices.pdf",
+ "https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -4291,6 +5208,19 @@
 "uuid": "48389957-30e2-4747-b4c6-8b8a9f15250f",
 "value": "QSnatch"
 },
+ {
+ "description": "Mandiant observed this backdoor being observed by UNC3524. It is based on the open-source Dropbear SSH source code. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.quietexit",
+ "https://www.mandiant.com/resources/unc3524-eye-spy-email"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6a5ab9ca-944c-4187-bdef-308516745d18",
+ "value": "QUIETEXIT"
+ },
 {
 "description": "",
 "meta": {
@@ -4304,6 +5234,20 @@
 "uuid": "759f8590-a049-4c14-be8a-e6605e2cd43d",
 "value": "r2r2"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ragnarlocker",
+ "https://twitter.com/malwrhunterteam/status/1475568201673105409",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5f96787e-fc9f-486b-a15f-f46c8179a4d5",
+ "value": "RagnarLocker (ELF)"
+ },
 {
 "description": "",
 "meta": {
@@ -4330,7 +5274,9 @@
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
 "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.ic3.gov/Media/News/2021/211101.pdf",
 "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
 "https://www.youtube.com/watch?v=qxPXxWMI2i4",
 "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
 "https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/",
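Review bot: The new QUIETEXIT description reads `"Mandiant observed this backdoor being observed by UNC3524. ..."`, which repeats "observed" and leaves the relationship to UNC3524 unstated; assuming "used" is what was meant, `"Mandiant observed this backdoor being used by UNC3524. It is based on the open-source Dropbear SSH source code."` also drops the trailing space inside the string. The RagnarLocker (ELF) entry added in the next hunk ships with an empty description even though it cites a Trellix analysis that could supply a one-sentence summary, so readers of the cluster get the name and nothing else. Both are documentation-only points.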
@@ -4404,10 +5350,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rekoobe",
+ "https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/",
+ "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/",
+ "https://twitter.com/billyleonard/status/1458531997576572929",
 "https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/",
 "https://intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/",
- "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
- "https://vms.drweb.com/virus/?i=7754026&lng=en"
+ "https://vms.drweb.com/virus/?i=7754026&lng=en",
+ "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/"
 ],
 "synonyms": [],
 "type": []
@@ -4433,23 +5382,56 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.revil",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf",
 "https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5",
+ "https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf",
 "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa",
- "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
- "https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment",
- "https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20",
- "https://github.com/f0wl/REconfig-linux",
- "https://www.youtube.com/watch?v=ptbNMlWxYnE",
+ "https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ",
+ "https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya",
+ "https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/",
 "https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released",
- "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
+ "https://ke-la.com/will-the-revils-story-finally-be-over/",
 "https://twitter.com/VK_Intel/status/1409601311092490248",
 "https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/",
+ "https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment",
+ "https://www.flashpoint-intel.com/blog/revil-disappears-again/",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf",
+ "https://analyst1.com/file-assets/History-of-REvil.pdf",
+ "https://home.treasury.gov/news/press-releases/jy0471",
 "https://twitter.com/VK_Intel/status/1409601311092490248?s=20",
- "https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/",
- "https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/",
+ "https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/",
 "https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version",
- "https://threatpost.com/ransomware-revil-sites-disappears/167745/"
+ "https://threatpost.com/ransomware-revil-sites-disappears/167745/",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
+ "http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html",
+ "https://twitter.com/IntezerLabs/status/1452980772953071619",
+ "https://www.bbc.com/news/technology-59297187",
+ "https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo",
+ "https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20",
+ "https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021",
+ "https://github.com/f0wl/REconfig-linux",
+ "https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/",
+ "https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/",
+ "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://malienist.medium.com/revix-linux-ransomware-d736956150d0",
+ "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
+ "https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/",
+ "https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend",
+ "https://angle.ankura.com/post/102hcny/revix-linux-ransomware",
+ "https://www.youtube.com/watch?v=ptbNMlWxYnE",
+ "https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil",
+ "https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/",
+ "https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin",
+ "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html",
+ "https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/",
+ "https://www.youtube.com/watch?v=mDUMpYAOMOo",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom"
 ],
 "synonyms": [
 "REvix"
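Review bot: The rebuilt REvil refs list still carries the same VK_Intel tweet twice, `https://twitter.com/VK_Intel/status/1409601311092490248` and its `?s=20` variant, and the re-added AdamTheAnalyst link keeps the same `?s=20` share-tracking suffix, so a plain string de-duplication of refs will not catch either. Dropping the tracking query (`https://twitter.com/AdamTheAnalyst/status/1409499591452639242`) and one of the two VK_Intel lines would keep the list canonical. Whether the generator that produces this file normalises URLs is not visible here; if it does not, that is where the fix belongs rather than in hand edits. The refs array closes in this hunk, but the enclosing REvil object starts before it.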
@@ -4533,6 +5515,21 @@
 "uuid": "9e5d83a8-1181-43fe-a77f-28c8c75ffbd0",
 "value": "Satori"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sbidiot",
+ "https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/",
+ "https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/",
+ "https://www.nozominetworks.com/blog/threat-intelligence-analysis-of-the-sbidiot-iot-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b4c20cf4-8e94-4523-8d48-7781aab6785d",
+ "value": "SBIDIOT"
+ },
 {
 "description": "",
 "meta": {
@@ -4579,6 +5576,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.slapstick",
+ "https://www.mandiant.com/resources/unc2891-overview",
 "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"
 ],
 "synonyms": [],
@@ -4587,6 +5585,22 @@
 "uuid": "fb3e0a1d-3a98-4cbd-ad7f-4bbb4b9a8351",
 "value": "SLAPSTICK"
 },
+ {
+ "description": "This is an implant used by APT31 on home routers to utilize them as ORBs.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sowat",
+ "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003",
+ "https://imp0rtp3.wordpress.com/2021/11/25/sowat/",
+ "https://twitter.com/billyleonard/status/1417910729005490177",
+ "https://twitter.com/bkMSFT/status/1417823714922610689"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c2866996-d622-4ee2-b548-a6598836e5ae",
+ "value": "SoWaT"
+ },
 {
 "description": "",
 "meta": {
@@ -4618,7 +5632,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.specter",
- "https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/"
+ "https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/",
+ "https://blog.netlab.360.com/the-pitfall-of-threat-intelligence-whitelisting-specter-botnet-is-taking-over-top-legit-dns-domains-by-using-cloudns-service/"
 ],
 "synonyms": [],
 "type": []
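Review bot: The SoWaT description `"This is an implant used by APT31 on home routers to utilize them as ORBs."` uses the abbreviation ORB without expansion, which a reader of the cluster cannot resolve from the entry itself; assuming operational relay boxes is what is meant, `"This is an implant used by APT31 on home routers to utilize them as operational relay boxes (ORBs)."` would be self-contained. The entry keeps uuid `c2866996-d622-4ee2-b548-a6598836e5ae`, which a later hunk removes together with "Unidentified ELF 003", so this is a rename of that cluster rather than a new one and the old name could be listed under `synonyms` so existing references keep resolving.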
@@ -4678,6 +5693,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.steelcorgi",
+ "https://www.mandiant.com/resources/unc2891-overview",
 "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html",
 "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
 "https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/"
@@ -4729,8 +5745,53 @@
 "uuid": "d2748a0c-8739-4006-95c4-bdf6350d7fa9",
 "value": "Suterusu"
 },
+ {
+ "description": "A malware capable of capturing credentials and enabling backdoor access, implemented as a userland rootkit. It uses three methods for hiding its network activity, by hooking and hijacking 1) fopen/fopen64, 2) eBPF, 3) a set of libpcap functions.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.symbiote",
+ "https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4339d876-768c-4cdf-941f-3f55a08aafca",
+ "value": "Symbiote"
+ },
 {
 "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sysjoker",
+ "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
+ "https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/",
+ "https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c4b681ec-f5b5-433a-9314-07e06f739ba2",
+ "value": "SysJoker (ELF)"
+ },
+ {
+ "description": "Cryptojacking botnet",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sysrvhello",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://www.lacework.com/sysrv-hello-expands-infrastructure/",
+ "https://www.riskiq.com/blog/external-threat-management/sysrv-hello-cryptojacking-botnet/"
+ ],
+ "synonyms": [
+ "Sysrv"
+ ],
+ "type": []
+ },
+ "uuid": "d471083a-c8e1-4d9b-907e-685c9a75c1f9",
+ "value": "Sysrv-hello (ELF)"
+ },
+ {
+ "description": "Since Fall 2019, Team TNT is a well known threat actor which targets *nix based systems and misconfigured Docker container environments. It has constantly evolved its capabilities for its cloud-based cryptojacking operations. They have shifted their focus on compromising Kubernetes Clusters. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt",
@@ -4740,13 +5801,20 @@
 "https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf",
 "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
 "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/",
 "https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment",
 "https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://www.trendmicro.com/en_us/research/21/l/more-tools-in-the-arsenal-how-teamtnt-used-compromised-docker-hu.html",
+ "https://www.trendmicro.com/en_ae/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html",
+ "https://tolisec.com/active-crypto-mining-operation-by-teamtnt/",
 "https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera",
 "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
 "https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/",
 "https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/",
- "https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools"
+ "https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools",
+ "https://sysdig.com/blog/teamtnt-aws-credentials/",
+ "https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked"
 ],
 "synonyms": [],
 "type": []
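Review bot: The new TeamTNT description spells the actor `Team TNT` while the Malpedia identifier in the same object is `elf.teamtnt`, opens with `Since Fall 2019, Team TNT is a well known threat actor`, switches subject from "It" to "They", and ends with a trailing space inside the string; proposed `"Since fall 2019, TeamTNT has been a well-known threat actor targeting *nix-based systems and misconfigured Docker container environments. It has constantly evolved its capabilities for cloud-based cryptojacking operations and has shifted its focus to compromising Kubernetes clusters."`. The second hunk adds `https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked` to TeamTNT's refs; judging only by its URL it is about the Conti leak, so it is worth confirming that it actually covers TeamTNT before it lands in this cluster. The TeamTNT object spans both hunks and ends after the second.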
@@ -4849,17 +5917,26 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
+ "https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://blog.aquasec.com/fileless-malware-container-security",
+ "https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/",
 "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
+ "https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/",
 "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
 "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/",
+ "https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers",
+ "https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/",
 "http://get.cyberx-labs.com/radiation-report",
 "https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/",
 "https://www.lacework.com/meet-muhstik-iot-botnet-infecting-cloud-servers/",
- "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/",
+ "https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039",
+ "https://tolisec.com/multi-vector-minertsunami-botnet-with-ssh-lateral-movement/",
 "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
- "https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/"
+ "https://sysdig.com/blog/muhstik-malware-botnet-analysis/",
+ "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/",
+ "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/"
 ],
 "synonyms": [
 "Amnesia",
@@ -4913,25 +5990,38 @@
 "value": "Unidentified Linux 001"
 },
 {
- "description": "This is an implant used by APT31 on home routers to utilize them as ORBs.",
+ "description": "Implant used by APT31 on compromised SOHO infrastructure, tries to camouflage as a tool (\"unifi-video\") related to Ubiquiti UniFi surveillance cameras. ",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_003",
- "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003",
- "https://twitter.com/billyleonard/status/1417910729005490177",
- "https://twitter.com/bkMSFT/status/1417823714922610689"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_004",
+ "https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/"
 ],
 "synonyms": [],
 "type": []
 },
- "uuid": "c2866996-d622-4ee2-b548-a6598836e5ae",
- "value": "Unidentified ELF 003"
+ "uuid": "44a57915-2ec0-476f-9f20-b11082f5b5a4",
+ "value": "Unidentified ELF 004"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_005",
+ "https://ti.qianxin.com/blog/articles/SideCopy's-Golang-based-Linux-tool/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d49402b3-9f2a-4d9a-ae09-b1509da2e8fd",
+ "value": "Unidentified 005 (Sidecopy)"
 },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.vermilion_strike",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://notes.netbytesec.com/2021/09/discovering-linux-elf-beacon-of-cobalt_18.html",
 "https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/"
 ],
 "synonyms": [],
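Review bot: `"value": "Unidentified 005 (Sidecopy)"` breaks the naming pattern of its sibling `"Unidentified ELF 004"` and the other ELF placeholders, and writes the actor as `Sidecopy` where the cited Qianxin URL spells it `SideCopy`; `"value": "Unidentified ELF 005 (SideCopy)"` would be consistent, provided the value is not dictated by the upstream Malpedia name. The new Unidentified ELF 004 description likewise ends with a trailing space inside the string (`... surveillance cameras. "`). Both are cosmetic, but the value is presumably the user-visible tag text, so consistency matters more here than in refs.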
@@ -4945,27 +6035,37 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter",
- "https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html",
- "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1",
+ "https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-054a",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-054A%20New%20Sandworm%20Malware%20Cyclops%20Blink%20Replaces%20VPN%20Filter.pdf",
 "https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf",
 "https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html",
- "https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html",
 "https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/",
 "https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html",
- "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
 "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
- "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/",
+ "https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/",
+ "https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities",
+ "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
 "https://blog.talosintelligence.com/2018/05/VPNFilter.html",
 "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en",
+ "https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html",
+ "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks",
+ "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1",
+ "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter",
+ "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
 "https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "5ad30da2-2645-4893-acd9-3f8e0fbb5500",
- "value": "elf.vpnfilter"
+ "value": "VPNFilter"
 },
 {
 "description": "According to Intezer, this is a spreader module used by WatchBog. It is a dynamically linked ELF executable, compiled with Cython. C&C adresses are fetched from Pastebin. C&C communication references unique identification keys per victim. It contains a BlueKeep scanner, reporting positively scanned hosts to the C&C server (RC4 encrypted within SSL/TLS). It contains 5 exploits targeting Jira, Exim, Solr, Jenkins and Nexus Repository Manager 3. ",
@@ -5014,6 +6114,7 @@
 "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
 "https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf",
 "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://services.global.ntt/en-us/insights/blog/the-layered-infrastructure-operated-by-apt29",
 "https://community.riskiq.com/article/541a465f/description",
 "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
 "https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html",
@@ -5087,6 +6188,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xanthe",
+ "https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/",
 "https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html",
 "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775"
 ],
@@ -5131,10 +6233,13 @@
 "https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf",
 "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf",
 "https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/",
+ "https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/",
 "https://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf",
- "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html",
+ "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf",
 "http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html",
 "https://en.wikipedia.org/wiki/Xor_DDoS",
+ "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html",
+ "https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/",
 "https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/",
 "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
 "https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html",
@@ -5178,6 +6283,19 @@
 "uuid": "9218630d-0425-4b18-802c-447a9322990d",
 "value": "Zollard"
 },
+ {
+ "description": "According to Black Lotus Labs, ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules).",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.zuo_rat",
+ "https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c4b0a7cd-b349-44a1-94ca-3d5a4ac288b2",
+ "value": "ZuoRAT"
+ },
 {
 "description": "Small downloader composed as a Fast-AutoLoad LISP (FAS) module for AutoCAD.",
 "meta": {
@@ -5315,7 +6433,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind",
 "https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html",
 "https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
 "https://blogs.seqrite.com/evolution-of-jrat-java-malware/",
 "https://research.checkpoint.com/malware-against-the-c-monoculture/",
 "http://malware-traffic-analysis.net/2017/07/04/index.html",
@@ -5326,6 +6444,7 @@
 "https://www.zscaler.com/blogs/research/compromised-wordpress-sites-used-distribute-adwind-rat",
 "https://marcoramilli.com/2018/08/20/interesting-hidden-threat-since-years/",
 "https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://citizenlab.ca/2015/12/packrat-report/"
 ],
 "synonyms": [
@@ -5355,13 +6474,14 @@
 "value": "Adzok"
 },
 {
- "description": "",
+ "description": "F-Secure observed Banload variants silently downloading malicious files from a remote server, then installing and executing the files.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.banload",
- "https://colin.guru/index.php?title=Advanced_Banload_Analysis",
+ "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanDownloader%3AWin32%2FBanload",
 "https://www.welivesecurity.com/wp-content/uploads/2015/05/CPL-Malware-in-Brasil-zx02m.pdf",
- "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanDownloader%3AWin32%2FBanload"
+ "https://colin.guru/index.php?title=Advanced_Banload_Analysis"
 ],
 "synonyms": [],
 "type": []
@@ -5570,6 +6690,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty",
+ "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
 "https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/"
 ],
 "synonyms": [],
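Review bot: The new Banload description attributes the behaviour to F-Secure (`"F-Secure observed Banload variants silently downloading malicious files ..."`) but none of the four refs in the reordered list is an F-Secure source, so a reader cannot follow the claim to its origin. Either the F-Secure write-up the sentence paraphrases should be added to `refs`, or the attribution should name one of the sources actually listed. The Banload object's `uuid` and `value` lines lie outside this hunk.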
@@ -5579,15 +6700,22 @@
 "value": "Ratty"
 },
 {
- "description": "According to G DATA, STRRAT is a Java-based RAT, which makes extensive use of plugins to provide full remote access to an attacker, as well as credential stealing, key logging and additional plugins. The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird. \r\n\r\nOlder version of the malware came with a rudimentary ransomware module that appends \".crimson\" to affected files. The affected files are not encrypted, but simply reamed. If the extension is removed, the files can be opened as usual.\r\n\r\nAs of at least version 1.5, STRRAT has an implemented encryption routine.",
+ "description": "STRRAT is a Java-based RAT, which makes extensive use of plugins to provide full remote access to an attacker, as well as credential stealing, key logging and additional plugins. The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.\r\n\r\nSince Version 1.2 and above, STRRAT was infamous for its ransomware-like behavior of appending the file name extension .crimson to files. Version 1.5 is notably more obfuscated and modular than previous versions, but the backdoor functions mostly remain the same: collect browser passwords, run remote commands and PowerShell, log keystrokes, among others. Version 1.5 of STRRAT Malware includes a proper encryption routine, though currently pretty simple to revert.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.strrat",
- "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
- "https://www.jaiminton.com/reverse-engineering/strrat",
+ "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
+ "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
 "https://twitter.com/MsftSecIntel/status/1395138347601854465",
 "https://www.gdatasoftware.com/blog/strrat-crimson",
- "https://isc.sans.edu/diary/rss/27798"
+ "https://isc.sans.edu/diary/rss/27798",
+ "https://www.jaiminton.com/reverse-engineering/strrat",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
+ "https://www.fortinet.com/blog/threat-research/new-strrat-rat-phishing-campaign",
+ "https://forensicitguy.github.io/strrat-attached-to-msi/",
+ "https://www.jaiminton.com/reverse-engineering/strrat#",
+ "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain"
 ],
 "synonyms": [],
 "type": []
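Review bot: The rebuilt STRRAT refs list adds `https://www.jaiminton.com/reverse-engineering/strrat` and, five lines later, `https://www.jaiminton.com/reverse-engineering/strrat#`, which is the same page with an empty fragment; one of the two should go, and stripping empty fragments and tracking queries at generation time would stop this class of duplicate recurring across the file. In the new description, `Since Version 1.2 and above, STRRAT was infamous` mixes two constructions; `From version 1.2 onward, STRRAT was infamous` reads cleanly, and `STRRAT Malware` does not need the capitalised noun. The STRRAT object's `uuid` and `value` lines lie outside this hunk.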
@@ -5610,6 +6738,19 @@
 "uuid": "651e37e0-1bf8-4024-ac1e-e7bda42470b0",
 "value": "SupremeBot"
 },
+ {
+ "description": "This malware seems to be used for attacks installing cyptocurrency miners on infected machines. Other indicators leads to the assumption that attackers may also use this malware for other purposes (e.g. stealing access tokens for Discord chat app). Symantec describes this malware as complex and powerful: The malware is loaded as a server-side polymorphic JAR file.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.verblecon",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "793565b4-666b-47a4-b15b-de9c80c75a51",
+ "value": "Verblecon"
+ },
 {
 "description": "AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages.",
 "meta": {
@@ -5633,6 +6774,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://www.secureworks.com/research/threat-profiles/gold-niagara",
 "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
 "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor"
@@ -5649,6 +6791,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.bellhop",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 ],
 "synonyms": [],
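Review bot: The new Verblecon description has a spelling error and a grammatical slip that will be shown verbatim to consumers of the cluster: `cyptocurrency` should read `cryptocurrency`, and `Other indicators leads to the assumption` should read `Other indicators lead to the assumption`. The rest of the entry (refs, empty synonyms, empty type, uuid) follows the shape of its neighbours.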
@@ -5663,10 +6806,11 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.cactustorch",
 "https://www.macnica.net/file/mpression_automobile.pdf",
+ "https://github.com/mdsecactivebreach/CACTUSTORCH",
 "https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf",
- "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/",
+ "https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/",
 "https://www.codercto.com/a/46729.html",
- "https://github.com/mdsecactivebreach/CACTUSTORCH"
+ "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/"
 ],
 "synonyms": [],
 "type": []
@@ -5674,6 +6818,19 @@
 "uuid": "efbb5a7c-8c01-4aca-ac21-8dd614b256f7",
 "value": "CACTUSTORCH"
 },
+ {
+ "description": "GoSecure describes ChromeBack as a browser hijacker, redirecting traffic and serving advertisements to users.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.chromeback",
+ "https://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ec055670-4d25-4918-90c7-281fddf3a771",
+ "value": "ChromeBack"
+ },
 {
 "description": "WebAssembly-based crpyto miner.",
 "meta": {
@@ -5703,6 +6860,20 @@
 "uuid": "d47ca107-3e03-4c25-88f9-8156426b7f60",
 "value": "CukieGrab"
 },
+ {
+ "description": "Prevailion found this RAT written in JavaScript, which dynamically compiles an accompanying keylogger written in C# and uses a DGA für C&C.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.darkwatchman",
+ "https://www.prevailion.com/darkwatchman-new-fileness-techniques/",
+ "https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4baf5a22-7eec-4ad8-8780-23a351d9b5f5",
+ "value": "DarkWatchman"
+ },
 {
 "description": "",
 "meta": {
@@ -5743,7 +6914,9 @@
 "https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw",
 "https://securelist.com/deathstalker-mercenary-triumvirate/98177/",
 "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "http://blog.nsfocus.net/agentvxapt-evilnum/",
 "https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html",
+ "https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets",
 "https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf",
 "http://www.pwncode.io/2018/05/javascript-based-bot-using-github-c.html",
 "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/",
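Review bot: The DarkWatchman description mixes a German word into an otherwise English sentence: `uses a DGA für C&C` should read `uses a DGA for C&C`. The remainder of the entry matches the shape of the surrounding records.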
@@ -5755,14 +6928,53 @@
 "uuid": "b7deec7e-24f7-4f78-9d58-9b3c1e182ab3",
 "value": "EVILNUM (Javascript)"
 },
+ {
+ "description": "FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT.\r\n\r\nFAKEUPDATES has been heavily used by UNC1543,a financially motivated group.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://www.menlosecurity.com/blog/increase-in-attack-socgholish",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf",
+ "https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems",
+ "https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/",
+ "https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/",
+ "https://experience.mandiant.com/trending-evil/p/1",
+ "https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
+ "https://www.lac.co.jp/lacwatch/report/20220407_002923.html",
+ "https://expel.io/blog/incident-report-spotting-socgholish-wordpress-injection/",
+ "https://www.mandiant.com/resources/they-come-in-the-night-ransomware-deployment-trends",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvertising-campaign-adds-fake-update-template/",
+ "https://twitter.com/MsftSecIntel/status/1522690116979855360",
+ "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee",
+ "https://www.digitalinformationworld.com/2022/04/threatening-redirect-web-service.html"
+ ],
+ "synonyms": [
+ "FakeUpdate",
+ "SocGholish"
+ ],
+ "type": []
+ },
+ "uuid": "cff35ce3-8d6f-417b-ae6c-a9e6a60ee26c",
+ "value": "FAKEUPDATES"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.gootloader",
 "https://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/",
+ "https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/",
+ "https://dinohacks.blogspot.com/2022/06/loading-gootloader.html",
 "https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/",
- "https://community.riskiq.com/article/f5d5ed38"
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf",
+ "https://redcanary.com/blog/gootloader",
+ "https://community.riskiq.com/article/f5d5ed38",
+ "https://experience.mandiant.com/trending-evil/p/1"
 ],
 "synonyms": [],
 "type": []
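Review bot: The FAKEUPDATES description is missing a space after the comma in `UNC1543,a financially motivated group`; it should read `UNC1543, a financially motivated group`. Otherwise the entry is well-formed, with `FakeUpdate` and `SocGholish` placed in the `synonyms` array rather than buried in the description, which is what downstream matching on synonyms relies on.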
@@ -5790,14 +7002,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/",
 "https://twitter.com/ItsReallyNick/status/1059898708286939136",
+ "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.mandiant.com/resources/evolution-of-fin7",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
 "https://www.secureworks.com/research/threat-profiles/gold-niagara",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/",
 "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
- "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/"
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/",
+ "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
 ],
 "synonyms": [
 "Harpy"
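Review bot: The griffon hunk adds the same Microsoft post twice, once as `https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself` and once with a trailing `/`; only one should remain. The hunk also removes and re-adds the trustwave, securelist and crowdstrike part-1 URLs at new positions, so the genuine additions are fewer than the diff suggests. Normalising URLs (trailing slash, fragment) before deduplication in whatever script generates this list would stop both the duplicate and the spurious churn.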
@@ -5851,7 +7069,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.jsprat",
- "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators"
+ "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators",
+ "https://www.mandiant.com/resources/fin13-cybercriminal-mexico"
 ],
 "synonyms": [],
 "type": []
@@ -5898,6 +7117,8 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart",
 "https://community.riskiq.com/article/743ea75b/description",
 "https://sansec.io/research/magento-2-persistent-parasite",
+ "https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/",
+ "https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/",
 "https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf",
 "https://sansec.io/research/north-korea-magecart",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
@@ -5909,20 +7130,24 @@
 "https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/",
 "https://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/?utm_source=dlvr.it&utm_medium=twitter",
 "https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html",
- "https://community.riskiq.com/article/fda1f967",
+ "https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/",
 "https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/",
 "https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/",
 "https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/",
+ "https://community.riskiq.com/article/017cf2e6",
 "https://twitter.com/AffableKraut/status/1415425132080816133?s=20",
- "https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/",
+ "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
 "https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/",
+ "https://community.riskiq.com/article/fda1f967",
+ "https://community.riskiq.com/article/2efc2782",
 "https://www.goggleheadedhacker.com/blog/post/14",
 "https://www.riskiq.com/blog/labs/magecart-group-12-olympics/",
 "https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/",
- "https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/",
+ "https://geminiadvisory.io/magecart-google-tag-manager/",
 "https://community.riskiq.com/article/5bea32aa",
+ "https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/",
 "https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/",
 "https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/",
 "https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/",
@@ -5940,9 +7165,8 @@
 "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/",
 "https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/",
- "https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/",
 "https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html",
- "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
+ "https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/",
 "https://twitter.com/MBThreatIntel/status/1416101496022724609",
 "https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/",
 "https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html",
@@ -5993,7 +7217,8 @@
 "https://github.com/eset/malware-ioc/tree/master/evilnum",
 "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/"
+ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
+ "https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware"
 ],
 "synonyms": [
 "SKID",
@@ -6044,6 +7269,7 @@
 "https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/",
 "https://www.intrinsec.com/deobfuscating-hunting-ostap/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/",
+ "https://malfind.com/index.php/2021/11/24/from-the-archive-1-ostap-dropper-deobfuscation-and-analysis/",
 "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
 "https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
@@ -6055,6 +7281,34 @@
 "uuid": "a3b93781-c51c-4ccb-a856-804331470a9d",
 "value": "ostap"
 },
+ {
+ "description": "This malicious code written in JavaScript is used as Traffic Direction System (TDS). This TDS showes similarities to the Prometheus TDS. According to DECODED Avast.io this TDS has been active since October 2021.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.parrot_tds",
+ "https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "dbefad0a-29d3-49d3-b925-116598182dee",
+ "value": "Parrot TDS"
+ },
+ {
+ "description": "PeaceNotWar was integrated into the nodejs module node-ipc as a piece of malware/protestware with wiper characteristics. It targets machines with a public IP address located in Russia and Belarus (using geolocation) and overwrites files recursively using a heart emoji.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.peacenotwar",
+ "https://www.vice.com/en/article/dypeek/open-source-sabotage-node-ipc-wipe-russia-belraus-computers",
+ "https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/",
+ "https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6c304481-024e-4f34-af06-6235edacfdcc",
+ "value": "PeaceNotWar"
+ },
 {
 "description": "",
 "meta": {
@@ -6118,6 +7372,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
 ],
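Review bot: The Parrot TDS description has a typo: `This TDS showes similarities to the Prometheus TDS` should read `This TDS shows similarities to the Prometheus TDS`. The source is named as `DECODED Avast.io`, which is an odd rendering of the Avast Decoded blog cited in the refs; the same spelling recurs in the Parrot TDS WebShell entry later in this diff, so if one is changed the other should follow.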
@@ -6282,6 +7537,21 @@
 "uuid": "dcc0fad2-29a9-4b69-9d75-d288ca458bc7",
 "value": "witchcoven"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/jsp.godzilla_webshell",
+ "https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/",
+ "https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/",
+ "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "07e88ccf-6027-412b-99bf-0fa1d3cfb174",
+ "value": "Godzilla Webshell"
+ },
 {
 "description": "",
 "meta": {
@@ -6377,6 +7647,41 @@
 "uuid": "387e1a19-458d-4961-a8e4-3f82463085e5",
 "value": "Casso"
 },
+ {
+ "description": "Google TAG has observed this malware being delivered via watering hole attacks using 0-day exploits, targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cdds",
+ "https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/",
+ "https://objective-see.com/blog/blog_0x69.html",
+ "https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/"
+ ],
+ "synonyms": [
+ "Macma"
+ ],
+ "type": []
+ },
+ "uuid": "5e4bdac7-b6c8-4c59-996f-babfc3bb3a3c",
+ "value": "CDDS"
+ },
+ {
+ "description": "A loader delivering malicious Chrome and Safari extensions.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.choziosi",
+ "https://redcanary.com/blog/chromeloader/",
+ "https://www.gdatasoftware.com/blog/2022/01/37236-qr-codes-on-twitter-deliver-malicious-chrome-extension",
+ "https://www.th3protocol.com/2022/Choziosi-Loader"
+ ],
+ "synonyms": [
+ "ChromeLoader",
+ "Chropex"
+ ],
+ "type": []
+ },
+ "uuid": "57f75f24-b77b-46b3-a06a-57d49374fb82",
+ "value": "Choziosi (OS X)"
+ },
 {
 "description": "CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component. \r\n\r\nIt was spreading in early 2014 from several different sources: \r\n- on Github (where the trojanized compiled binary didn’t match the displayed source code), o\r\n- on popular and trusted download sites line CNET's Download.com or MacUpdate.com, and \r\n- as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.\r\n\r\nThe patcher‘s role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted versions of Bitcoin-Qt 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt adding malicious code that would send nearly all the victim’s Bitcoins to one of the hard-coded addresses belonging to the attacker. \r\n\r\nThe browser extensions targeted Chrome and Firefox and are disguised as a “Pop-up blocker”. The extensions monitored visited websites, download malicious JavaScripts and injected them into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker’s address or simply harvest login credentials to the targeted online service.\r\n\r\nThe backdoor enabled the attacker to take full control over the victim’s computer:\r\n- collect information about the infected computer\r\n- execute arbitrary shell scripts on the target computer\r\n- upload an arbitrary file from the victim’s hard drive to a remote server\r\n- update itself to a newer version",
 "meta": {
@@ -6510,6 +7815,20 @@
 "uuid": "a8e71805-014d-4998-b21e-3125da800124",
 "value": "DarthMiner"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dazzle_spy",
+ "https://objective-see.com/blog/blog_0x6D.html",
+ "https://www.sentinelone.com/blog/sneaky-spies-and-backdoor-rats-sysjoker-and-dazzlespy-malware-target-macos/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ba2c7d3c-7f7a-42f7-854c-a6cc0b5eb850",
+ "value": "DazzleSpy"
+ },
 {
 "description": "",
 "meta": {
@@ -6587,11 +7906,13 @@
 "https://www.sentinelone.com/labs/defeating-macos-malware-anti-analysis-tricks-with-radare2/",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://github.com/gdbinit/evilquest_deobfuscator",
+ "https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/",
 "https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/",
 "https://objective-see.com/blog/blog_0x59.html",
 "https://objective-see.com/blog/blog_0x5F.html",
 "https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/",
- "https://twitter.com/dineshdina04/status/1277668001538433025"
+ "https://twitter.com/dineshdina04/status/1277668001538433025",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities"
 ],
 "synonyms": [
 "ThiefQuest"
@@ -6637,6 +7958,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities",
 "http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html",
 "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed",
 "https://en.wikipedia.org/wiki/Flashback_(Trojan)",
@@ -6670,6 +7992,20 @@
 "uuid": "a517cdd1-6c82-4b29-bdd2-87e281227597",
 "value": "FruitFly"
 },
+ {
+ "description": "This multi-platform malware is a ObjectiveC written macOS variant dubbed GIMMICK by Volexity. This malware is a file-based C2 implant used by Storm Cloud.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.gimmick",
+ "https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/",
+ "https://cybersecuritynews.com/gimmick-malware-attacks/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0e259d0f-717a-4ced-ac58-6fe9d72e2c96",
+ "value": "GIMMICK"
+ },
 {
 "description": "",
 "meta": {
@@ -6724,11 +8060,16 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.janicab",
 "https://archive.f-secure.com/weblog/archives/00002576.html",
+ "https://www.malwarology.com/2022/05/janicab-series-attibution-and-iocs/",
+ "https://www.malwarology.com/posts/5-janicab-part_1/",
 "https://securelist.com/deathstalker-mercenary-triumvirate/98177/",
 "https://securelist.com/apt-trends-report-q3-2020/99204/",
 "https://www.macmark.de/blog/osx_blog_2013-08-a.php",
+ "https://www.malwarology.com/2022/05/janicab-series-first-steps-in-the-infection-chain/",
 "https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/",
- "https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html"
+ "https://www.malwarology.com/2022/05/janicab-series-further-steps-in-the-infection-chain/",
+ "https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html",
+ "https://www.malwarology.com/2022/05/janicab-series-the-core-artifact/"
 ],
 "synonyms": [],
 "type": []
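Review bot: The GIMMICK description reads awkwardly in its first sentence: `This multi-platform malware is a ObjectiveC written macOS variant dubbed GIMMICK by Volexity` would be clearer as `GIMMICK is the Objective-C macOS variant of a multi-platform malware, as named by Volexity`. The second sentence is fine and matches the cited Volexity post's title.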
@@ -6803,6 +8144,34 @@
 "uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
 "value": "Komplex"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.lador",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9c6b54ce-44a0-4d0c-89cb-6532c8f89d8d",
+ "value": "Lador"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.lambert",
+ "https://objective-see.com/blog/blog_0x68.html"
+ ],
+ "synonyms": [
+ "GreenLambert"
+ ],
+ "type": []
+ },
+ "uuid": "7433f3a8-f53c-4ba0-beff-e312fae9ad39",
+ "value": "Lambert (OS X)"
+ },
 {
 "description": "",
 "meta": {
@@ -6992,6 +8361,19 @@
 "uuid": "cd397973-8f42-4c49-8322-414ea77ec773",
 "value": "Olyx"
 },
+ {
+ "description": "SentinelOne describes this as a malware written in Go, mixing own custom code with code from public repositories.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.orat",
+ "https://www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "699dac0f-092c-4c8e-85e9-6e3c86129190",
+ "value": "oRAT"
+ },
 {
 "description": "",
 "meta": {
@@ -7116,6 +8498,7 @@
 "https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
 "https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities",
 "https://securelist.com/shlayer-for-macos/95724/"
 ],
 "synonyms": [],
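Review bot: The Lador entry cites `https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities/` with a trailing slash, while the EvilQuest, Flashback, Shlayer and XCSSET hunks in this same diff add the identical post without one. The cluster ends up holding two spellings of one reference, which defeats any exact-match dedupe or cross-entry lookup on refs; picking one canonical form (the slash-less one is the majority here) keeps the data consistent.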
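Review bot: The oRAT description drops a word: `mixing own custom code with code from public repositories` should read `mixing its own custom code with code from public repositories`. The rest of the entry follows the established shape.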
@@ -7129,6 +8512,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.silver_sparrow",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf",
 "https://redcanary.com/blog/clipping-silver-sparrows-wings/#technical-analysis"
 ],
 "synonyms": [],
@@ -7137,14 +8521,35 @@
 "uuid": "f6a7aeeb-fcc5-4d26-9eab-c0b6e2819a6c",
 "value": "Silver Sparrow"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.sysjoker",
+ "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
+ "https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/",
+ "https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html",
+ "https://www.sentinelone.com/blog/sneaky-spies-and-backdoor-rats-sysjoker-and-dazzlespy-malware-target-macos/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5bffe0fe-22f6-4d18-9372-f8c5d262d852",
+ "value": "SysJoker (OS X)"
+ },
 {
 "description": "General purpose backdoor",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.systemd",
- "https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en"
+ "https://securelist.com/windealer-dealing-on-the-side/105946/",
+ "https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en",
+ "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf"
+ ],
+ "synonyms": [
+ "Demsty",
+ "ReverseWindow"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "a8e7687b-9db7-4606-ba81-320d36099e3a",
@@ -7177,6 +8582,22 @@
 "uuid": "1c96f6b9-6b78-4137-9d5f-aa5575f80daa",
 "value": "Unidentified macOS 001 (UnionCryptoTrader)"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.update_agent",
+ "https://twitter.com/sysopfb/status/1532442456343691273",
+ "https://www.jamf.com/blog/updateagent-adapts-again/",
+ "https://www.esentire.com/blog/updateagent-macos-malware",
+ "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1f1bc885-5987-41fa-bb04-8775eeb45d88",
+ "value": "UpdateAgent"
+ },
 {
 "description": "",
 "meta": {
@@ -7196,6 +8617,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.vigram",
+ "https://twitter.com/MsftSecIntel/status/1451279679059488773",
+ "https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/",
 "https://twitter.com/ConfiantIntel/status/1351559054565535745"
 ],
 "synonyms": [
@@ -7308,6 +8731,7 @@
 "https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/",
 "https://objective-see.com/blog/blog_0x5F.html",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities",
 "https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/"
 ],
 "synonyms": [],
@@ -7321,12 +8745,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader",
+ "https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption",
 "https://twitter.com/krabsonsecurity/status/1319463908952969216",
+ "https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/",
+ "https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/",
 "https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer",
+ "https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-xbinder-xloader/",
 "https://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/",
 "https://www.sentinelone.com/blog/detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger/",
- "https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/",
- "https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-its-main-purpose-what-we-learned-in-the-installation-process/"
+ "https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-its-main-purpose-what-we-learned-in-the-installation-process/",
+ "https://www.lac.co.jp/lacwatch/report/20220307_002893.html"
 ],
 "synonyms": [
 "Formbook"
@@ -7409,6 +8839,19 @@
 "uuid": "88a71ca8-d99f-416a-ad29-5af12212008c",
 "value": "ANTAK"
 },
+ {
+ "description": "A webshell for multiple web languages (asp/aspx, jsp/jspx, php), openly distributed through Github.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/php.behinder",
+ "https://cyberandramen.net/2022/02/18/a-tale-of-two-shells/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5e5cd3a6-0348-4c6b-94b1-13ca0d845547",
+ "value": "Behinder"
+ },
 {
 "description": "C99shell is a PHP backdoor that provides a lot of functionality, for example:\r\n\r\n\r\n* run shell commands;\r\n* download/upload files from and to the server (FTP functionality);\r\n* full access to all files on the hard disk;\r\n* self-delete functionality.\r\n\r\n",
 "meta": {
@@ -7425,7 +8868,7 @@
 "value": "c99shell"
 },
 {
- "description": "FireEye discovered the DEWMODE webshell starting mid-December 2020 after exploitation of zero-day vulnerabilities in Accellion's File Transfer Appliance.",
+ "description": "FireEye discovered the DEWMODE webshell starting mid-December 2020 after exploitation of zero-day vulnerabilities in Accellion's File Transfer Appliance. It is a PHP webshell that allows threat actors to view and download files in the victim machine. It also contains cleanup function to remove itself and clean the Apache log.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode",
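Review bot: The extended DEWMODE description drops an article and uses an odd preposition: `It also contains cleanup function to remove itself and clean the Apache log` should read `It also contains a cleanup function to remove itself and clean the Apache log`, and `in the victim machine` reads better as `on the victim machine`. The new sentences are useful for defenders because they name the self-removal and log-cleaning behaviour that an investigator would otherwise miss when the shell is no longer on disk.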
@@ -7455,6 +8898,19 @@
 "uuid": "dfd8deac-ce86-4a22-b462-041c19d62506",
 "value": "Ensikology"
 },
+ {
+ "description": "In combination with Parrot TDS the usage of a classical web shell was observed by DECODED Avast.io.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/php.parrot_tds_shell",
+ "https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c9e7c5a6-9082-47ec-89eb-477980e73dcb",
+ "value": "Parrot TDS WebShell"
+ },
 {
 "description": "",
 "meta": {
@@ -7472,6 +8928,20 @@
 "uuid": "e6a40fa2-f79f-40e9-89d3-a56984bc51f7",
 "value": "PAS"
 },
+ {
+ "description": "Backdoor written in php",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/php.prometheus_backdoor",
+ "https://blog.group-ib.com/prometheus-tds",
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b4007b02-106d-420f-af1c-76c035843fd2",
+ "value": "Prometheus Backdoor"
+ },
 {
 "description": "",
 "meta": {
@@ -7490,6 +8960,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/php.wso",
+ "https://www.mandiant.com/resources/cloud-metadata-abuse-unc2903",
 "https://securelist.com/energetic-bear-crouching-yeti/85345/"
 ],
 "synonyms": [
@@ -7513,6 +8984,19 @@
 "uuid": "b5cc7a39-305b-487e-b15a-02dcebefce90",
 "value": "Silence DDoS"
 },
+ {
+ "description": "Ransomware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.blacksun",
+ "https://blogs.vmware.com/security/2022/01/blacksun-ransomware-the-dark-side-of-powershell.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1fcc4425-6e14-47e6-8434-745cf1bc9982",
+ "value": "BlackSun"
+ },
 {
 "description": "",
 "meta": {
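Review bot: `"description": "Ransomware."` on the new BlackSun entry (last hunk of this line) adds nothing beyond the `value`, while both the `ps1.blacksun` Malpedia identifier and the only other reference (`blacksun-ransomware-the-dark-side-of-powershell`) indicate a PowerShell implementation; suggest `"description": "Ransomware written in PowerShell, analysed by VMware in January 2022."`. On the earlier hunks of the same line, `Backdoor written in php` should read `Backdoor written in PHP`, and the Parrot TDS WebShell sentence would be clearer as `A classical PHP web shell that Avast (Decoded) observed being used in combination with Parrot TDS.`, which also keeps the language claim aligned with the `php.parrot_tds_shell` identifier.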
@@ -7636,6 +9120,19 @@
 "uuid": "286a14a1-7113-4bed-97ce-8db41b312a51",
 "value": "JasperLoader"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.lazyscripter",
+ "https://github.com/SrujanKumar-K/Blogpost/tree/main/LazyScripter"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "74e5711e-b777-4f09-a4bc-db58d5e23e29",
+ "value": "Lazyscripter"
+ },
 {
 "description": "According to Bleeping Computer and Vitali Kremez, LightBot is a compact reconnaissance tool suspected to be used to identify high-value targets for potential follow-up ransomware attacks.",
 "meta": {
@@ -7655,8 +9152,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.octopus",
- "https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf",
+ "https://isc.sans.edu/diary/rss/28628",
 "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
+ "https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf",
 "https://isc.sans.edu/diary/26918",
 "https://github.com/mhaskar/Octopus"
 ],
@@ -7737,6 +9235,19 @@
 "uuid": "60d7f668-66b6-401b-976f-918470a23c3d",
 "value": "POWERPIPE"
 },
+ {
+ "description": "This powershell code is a PowerShell written backdoor used by FIN7. Regarding to Mandiant that is was revealed to be a \"vast backdoor framework with a breadth of capabilities, depending on which modules are delivered from the C2 server.\"",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerplant",
+ "https://www.mandiant.com/resources/evolution-of-fin7"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "697626d3-04a1-4426-aeae-d7054c6e78fb",
+ "value": "POWERPLANT"
+ },
 {
 "description": "",
 "meta": {
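Review bot: The POWERPLANT description on the last hunk of this line is garbled: `This powershell code is a PowerShell written backdoor` repeats itself and `Regarding to Mandiant that is was revealed` is not a sentence. Suggest `"description": "PowerShell backdoor used by FIN7. According to Mandiant, it was revealed to be a \"vast backdoor framework with a breadth of capabilities, depending on which modules are delivered from the C2 server.\""`. The new Lazyscripter entry in the first hunk ships with an empty description and only a personal GitHub blog as its non-Malpedia ref, even though the Octopus hunk on the same line already carries `https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf`; consider adding that vendor report to the Lazyscripter refs as well.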
@@ -7750,6 +9261,19 @@ "uuid": "4310dcab-0820-4bc1-8a0b-9691c20f5b49", "value": "powershell_web_backdoor" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershortshell", + "https://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f2198153-2d8b-49ed-b8a8-0952c289b8c0", + "value": "PowerShortShell" + }, { "description": "", "meta": { @@ -7770,6 +9294,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powersource", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", + "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" ], "synonyms": [], 
@@ -7796,19 +9321,23 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-ulster",
 "https://blog.prevailion.com/2020/01/summer-mirage.html",
 "https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/",
 "https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/",
 "http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/",
- "https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/",
+ "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html",
 "https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/",
 "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
 "https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
+ "https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
 "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a",
 "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
- "https://www.secureworks.com/research/threat-profiles/cobalt-ulster",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf",
 "https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/"
 ],
 "synonyms": [
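Review bot: After this hunk the POWERSTATS refs list the same Secureworks profile twice, once as the kept context line `http://www.secureworks.com/research/threat-profiles/cobalt-ulster` and once as the added `https://www.secureworks.com/research/threat-profiles/cobalt-ulster`; the https copy is only removed at the bottom to be re-added at the top. Keep the https form and drop the plain-http context line, so that consumers deduplicating on the exact string see one entry and are not steered to an unencrypted URL. The ClearSky Lebanon/Oman ref is likewise removed and re-added unchanged, which suggests the export does not sort refs deterministically; a stable sort in the generator would keep hunks like this down to the genuinely new CISA, InfoRiskToday and Hacker News links.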
@@ -7838,6 +9367,19 @@ "uuid": "08d5b8a4-e752-48f3-ac6d-944807146ce7", "value": "POWERTON" }, + { + "description": "This PowerShell written malware is an in-memory dropper used by FIN7 to execute the included/embedded payload. According to Mandiant's blog article: \"POWERTRASH is a uniquely obfuscated iteration of a shellcode invoker included in the PowerSploit framework available on GitHub.\"", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powertrash", + "https://www.mandiant.com/resources/evolution-of-fin7" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ff20d720-285e-4168-ac8c-86a7f9ac18d4", + "value": "POWERTRASH" + }, { "description": "", "meta": { 
@@ -7870,10 +9412,17 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powgoop", "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf", + "https://www.cyberscoop.com/muddywater-iran-symantec-middle-east/", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://unit42.paloaltonetworks.com/thanos-ransomware/", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", - "https://www.cyberscoop.com/muddywater-iran-symantec-middle-east/" + "https://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant", + "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a", + "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf", + "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/" ], "synonyms": [], "type": [] 
@@ -7925,6 +9474,19 @@ "uuid": "e27bfd65-4a58-416a-b03a-1ab1703edb24", "value": "QUADAGENT" }, + { + "description": "According to Trellix, this is a first-stage, powershell-based malware dropped via Excel/VBS. It is able to establish a foothold and exfiltrate data. Targets identified include hotels in Macao.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.rmot", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-apt-activity-update.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7e79444b-95d9-422d-92f0-aeb833a7cbcd", + "value": "RMOT" + }, { "description": "", "meta": { 
@@ -8058,6 +9620,33 @@
 "uuid": "77231587-0dbe-4064-97b5-d7f4a2e3dc67",
 "value": "Unidentified PS 001"
 },
+ {
+ "description": "A Powershell-based RAT capable of pulling further payloads, delivered through Russia-themed phishing mails.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_002",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/",
+ "https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "73578ff6-b218-4271-9bda-2a567ba3e259",
+ "value": "Unidentified PS 002 (RAT)"
+ },
+ {
+ "description": "This malware is a RAT written in PowerShell. It has the following capabilities: Downloading and Uploading files, loading and execution of a PowerShell script, execution of a specific command. It was observed by Malwarebytes LABS Threat Intelligence Team in a newly discovered campaign: this campaigns tries to lure Germans with a promise of updates on the current threat situation in Ukraine according to Malwarebyte LABS.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_003",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "709ba4ad-9ec5-4e0b-b642-96db3b7f6898",
+ "value": "Unidentified PS 003 (RAT)"
+ },
 {
 "description": "",
 "meta": {
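Review bot: The Unidentified PS 003 description attributes the finding to Malwarebytes twice (`observed by Malwarebytes LABS Threat Intelligence Team` and again `according to Malwarebyte LABS`, the second time misspelled) and has a number error in `this campaigns tries`. Suggest `"description": "A RAT written in PowerShell, observed by the Malwarebytes Labs Threat Intelligence Team in a campaign that lures Germans with a promise of updates on the current threat situation in Ukraine. Capabilities: downloading and uploading files, loading and executing a PowerShell script, and executing a specific command."`. The PS 002 entry just above should spell `PowerShell-based` the way the rest of the file does rather than `Powershell-based`.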
@@ -8160,6 +9749,19 @@ "uuid": "53dd4a8b-374e-48b6-a7c8-58af0e31f435", "value": "DropboxC2C" }, + { + "description": "According to Kaspersky Labs, Guard is a malware developed by threat actor WildPressure. It is written in Python and packaged using PyInstaller, both for Windows and macOS operating systems. Its intrinsics resemble parts of how win.milum operates.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/py.guard", + "https://securelist.com/wildpressure-targets-macos/103072/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ac3382b3-3c18-4b16-8f1b-b371794916ac", + "value": "Guard" + }, { "description": "", "meta": { @@ -8179,8 +9781,11 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.lazagne", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", - "https://github.com/AlessandroZ/LaZagne", "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/", + "https://www.infinitumit.com.tr/apt-35/", + "https://github.com/AlessandroZ/LaZagne", + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx", "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html", "https://edu.anarcho-copy.org/Against%20Security%20&%20%20Self%20Security/Group-IB%20RedCurl.pdf" ], 
@@ -8190,6 +9795,19 @@
 "uuid": "c752f295-7f08-4cb0-92d5-a0c562abd08c",
 "value": "LaZagne"
 },
+ {
+ "description": "This RAT written in Python is an open-source fork of the Ares RAT. This malware integrates additional modules, like recording, lockscreen, and locate options. It was used in a customized form version by El Machete APT in an ongoing champaign since 2020. The original code can be found at: https://github.com/TheGeekHT/Loki.Rat/",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.lokirat",
+ "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5e7bb9d4-6633-49f8-8770-9ac1163e6531",
+ "value": "Loki RAT"
+ },
 {
 "description": "An IRC bot written in (obfuscated) Python code. Distributed in attack campaign FreakOut, written by author Freak/Fl0urite and development potentially dating back as far as 2015.",
 "meta": {
@@ -8199,10 +9817,12 @@
 "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/",
 "https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/",
 "https://twitter.com/xuy1202/status/1393384128456794116",
+ "https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr",
 "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
 "https://www.lacework.com/the-kek-security-network/",
 "https://github.com/lacework/lacework-labs/tree/master/keksec",
 "https://www.lacework.com/keksec-tsunami-ryuk/",
+ "https://www.lacework.com/blog/spytech-necro-keksecs-latest-python-malware/",
 "https://twitter.com/xuy1202/status/1392089568384454657",
 "https://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/",
 "https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/"
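Review bot: The Loki RAT description in the first hunk of this line contains `champaign` for `campaign` and the redundant `customized form version`; suggest `It was used in a customized version by El Machete APT in an ongoing campaign since 2020.` The original-source link `https://github.com/TheGeekHT/Loki.Rat/` is embedded in prose, where MISP consumers that read `refs` will not see it; move it into the `refs` array alongside the Check Point report and end the description at the attribution sentence.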
@@ -8292,6 +9912,20 @@
 "uuid": "01f15f4e-dd40-4246-9b99-c0d81306e37f",
 "value": "PyArk"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pyback",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001",
+ "https://github.com/7h3w4lk3r/pyback"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6d96cd1e-98f4-4784-9982-397c5df19bd9",
+ "value": "pyback"
+ },
 {
 "description": "PyVil RAT",
 "meta": {
@@ -8336,6 +9970,21 @@
 "uuid": "30a22cdb-9393-460b-86ae-08d97c626155",
 "value": "Saphyra"
 },
+ {
+ "description": "According to Proofpoint, this is a backdoor written in Python, used in attacks against French entities in the construction, real estate, and government industries.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.serpent",
+ "https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain",
+ "https://blogs.vmware.com/security/2022/04/serpent-the-backdoor-that-hides-in-plain-sight.html",
+ "https://www.bleepingcomputer.com/news/security/serpent-malware-campaign-abuses-chocolatey-windows-package-manager/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8052319b-f6da-4f53-a630-59245ff65eaf",
+ "value": "Serpent"
+ },
 {
 "description": "",
 "meta": {
@@ -8376,18 +10025,6 @@
 "uuid": "6239201b-a0bd-4f01-8bbe-79c6fc5fa861",
 "value": "Stitch"
 },
- {
- "description": "",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "6d96cd1e-98f4-4784-9982-397c5df19bd9",
- "value": "unidentified_001"
- },
 {
 "description": "",
 "meta": {
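Review bot: The new `pyback` entry in the first hunk reuses uuid `6d96cd1e-98f4-4784-9982-397c5df19bd9` from the `unidentified_001` entry that the last hunk on this line deletes, which correctly keeps existing tags on that uuid attached to the same cluster, but the old `value` is not carried anywhere. Consider `"synonyms": ["unidentified_001"]` on the new entry so that lookups by the old name still resolve; the entry already keeps both Malpedia refs (`py.pyback` and `py.unidentified_001`), so the synonym would make the rename explicit rather than implicit. The `"description": ""` could at least state that the cluster covers the pyback backdoor from the linked GitHub repository, which is what the identifier and ref suggest.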
@@ -8486,6 +10123,19 @@ "uuid": "8ca31b9b-6e78-4dcc-9d14-dfd97d44994e", "value": "GGLdr" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.glowspark", + "https://inquest.net/blog/2022/02/10/380-glowspark" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ab6f8b6d-f0a0-4d2c-a81b-2dcb146914ea", + "value": "GlowSpark" + }, { "description": "", "meta": { @@ -8540,7 +10190,9 @@ "https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months/", "https://research.checkpoint.com/wp-content/uploads/2019/12/Threat_Intelligence_News_2019-12-30.pdf", "https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/", + "https://seguranca-informatica.pt/the-hidden-c2-lampion-trojan-release-212-is-on-the-rise-and-using-a-c2-server-for-two-years", "https://unit42.paloaltonetworks.com/single-bit-trap-flag-intel-cpu/", + "https://securityaffairs.co/wordpress/128975/malware/hidden-c2-lampion-trojan-release-212.html", "https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/" ], "synonyms": [], 
@@ -8601,6 +10253,29 @@ "uuid": "e24b852c-3ede-42ac-8d04-68ab96bf53a0", "value": "Starfighter (VBScript)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.starwhale", + "https://rootdaemon.com/2022/03/10/iranian-hackers-targeting-turkey-and-arabian-peninsula-in-new-malware-campaign/", + "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html", + "https://www.govinfosecurity.com/iranian-apt-new-methods-to-target-turkey-arabian-peninsula-a-18706", + "https://www.techrepublic.com/article/muddywater-targets-middle-eastern-and-asian-countries-in-phishing-attacks/", + "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611", + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", + "https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html", + "https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html" + ], + "synonyms": [ + "Canopy", + "SloughRAT" + ], + "type": [] + }, + "uuid": "27c70673-d40e-46a2-8f47-13cc5738ff36", + "value": "STARWHALE" + }, { "description": "", "meta": { @@ -8632,6 +10307,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_003", + "https://www.threatstop.com/blog/gamaredon-group-understanding-the-russian-apt", "https://aaqeel01.wordpress.com/2021/01/18/docx-files-template-injection/" ], "synonyms": [], 
@@ -8640,6 +10316,19 @@ "uuid": "d5955c4b-f507-4b3f-8d57-080849aba831", "value": "Unidentified 003 (Gamaredon Downloader)" }, + { + "description": "Lab52 describes this as a light first-stage RAT used by MuddyWater and observed samples between at least November 2020 and January 2022.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_004", + "https://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "84c6b483-ba17-4a22-809d-dc37d9ce1822", + "value": "Unidentified VBS 004 (RAT)" + }, { "description": "", "meta": { 
@@ -8653,18 +10342,40 @@ "uuid": "dc857b7d-f228-4aa5-9e89-f7e17bb7ea8c", "value": "WhiteShadow" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.000stealer", + "https://twitter.com/3xp0rtblog/status/1509978637189419008" + ], + "synonyms": [], + "type": [] + }, + "uuid": "24e598cf-4c55-468a-ac1d-cc4f89104943", + "value": "000Stealer" + }, { "description": "Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim’s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger", "https://twitter.com/James_inthe_box/status/1401921257109561353", + "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--102", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", + "https://www.cybereason.com/blog/threat-analysis-report-snake-infostealer-malware", + "https://www.youtube.com/watch?v=vzyJp2w8bPE", + "https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/", "https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/", + "https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/", "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89", - "https://habr.com/ru/company/group-ib/blog/477198/" + 
"https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter", + "https://habr.com/ru/company/group-ib/blog/477198/", + "https://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware", + "https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/", + "https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/" ], "synonyms": [ "404KeyLogger", @@ -8715,6 +10426,7 @@ "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf", "https://blog.malwarelab.pl/posts/on_the_royal_road/", "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/", + "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://community.riskiq.com/article/56fa1b2f", "https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746", 
@@ -9010,26 +10722,29 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz", - "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/", "https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", - "https://unit42.paloaltonetworks.com/ironnetinjector/", "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html", "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", - "https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/", - "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", - "https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4", - "https://cdn.muckrock.com/foia_files/2021/02/16/21R019_RESPONSE.pdf", - "https://www.secureworks.com/research/threat-profiles/iron-hunter", + "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a", - "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf", - "https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat" + 
"https://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d", + "https://unit42.paloaltonetworks.com/ironnetinjector/", + "https://docs.broadcom.com/doc/waterbug-attack-group", + "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", + "http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/", + "https://cdn.muckrock.com/foia_files/2021/02/16/21R019_RESPONSE.pdf", + "https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4", + "https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat", + "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/", + "https://www.secureworks.com/research/threat-profiles/iron-hunter", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf" ], "synonyms": [ "ComRAT", 
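Review bot: After this hunk the Agent.BTZ refs point at the Symantec Waterbug paper under three different URLs: the kept context line `https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf`, the removed-and-re-added `https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf`, and the newly added `https://docs.broadcom.com/doc/waterbug-attack-group`. Keep the Broadcom link, which appears to be the current host of that document, and drop at least the `www-west` mirror that this hunk only shuffles. Most of the hunk (twelve refs deleted and re-inserted unchanged) is ordering churn; a deterministic sort in the exporter would confine diffs like this to the genuinely new ESET air-gap paper and the Medium post.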
@@ -9046,77 +10761,112 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/", - "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry", - "https://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant", - "https://community.riskiq.com/article/40000d46", - "https://community.riskiq.com/article/56e28880", - "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", - "https://blog.malwarelab.pl/posts/basfu_aggah/", "https://www.telsy.com/download/4832/", - "https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/", + "https://youtu.be/QQuRp7Qiuzg", "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/", - "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire", - "https://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware", - "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", - "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/", - "https://menshaway.blogspot.com/2021/04/agenttesla-malware.html", - "https://isc.sans.edu/diary/27666", - "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/", - "https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware", - "https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/", - "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/", - "https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting", - 
"https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/", - "https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr", "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/", - "https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/", - "https://isc.sans.edu/diary/27088", - "https://www.secureworks.com/research/threat-profiles/gold-galleon", - "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads", - "https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4", + "https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr", + "https://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/", - "https://www.youtube.com/watch?v=Q9_1xNbVQPY", + "https://youtu.be/hxaeWyK8gMI", + "https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf", + "https://lab52.io/blog/a-twisted-malware-infection-chain/", + "https://news.sophos.com/en-us/2020/05/14/raticate/", + "https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla", + "https://isc.sans.edu/diary/rss/27092", + "https://inquest.net/blog/2021/11/02/adults-only-malware-lures", + "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader", + "https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/", + "https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/", + "https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/", + 
"https://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant",
+ "https://community.riskiq.com/article/56e28880",
+ "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
+ "http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/",
+ "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html",
+ "https://menshaway.blogspot.com/2021/04/agenttesla-malware.html",
+ "https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4",
+ "https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware",
+ "https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting",
+ "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
+ "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
 "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
 "https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/",
- "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
- "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html",
- "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
- "https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf",
+ "https://guillaumeorlando.github.io/GorgonInfectionchain",
 "https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir",
- "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware",
+ "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/",
+ "https://isc.sans.edu/diary/rss/28190",
+ "https://community.riskiq.com/article/6337984e",
+ "https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
+ "https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf",
+ "https://www.youtube.com/watch?v=Q9_1xNbVQPY",
+ "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
+ "https://youtu.be/BM38OshcozE",
+ "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
+ "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry",
+ "https://isc.sans.edu/diary/27666",
+ "https://yoroi.company/research/serverless-infostealer-delivered-in-est-european-countries/",
+ "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/",
+ "https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/",
+ "https://community.riskiq.com/article/40000d46",
+ "https://isc.sans.edu/diary/28202",
+ "https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/",
+ "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/",
+ "https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/",
+ "https://www.inde.nz/blog/inside-agenttesla",
+ "https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/",
+ "https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/",
 "https://blog.minerva-labs.com/preventing-agenttesla",
- "https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
- "https://lab52.io/blog/a-twisted-malware-infection-chain/",
+ "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
 "https://malwatch.github.io/posts/agent-tesla-malware-analysis/",
 "https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware/",
- "https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/",
- "https://news.sophos.com/en-us/2020/05/14/raticate/",
- "http://www.secureworks.com/research/threat-profiles/gold-galleon",
- "https://community.riskiq.com/article/6337984e",
- "https://isc.sans.edu/diary/rss/27092",
- "https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/",
- "https://twitter.com/MsftSecIntel/status/1392219299696152578",
- "https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/",
 "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/",
- "https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf",
- "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
- "http://blog.nsfocus.net/sweed-611/",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked/",
+ "https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/",
+ "https://forensicitguy.github.io/a-tale-of-two-dropper-scripts/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://blog.malwarelab.pl/posts/basfu_aggah/",
 "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
 "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://isc.sans.edu/forums/diary/PowerPoint+attachments+Agent+Tesla+and+code+reuse+in+malware/28154/",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/",
+ "https://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware",
 "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
+ "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/",
+ "https://isc.sans.edu/diary/27088",
+ "https://www.secureworks.com/research/threat-profiles/gold-galleon",
+ "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
 "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
- "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
- "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols"
+ "https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine",
+ "https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
+ "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
+ "https://mp.weixin.qq.com/s/X0kAIHOSldiFDthb4IsmbQ",
+ "https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/",
+ "https://asec.ahnlab.com/ko/29133/",
+ "https://twitter.com/MsftSecIntel/status/1392219299696152578",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/",
+ "https://guillaumeorlando.github.io/AgentTesla",
+ "http://www.secureworks.com/research/threat-profiles/gold-galleon",
+ "https://www.lac.co.jp/lacwatch/report/20220307_002893.html",
+ "https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/",
+ "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/",
+ "https://forensicitguy.github.io/agenttesla-rtf-dotnet-tradecraft/",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://malwarebookreports.com/agent-teslaggah/",
+ "http://blog.nsfocus.net/sweed-611/",
+ "https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla"
 ],
 "synonyms": [
 "AgenTesla",
@@ -9141,6 +10891,19 @@
 "uuid": "405fe149-1454-4e8c-a4a3-d56e0c5f62d7",
 "value": "AgfSpy"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ahtapot",
+ "https://www.sentinelone.com/wp-content/uploads/2021/09/SentinelOne_-SentinelLabs_EGoManiac_WP_V4.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "549b23b1-6f53-494e-a302-1d00aa71043b",
+ "value": "Ahtapot"
+ },
 {
 "description": "",
 "meta": {
@@ -9232,7 +10995,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.allakore",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388",
 "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
 "https://twitter.com/_re_fox/status/1212070711206064131",
 "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479",
 "https://github.com/Anderson-D/AllaKore",
@@ -9374,10 +11139,11 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon",
 "http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html",
 "http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html",
- "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html",
+ "https://archive.f-secure.com/weblog/archives/The_Case_of__TDL3.pdf",
 "https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/",
 "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj64_wowlik.vt",
 "https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/",
+ "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html",
 "https://www.youtube.com/watch?v=FttiysUZmDw"
 ],
 "synonyms": [
@@ -9393,7 +11159,7 @@
 "value": "Alureon"
 },
 {
- "description": "",
+ "description": "Amadey is a botnet that appeared around October 2018 and is being sold for about 500$ on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called \"tasks\") for all or specifically targeted computers compromised by the malware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey",
@@ -9402,13 +11168,17 @@
 "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/",
 "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
 "https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
 "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
+ "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
 "https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/",
+ "https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot",
 "https://nao-sec.org/2019/04/Analyzing-amadey.html",
 "https://isc.sans.edu/diary/27264",
 "https://www.anquanke.com/post/id/230116",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
 "https://twitter.com/0xffff0800/status/1062948406266642432",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
 "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
@@ -9459,7 +11229,7 @@
 "https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns",
 "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf",
 "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/",
- "https://www.netscout.com/blog/asert/dropping-anchor",
+ "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/",
 "https://unit42.paloaltonetworks.com/ryuk-ransomware/",
 "https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns",
 "https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/",
@@ -9467,6 +11237,7 @@
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.netscout.com/blog/asert/dropping-anchor",
 "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/",
 "https://www.kryptoslogic.com/blog/2021/07/adjusting-the-anchor/",
 "https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607",
@@ -9479,6 +11250,20 @@
 "uuid": "c38308a1-c89d-4835-b057-744f66ff7ddc",
 "value": "Anchor"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchormail",
+ "https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/",
+ "https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7792096a-7623-43a1-9a67-28dce0e4b39e",
+ "value": "AnchorMail"
+ },
 {
 "description": "",
 "meta": {
@@ -9490,12 +11275,14 @@
 "http://blog.morphisec.com/andromeda-tactics-analyzed",
 "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis",
 "http://resources.infosecinstitute.com/andromeda-bot-analysis/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
 "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/",
 "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features",
 "https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/",
- "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://redcanary.com/blog/intelligence-insights-november-2021/",
+ "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/",
 "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
 "https://www.crowdstrike.com/blog/how-to-remediate-hidden-malware-real-time-response/",
 "https://eternal-todo.com/blog/andromeda-gamarue-loves-json",
@@ -9523,6 +11310,7 @@
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
@@ -9601,6 +11389,26 @@
 "uuid": "b19c9f63-a18d-47bb-a9fe-1f9cea21bac0",
 "value": "Anubis (Windows)"
 },
+ {
+ "description": "A loader written in Go, tracked since at least October 2021 by ZeroFox. Originally named Kraken and rebranded to Anubis in February 2022.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anubis_loader",
+ "https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/",
+ "https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/",
+ "https://windowsreport.com/kraken-botnet/",
+ "https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/",
+ "https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e"
+ ],
+ "synonyms": [
+ "Kraken",
+ "Pepega"
+ ],
+ "type": []
+ },
+ "uuid": "e65ca164-f448-4f8e-a672-3ff7ec37e191",
+ "value": "Anubis Loader"
+ },
 {
 "description": "",
 "meta": {
@@ -9658,7 +11466,8 @@
 "https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-048a",
- "https://twitter.com/VK_Intel/status/1182730637016481793"
+ "https://twitter.com/VK_Intel/status/1182730637016481793",
+ "https://www.telsy.com/download/5394/?uid=28b0a4577e"
 ],
 "synonyms": [],
 "type": []
@@ -9673,15 +11482,19 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed",
 "https://asec.ahnlab.com/ko/26705/",
 "https://www.youtube.com/watch?v=rfzmHjZX70s",
+ "https://www.telsy.com/download/5654/?uid=4869868efd",
 "https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2652.pdf",
 "https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2651.pdf",
 "https://www.youtube.com/watch?v=Dv2_DK3tRgI",
+ "https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf",
+ "https://asec.ahnlab.com/en/30532/",
 "https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/",
 "https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/",
 "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf",
- "https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf"
+ "https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf",
+ "https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf"
 ],
 "synonyms": [
 "JamBog"
@@ -9718,11 +11531,25 @@
 "uuid": "bf135b0a-3120-42c4-ba58-c80f9ef689bf",
 "value": "Arefty"
 },
+ {
+ "description": "During a campaign against a Ukrainian energy provider, a new loader of a new version of CaddyWiper called \"ArguePatch\" was observed by ESET researchers. ArguePatch is a modified version of Hex-Ray's Remote Debugger Server (win32_remote.exe).\r\nArguePatch expects a decryption key and the file of the CaddyWiper shellcode as command line parameters.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arguepatch",
+ "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e9b4bec3-ad18-49cc-b6af-c0ffcc283153",
+ "value": "ArguePatch"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ariabody",
+ "https://medium.com/insomniacs/aria-body-loader-is-that-you-53bdd630f8a1",
 "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
 "https://securelist.com/naikons-aria/96899/"
 ],
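Review bot: The new ArguePatch description embeds a literal `\r\n` between its two sentences (`...Remote Debugger Server (win32_remote.exe).\r\nArguePatch expects...`), while every other description added in this diff is a single line of text, so any consumer that renders the field gets a stray CRLF in the middle of a paragraph. Replacing it with a single space, `...(win32_remote.exe). ArguePatch expects a decryption key...`, keeps the entry consistent with its neighbours; the vendor name is normally written Hex-Rays rather than `Hex-Ray's`. If these descriptions are imported from Malpedia by a generator, the correction belongs in the source text rather than in this file.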
@@ -9732,6 +11559,33 @@
 "uuid": "5fa1c068-8e73-4930-b6fe-8c92c6357df6",
 "value": "Aria-body"
 },
+ {
+ "description": "This malware is a Go written variant of Micropsia and according to DeepInstinct it is still in development.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aridgopher",
+ "https://www.theregister.com/2022/03/22/arid-gopher-malware-deep-instinct/",
+ "https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2037d9f1-bf2a-44e1-b04f-98fe3f961381",
+ "value": "Arid Gopher"
+ },
+ {
+ "description": "Helper malware associated with AridGopher, which will provide an alternative persistence mechanism in case \"360 total security\" is found on a target system.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aridhelper",
+ "https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6bd3759f-5961-423d-9437-c67bddcda458",
+ "value": "AridHelper"
+ },
 {
 "description": "",
 "meta": {
@@ -9748,12 +11602,17 @@
 "value": "Arik Keylogger"
 },
 {
- "description": "",
+ "description": "Arkei is a stealer that appeared around May 2018. It collects data about browsers (saved passwords and autofill forms), cryptocurrency wallets, and steal files matching an attacker-defined pattern. It then exfiltrates everything in a zip file uploaded to the attacker's panel. Later, it was forked and used as a base to create Vidar stealer.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer",
+ "https://forensicitguy.github.io/analyzing-stealer-msi-using-msitools/",
 "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/"
+ "https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer",
+ "https://blog.minerva-labs.com/a-long-list-of-arkei-stealers-browser-crypto-wallets",
+ "https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/",
+ "https://isc.sans.edu/diary/rss/28468",
+ "https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/"
 ],
 "synonyms": [
 "ArkeiStealer"
@@ -9797,11 +11656,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.artra",
+ "https://www.freebuf.com/articles/database/192726.html",
 "https://securelist.com/apt-trends-report-q1-2021/101967/",
 "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf",
- "https://www.freebuf.com/articles/database/192726.html",
- "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/",
- "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english"
+ "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english",
+ "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html",
+ "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/"
 ],
 "synonyms": [],
 "type": []
@@ -9866,7 +11726,7 @@
 "value": "Asruex"
 },
 {
- "description": "",
+ "description": "First spotted in the wild in 2017, Astaroth is a highly prevalent, information-stealing Latin American banking trojan. It is written in Delphi and has some innovative execution and attack techniques. Originally, this malware variant targeted Brazilian users, but Astaroth now targets users both in North America and Europe.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth",
@@ -9874,12 +11734,14 @@
 "https://labs.f-secure.com/blog/attack-detection-fundamentals-code-execution-and-persistence-lab-1/",
 "https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/",
 "https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/",
- "https://isc.sans.edu/diary/27482",
 "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf",
- "https://blog.talosintelligence.com/2020/05/astaroth-analysis.html",
+ "https://isc.sans.edu/diary/27482",
 "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
+ "https://blog.talosintelligence.com/2020/05/astaroth-analysis.html",
+ "https://github.com/pan-unit42/tweets/blob/master/2022-01-17-IOCs-for-Astaroth-Guildma-infection.txt",
 "https://blog.easysol.net/meet-lucifer-international-trojan/",
 "https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/",
+ "https://www.armor.com/resources/threat-intelligence/astaroth-banking-trojan/",
 "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research",
 "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html"
 ],
@@ -9893,32 +11755,81 @@
 },
 {
 "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.astralocker",
+ "https://blog.reversinglabs.com/blog/smash-and-grab-astralocker-2-pushes-ransomware-direct-from-office-docs"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d32a6790-57c7-4985-b6e0-5b73f025fb43",
+ "value": "AstraLocker"
+ },
+ {
+ "description": "AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim’s computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat",
+ "https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/",
+ "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
 "https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service",
+ "https://blogs.vmware.com/security/2019/11/threat-analysis-unit-tau-threat-intelligence-notification-asyncrat.html",
+ "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
+ "https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html",
 "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
 "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
+ "https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign",
+ "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/",
+ "https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight",
+ "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html",
+ "https://community.riskiq.com/article/ade260c6",
+ "https://blog.morphisec.com/syk-crypter-discord",
+ "https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2022/wochenrueckblick_7.html",
+ "https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.html",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
+ "https://brianstadnicki.github.io/posts/vulnerability-asyncrat-rce/",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
 "https://labs.k7computing.com/?p=21759",
- "https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf",
 "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/",
 "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns",
- "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
+ "https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf",
+ "https://aidenmitchell.ca/asyncrat-via-vbs/",
+ "https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies",
+ "https://eln0ty.github.io/malware%20analysis/asyncRAT/",
+ "https://www.zscaler.com/blogs/security-research/targeted-attack-thailand-pass-customers-delivers-asyncrat",
+ "https://threatpost.com/ta2541-apt-rats-aviation/178422/",
 "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html",
+ "https://community.riskiq.com/article/24759ad2",
 "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf",
 "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
+ "https://community.riskiq.com/article/3929ede0/description",
 "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://github.com/jeFF0Falltrades/Tutorials/tree/master/asyncrat_config_parser",
+ "https://redskyalliance.org/xindustry/possible-identity-of-a-kuwaiti-hacker-nyanxcat",
 "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://twitter.com/MsftSecIntel/status/1392219299696152578",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf",
+ "https://assets.virustotal.com/reports/2021trends.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware",
+ "https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html",
+ "https://www.esentire.com/blog/suspected-asyncrat-delivered-via-iso-files-using-html-smuggling-technique",
+ "https://twitter.com/ESETresearch/status/1449132020613922828",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
+ "https://twitter.com/MsftSecIntel/status/1392219299696152578",
+ "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
- "https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
 "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html",
- "https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies",
+ "https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia/",
+ "https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html",
+ "https://www.esentire.com/blog/asyncrat-activity",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/",
+ "https://twitter.com/vxunderground/status/1519632014361640960",
 "https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/",
 "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols"
 ],
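Review bot: The new AsyncRAT description uses a typographic apostrophe in `victim’s` (U+2019), whereas the other descriptions added in this commit use the ASCII apostrophe (`attacker's` in the Arkei entry, `Hex-Ray's` in ArguePatch), so exact-match search and de-duplication across the galaxy treat the two spellings as different text. Normalising it to `victim's` keeps the file in one convention. If the descriptions are pulled from Malpedia by a generator, the normalisation is better applied there than by hand-editing this file.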
@@ -10017,8 +11928,14 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo",
 "https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/",
+ "https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion",
+ "https://twitter.com/siri_urz/status/1437664046556274694?s=20",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+ "https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
 "https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/",
- "https://twitter.com/siri_urz/status/1437664046556274694?s=20"
+ "https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/"
 ],
 "synonyms": [],
 "type": []
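Review bot: The AtomSilo reference list now carries the same write-up twice, because the pre-existing `"https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/"` (double slash after the host) is kept as context while the added last line is its corrected form `"https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/"`; drop the double-slash entry so each source appears once. The AgentTesla list earlier in this diff shows the same pattern with URLs that differ only in a trailing `?` (the blackberry dot-net-stubs link) or in `http` versus `https` (the secureworks gold-galleon profile), so a URL-normalisation step (scheme, repeated slashes, empty query) in whatever produces this file would catch all of them at once. The `?s=20` suffix on the moved twitter link is a share-tracking parameter that the same pass could strip.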
@@ -10097,9 +12014,12 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon",
 "https://twitter.com/Securityinbits/status/1271065316903120902",
+ "https://www.mandiant.com/resources/chasing-avaddon-ransomware",
 "https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4",
 "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
 "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
 "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
 "https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/",
 "https://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/",
@@ -10114,15 +12034,20 @@ "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://twitter.com/dk_samper/status/1348560784285167617", + "https://www.connectwise.com/resources/avaddon-profile", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", "https://arxiv.org/pdf/2102.04796.pdf", + "https://atos.net/en/lp/securitydive/avaddon-ransomware-analysis", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://www.cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf", + "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure", "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://www.tgsoft.it/files/report/download.asp?id=568531345", 
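Review bot: `"https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware"` is removed near the end of the array and re-added higher up, so for that ref the hunk changes only its position. This looks like a regenerated export with unstable ordering; emitting refs in a deterministic order (for example sorted) would confine future diffs to real additions and make duplicates visible by eye. The genuinely new refs all name Avaddon or ransomware-landscape reporting, so nothing here appears misattributed, though I have not opened each link.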
@@ -10160,6 +12085,19 @@ "uuid": "0568fcc6-755f-416e-9c5b-22232cd7ae0e", "value": "AVCrypt" }, + { + "description": "Cyble Research discovered this .Net written malware dubbed \"AvD Crypto Stealer\". The name of this malware is misleading, because this is a kind of clipper malware. Assumption of Cyble is, that this malware could target other threat actors as scenario.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.avd", + "https://blog.cyble.com/2022/03/22/hunters-become-the-hunted/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "de92fff8-337e-4cf8-853b-f13f08ffc24d", + "value": "AvD Crypto Stealer" + }, { "description": "", "meta": { @@ -10181,12 +12119,15 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria", "https://www.youtube.com/watch?v=81fdvmGmRvM", "https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html", + "https://blog.morphisec.com/syk-crypter-discord", "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", "https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1", "https://reaqta.com/2019/04/ave_maria-malware-part1/", + "https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat", "http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery", - "https://www.youtube.com/watch?v=T0tdj1WDioM", + "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest", + "https://blogs.blackberry.com/en/2021/12/threat-thursday-warzone-rat-breeds-a-litter-of-scriptkiddies", "https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA", "https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", 
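Review bot: The new AvD Crypto Stealer description reads awkwardly (`.Net written malware`, `Assumption of Cyble is, that this malware could target other threat actors as scenario`) and becomes the tag's tooltip in MISP, so it is worth tightening before it lands. A version that keeps only the claims already made: `.NET clipper malware that Cyble Research named "AvD Crypto Stealer"; the name is misleading since it is a clipper rather than a stealer. Cyble assesses that it may be intended to target other threat actors.` The entry otherwise follows the surrounding shape (uuid, empty synonyms and type), so no structural change is needed.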
@@ -10201,7 +12142,10 @@ "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt", "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html", + "https://www.youtube.com/watch?v=T0tdj1WDioM", + "https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", + "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing", "https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/", "https://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", @@ -10212,6 +12156,7 @@ "AVE_MARIA", "AveMariaRAT", "Warzone RAT", + "WarzoneRAT", "avemaria" ], "type": [] 
@@ -10225,7 +12170,21 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker", "https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/", - "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/" + "https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf", + "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group", + "https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/", + "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/", + "https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", + "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", + "https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/", + "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", + "https://www.ic3.gov/Media/News/2022/220318.pdf", + "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker" ], "synonyms": [], "type": [] 
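Review bot: `"https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf"` is an opaque CDN asset with no publisher, title or date in the URL, so a reader cannot tell what it cites or recover it if the link rots; prefer the publisher's landing page for that report, or keep the landing page alongside the PDF. The hunk also introduces `https://www.symantec.broadcom.com/hubfs/...` while the same host is written `https://symantec.broadcom.com/hubfs/...` in other hunks of this diff; settling on one form keeps one vendor's reports from splitting across two hostnames. Both are reference-hygiene points rather than JSON errors.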
@@ -10263,6 +12222,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aytoke", + "https://www.youtube.com/watch?v=FttiysUZmDw", "https://snort.org/rule_docs/1-34217" ], "synonyms": [], @@ -10279,7 +12239,7 @@ "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/", "https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/", "https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/", - "https://community.riskiq.com/article/2a36a7d2/description", + "https://isc.sans.edu/diary/25120", "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d", "https://community.riskiq.com/article/56e28880", "https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05", 
@@ -10288,18 +12248,20 @@ "https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html", "https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", - "https://isc.sans.edu/diary/25120", + "https://community.riskiq.com/article/2a36a7d2/description", "https://ke-la.com/whats-dead-may-never-die-azorult-infostealer-decommissioned-again/", "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html", "https://www.youtube.com/watch?v=EyDiIAt__dI", "https://fr3d.hk/blog/gazorp-thieving-from-thieves", "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/", + "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html", "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/", "https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/", "https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/", "https://twitter.com/DrStache_/status/1227662001247268864", "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/", + "https://asec.ahnlab.com/en/26517/", "https://www.virusbulletin.com/uploads/pdf/magazine/2021/202104-design-vulnerabilities-azorult-cc-panels.pdf", "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/", "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", 
@@ -10322,11 +12284,13 @@ "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware", "https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", + "https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/", "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign", "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html", "https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/", "https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", + "https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html", "https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" ], 
@@ -10366,14 +12330,19 @@ "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf", "https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/", "https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62", + "https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html", "https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/", "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/", "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1", - "https://twitter.com/Sebdraven/status/1346377590525845504", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/", + "https://raw.githubusercontent.com/vc0RExor/Malware-Threat-Reports/main/Ransomware/Babuk/Babuk_Ransomware_EN_2021_05.pdf", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/", "https://securelist.com/ransomware-world-in-2021/102169/", + "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", "https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/", "https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings", "https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/", 
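Review bot: `"https://raw.githubusercontent.com/vc0RExor/Malware-Threat-Reports/main/Ransomware/Babuk/Babuk_Ransomware_EN_2021_05.pdf"` points at the mutable `main` branch, so the cited document can be altered or removed without the ref changing; replacing `main` with the commit SHA gives a stable, verifiable citation. The `raw.githubusercontent.com/antonioCoco/infosec-talks/main/...` PDF added two hunks further down has the same issue. The removed Sebdraven tweet reappears as an addition in a later hunk, so that line is a reorder rather than a lost reference.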
@@ -10382,7 +12351,10 @@ "https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/", "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d", "https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f", + "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/is-there-really-such-a-thing-as-a-low-paid-ransomware-operator/", + "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", "http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/", + "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/", "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html", 
@@ -10391,12 +12363,16 @@ "https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/", "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b", "https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/", + "https://twitter.com/Sebdraven/status/1346377590525845504", "https://twitter.com/GossiTheDog/status/1409117153182224386", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/", + "https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf", "https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-moving-to-vm-nix-systems.pdf", - "https://www.fr.sogeti.com/globalassets/france/avis-dexperts--livres-blancs/cybersecchronicles_-_babuk.pdf" + "https://www.fr.sogeti.com/globalassets/france/avis-dexperts--livres-blancs/cybersecchronicles_-_babuk.pdf", + "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/" ], "synonyms": [ "Babyk", @@ -10425,7 +12401,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babymetal", + "https://www.mandiant.com/resources/evolution-of-fin7", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", + "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://www.infosecurityeurope.com/__novadocuments/367989?v=636338290033030000", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" ], 
@@ -10440,6 +12418,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark", + "https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood", "https://www.youtube.com/watch?v=rfzmHjZX70s", "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html", "https://blog.alyac.co.kr/3352", @@ -10475,6 +12454,19 @@ "uuid": "934da8b2-f66e-4056-911e-1da09216e8b8", "value": "BACKBEND" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.backconfig", + "https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b3c517cf-6704-43b0-a6da-fed94c9b537a", + "value": "BackConfig" + }, { "description": "", "meta": { @@ -10525,6 +12517,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap", "https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/", + "https://explore.group-ib.com/htct/hi-tech_crime_2018", "https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi", "https://www.cert.pl/en/news/single/backswap-malware-analysis/", "https://research.checkpoint.com/the-evolution-of-backswap/", @@ -10586,8 +12579,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badhatch", + "https://team-cymru.com/blog/2021/03/15/fin8-badhatch-threat-indicator-enrichment/", "https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf", - "https://team-cymru.com/blog/2021/03/15/fin8-badhatch-threat-indicator-enrichment/" + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf" ], "synonyms": [], "type": [] 
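Review bot: The new BackConfig entry has `"description": ""` and a single non-Malpedia source, `"https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/"`; because the value becomes a bare MISP tag, a one-sentence description drawn from that Unit 42 assessment would let the tag stand on its own. Empty descriptions match the neighbouring entries in this file, so this is a documentation gap shared with existing practice rather than a defect in the hunk.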
@@ -10600,6 +12594,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews", + "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign", "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2", @@ -10607,10 +12602,10 @@ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://securelist.com/apt-trends-report-q1-2021/101967/", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/", + "https://lab52.io/blog/new-patchwork-campaign-against-pakistan/", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf", - "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign", - "https://lab52.io/blog/new-patchwork-campaign-against-pakistan/" + "https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" ], "synonyms": [], "type": [] @@ -10622,7 +12617,8 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bagle" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bagle", + "https://archive.f-secure.com/weblog/archives/carrera_erdelyi_VB2004.pdf" ], "synonyms": [], "type": [] 
@@ -10721,7 +12717,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bancos", - "https://www.fireeye.com/blog/threat-research/2009/03/bancos-a-brazilian-crook.html" + "https://www.fireeye.com/blog/threat-research/2009/03/bancos-a-brazilian-crook.html", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/banking-trojan-latam-brazil" ], "synonyms": [], "type": [] @@ -10788,11 +12785,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a", + "https://www.us-cert.gov/ncas/analysis-reports/ar20-133a", "https://www.secureworks.com/research/threat-profiles/nickel-gladstone", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF", - "https://www.us-cert.gov/ncas/analysis-reports/ar20-133a", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-108a", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://blog.reversinglabs.com/blog/hidden-cobra" ], 
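Review bot: After this hunk the Bankshot refs cite CISA publications under three hostnames: `https://www.us-cert.gov/ncas/analysis-reports/ar20-133a`, `https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a` and the new `https://www.cisa.gov/uscert/ncas/alerts/aa22-108a`. Normalising the two older lines to the `www.cisa.gov/uscert/...` form the new refs use would keep one host per publisher and pre-empt a duplicate when someone later adds the current URL; the older hosts appear to redirect there, but confirm before rewriting. The two AR20 lines are otherwise swapped in place, so nothing was actually dropped.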
@@ -10804,6 +12803,32 @@ "uuid": "bc67677c-c0e7-4fb1-8619-7f43fa3ff886", "value": "Bankshot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.barbie", + "https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials" + ], + "synonyms": [], + "type": [] + }, + "uuid": "dbf9d453-cf02-4861-ab90-f65bb77d5971", + "value": "Barb(ie) Downloader" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.barbwire", + "https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7e68e486-08a8-4d09-997f-2b844cf86fc2", + "value": "BarbWire" + }, { "description": "", "meta": { @@ -10824,6 +12849,7 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bart", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + "https://intel471.com/blog/a-brief-history-of-ta505", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/" ], "synonyms": [], 
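Review bot: The new Barb(ie) Downloader and BarbWire entries both have `"description": ""` and cite only `"https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials"`, so a tag consumer cannot tell the two components apart without opening the report. A one-line description for each, taken from that Cybereason write-up, would make the split into two families meaningful; the parentheses in `Barb(ie) Downloader` are legal in a quoted galaxy tag but worth double-checking against whatever tooling parses tag names downstream.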
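Review bot: The bart hunk adds `"https://intel471.com/blog/a-brief-history-of-ta505"` directly above the existing `"https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/"`, which by slug appears to be the same article under Intel 471's old and new blog hosts. Keep one, preferably the current `intel471.com` URL, rather than listing both.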
@@ -10864,82 +12890,126 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor", - "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/", - "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", - "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware", - "https://cofense.com/blog/bazarbackdoor-stealthy-infiltration", - "https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html", - "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon", "https://unit42.paloaltonetworks.com/bazarloader-malware/", - "https://johannesbader.ch/blog/a-bazarloader-dga-that-breaks-during-summer-months/", - "https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day", - "https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/", + "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/", "https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/", "https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20", - "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e", - "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", - "https://thedfirreport.com/2020/10/08/ryuks-return/", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/", - "https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/", - "https://johannesbader.ch/blog/yet-another-bazarloader-dga/", - "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/", - 
"https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", - "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", - "https://www.cybereason.com/hubfs/A%20Bazar%20of%20Tricks%20Following%20Team9%E2%80%99s%20Development%20Cycles%20IOCs.pdf", - "https://unit42.paloaltonetworks.com/ryuk-ransomware/", - "https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors", - "https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/", "https://blog.minerva-labs.com/slamming-the-backdoor-on-bazarloader", + "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue", + "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", "https://www.youtube.com/watch?v=uAkeXCYcl4Y", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", - "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", - "https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors", 
"https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/", - "https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/", - "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", - "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", - "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I", - "https://isc.sans.edu/diary/27308", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", - "https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/", - "https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", - "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II", - "https://fr3d.hk/blog/campo-loader-simple-but-effective", - "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", - "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", - "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident", + "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", + "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/", + "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware", + "https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", - "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://twitter.com/anthomsec/status/1321865315513520128", 
"https://www.hhs.gov/sites/default/files/bazarloader.pdf", "https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/", "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike", - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth", - "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware", - "https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/", + "https://www.scythe.io/library/threatthursday-ryuk", + "https://kienmanowar.wordpress.com/2022/02/24/quicknote-techniques-for-decrypting-bazarloader-strings/", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.bleepingcomputer.com/news/security/corporate-website-contact-forms-used-to-spread-bazarbackdoor-malware/", + "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html", + "https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles", + "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti", + "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", + "https://isc.sans.edu/diary/27308", + "https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day", + "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", + "https://johannesbader.ch/blog/yet-another-bazarloader-dga/", + "https://unit42.paloaltonetworks.com/bazarloader-anti-analysis-techniques/", + 
"https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html", + "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", + "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", + "https://experience.mandiant.com/trending-evil/p/1", + "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II", + "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", + "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon", + "https://pcsxcetrasupport3.wordpress.com/2021/11/16/excel-4-macro-code-obfuscation/", + "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/", + "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware", + "https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/", + "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/", + "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware", + "https://cofense.com/blog/bazarbackdoor-stealthy-infiltration", + "https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html", + "https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/", + "https://abnormalsecurity.com/blog/bazarloader-contact-form", + "https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/", + 
"https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", + "https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/", + "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/", + "https://www.cybereason.com/hubfs/A%20Bazar%20of%20Tricks%20Following%20Team9%E2%80%99s%20Development%20Cycles%20IOCs.pdf", + "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf", + "https://unit42.paloaltonetworks.com/ryuk-ransomware/", + "https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/", + "https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/", + "https://fr3d.hk/blog/campo-loader-simple-but-effective", + "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", + "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/", + "https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", + "https://intel471.com/blog/conti-leaks-ransomware-development", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + 
"https://www.0ffset.net/reverse-engineering/analysing-the-main-bazarloader/", + "https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/", "https://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9", "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf", - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://www.scythe.io/library/threatthursday-ryuk", - "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", - "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/", + "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://unit42.paloaltonetworks.com/api-hammering-malware-families/", + "https://twitter.com/Unit42_Intel/status/1458113934024757256", + "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/", + "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://johannesbader.ch/blog/a-bazarloader-dga-that-breaks-during-summer-months/", + "https://www.0ffset.net/reverse-engineering/bazarloader-iso-file-infection/", + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html", + "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", + 
"https://thedfirreport.com/2020/10/08/ryuks-return/", + "https://www.trendmicro.com/en_us/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html", + "https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", - "https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles", - "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/", + "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I", + "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", + "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", + "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", + "https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html", + "https://forensicitguy.github.io/bazariso-analysis-advpack/", + "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", + "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth", + "https://elis531989.medium.com/highway-to-conti-analysis-of-bazarloader-26368765689d", "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor", - "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware", - 
"https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/" + "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/", + "https://malwarebookreports.com/bazarloader-back-from-holiday-break/", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/" ], "synonyms": [ "BEERBOT", @@ -11120,7 +13190,7 @@ "value": "BestKorea" }, { - "description": "", + "description": "Cybereason concludes that Betabot is a sophisticated infostealer malware that’s evolved significantly since it first appeared in late 2012. The malware began as a banking Trojan and is now packed with features that allow its operators to practically take over a victim’s machine and steal sensitive information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot", @@ -11131,6 +13201,7 @@ "http://www.xylibox.com/2015/04/betabot-retrospective.html", "https://news.sophos.com/en-us/2020/05/14/raticate/", "http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref", + "https://krabsonsecurity.com/2022/03/28/betabot-in-the-rearview-mirror/", "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en", "http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html" 
@@ -11168,6 +13239,21 @@ "uuid": "95b454f6-8ffb-4ef7-8a91-14d48601a899", "value": "BfBot" }, + { + "description": "BHunt collects the crypto wallets of its victims. The malware consists of several functions/modules, e.g. a reporting module that reports the presence of crypto wallets on the target computers to the C2 server. It searches for many different cryptocurrencies (e.g. Atomic, Bitcoin, Electrum, Ethereum, Exodus, Jaxx and Litecoin). The Blackjack module is used to steal wallets, Sweet_Bonanza steals victims' browser passwords. There are also modules like the Golden7 or the Chaos_crew module.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt", + "https://blogs.blackberry.com/en/2022/02/threat-thursday-bhunt-scavenger", + "https://www.bitdefender.com/files/News/CaseStudies/study/411/Bitdefender-PR-Whitepaper-CyberWallet-creat5874-en-EN.pdf", + "https://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ae3fe9fa-0717-413e-94fe-6e7b607e45c6", + "value": "BHunt" + }, { "description": "Small and relatively simple ransomware for Windows. Gives files the .BI_D extension after encrypting them with a combination of RSA/AES. Persistence achieved via the Windows Registry. Kills all processes on the victim machine besides itself and a small whitelist of mostly Windows sytem processes and kills shadow copies.", "meta": { 
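Review bot: The new BHunt description names modules without saying what they do — "There are also modules like the Golden7 or the Chaos_crew module" gives an analyst nothing to hunt for. If the Bitdefender whitepaper cited in refs describes those two modules, add a clause for each; if it does not, drop the sentence rather than ship a bare name list. The two module sentences that do carry content should also share one voice, e.g. `"The Blackjack module steals wallet files and Sweet_Bonanza steals saved browser passwords."`.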
@@ -11201,11 +13287,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates", - "https://securelist.com/versatile-ddos-trojan-for-linux/64361/", - "https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html", + "https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server", + "https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/", "https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf", + "https://securelist.com/versatile-ddos-trojan-for-linux/64361/", "https://habrahabr.ru/post/213973/", - "https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/" + "https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html", + "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/" ], "synonyms": [], "type": [] @@ -11233,6 +13321,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.biodata", "https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/", + "https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/", + "https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/", "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/" ], "synonyms": [], 
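Review bot: The BillGates refs array is reshuffled rather than appended to — securelist, bartblaze and stormshield are removed and re-added at new positions — so only two of the seven changed lines are real additions (the Fortinet Confluence and BleepingComputer Log4Shell articles). That inflates the diff and hides what the cluster actually gained, which matters for a feed that consumers diff between releases. Keep existing order and append, or have the generator sort every refs array deterministically once. Neither new reference names BillGates in its title, so confirm both discuss this family rather than generic Linux DDoS botnets before keeping them.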
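Review bot: The added `"https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/"` has the identical path as the existing `ti.360.net` entry two lines below, so this looks like the same write-up under a newer hostname rather than a second source. Keeping both is only worthwhile if the old host is expected to go away; otherwise keep one so downstream tooling does not count a single report as two independent references. The same pair is introduced in the Bitter RAT entry, so decide once and apply it consistently.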
@@ -11336,7 +13426,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat", + "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html", "https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan", + "https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/", "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf", "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/" ], 
@@ -11347,21 +13439,34 @@ "value": "Bitter RAT" }, { - "description": "", + "description": "According to Bitdefender, BitRAT is a notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and forums. Its price tag of $20 for lifetime access makes it irresistible to cybercriminals and helps the malicious payload spread.\r\n\r\nFurthermore, each buyer’s modus operandi makes BitRAT even harder to stop, considering it can be employed in various operations, such as trojanized software, phishing and watering hole attacks.\r\n\r\nBitRAT’s popularity arises from its versatility. The malicious tool can perform a wide range of operations, including data exfiltration, UAC bypass, DDoS attacks, clipboard monitoring, gaining unauthorized webcam access, credential theft, audio recording, XMRig coin mining and generic keylogging.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat", + "https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/", + "https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/", + "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", + "https://www.bleepingcomputer.com/news/security/bitrat-malware-now-spreading-as-a-windows-10-license-activator/", + "https://community.riskiq.com/article/ade260c6", + "https://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/", + "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html", + "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities", + "https://www.youtube.com/watch?v=CYm3g4zkQdw", + "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", + "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf", + 
"https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md", + "https://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat", + "https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt", + "https://www.bitdefender.com/blog/hotforsecurity/bitrat-malware-seen-spreading-through-unofficial-microsoft-windows-activators/", "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html", + "https://asec.ahnlab.com/en/32781/", "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", - "https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/", + "https://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670/", + "https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware", "https://securityintelligence.com/posts/roboski-global-recovery-automation/", - "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", - "https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/", - "https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md", - "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html", - "https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/", - 
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt" + "https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/" ], "synonyms": [], "type": [] 
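Review bot: The new BitRAT description is vendor marketing copy pasted wholesale ("notorious", "irresistible to cybercriminals", "popularity arises from its versatility") with `\r\n\r\n` paragraph breaks, while the only part an analyst needs is the capability list in the last sentence. Condense to the attributed facts, e.g. `"BitRAT is a commodity remote access trojan sold on underground forums (Bitdefender cites about $20 for lifetime access). Reported capabilities include data exfiltration, UAC bypass, DDoS, clipboard monitoring, webcam access, credential theft, audio recording, XMRig mining and keylogging."`. The refs churn in this hunk (ciphertechsolutions, the Finch4 report, both krabsonsecurity posts, the two Trend Micro APT-C-36 URLs, Check Point) is removal-plus-re-add of unchanged URLs; only the genuinely new entries should appear as additions.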
@@ -11397,6 +13502,103 @@ "uuid": "ea06f87c-148c-49e5-afec-7012cb2b4f0a", "value": "BKA Trojaner" }, + { + "description": "\"Black Basta\" is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta", + "https://gbhackers.com/black-basta-ransomware/", + "https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", + "https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html", + "https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/", + "https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/", + "https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/" + ], + "synonyms": [ + "no_name_software" + ], + "type": [] + }, + "uuid": "ada47367-7e69-4122-b5c1-4e5aeb54f922", + "value": "Black Basta" + }, + { + "description": "Ransomware. 
Uses dropper written in JavaScript to deploy a .NET payload.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte", + "https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html", + "https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html", + "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group", + "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape", + "https://securelist.com/modern-ransomware-groups-ttps/106824/", + "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/", + "https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants", + "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", + "https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/", + "https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure", + "https://www.ic3.gov/Media/News/2022/220211.pdf", + "https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://redcanary.com/blog/blackbyte-ransomware/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c7732221-fbb3-4469-a1c6-260a825b290a", + "value": "BlackByte" + }, + { + "description": "ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. 
ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.\r\n\r\nALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remote execute itself on other hosts on the local network.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022", + "https://www.ic3.gov/Media/News/2022/220420.pdf", + "https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware", + "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", + "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf", + "https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809", + "https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html", + "https://killingthebear.jorgetesta.tech/actors/alphv", + 
"https://github.com/f0wl/blackCatConf", + "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/", + "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group", + "https://securelist.com/modern-ransomware-groups-ttps/106824/", + "https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/", + "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", + "https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/", + "https://securelist.com/a-bad-luck-blackcat/106254/", + "https://unit42.paloaltonetworks.com/blackcat-ransomware/", + "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware", + "https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/", + "https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/", + "https://www.intrinsec.com/alphv-ransomware-gang-analysis", + "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive", + "https://www.varonis.com/blog/alphv-blackcat-ransomware", + "https://id-ransomware.blogspot.com/2021/12/blackcat-ransomware.html", + "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + 
"https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html" + ], + "synonyms": [ + "ALPHV", + "Noberus" + ], + "type": [] + }, + "uuid": "44109c47-f4ab-41c0-8d18-b93e7dcd8e42", + "value": "BlackCat (Windows)" + }, { "description": "a backdoor that obfuscates its communications as normal traffic to legitimate websites such as Github and Microsoft's Technet portal.", "meta": { 
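Review bot: The BlackCat refs array lists the same Microsoft RaaS article twice, once with and once without a trailing slash (`.../how-to-protect-yourself/` and `.../how-to-protect-yourself`); keep one and have the generator normalise trailing slashes before deduplicating, since the same pair appears in the BlackMatter and Blister entries. The BlackByte description `"Ransomware. Uses dropper written in JavaScript to deploy a .NET payload."` describes only the original variant, yet the refs include Zscaler's "analysis of BlackByte ransomware's Go-based variants"; if that post is what its title says, add `"Later variants were rewritten in Go (see Zscaler)."` so the description does not contradict its own sources. The Black Basta text "this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang" is an assessment rather than an observation; attribute it to its source or mark it as an assessment, because this field is read as fact by MISP consumers.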
@@ -11429,23 +13631,27 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy", "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf", + "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf", + "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf", + "https://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html", + "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", + "https://www.secureworks.com/research/blackenergy2", + "https://threatconnect.com/blog/casting-a-light-on-blackenergy/", "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too", + "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/", "https://www.secureworks.com/research/threat-profiles/iron-viking", - "https://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html", "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/", "https://securelist.com/black-ddos/36309/", - "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf", - "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", - "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", - 
"https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", - "https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/", - "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf", - "https://www.secureworks.com/research/blackenergy2", + "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf", "https://marcusedmondson.com/2019/01/18/black-energy-analysis/", - "https://threatconnect.com/blog/casting-a-light-on-blackenergy/", - "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf" + "http://pds15.egloos.com/pds/201001/01/66/BlackEnergy_DDoS_Bot_Analysis.pdf", + "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", + "https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", + "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf" ], "synonyms": [], "type": [] 
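Review bot: The hunk adds `http://pds15.egloos.com/pds/201001/01/66/BlackEnergy_DDoS_Bot_Analysis.pdf`, which by filename is a personal-blog mirror of the Arbor paper already listed as `http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf`; both are plain-http links to hosts that may no longer serve the file. Keep one, and if the Arbor original is dead point at a web.archive.org capture, as this hunk already does for the 2010 FireEye post. The array is otherwise fully reshuffled (welivesecurity, Verizon, gov.uk, IronNet, Secureworks, ThreatConnect and Virus Bulletin are all removed and re-added) for four actual additions, which hides the real change; append or sort deterministically instead.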
@@ -11453,6 +13659,31 @@ "uuid": "82c644ab-550a-4a83-9b35-d545f4719069", "value": "BlackEnergy" }, + { + "description": "According to Zscaler, BlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackguard", + "https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/", + "https://www.techtimes.com/articles/273752/20220331/new-password-stealing-malware-hacking-forum-hack-password-stealing-google-chrome-binance-outlook-telegram.htm", + "https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking", + "https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/", + "https://cyberint.com/blog/research/blackguard-stealer/", + "https://www.youtube.com/watch?v=Fd8WjxzY2_g", + "https://blogs.blackberry.com/en/2022/04/threat-thursday-blackguard-infostealer", + "https://www.bleepingcomputer.com/news/security/new-blackguard-password-stealing-malware-sold-on-hacker-forums/", + "https://www.zdnet.com/article/meet-blackguard-a-new-infostealer-peddled-on-russian-hacker-forums/", + "https://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5", + "https://thehackernews.com/2022/04/experts-shed-light-on-blackguard.html", + "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/", + "https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4" + ], + "synonyms": [], + "type": [] + }, + "uuid": "86048398-cfc2-4d6c-a49f-9114e2966b61", + "value": "BlackGuard" + }, { "description": "", "meta": { 
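Review bot: The ref `"https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/"` is, by its title, about the META stealer rather than BlackGuard; unless that article discusses BlackGuard (I cannot verify from here), it misattributes a campaign to this family on an entry analysts pivot from, and belongs elsewhere. The techtimes.com piece is a secondary rewrite of the Zscaler research already cited and adds no independent evidence. The description's "has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, ..." should name the analysis and date it reflects, e.g. `"According to Zscaler (March 2022), BlackGuard ..."`, since stealer feature sets change quickly.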
@@ -11460,6 +13691,7 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackkingdom_ransomware", "https://news.sophos.com/en-us/2021/03/23/black-kingdom/", "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://id-ransomware.blogspot.com/2020/02/blackkingdom-ransomware.html", "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html", "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", 
@@ -11476,23 +13708,57 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmatter", - "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", - "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751", - "https://blog.group-ib.com/blackmatter#", + "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/", + "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group", + "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", "https://www.mcafee.com/blogs/enterprise/blackmatter-ransomware-analysis-the-dark-side-returns/", - "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/", - "https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/", + "https://www.mandiant.com/resources/chasing-avaddon-ransomware", + "https://us-cert.cisa.gov/ncas/alerts/aa21-291a", + "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/", + "https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/", + "https://www.netskope.com/blog/netskope-threat-coverage-blackmatter", + "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", + "https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", + "https://www.mandiant.com/resources/cryptography-blackmatter-ransomware", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/", + 
"https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/", + "https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://blog.group-ib.com/blackmatter#", + "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration", "https://blog.minerva-labs.com/blackmatter", "https://www.tesorion.nl/en/posts/analysis-of-the-blackmatter-ransomware/", - "https://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/", - "https://www.netskope.com/blog/netskope-threat-coverage-blackmatter", + "https://blog.group-ib.com/blackmatter2", "https://blog.digital-investigations.info/2021-08-05-understanding-blackmatters-api-hashing.html", - "https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf", - "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service", - "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", + "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2", "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d", - "https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/" + "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/", + 
"https://services.google.com/fh/files/misc/gcat_threathorizons_full_nov2021.pdf", + "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", + "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", + "https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/", + "https://assets.virustotal.com/reports/2021trends.pdf", + "https://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/", + "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", + "https://www.varonis.com/blog/blackmatter-ransomware/", + "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service", + "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/", + "https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/", + "https://www.youtube.com/watch?v=NIiEcOryLpI", + "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", + "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751", + "https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/", + "https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf", + 
"https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf", + "https://twitter.com/GelosSnake/status/1451465959894667275" ], "synonyms": [], "type": [] @@ -11501,12 +13767,13 @@ "value": "BlackMatter (Windows)" }, { - "description": "Advanced and modern Windows botnet with PHP panel developed using VB.NET", + "description": "Advanced and modern Windows botnet with PHP panel developed using VB.NET. It has a lot of functionalities including: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. It is open source and emerged at the end of 2019.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknet_rat", "https://github.com/BlackHacker511/BlackNET/", "http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html", + "https://github.com/mave12/BlackNET-3.7.0.1", "https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/", "https://labs.k7computing.com/?p=21365", "https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware", 
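Review bot: The BlackMatter refs now contain the same Microsoft RaaS article twice (`.../how-to-protect-yourself/` and `.../how-to-protect-yourself`); drop one and normalise trailing slashes in the generator. Several added references are, by title, about DarkSide's bitcoin movements (elliptic.co, BleepingComputer's "darkside-ransomware-rushes-to-cash-out", therecord's "darkside-ransomware-gang-moves-some-of-its-bitcoin") or about other families entirely (Mandiant's Avaddon write-up, BlackBerry's Prometheus post, Microsoft's ZLoader takedown); they may mention BlackMatter in passing, but on a family entry they read as attribution, so either confirm each one discusses BlackMatter or move the DarkSide items to the DarkSide entry. The near-total reordering of the pre-existing refs again obscures which entries are genuinely new.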
@@ -11691,6 +13958,34 @@ "uuid": "b34fd401-9d37-4bc6-908f-448c1697f749", "value": "BLINDTOAD" }, + { + "description": "Elastic observed this loader coming with valid code signatures, being used to deploy secondary payloads in-memory.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.blister", + "https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt", + "https://redcanary.com/blog/intelligence-insights-january-2022/", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://elastic.github.io/security-research/malware/2022/05/02.blister/article/", + "https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-1/", + "https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign", + "https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-2/", + "https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://twitter.com/MsftSecIntel/status/1522690116979855360", + "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions" + ], + "synonyms": [ + "COLORFAKE" + ], + "type": [] + }, + "uuid": "8ffc1f23-c0a6-4186-b06e-11a72c153722", + "value": "Blister" + }, { "description": "", "meta": { 
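Review bot: The new Blister refs list contains near-duplicates: the Microsoft `ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself` blog URL appears both with and without a trailing slash, and the Trend Micro "Thwarting Loaders" write-up appears as both the `en_no` and the `en_us` locale URL. Keep one canonical form of each so tools that de-duplicate refs by exact string do not count the same source twice. The BumbleBee hunk further down has the same problem with `https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti` (with and without slash) and `https://isc.sans.edu/diary/28636` versus `https://isc.sans.edu/diary/rss/28636`. If the refs are copied verbatim from Malpedia, the de-duplication belongs in the generator rather than in hand edits.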
@@ -11726,9 +14021,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blustealer", - "https://decoded.avast.io/anhho/blustealer/", "https://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/", + "https://blog.minerva-labs.com/a-new-blustealer-loader-uses-direct-syscalls-to-evade-edrs", + "https://decoded.avast.io/anhho/blustealer/", "https://twitter.com/GoSecure_Inc/status/1437435265350397957", + "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://blogs.blackberry.com/en/2021/10/threat-thursday-blustealer-infostealer" ], "synonyms": [ @@ -11739,6 +14036,19 @@ "uuid": "cb4bfed3-3042-4a29-a72d-c8b5c510faea", "value": "BluStealer" }, + { + "description": "FIN7 uses this malware as helper module during intrusion operations. BOATLAUNCH is continuously looking for PowerShell processes on infected systems and patches them to bypuss Windows AntiMalware Scan Interface (AMSI).", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.boatlaunch", + "https://www.mandiant.com/resources/evolution-of-fin7" + ], + "synonyms": [], + "type": [] + }, + "uuid": "13e62fe0-af0e-4a44-8437-ed86101f12d4", + "value": "BOATLAUNCH" + }, { "description": "", "meta": { 
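Review bot: The `https://decoded.avast.io/anhho/blustealer/` reference is removed and re-added two positions later, so that part of the hunk changes nothing about the entry while still producing a diff; the same reorder-only churn appears in the Brambul, Carbanak, Cerber, China Chopper, ClipBanker and Clop hunks. The `refs` arrays look like they are emitted in whatever order the upstream source returns them. Sorting each `refs` array in the generator would make future updates show only genuine additions and removals, and would let a reviewer tell at a glance whether a moved line is a drop plus re-add or a real edit.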
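Review bot: The BOATLAUNCH description has a typo, "bypuss", and "is continuously looking for" reads awkwardly in a reference entry; suggest `"FIN7 uses this malware as helper module during intrusion operations. BOATLAUNCH continuously looks for PowerShell processes on infected systems and patches them to bypass the Windows Antimalware Scan Interface (AMSI)."`. Microsoft styles the interface name as "Antimalware" with a lowercase m, so the capitalisation is worth fixing at the same time.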
@@ -11781,11 +14091,25 @@ "uuid": "d3af810f-e657-409c-b821-4b1cf727ad18", "value": "Bolek" }, + { + "description": "This in .Net written malware is a classic information stealer. It can collect various information and can be depoyed in different configurations: \"The full-featured version of the malware can log keystrokes, collect profile files of Mozilla Firefox and Google Chrome browsers, record sound from the microphone, grab desktop screenshots, capture photo from the webcam, and collect information about the version of the operation system and installed anti-virus software.\" (ESET)\r\nThis malware has been active since at least 2012.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bookofeli", + "https://www.welivesecurity.com/2016/09/22/libya-malware-analysis/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "2029a6f7-f98e-4582-bc5b-7ff0188f1af2", + "value": "Book of Eli" + }, { "description": "FireEye describes BOOSTWRITE as a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate ‘Dwrite.dll’ provided by the Microsoft DirectX Typography Services. The application loads the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads ‘Dwrite’. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boostwrite", + "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], 
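Review bot: The Book of Eli description opens with "This in .Net written malware", which is ungrammatical, and misspells "deployed" as "depoyed"; suggest `"This .NET-based malware is a classic information stealer. It can collect various information and can be deployed in different configurations: …"` with the rest unchanged. The "operation system" inside the quoted ESET passage can stay, since it is a verbatim quotation. The BOOSTWRITE change in the same hunk only adds a reference and needs nothing.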
@@ -11811,6 +14135,21 @@ "uuid": "174b9314-765e-44d0-a761-10d352f4466c", "value": "BOOTWRECK" }, + { + "description": "The Borat RAT comes bundled with its components (e.g. binary builder, supporting modules, server certificates). According to Cyble this malware is an unique combination of RAT, Spyware, and ransomware.\r\nThe supporting modules are included; a few of the capabilities: Keylogger, Ransomware, Audio/Webcam Recording, Process Hollowing, Browser Credential/Discord Token Stealing, etc.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.boratrat", + "https://www.bleepingcomputer.com/news/security/new-borat-remote-access-malware-is-no-laughing-matter/", + "https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/", + "https://blogs.blackberry.com/en/2022/04/threat-thursday-boratrat" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7ff0b462-c5be-40fa-82da-7efe93722f92", + "value": "Borat RAT" + }, { "description": "", "meta": { @@ -11872,8 +14211,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul", - "https://www.us-cert.gov/ncas/alerts/TA18-149A", + "https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1", + "https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2", "https://www.secureworks.com/research/threat-profiles/nickel-academy", + "https://www.us-cert.gov/ncas/alerts/TA18-149A", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/", "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A", 
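Review bot: In the Borat RAT description "an unique combination" should be "a unique combination", and the second paragraph ("The supporting modules are included; a few of the capabilities: …") is a sentence fragment; suggest `"…\r\nThe supporting modules provide, among other capabilities, keylogging, ransomware, audio/webcam recording, process hollowing and browser-credential/Discord-token stealing."`. The Brambul hunk in the same block is a reference reorder plus two additions and needs no wording change.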
@@ -11903,6 +14244,19 @@
 "uuid": "fbed27da-551d-4793-ba7e-128256326909",
 "value": "BravoNC"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brbbot",
+ "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Brbbot/Brbbot.md"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b9a4455a-ad55-4858-9017-bb73a8640045",
+ "value": "BrbBot"
+ },
 {
 "description": "This is a backdoor which FireEye call the Breach Remote Administration Tool (BreachRAT), written in C++. The malware name is derived from the hardcoded PDB path found in the RAT: C:\\Work\\Breach Remote Administration Tool\\Release\\Client.pdb",
 "meta": {
@@ -11943,6 +14297,19 @@
 "uuid": "55d343a1-7e80-4254-92eb-dfb433b91a90",
 "value": "Bredolab"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brittle_bush",
+ "https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fd4665b8-59b6-427f-a22d-bb3b50e9e176",
+ "value": "BrittleBush"
+ },
 {
 "description": "",
 "meta": {
@@ -12037,9 +14404,13 @@ "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/", "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware", "https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns/TechnicalBrief-An-Analysis-of-Buer-Loader.pdf", + "https://labs.vipre.com/buer-loader-found-in-an-unusual-email-attachment/", "http://www.secureworks.com/research/threat-profiles/gold-symphony", "https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace", "https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/", + "https://tehtris.com/en/blog/buer-loader-analysis-a-rusted-malware-program", + "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://blog.minerva-labs.com/stopping-buerloader", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", 
@@ -12048,6 +14419,7 @@ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "http://www.secureworks.com/research/threat-profiles/gold-blackburn", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/", "https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", @@ -12057,7 +14429,8 @@ "https://twitter.com/StopMalvertisin/status/1182505434231398401", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://medium.com/walmartglobaltech/buerloader-updates-3e34c1949b96", - "https://twitter.com/SophosLabs/status/1321844306970251265" + "https://twitter.com/SophosLabs/status/1321844306970251265", + "https://www.trendmicro.com/en_us/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns.html" ], "synonyms": [ "Buerloader", 
@@ -12108,6 +14481,34 @@ "uuid": "fa278536-8293-4717-86b5-8a03aa11063f", "value": "Buhtrap" }, + { + "description": "This malware is delivered by an ISO file, with an DLL inside with a custom loader. Because of the unique user-agent \"bumblebee\" this malware was dubbed BUMBLEBEE. At the time of Analysis by Google's Threat Analysis Group (TAG) BumbleBee was observed to fetch Cobalt Strike Payloads.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee", + "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti", + "https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/", + "https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/", + "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike", + "https://isc.sans.edu/diary/28636", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", + "https://isc.sans.edu/diary/rss/28664", + "https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming", + "https://isc.sans.edu/diary/rss/28636", + "https://blog.sekoia.io/bumblebee-a-new-trendy-loader-for-initial-access-brokers/", + "https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/", + "https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html", + "https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/", + "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/", + "https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056", + "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "fa47d59d-7251-468f-9d84-6e1ba21887db", + "value": "BumbleBee" + }, { 
"description": "", "meta": { 
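Review bot: The BumbleBee description has "an DLL" (should be "a DLL") and oddly capitalised "Analysis" and "Payloads"; the whole passage would read more clearly as `"This malware is delivered as an ISO file containing a DLL with a custom loader. Because of the unique user-agent \"bumblebee\" the malware was dubbed BUMBLEBEE. At the time of analysis by Google's Threat Analysis Group (TAG), BumbleBee was observed fetching Cobalt Strike payloads."`. "Threat Analysis Group" keeps its capitals because it is a proper name. The hunk's opening `{` and the closing context lines fall on the next line of the diff, so the quoted text is the only part that changes.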
@@ -12215,6 +14616,47 @@ "uuid": "fe1d51d8-f0e8-4f71-bf5c-724f7d4a824c", "value": "CabArt" }, + { + "description": "CaddyWiper is another destructive malware believed to be deployed to target Ukraine.\r\n\r\nCaddyWiper wipes all files under C:\\Users and all also all files under available drives from D: to Z: by overwriting the data with NULL value. If the target file is greater than 0xA00000 bytes in size (10MB), it will only wipe the first 0xA00000 bytes.\r\n\r\nIt also wipes disk partitions from \\\\.\\PHYSICALDRIVE9 to \\\\.\\PHYSICALDRIVE0 by overwriting the first 0x780 bytes with NULL.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper", + "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", + "https://cert.gov.ua/article/39518", + "https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html", + "https://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine", + "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/", + "https://cybernews.com/cyber-war/new-destructive-wiper-malware-deployed-in-ukraine/", + "https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/", + "https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/", + "https://twitter.com/HackPatch/status/1503538555611607042", + "https://www.nioguard.com/2022/03/analysis-of-caddywiper.html", + "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works", + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd", + "https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/", + "https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine", + 
"https://securityintelligence.com/posts/caddywiper-malware-targeting-ukrainian-organizations/", + "https://cybersecuritynews.com/destructive-data-wiper-malware/", + "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", + "https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html", + "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/", + "https://twitter.com/silascutler/status/1513870210398363651", + "https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/", + "https://n0p.me/2022/03/2022-03-26-caddywiper/", + "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", + "https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html", + "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-caddywiper", + "https://twitter.com/ESETresearch/status/1503436420886712321", + "https://securityaffairs.co/wordpress/129069/cyber-warfare-2/caddywiper-wiper-hits-ukraine.html" + ], + "synonyms": [ + "KillDisk.NCX" + ], + "type": [] + }, + "uuid": "c6053700-5f3b-48cc-8176-191393522fc3", + "value": "CaddyWiper" + }, { "description": "", "meta": { @@ -12246,6 +14688,21 @@ "uuid": "52c0b49b-d57e-400d-8808-a00d4171ac05", "value": "CALMTHORN" }, + { + "description": "PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html" + ], + "synonyms": [ + "StormKitty" + ], + "type": [] + }, + "uuid": "d3fb548f-64cb-4997-8262-1dca695fbae2", + "value": "Cameleon" + }, { "description": "", "meta": { 
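Review bot: The CaddyWiper description contains a doubled "all also all" in "wipes all files under C:\\Users and all also all files under available drives"; suggest `"CaddyWiper wipes all files under C:\\Users and also all files on available drives from D: to Z: by overwriting the data with NULL bytes."`. The rest of the description (size threshold, physical-drive range, number of bytes overwritten) is more concrete than most entries in this file and is exactly what responders need, so keep that level of detail. The hunk opens on the previous line of the diff; only the description line changes.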
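Review bot: "PWC" in the new Cameleon description should be "PwC", matching the company's own styling and the `pwc.com` reference beneath it. The synonym "StormKitty" is also the name of a separately published open-source stealer project, so it is worth confirming that the cited PwC article actually treats it as an alias of Cameleon rather than as a related tool before downstream tooling starts merging the two names.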
@@ -12314,19 +14771,22 @@ "https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe", "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/", "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", + "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", + "https://www.mandiant.com/resources/evolution-of-fin7", + "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest", "https://threatintel.blog/OPBlueRaven-Part2/", "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html", - "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" ], "synonyms": [ - "Anunak" + "Anunak", + "Sekur RAT" ], "type": [] }, 
@@ -12432,6 +14892,7 @@ "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf", "http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/", "https://risky.biz/whatiswinnti/", + "https://stmxcsr.com/persistence/print-processor.html", "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf", "https://blog.avast.com/progress-on-ccleaner-investigation", "https://www.wired.com/story/ccleaner-malware-targeted-tech-firms", @@ -12441,7 +14902,8 @@ "https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident", "http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor", "https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/", - "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html" + "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html", + "https://www.mandiant.com/resources/pe-file-infecting-malware-ot" ], "synonyms": [ "DIRTCLEANER" 
@@ -12473,15 +14935,18 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/", - "https://www.youtube.com/watch?v=y8Z9KnL8s8s", + "https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks", "https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", + "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf", + "https://www.youtube.com/watch?v=y8Z9KnL8s8s", "https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/" ], 
@@ -12503,6 +14968,46 @@
 "uuid": "ba7706c1-7d2a-4031-9acc-cb862860da1a",
 "value": "Cerbu"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ceta_rat",
+ "https://blogs.quickheal.com/cetarat-apt-group-targeting-the-government-agencies/",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "12d2d503-def6-4161-bd42-2093ccad49bd",
+ "value": "CetaRAT"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chachi",
+ "https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6a3e6f07-1aaa-4af5-8bd3-96898aca3510",
+ "value": "ChaChi"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaes",
+ "https://decoded.avast.io/anhho/chasing-chaes-kill-chain/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0d4ab3af-189f-49af-b47a-9b25f59f9a12",
+ "value": "Chaes"
+ },
 {
 "description": "",
 "meta": {
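Review bot: The third CetaRAT reference, `https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388`, carries what looks like a cache-busting timestamp as its query string; if the object is readable without it, store the bare URL so the ref stays stable over time and de-duplicates against other copies of the same link. The ChaChi and Chaes entries in the same hunk need nothing.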
@@ -12525,8 +15030,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos", + "https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree", + "https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging", + "https://twitter.com/vinopaljiri/status/1519645742440329216", "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/", - "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html" + "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia", + "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html", + "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction", + "https://www.bleepingcomputer.com/news/security/roblox-game-pass-store-used-to-sell-ransomware-decryptor/", + "https://brianstadnicki.github.io/posts/malware-chaos-ransomware-v4/" ], "synonyms": [ "FakeRyuk", 
@@ -12654,18 +15166,22 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper", + "https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers", "https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html", + "https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://www.youtube.com/watch?v=rn-6t7OygGk", "https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers", "https://www.secureworks.com/research/threat-profiles/bronze-express", + "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", "https://unit42.paloaltonetworks.com/china-chopper-webshell/", "https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/", "https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/", "https://www.secureworks.com/research/threat-profiles/bronze-president", "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day", + "https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/", "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", "https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html", "https://twitter.com/ESETresearch/status/1366862946488451088", 
@@ -12677,7 +15193,7 @@ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks", "https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", - "https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers", + "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf", "https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf", "https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968", "https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits", 
@@ -12693,13 +15209,15 @@ "https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html", "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html", "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html", + "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", "https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/", "https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/", "https://www.praetorian.com/blog/reproducing-proxylogon-exploit/", "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf", "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html", - "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", + "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection", "https://us-cert.cisa.gov/ncas/alerts/aa20-259a", "https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/", 
@@ -12707,7 +15225,7 @@ "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html", "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf", "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", - "https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/", + "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf", "https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers", "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a", @@ -12747,6 +15265,19 @@ "uuid": "ef216f1d-9ee5-4676-ae34-f954a8611290", "value": "ChinaJm" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinotto", + "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "fda4561c-56a9-479b-8db5-7f6774be9a3d", + "value": "Chinotto (Windows)" + }, { "description": "", "meta": { @@ -12755,6 +15286,7 @@ "https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02", "https://nao-sec.org/2021/01/royal-road-redive.html", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf", "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf", "https://community.riskiq.com/article/56fa1b2f", "https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746", 
@@ -12779,6 +15311,47 @@
 "uuid": "59b5697a-5154-4c08-87f8-c71b0e8425fc",
 "value": "Chir"
 },
+ {
+ "description": "Chisel is an open-source project by Jaime Pillora (jpillora) that allows tunneling TCP and UDP connections via HTTP. It is available across platforms and written in Go. While benign in itself, Chisel has been utilized by multiple threat actors. It was for example observed by SentinelOne during a PYSA ransomware campaign to achieve persistence and used as backdoor.\r\nGithub: https://github.com/jpillora/chisel",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chisel",
+ "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fbfbbcbc-6730-4c4d-9ece-9b72802d42e9",
+ "value": "Chisel (Windows)"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chiser_client",
+ "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "637714e1-c46d-4c10-bbc5-604c6e47fbbb",
+ "value": "ChiserClient"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.choziosi",
+ "https://redcanary.com/blog/chromeloader/"
+ ],
+ "synonyms": [
+ "ChromeLoader"
+ ],
+ "type": []
+ },
+ "uuid": "7cfa3158-ccfc-4c23-8e7a-5d4e9cc1c43f",
+ "value": "Choziosi (Windows)"
+ },
 {
 "description": "",
 "meta": {
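Review bot: The Chisel description embeds a link in prose (`\r\nGithub: https://github.com/jpillora/chisel`), whereas this file keeps links in `meta.refs`; move the URL into `refs` and drop the trailing line so consumers do not have to scrape URLs out of free text. Two small wording fixes while here: "used as backdoor" → "used as a backdoor", and "It was for example observed by SentinelOne" → "For example, SentinelOne observed it". The ChiserClient and Choziosi entries in the same hunk need nothing.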
@@ -12903,8 +15476,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.clipbanker", - "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/", + "https://asec.ahnlab.com/en/35981/", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/covid-19-phishing-lure-to-steal-and-mine-cryptocurrency/", "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/" ], "synonyms": [], 
@@ -12929,9 +15505,10 @@ "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/", "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824", "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", "https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html", - "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/", "https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", 
@@ -12945,22 +15522,25 @@
 "https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/",
 "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
 "https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop",
 "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
 "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
 "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
 "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
 "https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/",
 "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://www.youtube.com/watch?v=PqGaZgepNTE",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
 "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
 "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
 "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
 "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
 "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546",
 "https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-cryptomix-clop-ransomware-disables-startup-repair-removes-edits-shadow-volume-copies/",
+ "https://www.youtube.com/watch?v=PqGaZgepNTE",
 "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/",
 "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
 "https://asec.ahnlab.com/wp-content/uploads/2021/01/Analysis_ReportCLOP_Ransomware.pdf",
@@ -12981,6 +15561,7 @@
 "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
 "https://www.boho.or.kr/filedownload.do?attach_file_seq=2808&attach_file_id=EpF2808.pdf",
 "https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/",
+ "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html",
 "https://unit42.paloaltonetworks.com/clop-ransomware/"
 ],
 "synonyms": [],
@@ -13007,29 +15588,34 @@
 "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
 "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728",
 "https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/",
+ "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
 "https://twitter.com/VK_Intel/status/1255537954304524288",
 "https://twitter.com/TheEnergyStory/status/1239110192060608513",
 "https://twitter.com/VK_Intel/status/1252678206852907011",
+ "https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/",
 "https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland",
- "https://cert.pl/en/posts/2021/04/keeping-an-eye-on-guloader-reverse-engineering-the-loader/",
+ "https://twitter.com/TheEnergyStory/status/1240608893610459138",
 "https://twitter.com/sysopfb/status/1258809373159305216",
 "https://research.checkpoint.com/2020/guloader-cloudeye/",
 "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
 "https://www.joesecurity.org/blog/3535317197858305930",
 "https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services",
 "https://twitter.com/VK_Intel/status/1257206565146370050",
- "https://www.youtube.com/watch?v=-FxyzuRv6Wg",
+ "https://experience.mandiant.com/trending-evil-2/p/1",
 "https://blog.morphisec.com/guloader-the-rat-downloader",
 "https://research.checkpoint.com/2020/threat-actors-migrating-to-the-cloud/",
- "https://twitter.com/TheEnergyStory/status/1240608893610459138",
+ "https://cert.pl/en/posts/2021/04/keeping-an-eye-on-guloader-reverse-engineering-the-loader/",
+ "https://www.youtube.com/watch?v=-FxyzuRv6Wg",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4",
 "https://www.youtube.com/watch?v=K3Yxu_9OUxU",
 "https://www.crowdstrike.com/blog/guloader-malware-analysis/",
+ "https://forensicitguy.github.io/guloader-executing-shellcode-callbacks/",
 "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/",
 "https://malwation.com/malware-config-extraction-diaries-1-guloader/",
 "https://www.youtube.com/watch?v=N0wAh26wShE",
 "https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
 "https://labs.k7computing.com/?p=20156",
 "https://labs.k7computing.com/?p=21725Lokesh"
 ],
@@ -13098,26 +15684,54 @@
 "uuid": "7acd9a27-f550-4c47-9fc8-429b61b04217",
 "value": "CoalaBot"
 },
+ {
+ "description": "This Go written malware was observed during campaign of COBALT MIRAGE; it includes FRP (Fast Reverse Proxy) published by fatedier on GitHub (https://github.com/fatedier/frp) and other projects additionally. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobaltmirage_tunnel",
+ "https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a9bebdbf-24b3-40e0-9596-2adf60c3abf8",
+ "value": "CobaltMirage FRP"
+ },
 {
 "description": "Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.\r\n\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
- "https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent",
+ "https://www.prevailion.com/what-wicked-webs-we-unweave/",
+ "https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my",
 "https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/",
+ "https://blogs.blackberry.com/en/2022/01/log4u-shell4me",
+ "https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/",
 "https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims",
+ "https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/",
+ "https://ak100117.medium.com/analyzing-cobalt-strike-powershell-payload-64d55ed3521b",
 "https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py",
 "https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html",
 "https://www.secureworks.com/research/threat-profiles/bronze-president",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent",
+ "https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903",
+ "https://explore.group-ib.com/htct/hi-tech_crime_2018",
 "https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html",
- "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/",
+ "https://www.malware-traffic-analysis.net/2021/09/29/index.html",
+ "https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654",
 "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf",
- "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/",
+ "https://blogs.blackberry.com/en/2021/11/zebra2104",
+ "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489",
 "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
+ "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/",
+ "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/",
 "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/bb-ebook-finding-beacons-in-the-dark.pdf",
+ "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/",
 "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html",
 "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike",
+ "https://blog.morphisec.com/vmware-identity-manager-attack-backdoor",
 "https://github.com/sophos-cybersecurity/solarwinds-threathunt",
 "https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware",
 "https://twitter.com/AltShiftPrtScn/status/1385103712918642688",
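Review bot: The new `CobaltMirage FRP` entry's `description` string ends with a trailing space (`additionally. "`) and its wording is awkward ("This Go written malware ... and other projects additionally"); since the text appears to be imported from the upstream source, it is better corrected there so the next sync does not reintroduce it. The description also carries the fatedier/frp GitHub URL inline in prose rather than in `refs`, which matters because FRP is a legitimate open-source reverse-proxy project bundled by the malware: a consumer that keys on `refs` will not see it, and a reader should not take its mention as the project itself being malicious. If the upstream record is amended, a shorter form such as `"description": "Go tunnelling malware observed in COBALT MIRAGE campaigns; bundles the open-source FRP (Fast Reverse Proxy) project among others."` would read more clearly.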
@@ -13125,118 +15739,182 @@
 "https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468",
 "https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/",
 "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
- "https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950",
+ "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/",
 "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
 "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
 "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html",
 "https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/",
 "https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections",
+ "https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment",
 "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
 "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/",
 "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/",
- "https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure",
- "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/",
+ "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks",
+ "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64",
+ "https://morphuslabs.com/attackers-are-abusing-msbuild-to-evade-defenses-and-implant-cobalt-strike-beacons-edac4ab84f42",
 "https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought",
 "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
+ "https://www.ironnet.com/blog/ransomware-graphic-blog",
 "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
+ "https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware",
+ "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/",
+ "https://cyber.wtf/2022/03/23/what-the-packer/",
 "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
 "https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
 "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/",
 "https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/",
 "https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/",
 "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c",
- "http://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
+ "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf",
+ "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf",
 "https://blog.talosintelligence.com/2021/05/ctir-case-study.html",
 "https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/",
+ "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20",
 "https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7",
 "https://www.ic3.gov/Media/News/2021/210823.pdf",
- "https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20",
+ "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html",
 "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
 "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf",
+ "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
 "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/",
 "https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/",
 "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one",
+ "https://twitter.com/cglyer/status/1480742363991580674",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation",
+ "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/",
+ "https://cert.gov.ua/article/37704",
 "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/",
 "https://securelist.com/apt-luminousmoth/103332/",
 "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
 "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/",
 "https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike",
- "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/",
+ "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike",
+ "https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/",
+ "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf",
+ "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/",
+ "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
 "https://www.secureworks.com/research/threat-profiles/gold-dupont",
 "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
 "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
 "https://www.qurium.org/alerts/targeted-malware-against-crph/",
 "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/",
 "https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/",
 "https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/",
+ "https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike",
 "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf",
- "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures",
+ "https://www.youtube.com/watch?v=ysN-MqyIN7M",
+ "https://www.contextis.com/en/blog/dll-search-order-hijacking",
+ "https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware",
 "https://twitter.com/MBThreatIntel/status/1412518446013812737",
 "https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html",
 "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
 "https://www.cynet.com/understanding-squirrelwaffle/",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang",
+ "https://isc.sans.edu/diary/rss/27176",
 "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/",
 "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
 "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
+ "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/",
 "https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/",
+ "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/",
 "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/",
 "https://twitter.com/vikas891/status/1385306823662587905",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
 "https://malwarebookreports.com/cryptone-cobalt-strike/",
- "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/",
+ "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/",
 "https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf",
+ "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
 "https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
+ "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html",
+ "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/",
 "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/",
+ "https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/",
 "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack",
 "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
- "https://www.brighttalk.com/webcast/7451/462719",
+ "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
+ "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
 "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://isc.sans.edu/diary/28636",
+ "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+ "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/",
 "https://blog.group-ib.com/REvil_RaaS",
+ "https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/",
 "https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
 "https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/",
 "https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/",
+ "http://www.secureworks.com/research/threat-profiles/gold-winter",
 "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/",
 "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
- "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730",
+ "https://asec.ahnlab.com/en/31811/",
 "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728",
- "https://www.macnica.net/file/mpression_automobile.pdf",
+ "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/",
+ "https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf",
 "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf",
+ "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/",
 "https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/",
+ "https://www.mandiant.com/resources/unc2452-merged-into-apt29",
+ "https://www.inde.nz/blog/different-kind-of-zoombomb",
 "https://www.hhs.gov/sites/default/files/bazarloader.pdf",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a",
+ "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html",
 "https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/",
 "https://asec.ahnlab.com/ko/19860/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
 "https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64",
 "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv",
 "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-148a",
+ "https://experience.mandiant.com/trending-evil-2/p/1",
 "https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader",
+ "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
 "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/",
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
+ "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware",
+ "https://blog.zsec.uk/cobalt-strike-profiles/",
 "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
 "https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811",
+ "https://boschko.ca/cobalt-strike-process-injection/",
 "https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153",
- "https://connormcgarr.github.io/thread-hijacking/",
+ "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/",
 "https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/",
+ "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
 "https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups",
 "https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41",
 "https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/",
 "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/",
+ "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/",
+ "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html",
 "https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5",
 "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/",
 "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf",
- "https://isc.sans.edu/diary/rss/27176",
+ "http://www.secureworks.com/research/threat-profiles/gold-drake",
 "https://community.riskiq.com/article/c88cf7e6",
 "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf",
+ "https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/",
+ "https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950",
 "https://community.riskiq.com/article/f0320980",
- "https://www.youtube.com/watch?v=ysN-MqyIN7M",
+ "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
+ "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures",
 "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon",
 "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
 "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
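Review bot: `http://www.secureworks.com/research/threat-profiles/gold-winter` is added with a plain-http scheme, and the moved gold-drake entry keeps the same scheme, while every other secureworks.com reference in this hunk (for example `https://www.secureworks.com/research/threat-profiles/bronze-riverside`) uses https; consumers that fetch or de-duplicate refs will treat the two forms as distinct, so normalising to `https://www.secureworks.com/research/threat-profiles/gold-winter` (and the same for gold-drake) at the source is worth doing. Separately, most removals in this hunk are re-inserted elsewhere in the same `refs` array, but a few are not re-added anywhere visible: the CISA analysis report `https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a`, the DFIR Report `from-word-to-lateral-movement-in-1-hour` post, the Cyble OceanLotus post, the Trend Micro `locked-loaded-and-in-the-wrong-hands` article, the CyCraft Taiwan high-tech post, the Macnica `mpression_automobile.pdf` and the connormcgarr thread-hijacking page, plus the SentinelOne `the-anatomy-of-an-apt-attack` post in the 13246 hunk. Since the Cobalt Strike `refs` array continues into later hunks, these may well be re-added further down, but it is worth confirming they are deliberate upstream retirements rather than a sync artefact before merging.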
@@ -13246,16 +15924,30 @@
 "https://twitter.com/GossiTheDog/status/1438500100238577670",
 "https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware",
 "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
- "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
+ "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671",
+ "https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns",
 "https://twitter.com/VK_Intel/status/1294320579311435776",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf",
+ "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure",
+ "https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/",
+ "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://bmcder.com/blog/cobalt-strike-dfir-listening-to-the-pipes",
 "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://michaelkoczwara.medium.com/mapping-and-pivoting-cobalt-strike-c2-infrastructure-attributed-to-cve-2021-40444-438786fcd68a",
+ "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
 "https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/",
 "https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f",
 "https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929",
+ "https://blogs.blackberry.com/en/2021/10/blackberry-shines-spotlight-on-evolving-cobalt-strike-threat-in-new-book",
+ "https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/",
 "https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9",
+ "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/",
 "https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt",
 "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/",
- "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
+ "https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ",
+ "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/",
+ "https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html",
 "https://www.youtube.com/watch?v=gfYswA_Ronw",
 "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A",
 "https://blog.cobaltstrike.com/",
@@ -13265,189 +15957,298 @@
 "https://www.secureworks.com/research/threat-profiles/gold-waterfall",
 "https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b",
 "https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/",
- "https://www.youtube.com/watch?v=LA-XE5Jy2kU",
+ "https://teamt5.org/en/posts/hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services",
+ "https://www.varonis.com/blog/hive-ransomware-analysis",
 "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/",
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://thedfirreport.com/2020/10/08/ryuks-return/",
+ "https://www.aon.com/cyber-solutions/aon_cyber_labs/cobalt-strike-configuration-extractor-and-parser/",
+ "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach",
+ "https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns",
+ "https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html",
 "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf",
+ "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot",
 "https://twitter.com/swisscom_csirt/status/1354052879158571008",
 "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-265a",
 "https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/",
 "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
+ "https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/",
 "https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728",
- "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html",
+ "https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure",
 "https://web.br.de/interaktiv/ocean-lotus/en/",
 "https://twitter.com/alex_lanstein/status/1399829754887524354",
- "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
+ "https://redcanary.com/blog/getsystem-offsec/",
+ "https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/",
+ "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes",
 "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
 "https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/",
 "https://www.accenture.com/us-en/blogs/security/ransomware-hades",
+ "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/",
 "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/",
+ "https://www.brighttalk.com/webcast/7451/462719",
 "https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20",
+ "https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection",
 "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e",
 "https://blog.macnica.net/blog/2020/11/dtrack.html",
 "https://blog.group-ib.com/colunmtk_apt41",
 "https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear",
 "https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/",
+ "https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir",
 "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/",
 "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
 "https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/",
- "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/",
- "https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ",
+ "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/",
+ "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/",
+ "https://www.mandiant.com/resources/apt41-us-state-governments",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
 "https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html",
- "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://assets.virustotal.com/reports/2021trends.pdf",
 "http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems",
+ "https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications",
+ "https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/",
 "https://401trg.com/burning-umbrella/ ",
+ "https://twitter.com/Unit42_Intel/status/1461004489234829320",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
 "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md",
- "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware",
+ "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
 "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html",
+ "https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/",
 "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf",
 "https://www.youtube.com/watch?v=6SDdUVejR2w",
 "https://www.youtube.com/watch?v=y65hmcLIWDY",
 "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2",
 "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/",
+ "https://www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike/",
 "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/",
 "https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/",
+ "https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk",
 "https://www.malware-traffic-analysis.net/2021/09/17/index.html",
 "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
+ "https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#",
 "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "https://malware-traffic-analysis.net/2021/09/29/index.html",
 "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811",
+ "https://isc.sans.edu/diary/rss/28448",
 "https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
 "https://isc.sans.edu/diary/rss/26862",
 "https://twitter.com/elisalem9/status/1398566939656601606",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
 "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a",
+ "https://www.mandiant.com/resources/sabbath-ransomware-affiliate",
+ "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love",
+ "https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/",
+ "https://redcanary.com/blog/intelligence-insights-december-2021",
 "https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
 "https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf",
+ "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf",
+ "https://twitter.com/MsftSecIntel/status/1522690116979855360",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/",
 "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/",
+ "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html",
+ "https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/",
 "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://www.mandiant.com/media/12596/download",
 "https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/",
+ "https://www.mandiant.com/resources/russian-targeting-gov-business",
+ "https://intel471.com/blog/shipping-companies-ransomware-credentials",
+ "https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/",
+ "https://isc.sans.edu/diary/rss/28664",
+ "https://www.youtube.com/watch?v=LA-XE5Jy2kU",
+ "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730",
 "https://mez0.cc/posts/cobaltstrike-powershell-exec/",
+ "https://isc.sans.edu/diary/26752",
+ "https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/",
 "https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations",
 "https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/",
- "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf",
+ "https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
 "https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/",
 "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html",
- "https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf",
+ "https://www.macnica.net/file/mpression_automobile.pdf",
 "https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/",
+ "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
+ "https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise",
+ "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html",
 "https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom",
 "https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/",
 "https://twitter.com/redcanary/status/1334224861628039169",
 "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
+ "https://thedfirreport.com/2022/03/07/2021-year-in-review/",
 "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
+ "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/",
 "https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734",
 "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html",
+ "https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html",
 "https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html",
+ "https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse/",
 "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/",
 "https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/",
 "https://isc.sans.edu/diary/27308",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e",
- "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/",
+ "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1",
+ "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2",
+ "https://connormcgarr.github.io/thread-hijacking/",
 "https://paper.seebug.org/1301/",
 "https://netresec.com/?b=214d7ff",
 "https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e",
+ "https://elastic.github.io/security-research/intelligence/2022/01/03.extracting-cobalt-strike-beacon/article/",
 "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
 "https://www.youtube.com/watch?v=borfuQGrB8g",
 "https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/",
+ "https://www.mandiant.com/media/10916/download",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://www.lac.co.jp/lacwatch/people/20180521_001638.html",
 "https://www.istrosec.com/blog/apt-sk-cobalt/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos",
 "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/",
+ "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html",
 "https://twitter.com/ffforward/status/1324281530026524672",
 "https://community.riskiq.com/article/0bcefe76",
 "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/",
 "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
 "https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a",
+ "https://www.telsy.com/download/5972/?uid=d7c082ba55",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
 "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
+ "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf",
 "https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf",
 "https://securelist.com/apt-trends-report-q2-2020/97937/",
 "https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html",
- "https://isc.sans.edu/diary/26752",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia",
+ "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/",
 "https://twitter.com/TheDFIRReport/status/1356729371931860992",
 "https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/",
- "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html",
+ "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/",
 "https://twitter.com/Cryptolaemus1/status/1407135648528711680",
+ "https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/",
+ "https://www.mandiant.com/resources/defining-cobalt-strike-components",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/",
 "https://twitter.com/AltShiftPrtScn/status/1350755169965924352",
 "https://redcanary.com/blog/grief-ransomware/",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://asec.ahnlab.com/en/34549/",
 "https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks",
 "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/",
+ "https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/",
+ "https://twitter.com/felixw3000/status/1521816045769662468",
+ "https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/",
+ "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
 "https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts",
+ "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage",
 "https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors",
- "https://www.youtube.com/watch?v=GfbxHy6xnbA",
+ "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/",
 "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
 "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
+ "https://wbglil.gitbook.io/cobalt-strike/",
 "https://malwarelab.eu/posts/fin6-cobalt-strike/",
+ "https://isc.sans.edu/diary/rss/28752",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021",
+ "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/",
 "https://www.secureworks.com/research/threat-profiles/gold-kingswood",
 "https://twitter.com/AltShiftPrtScn/status/1403707430765273095",
 "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/",
 "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/",
+ "https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/",
 "https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/",
 "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis",
 "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/",
+ "https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting",
 "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf",
 "https://skyblue.team/posts/scanning-virustotal-firehose/",
 "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf",
 "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/",
 "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/",
+ "https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/",
 "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
- "https://redcanary.com/blog/getsystem-offsec/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
 "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
- "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/",
+ "https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine",
+ "https://redcanary.com/blog/gootloader",
 "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a",
 "https://zero.bs/cobaltstrike-beacons-analyzed.html",
 "https://github.com/Apr4h/CobaltStrikeScan",
 "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/",
- "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/",
+ "https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
 "https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/",
 "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/",
+ "https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/",
+ "https://isc.sans.edu/diary/rss/27618",
 "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
+ "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/",
 "https://www.secureworks.com/research/threat-profiles/gold-niagara",
 "https://www.arashparsa.com/hook-heaps-and-live-free/",
+ "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html",
+ "https://www.arashparsa.com/catching-a-malware-with-no-name/",
+ "https://www.youtube.com/watch?v=GfbxHy6xnbA",
+ "https://www.cyberark.com/resources/threat-research/analyzing-malware-with-hooks-stomps-and-return-addresses-2",
 "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html",
 "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/",
 "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
 "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
+ "https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/",
 "https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/",
 "https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/",
- "https://isc.sans.edu/diary/rss/27618",
+ "https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/",
 "https://www.youtube.com/watch?v=WW0_TgWT2gs",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
- "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates",
- "https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/",
- "https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#",
+ "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive",
+ "https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux",
+ "https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink",
+ "https://twitter.com/Unit42_Intel/status/1458113934024757256",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
 "https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/",
+ "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
 "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
- "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
+ "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/",
+ "https://www.cobaltstrike.com/support",
 "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf",
 "https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/",
 "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
 "http://www.secureworks.com/research/threat-profiles/gold-kingswood",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
 "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618",
- "http://www.secureworks.com/research/threat-profiles/gold-winter",
- "https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/",
+ "https://thedfirreport.com/2022/04/25/quantum-ransomware/",
+ "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
+ "https://www.bitsight.com/blog/emotet-botnet-rises-again",
+ "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/sneak-peek-ch1-2-finding-beacons-in-the-dark.pdf",
 "https://thedfirreport.com/2021/05/12/conti-ransomware/",
 "https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e",
 "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/",
+ "https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/",
 "https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists",
 "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
 "https://twitter.com/TheDFIRReport/status/1359669513520873473",
 "https://asec.ahnlab.com/ko/19640/",
- "https://www.cobaltstrike.com/support",
+ "https://security.macnica.co.jp/blog/2022/05/iso.html",
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://www.mandiant.com/resources/evolution-of-fin7",
 "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html",
 "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/"
 ],
@@ -13510,12 +16311,13 @@
 "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
 "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
 "https://github.com/hfiref0x/TDL",
- "https://www.circl.lu/pub/tr-25/",
+ "https://docs.broadcom.com/doc/waterbug-attack-group",
 "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon",
 "https://www.youtube.com/watch?v=FttiysUZmDw",
 "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
+ "https://www.circl.lu/pub/tr-25/",
 "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf"
 ],
 "synonyms": [
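Review bot: The same SANS ISC diary is added twice to the Cobalt Strike refs under different URLs, `"https://isc.sans.edu/diary/rss/28448"` and `"https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/"`; a consumer that deduplicates or keys on the ref string will count them as two distinct sources, and the entry's other ISC refs use the `/diary/rss/<id>` form, so keeping only that one would stay consistent. Two other new-side entries are not stable as canonical references: the moved `"https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#"` keeps a trailing `#`, and `"https://www.telsy.com/download/5972/?uid=d7c082ba55"` carries a per-request `uid` query parameter rather than a fixed document URL. If this cluster is regenerated from the upstream Malpedia feed (the file layout suggests so, but the generator is not visible here), URL normalization and deduplication belong in that generator rather than in hand edits, since the next regeneration would reintroduce them. The Cobalt Strike entry's `refs` array begins before this hunk, so earlier entries of the same list were not checked for further duplicates.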
@@ -13572,6 +16374,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer",
 "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/",
 "https://secrary.com/ReversingMalware/CoinMiner/",
+ "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/",
 "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/"
 ],
 "synonyms": [],
@@ -13580,6 +16383,19 @@
 "uuid": "333e2e87-b9b0-4e2e-9ed9-7259c55a93db",
 "value": "Coinminer"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coldbrew",
+ "https://businessinsights.bitdefender.com/hypervisor-introspection-thwarts-web-memory-corruption-attack-in-the-wild"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b30a19b2-383b-4ca5-a047-00910b8a3e03",
+ "value": "coldbrew"
+ },
 {
 "description": "",
 "meta": {
@@ -13613,6 +16429,36 @@
 "uuid": "8d5b7766-673c-493f-b760-65afd61689cb",
 "value": "Cold$eal"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coldstealer",
+ "https://asec.ahnlab.com/en/32090/",
+ "https://asec.ahnlab.com/ko/31703/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5869f846-adf8-4798-833e-54c05f9b30f6",
+ "value": "ColdStealer"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri",
+ "https://cloudsek.com/in-depth-technical-analysis-of-colibri-loader-malware/",
+ "https://fr3d.hk/blog/colibri-loader-back-to-basics",
+ "https://github.com/Casperinous/colibri_loader",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "09926538-a7a0-413b-bc7d-4b20a8f4b515",
+ "value": "Colibri Loader"
+ },
 {
 "description": "",
 "meta": {
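Review bot: The added `"https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/"` in the Coinminer refs is the canonical form of the existing `".../a-coin-miner-with-a-heavens-gate/amp/"` entry two lines above, so the same article is now listed twice and only the AMP rendering variant distinguishes them. Dropping the `/amp/` line would leave a single, stable reference; if the list is generated from upstream Malpedia data, the de-duplication would need to happen there instead. The three new entries (coldbrew, ColdStealer, Colibri Loader) follow the file's existing shape, with `"description": ""` and empty `synonyms`/`type` arrays, so no structural point is raised for them.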
@@ -13620,7 +16466,9 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.collectorgoomba",
 "https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin/"
 ],
- "synonyms": [],
+ "synonyms": [
+ "Collector Stealer"
+ ],
 "type": []
 },
 "uuid": "5c0f96fd-54c0-44cd-9caf-b986e3fa2879",
@@ -13700,6 +16548,20 @@
 "uuid": "f5044eda-3119-4fcf-b8af-9b56ab66b9be",
 "value": "Comfoo"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comlook",
+ "https://twitter.com/ClearskySec/status/1484211242474561540",
+ "https://www.msreverseengineering.com/blog/2022/1/25/an-exhaustively-analyzed-idb-for-comlook"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7726de54-95cc-4783-b26f-79882f0f6cba",
+ "value": "ComLook"
+ },
 {
 "description": "",
 "meta": {
@@ -13783,9 +16645,11 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker",
 "https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf",
+ "http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html",
 "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
 "https://www.minitool.com/backup-tips/conficker-worm.html",
- "http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html",
+ "https://redcanary.com/blog/intelligence-insights-january-2022/",
+ "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Conficker/Conficker.md",
 "https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker",
 "https://github.com/tillmannw/cnfckr",
 "http://contagiodump.blogspot.com/2009/05/win32conficker.html"
@@ -13821,72 +16685,187 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.conti",
- "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
- "https://www.youtube.com/watch?v=hmaWy9QIC7c",
- "https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent",
- "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/",
+ "https://www.prevailion.com/what-wicked-webs-we-unweave/",
+ "https://www.ironnet.com/blog/ransomware-graphic-blog",
+ "https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my",
+ "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
 "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
 "https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://cyware.com/news/ransomware-becomes-deadlier-conti-makes-the-most-money-39e17bae/",
+ "https://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks",
+ "https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru",
+ "https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent",
+ "https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir",
+ "https://www.youtube.com/watch?v=uORuVVQzZ0A",
 "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/",
- "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one",
+ "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
+ "https://www.youtube.com/watch?v=hmaWy9QIC7c",
 "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
+ "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
+ "https://www.cyberscoop.com/ransomware-gang-conti-bounced-back/",
 "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/",
 "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
- "https://twitter.com/AltShiftPrtScn/status/1417849181012647938",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-265a",
+ "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/",
 "https://github.com/cdong1012/ContiUnpacker",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf",
- "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
- "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/",
+ "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/",
 "https://www.ic3.gov/Media/News/2021/210521.pdf",
- "https://thedfirreport.com/2021/05/12/conti-ransomware/",
+ "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx",
 "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/",
 "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
 "https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/",
- "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
 "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
 "https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74",
- "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware",
+ "https://cluster25.io/2022/03/02/contis-source-code-deep-dive-into/",
+ "https://www.mbsd.jp/2022/03/08/assets/images/MBSD_Summary_of_ContiLeaks_Rev3.pdf",
+ "https://intel471.com/blog/conti-leaks-cybercrime-fire-team",
+ "https://twitter.com/AltShiftPrtScn/status/1350755169965924352",
+ "https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti",
+ "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider",
+ "https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/conti-ransomware",
+ "https://www.prodaft.com/m/reports/Conti_TLPWHITE_v1.6_WVcSEtc.pdf",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti",
+ "https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/",
+ "https://github.com/TheParmak/conti-leaks-englished",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://share.vx-underground.org/Conti/",
+ "https://therecord.media/conti-leaks-the-panama-papers-of-ransomware/",
+ "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
+ "https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://medium.com/@whickey000/how-i-cracked-conti-ransomware-groups-leaked-source-code-zip-file-e15d54663a8",
+ "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2",
+ "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://www.darktrace.com/en/blog/the-double-extortion-business-conti-ransomware-gang-finds-new-avenues-of-negotiation/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.connectwise.com/resources/conti-profile",
+ "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
+ "https://www.elliptic.co/blog/conti-ransomware-nets-at-least-25.5-million-in-four-months",
+ "https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/",
+ "https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf",
+ "https://arcticwolf.com/resources/blog/karakurt-web",
+ "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/",
+ "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/",
+ "https://nakedsecurity.sophos.com/2021/08/06/conti-ransomware-affiliate-goes-rogue-leaks-company-data/",
+ "https://yoroi.company/research/conti-ransomware-source-code-a-well-designed-cots-ransomware/",
+ "https://www.mbsd.jp/research/20210413/conti-ransomware/",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti",
- "https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf",
+ "https://www.redhotcyber.com/post/il-ransomware-conti-si-schiera-a-favore-della-russia",
 "https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf",
+ "https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/",
+ "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love",
+ "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
+ "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b",
+ "http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/",
+ "https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf",
+ "https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/",
+ "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
+ "https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
+ "https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/",
+ "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/",
+ "https://twitter.com/AltShiftPrtScn/status/1417849181012647938",
+ "https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one",
+ "https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html",
+ "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html",
+ "https://news.sophos.com/en-us/2022/02/22/cyberthreats-during-russian-ukrainian-tensions-what-can-we-learn-from-history-to-be-prepared/",
+ "https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728",
+ "https://www.youtube.com/watch?v=cYx7sQRbjGA",
+ "https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups",
+ "https://lifars.com/wp-content/uploads/2021/10/ContiRansomware_Whitepaper.pdf",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://thedfirreport.com/2021/05/12/conti-ransomware/",
+ "https://intel471.com/blog/shipping-companies-ransomware-credentials",
+ "https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html",
+ "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html",
+ "https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/",
+ "https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve",
+ "https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf",
+ "https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/",
 "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
 "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
 "https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations",
 "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://twitter.com/AltShiftPrtScn/status/1350755169965924352",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://unit42.paloaltonetworks.com/conti-ransomware-gang/",
- "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
- "https://assets.sentinelone.com/ransomware-enterprise/conti-ransomware-unpacked",
+ "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
 "https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/",
- "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf",
- "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider",
- "https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/",
- "https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/",
+ "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
 "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf",
- "https://twitter.com/AltShiftPrtScn/status/1423188974298861571"
+ "https://twitter.com/AltShiftPrtScn/status/1423188974298861571",
+ "https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/",
+ "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
+ "https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks",
+ "https://github.com/whichbuffer/Conti-Ransomware-IOC",
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
+ "https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement",
+ "https://redcanary.com/blog/intelligence-insights-november-2021/",
+ "https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware",
+ "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html",
+ "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-265a",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd",
+ "https://marcoramilli.com/2021/11/07/conti-ransomware-cheat-sheet/",
+ "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf",
+ "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
+ "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
+ "https://twitter.com/TheDFIRReport/status/1498642512935800833",
+ "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
+ "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/",
+ "https://www.threatstop.com/blog/conti-ransomware-source-code-leaked",
+ "https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022",
+ "https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/",
+ "https://www.bleepingcomputer.com/news/security/taiwanese-apple-and-tesla-contractor-hit-by-conti-ransomware/",
+ "https://unit42.paloaltonetworks.com/conti-ransomware-gang/",
+ "https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://assets.sentinelone.com/ransomware-enterprise/conti-ransomware-unpacked",
+ "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/",
+ "https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
+ "https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "c9dca6f3-2a84-4abe-8f33-ccb7a7a0246c",
- "value": "Conti"
+ "value": "Conti (Windows)"
 },
 {
 "description": "FireEye described this malware as a proxy-aware backdoor that communicates using a custom-encrypted binary protocol. It may use the registry to store optional configuration data. The backdoor has been observed to support 26 commands that include directory traversal, file system manipulation, data archival and transmission, and command execution.",
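Review bot: Two references in the rebuilt Conti refs list are present twice on the new side in near-identical form: `https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti` appears once without and once with a trailing slash, and the Talos `ransomware-chats.pdf` URL appears once bare and once with the `?1651576098` cache-busting query. Normalising each to a single form would keep the list free of duplicates that a plain string comparison misses. Separately, `value` changes from `Conti` to `Conti (Windows)` while `synonyms` stays `[]`; the uuid is unchanged, so uuid-based consumers are unaffected, but anything that resolves this cluster by display name loses the match, and carrying the old name as `"synonyms": [ "Conti" ],` would preserve it if the generator that produces this file allows that.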
@@ -13968,10 +16947,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell",
+ "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
 "http://malware.prevenity.com/2014/08/malware-info.html",
 "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
 "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
 "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html"
 ],
 "synonyms": [
@@ -14006,6 +16986,7 @@
 "https://www.youtube.com/watch?v=1WfPlgtfWnQ",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://vblocalhost.com/uploads/VB2020-20.pdf",
+ "https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html",
 "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
 "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology",
 "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf"
@@ -14031,6 +17012,19 @@
 "uuid": "e8986c0c-2997-425d-ae4e-529f82d3fa48",
 "value": "Covicli"
 },
+ {
+ "description": "Destructive \"joke\" malware that ultimately deploys a wiper for the MBR.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.covid22",
+ "https://www.fortinet.com/blog/threat-research/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d4796a4f-63f0-42f0-a043-fb91416c29d2",
+ "value": "Covid22"
+ },
 {
 "description": "",
 "meta": {
@@ -14132,24 +17126,33 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson",
 "https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://labs.k7computing.com/index.php/transparent-tribe-targets-educational-institution/",
 "https://anchorednarratives.substack.com/p/trouble-in-asia-and-the-middle-east",
 "https://twitter.com/teamcymru/status/1351228309632385027",
+ "https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/",
 "https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/",
 "https://team-cymru.com/blog/2021/07/02/transparent-tribe-apt-infrastructure-mapping-2/",
+ "https://twitter.com/katechondic/status/1502206599166939137",
+ "https://www.secrss.com/articles/24995",
 "https://securelist.com/transparent-tribe-part-2/98233/",
+ "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
 "https://cybleinc.com/2021/04/30/transparent-tribe-operating-with-a-new-variant-of-crimson-rat/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf",
 "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
- "https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg",
+ "https://www.4hou.com/posts/vLzM",
+ "https://twitter.com/teamcymru_S2/status/1501955802025836546",
 "https://blog.yoroi.company/research/transparent-tribe-four-years-later",
 "https://securelist.com/apt-trends-report-q3-2020/99204/",
 "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf",
 "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html",
 "https://mp.weixin.qq.com/s/ELYDvdMiiy4FZ3KpmAddZQ",
 "https://s.tencent.com/research/report/669.html",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+ "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html?m=1",
 "https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg",
- "https://www.secrss.com/articles/24995",
+ "https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg",
 "https://securelist.com/transparent-tribe-part-1/98127/",
 "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
 "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols"
@@ -14181,10 +17184,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cring",
- "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
 "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Vulnerability-in-Fortigate-VPN-servers-is-exploited-in-Cring-ransomware-attacks-En.pdf",
 "https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728",
- "https://twitter.com/swisscom_csirt/status/1354052879158571008"
+ "https://twitter.com/swisscom_csirt/status/1354052879158571008",
+ "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html"
 ],
 "synonyms": [],
 "type": []
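Review bot: The new Talos reference in the Crimson list, `https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html?m=1`, carries Blogger's `?m=1` mobile-view parameter rather than the canonical path, so a later addition of the canonical URL would become a silent duplicate under string comparison. Dropping the query, `"https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html",` keeps it in the same form as the 2021 Talos entry earlier in this list. The Crimson `refs` array opens before the start of this hunk.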
@@ -14246,6 +17250,7 @@
 "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/",
 "https://securelist.com/cis-ransomware/104452/",
 "https://twitter.com/albertzsigovits/status/1217866089964679174",
+ "https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/",
 "https://twitter.com/bartblaze/status/1305197264332369920",
 "https://www.telekom.com/en/blog/group/article/lockdata-auction-631300",
 "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
@@ -14305,7 +17310,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot",
- "https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger"
+ "https://asec.ahnlab.com/en/31683/",
+ "https://fr3d.hk/blog/cryptbot-too-good-to-be-true",
+ "https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger",
+ "https://redcanary.com/wp-content/uploads/2021/12/KMSPico-V5.pdf",
+ "https://asec.ahnlab.com/en/35981/",
+ "https://asec.ahnlab.com/en/24423/",
+ "https://www.mandiant.com/resources/russian-targeting-gov-business",
+ "https://experience.mandiant.com/trending-evil-2/p/1",
+ "https://www.bleepingcomputer.com/news/security/malicious-kmspico-installers-steal-your-cryptocurrency-wallets/",
+ "https://asec.ahnlab.com/en/26052/",
+ "https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-spread-by-pirated-software-sites/"
 ],
 "synonyms": [],
 "type": []
@@ -14548,14 +17563,26 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/",
+ "https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html",
 "https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html",
- "https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf",
+ "https://lab52.io/blog/cuba-ransomware-analysis/",
+ "https://www.ic3.gov/Media/News/2021/211203-2.pdf",
 "https://blog.group-ib.com/hancitor-cuba-ransomware",
+ "https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf",
+ "https://www.it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/",
 "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware",
- "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf"
+ "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/",
+ "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
+ "https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis",
+ "https://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/",
+ "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf",
+ "https://www.mandiant.com/resources/unc2596-cuba-ransomware"
+ ],
+ "synonyms": [
+ "COLDDRAW"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "6d9dfc5f-4ebf-404b-ab5e-e6497867fe65",
@@ -14624,6 +17651,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutlet",
 "http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html",
 "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf",
+ "https://explore.group-ib.com/htct/hi-tech_crime_2018",
 "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html"
 ],
 "synonyms": [],
@@ -14637,6 +17665,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail",
+ "https://darknetdiaries.com/episode/110/",
 "http://www.secureworks.com/research/threat-profiles/gold-essex",
 "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
 "https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/",
@@ -14658,16 +17687,18 @@
 "value": "Cutwail"
 },
 {
- "description": "",
+ "description": "According to Subex Secure, CyberGate is a Remote Access Trojan (RAT) that allows an attacker to gain unauthorized access to\r\nthe victim’s system. Attackers can remotely connect to the compromised system from anywhere\r\naround the world. The Malware author generally uses this program to steal private information\r\nlike passwords, files, etc. It might also be used to install malicious software on the compromised\r\nsystems.\r\n",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate",
+ "https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns",
 "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://www.subexsecure.com/pdf/malware-reports/2021-05/cybergate-threat-report.pdf",
 "https://blog.reversinglabs.com/blog/rats-in-the-library",
 "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
- "https://citizenlab.ca/2015/12/packrat-report/",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
 "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
- "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols"
+ "https://citizenlab.ca/2015/12/packrat-report/"
 ],
 "synonyms": [
 "Rebhip"
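Review bot: The new CyberGate `description` embeds hard line breaks (`\r\n`) in the middle of sentences — `access to\r\nthe victim’s system`, `anywhere\r\naround the world` — and ends with a trailing `\r\n`, which reads as the line wrapping of the cited PDF carried over verbatim. The other descriptions visible in this diff (for example the FireEye one two hunks above) are single-line strings, so the text should be joined with single spaces and the trailing break trimmed before it is displayed by consumers that render the field as-is. `The Malware author` also capitalises a common noun mid-sentence. The entry's `synonyms` array continues past the end of the hunk.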
@@ -14804,12 +17835,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot", + "https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor", "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", "https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/", - "https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", "https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot", + "https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/", "https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github", "https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html", "https://securelist.com/financial-cyberthreats-in-2020/101638/", 
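Review bot: The CISA AA22-110A joint advisory is added to the DanaBot refs twice in two forms — the `AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf` here and `https://www.cisa.gov/uscert/ncas/alerts/aa22-110a` in the next DanaBot hunk — so one source appears as two entries. If the galaxy deliberately lists both the HTML alert and its PDF, this is fine; otherwise keep one so the entry is not double-counted by consumers that count references. The same pair is added to the DoppelDridex refs in the last hunk.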
@@ -14818,16 +17851,26 @@ "https://malwareandstuff.com/deobfuscating-danabots-api-hashing/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://blogs.blackberry.com/en/2021/11/threat-thursday-danabot-malware-as-a-service", "https://research.checkpoint.com/danabot-demands-a-ransom-payment/", + "https://asec.ahnlab.com/en/30445/", "https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", - "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0", + "https://www.mandiant.com/resources/supply-chain-node-js", + "https://twitter.com/f0wlsec/status/1459892481760411649", + "https://assets.virustotal.com/reports/2021trends.pdf", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/", - "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", - "https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/", "https://blog.lexfo.fr/danabot-malware.html", + "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", + "https://www.zscaler.com/blogs/security-research/spike-danabot-malware-activity", + "https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense", + "https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/", + "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0", + 
"https://www.bitdefender.com/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/", "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", + "https://security-soup.net/decoding-a-danabot-downloader/", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", "https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/", "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/" ], @@ -14838,11 +17881,12 @@ "value": "DanaBot" }, { - "description": "", + "description": "Danbot is a backdoor malware that is originally written in C#. Recent versions of Danbot are written in C++. Danbot is capable of giving a remote attacker remote access features such as running a cmd command, upload and download files, move and copy files. The backdoor commands are transmitted by either using HTTP or DNS protocols. The commands are encapsulated in an XML file that gets stored in disk. Danbot's backdoor component picks up the XML file where it decodes and decrypts the commands.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot", "https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf", + "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf", "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum", "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf", "https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f", 
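Review bot: The new Danbot description reads awkwardly in two places: `giving a remote attacker remote access features such as` repeats "remote", and `gets stored in disk` should be `gets stored on disk`. Suggested wording for the first: `Danbot gives a remote attacker capabilities such as running a cmd command, uploading and downloading files, and moving and copying files.` The rest of the text is fine as written.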
@@ -14862,17 +17906,22 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://content.fireeye.com/apt/rpt-apt38", + "https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf", "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", - "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", + "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html", "https://www.secureworks.com/research/threat-profiles/copper-fieldstone", "https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", - "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/", "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html", "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/", + "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", "https://www.tgsoft.it/files/report/download.asp?id=7481257469", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services", "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.DarkComet", + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html", "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/" ], "synonyms": [ 
@@ -14898,6 +17947,19 @@
 "uuid": "8258311c-0d64-4c6b-ab94-915e2cc267f0",
 "value": "DarkIRC"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkloader",
+ "https://twitter.com/3xp0rtblog/status/1459081435361517585"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "269be5a3-471c-4a4b-a5d7-97ce75579213",
+ "value": "DarkLoader"
+ },
 {
 "description": "",
 "meta": {
@@ -14947,7 +18009,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkrat",
- "https://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md"
+ "https://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md",
+ "https://fr3d.hk/blog/darkrat-hacking-a-malware-control-panel"
 ],
 "synonyms": [],
 "type": []
@@ -14960,7 +18023,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkshell-ddos-botnet-evolves-with-variants/"
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkshell-ddos-botnet-evolves-with-variants/",
+ "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -14976,13 +18040,18 @@ "https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom", "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service", "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", + "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", "http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/", "https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack", + "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/", "https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/", "https://www.advanced-intel.com/post/from-dawn-to-silent-night-darkside-ransomware-initial-attack-vector-evolution", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://github.com/sisoma2/malware_analysis/tree/master/blackmatter", "https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime", + "https://www.youtube.com/watch?v=NIiEcOryLpI", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", "https://twitter.com/ValthekOn/status/1422385890467491841?s=20", "https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6", 
@@ -14991,9 +18060,13 @@ "https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/", "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b", "https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://www.ic3.gov/Media/News/2021/211101.pdf", "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/", + "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf", + "https://asec.ahnlab.com/en/34549/", "https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted", 
@@ -15005,9 +18078,12 @@ "https://www.varonis.com/blog/darkside-ransomware/", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/", + "https://zawadidone.nl/darkside-ransomware-analysis/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://www.databreaches.net/a-chat-with-darkside/", + "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/", "https://www.youtube.com/watch?v=qxPXxWMI2i4", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/", + "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", "https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a", "https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions", 
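Review bot: The added `https://zawadidone.nl/darkside-ransomware-analysis/` appears to be a second URL for the post already listed as `https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html` (kept as context in a later DarkSide hunk); if the site only changed its permalink scheme, one of the two is redundant. Worth confirming which URL still resolves and keeping that one. The refs array of this entry is large enough that such near-duplicates are easy to miss, so a host-plus-path normalisation pass before merging would catch them.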
@@ -15018,31 +18094,38 @@ "https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/", "http://ti.dbappsecurity.com.cn/blog/index.php/2021/05/10/darkside/", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", + "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", + "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group", "https://zetter.substack.com/p/anatomy-of-one-of-the-first-darkside", "https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html", "https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/", "https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/", "https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoins-in-deposit-on-hacker-forum/", "https://twitter.com/JAMESWT_MHT/status/1388301138437578757", - "https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968", "https://blog.group-ib.com/blackmatter#", "https://github.com/Haxrein/Malware-Analysis-Reports/blob/main/darkside_ransomware_technical_analysis_report.pdf", + "https://blog.group-ib.com/blackmatter2", "https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636", "https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html", "https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin", "https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims", "https://threatpost.com/guess-fashion-data-loss-ransomware/167754/", "https://www.repubblica.it/economia/finanza/2021/04/28/news/un_sospetto_attacco_telematico_blocca_le_filiali_della_bcc_di_roma-298485827/", - 
"https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/", + "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", + "https://community.riskiq.com/article/fdf74f23", + "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/", "https://us-cert.cisa.gov/ncas/alerts/aa21-131a", "https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/", + "https://www.secjuice.com/blue-team-detection-darkside-ransomware/", + "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://id-ransomware.blogspot.com/2021/07/blackmatter-ransomware.html", "https://www.secureworks.com/research/threat-profiles/gold-waterfall", "https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/", + "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/", "https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/", "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/", "https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/", 
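Review bot: The added Symantec ransomware landscape reference uses the host `www.symantec.broadcom.com`, while the other Symantec hubfs references in this same entry (`https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf` and the `Attacks-Against-Critical_Infrastructrure.pdf` link) use `symantec.broadcom.com`; the `www.` variant may be a copy error. Please check that the link resolves, and if it redirects to the bare host, store the canonical form so the entry stays consistent.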
@@ -15056,18 +18139,23 @@ "https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/", "https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks", "https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.acronis.com/en-us/articles/darkside-ransomware/", - "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/", - "https://www.secjuice.com/blue-team-detection-darkside-ransomware/", + "https://www.databreaches.net/a-chat-with-darkside/", + "https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/", "https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html", - "https://community.riskiq.com/article/fdf74f23", + "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf", + "https://brandefense.io/darkside-ransomware-analysis-report/", + "https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968", "https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/", "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", + "https://www.nozominetworks.com/blog/how-to-analyze-malware-for-technical-writing/", "https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/", "https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/", + "https://www.metabaseq.com/recursos/inside-darkside-the-ransomware-that-attacked-colonial-pipeline#", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", - 
"https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf", + "https://twitter.com/GelosSnake/status/1451465959894667275", "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", "https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html" ], @@ -15137,6 +18225,19 @@ "uuid": "fc91803f-610c-4ad5-ba0c-b78d65abc6db", "value": "Darktrack RAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkvnc", + "https://reaqta.com/2017/11/short-journey-darkvnc/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "302b2b26-9833-4da7-94f5-a7bd152ad40c", + "value": "DarkVNC" + }, { "description": "", "meta": { 
@@ -15192,14 +18293,36 @@ "uuid": "827490bf-19b8-4d14-83b3-7da67fbe436c", "value": "Datper" }, + { + "description": "Symantec describes this as a malware written as Windows kernel driver, used by China-linked threat actors. The malware has a custom TCP/IP stack and is capable of hijacking connections.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.daxin", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-malware-espionage-analysis", + "https://twitter.com/M_haggis/status/1498399791276912640", + "https://gist.github.com/usualsuspect/839fbc54e0d76bb2626329cd94274cd6", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage-analysis", + "https://www.nzz.ch/technologie/china-soll-mit-praezedenzloser-malware-regierungen-ausspioniert-haben-ld.1672292", + "https://www.bleepingcomputer.com/news/security/chinese-cyberspies-target-govts-with-their-most-advanced-backdoor/", + "https://www.reuters.com/technology/new-chinese-hacking-tool-found-spurring-us-warning-allies-2022-02-28/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "63bf3200-5e7b-4e29-ba1c-6bf834c15459", + "value": "Daxin" + }, { "description": "This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. 
The Delphi stager has the actual payload embedded as a resource and starts it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader", - "https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html", "https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands", - "https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/" + "https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/", + "https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat", + "https://malcat.fr/blog/exploit-steganography-and-delphi-unpacking-dbatloader/", + "https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html" ], "synonyms": [ "ModiLoader", 
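Review bot: The new Daxin entry lists three Symantec blog URLs whose slugs differ only slightly — `daxin-malware-espionage-analysis`, `daxin-backdoor-espionage` and `daxin-backdoor-espionage-analysis` — and the first and third look like the same post under an old and a new slug; worth checking which of them resolve rather than carrying all three. The description would also read better as `a malware written as a Windows kernel driver` (missing article).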
@@ -15215,10 +18338,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat",
+ "https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html",
+ "https://community.riskiq.com/article/50c77491",
 "https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html",
- "https://www.youtube.com/watch?v=ElqmQDySy48"
+ "https://www.youtube.com/watch?v=ElqmQDySy48",
+ "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
+ "https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/malspam-campaign-delivers-dark-crystal-rat-dcrat/",
+ "https://forensicitguy.github.io/snip3-crypter-dcrat-vbs/",
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
+ "https://www.zscaler.com/blogs/security-research/freecryptoscam-new-cryptocurrency-scam-leads-installation-backdoors-and",
+ "https://cert.gov.ua/article/405538"
 ],
 "synonyms": [
 "DarkCrystal RAT"
@@ -15228,6 +18359,21 @@
 "uuid": "b32ffb50-8ef1-4c78-a71a-bb23089b4de6",
 "value": "DCRat"
 },
+ {
+ "description": "A ransomware as used by MosesStaff, built around the DiskCryptor tool.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcsrv",
+ "https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/"
+ ],
+ "synonyms": [
+ "DCrSrv"
+ ],
+ "type": []
+ },
+ "uuid": "7b2609aa-fc3f-4693-a3f1-da4cac77490c",
+ "value": "DCSrv"
+ },
 {
 "description": "",
 "meta": {
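Review bot: The new DCSrv description, `A ransomware as used by MosesStaff, built around the DiskCryptor tool.`, has a stray "as"; `A ransomware used by MosesStaff, built around the DiskCryptor tool.` reads cleanly. The synonym `DCrSrv` differs from the value `DCSrv` by one letter, so a reader cannot tell whether it is a genuine alias or a typo; the Check Point report already in `refs` is the place to confirm it, and if it is the name the malware uses for itself, saying so in the description would make the relation explicit.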
@@ -15279,6 +18425,7 @@
 "https://www.youtube.com/watch?v=qmCjtigVVR0",
 "https://lifars.com/wp-content/uploads/2021/04/DearCry_Ransomware.pdf",
 "https://www.youtube.com/watch?v=Hhx9Q2i7zGo",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
 "https://www.youtube.com/watch?v=MRTdGUy1lfw",
 "https://www.youtube.com/watch?v=6lSfxsrs61s&t=5s",
 "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
@@ -15314,6 +18461,19 @@
 "uuid": "2bc6623a-d7d6-48fc-af79-647648f455aa",
 "value": "DeathRansom"
 },
+ {
+ "description": "Ransomware written in Go.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.decaf",
+ "https://blog.morphisec.com/decaf-ransomware-a-new-golang-threat-makes-its-appearance"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c70e97ea-73bb-4342-a8cd-6cbe0e589bec",
+ "value": "DECAF"
+ },
 {
 "description": "",
 "meta": {
@@ -15368,6 +18528,19 @@
 "uuid": "bbc6dbe3-0ade-4b80-a1cb-c19e23ea8b88",
 "value": "Defray"
 },
+ {
+ "description": "Described by Elastic as being associated with win.jupyter, and being used in the context of initial access, persistence, and C&C capabilities.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deimos",
+ "https://www.elastic.co/blog/going-coast-to-coast-climbing-the-pyramid-with-the-deimos-implant"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e369e45e-0e92-4811-822e-5e598285465e",
+ "value": "Deimos"
+ },
 {
 "description": "",
 "meta": {
@@ -15539,25 +18712,32 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma", + "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", "https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground", + "https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/", "https://securelist.com/cis-ransomware/104452/", + "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/", "https://www.group-ib.com/media/iran-cybercriminals/", "https://cyberveille-sante.gouv.fr/cyberveille-sante/1821-france-retour-dexperience-suite-une-attaque-par-rancongiciel-contre-une", "https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/", + "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.acronis.com/en-us/articles/Dharma-ransomware/", "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", 
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware", "https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack", + "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/", "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://twitter.com/JakubKroustek/status/1087808550309675009", "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/" 
@@ -15601,10 +18781,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.diavol",
+ "https://medium.com/walmartglobaltech/diavol-the-enigma-of-ransomware-1fd78ffda648",
 "https://www.binarydefense.com/threat_watch/new-ransomware-diavol-being-dropped-by-trickbot/",
+ "https://arcticwolf.com/resources/blog/karakurt-web",
+ "https://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/",
+ "https://www.scythe.io/library/adversary-emulation-diavol-ransomware-threatthursday",
+ "https://www.ic3.gov/Media/News/2022/220120.pdf",
 "https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/",
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
 "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider",
 "https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-shows-stronger-connection-to-trickbot-gang/",
+ "https://chuongdong.com/reverse%20engineering/2021/12/17/DiavolRansomware/",
 "https://heimdalsecurity.com/blog/is-diavol-ransomware-connected-to-wizard-spider/",
 "https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/"
 ],
@@ -15659,9 +18846,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dirtymoe",
- "https://decoded.avast.io/martinchlumecky/dirtymoe-3/",
+ "https://decoded.avast.io/martinchlumecky/dirtymoe-4/",
+ "https://decoded.avast.io/martinchlumecky/dirtymoe-5/",
 "https://decoded.avast.io/martinchlumecky/dirtymoe-rootkit-driver/",
- "https://decoded.avast.io/martinchlumecky/dirtymoe-1/"
+ "https://decoded.avast.io/martinchlumecky/dirtymoe-1/",
+ "https://decoded.avast.io/martinchlumecky/dirtymoe-3/",
+ "https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html"
 ],
 "synonyms": [],
 "type": []
@@ -15701,26 +18891,28 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack", - "http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html", - "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", - "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/", - "https://content.fireeye.com/m-trends/rpt-m-trends-2017", "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware", - "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", - "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412", "https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", - "https://securelist.com/shamoon-the-wiper-copycats-at-work/", - "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/", - "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf", - "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf", 
"https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis", - "https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/", + "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf", + "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", + "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", + "https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks", + "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", + "https://content.fireeye.com/m-trends/rpt-m-trends-2017", + "https://securelist.com/shamoon-the-wiper-copycats-at-work/", "https://malwareindepth.com/shamoon-2012/", - "https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks" + "http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html", + "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/", + "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412", + "https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf", + "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail", + "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf", + 
"https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/" ], "synonyms": [ "Shamoon" @@ -15821,10 +19013,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger", - "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/", + "https://blog.talosintelligence.com/2017/03/dnsmessenger.html", "https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html", - "https://blog.talosintelligence.com/2017/03/dnsmessenger.html" + "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", + "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/" ], "synonyms": [ "TEXTMATE" 
@@ -15879,28 +19073,54 @@ "value": "DogHousePower" }, { - "description": "", + "description": "Donut is an open-source in-memory injector/loader, designed for execution of VBScript, JScript, EXE, DLL files and dotNET assemblies. It was used during attacks against U.S. organisations according to Threat Hunter Team (Symantec) and U.S. Defence contractors (Unit42).\r\nGithub: https://github.com/TheWover/donut", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.donut_injector", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us" + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us", + "https://thewover.github.io/Introducing-Donut/" + ], + "synonyms": [ + "Donut" ], - "synonyms": [], "type": [] }, "uuid": "d713f337-b9c7-406d-88e4-3352b2523c73", "value": "donut_injector" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.doorme", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b91e1d34-cabd-404f-84d2-51a4f9840ffb", + "value": "DoorMe" + }, { "description": "DoppelDridex is a fork of Indrik Spider's Dridex malware. 
DoppelDridex has been run as a parallel operation to Dridex with a different malware versioning system, different RSA key, and with different infrastructure.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppeldridex", - "https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document?&web_view=true", + "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/", + "https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware", + "https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/", "https://redcanary.com/blog/grief-ransomware/", - "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", + "https://twitter.com/BrettCallow/status/1453557686830727177?s=20", + "https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays", "https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" + "https://cyber-anubis.github.io/malware%20analysis/dridex/", + "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", + "https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document?&web_view=true", + "https://blogs.blackberry.com/en/2021/11/zebra2104", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.0ffset.net/reverse-engineering/malware-analysis/dridex-veh-api-obfuscation/" ], "synonyms": [], "type": [] 
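Review bot: The new donut_injector description attributes use against U.S. defence contractors to Unit42, but the refs in this hunk list only the Symantec WastedLocker post and TheWover's own introduction, so that attribution has no citation inside the entry. Either add the Unit42 report that supports it to `refs` or drop the clause until one is available. The GitHub URL is carried only inside the description string; galaxy consumers read `refs`, not free text, so `"https://github.com/TheWover/donut"` should also be appended to the refs array. Minor: "dotNET" would read better as ".NET".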
@@ -15915,30 +19135,39 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer", "https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/", "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", + "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/", "https://sites.temple.edu/care/ci-rw-attacks/", "https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/", "https://techcrunch.com/2020/03/01/visser-breach/", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", + "https://lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding", 
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://www.ic3.gov/Media/News/2020/201215-1.pdf", "https://twitter.com/vikas891/status/1385306823662587905", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", + "https://twitter.com/BrettCallow/status/1453557686830727177?s=20", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c", "https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", + "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", 
@@ -15949,12 +19178,13 @@
 "https://www.secureworks.com/research/threat-profiles/gold-heron",
 "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
 "https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/",
 "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
 "https://redcanary.com/blog/grief-ransomware/",
 "https://twitter.com/AltShiftPrtScn/status/1385103712918642688",
 "http://www.secureworks.com/research/threat-profiles/gold-heron",
+ "https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/",
 "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
 "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
 "https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/",
@@ -16032,7 +19262,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublefantasy",
 "https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/",
- "https://twitter.com/Int2e_/status/1294565186939092994"
+ "https://twitter.com/Int2e_/status/1294565186939092994",
+ "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/"
 ],
 "synonyms": [
 "VALIDATOR"
@@ -16058,6 +19289,28 @@
 "uuid": "32984744-c0f9-43f7-bfca-c3276248a4fa",
 "value": "DoublePulsar"
 },
+ {
+ "description": "A wiper identified by CERT-UA on March 17th, written in C#.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublezero",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
+ "https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/",
+ "https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html",
+ "https://securelist.com/new-ransomware-trends-in-2022/106457/",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-doublezero",
+ "https://cert.gov.ua/article/38088",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
+ "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7b4234ff-a7c2-4991-b4bf-6e13c57103cd",
+ "value": "DoubleZero"
+ },
 {
 "description": "",
 "meta": {
@@ -16096,7 +19349,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.downpaper",
 "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
- "http://www.clearskysec.com/charmingkitten/"
+ "http://www.clearskysec.com/charmingkitten/",
+ "https://www.infinitumit.com.tr/apt-35/"
 ],
 "synonyms": [],
 "type": []
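Review bot: The new DoubleZero description dates the CERT-UA identification as "March 17th" with no year, which becomes ambiguous as soon as this file outlives 2022; the refs in the same hunk (CERT-UA article 38088, the CIP "15-22 bereznya" statistics page, and the Nextgov and Talos posts under /2022/03/) all place it in March 2022. Suggest `"description": "A wiper identified by CERT-UA on 17 March 2022, written in C#."`. The `query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd` entry is an opaque CDN download whose content cannot be told from the URL; if it is a Microsoft report, the microsoft.com landing page would presumably be the more durable reference — worth confirming before merge.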
@@ -16104,23 +19358,6 @@
 "uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed",
 "value": "DownPaper"
 },
- {
- "description": "simple tool to facilitate download and persistence of a next-stage tool; collects system information and metadata probably in an attempt to tell sandbox-environments apart from real targets on the server-side; uses domains of search engines like Google to check for Internet connectivity; XOR-based string obfuscation with a 16-byte key",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.downrage",
- "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
- "https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals-part-ii/",
- "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/"
- ],
- "synonyms": [
- "GAMEFISH"
- ],
- "type": []
- },
- "uuid": "61ac2821-9512-40c0-b41f-19dd2ea14c74",
- "value": "Downrage"
- },
 {
 "description": "",
 "meta": {
@@ -16174,21 +19411,29 @@ "https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/", "https://securityintelligence.com/dridexs-cold-war-enter-atombombing/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://muha2xmad.github.io/unpacking/dridex/", "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf", "https://home.treasury.gov/news/press-releases/sm845", + "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/", "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", "https://unit42.paloaltonetworks.com/travel-themed-phishing/", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/", "https://twitter.com/TheDFIRReport/status/1356729371931860992", + "https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays", + "https://intel471.com/blog/a-brief-history-of-ta505", "https://www.secureworks.com/research/threat-profiles/gold-heron", + "https://assets.virustotal.com/reports/2021trends.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://twitter.com/Cryptolaemus1/status/1407135648528711680", - "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf", "https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps", "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/", 
"https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex", + "https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/", "https://viql.github.io/dridex/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", @@ -16201,6 +19446,7 @@ "https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes", "https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/", "https://www.youtube.com/watch?v=1VB15_HgUkg", + "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state", "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", 
@@ -16214,49 +19460,63 @@ "https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/", "http://www.secureworks.com/research/threat-profiles/gold-heron", "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", + "https://intel471.com/blog/privateloader-malware", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + "https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/", "https://adalogics.com/blog/the-state-of-advanced-code-injections", "https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/", "https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf", - "https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/", + "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", + "https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/", "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/", + "https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office", "https://threatresearch.ext.hp.com/detecting-ta551-domains/", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", + "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", 
"https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/", "https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf", + "https://malcat.fr/blog/cutting-corners-against-a-dridex-downloader/", + "https://cyber-anubis.github.io/malware%20analysis/dridex/", "https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77", "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/", "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/", + "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf", "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware", "https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/", - "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/", - "https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction", "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation", + "https://community.riskiq.com/article/2cd1c003", + "https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction", "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", - "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", + "https://twitter.com/felixw3000/status/1382614469713530883?s=20", "https://en.wikipedia.org/wiki/Maksim_Yakubets", 
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks", "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", "https://blogs.vmware.com/networkvirtualization/2021/03/analysis-of-a-new-dridex-campaign.html/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.secureworks.com/research/threat-profiles/gold-drake", "https://malwarebookreports.com/cryptone-cobalt-strike/", "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf", + "https://community.riskiq.com/article/e4fb7245", "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", + "https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", + "https://www.atomicmatryoshka.com/post/malware-headliners-dridex", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf", - "https://twitter.com/felixw3000/status/1382614469713530883?s=20" + "https://medium.com/s2wlab/operation-synctrek-e5013df8d167" ], "synonyms": [], "type": [] 
@@ -16269,10 +19529,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.driftpin",
- "https://www.secureworks.com/research/threat-profiles/gold-niagara",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html",
- "https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/"
+ "https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/",
+ "https://www.secureworks.com/research/threat-profiles/gold-niagara"
 ],
 "synonyms": [
 "Spy.Agent.ORM",
@@ -16318,7 +19579,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dropbook",
- "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign"
+ "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign",
+ "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -16492,6 +19754,19 @@
 "uuid": "8420653b-1412-45a1-9a2d-6aa9b9eaf906",
 "value": "DYEPACK"
 },
+ {
+ "description": "Dynamic Stealer is a Github Project C# written code by L1ghtN4n. This code collects passwords and uploads these to Telegram. According to Cyble this Eternity Stealer leverages code from this project and also Jester Stealer could be rebranded from it.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dynamicstealer",
+ "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b8b7b6e3-eef1-43cb-a251-e20a3e57d75e",
+ "value": "DynamicStealer"
+ },
 {
 "description": "",
 "meta": {
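Review bot: The DynamicStealer description says the tool is a GitHub project, yet neither the description nor `refs` carries the repository URL, unlike the EagleMonitorRAT entry added in this same commit, which does cite its source repository; if the Cyble article names the repository, add it to `refs` so the attribution to "L1ghtN4n" is traceable. The prose also needs tightening: "this Eternity Stealer" has no antecedent and "Github Project C# written code" is hard to parse. Suggest `"description": "Dynamic Stealer is an open-source C# stealer published on GitHub by L1ghtN4n. It collects passwords and uploads them to Telegram. According to Cyble, Eternity Stealer reuses code from this project, and Jester Stealer may be a rebrand of it."`.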
@@ -16519,6 +19794,19 @@
 "uuid": "1ecbcd20-f238-47ef-874b-08ef93266395",
 "value": "Dyre"
 },
+ {
+ "description": "This RAT written in C# was derived from HorusEyesRat. It was modified by \"Arsium\" and published on GitHub. There is also a client builder included.\r\nGithub Source: https://github.com/arsium/EagleMonitorRAT",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eagle_monitor_rat",
+ "https://blog.cyble.com/2022/04/18/under-the-lens-eagle-monitor-rat/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c2839018-3e2a-44ac-9ad6-60dbc0973918",
+ "value": "EagleMonitorRAT"
+ },
 {
 "description": "FireEye describes EASYNIGHT is a loader observed used with several malware families, including HIGHNOON and HIGHNOON.LITE. The loader often acts as a persistence mechanism via search order hijacking.\r\n\r\nExamples include a patched bcrypt.dll with no other modification than an additional import entry, in the observed case \"printwin.dll!gzwrite64\" (breaking the file signature).",
 "meta": {
@@ -16553,17 +19841,19 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.egregor",
 "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
+ "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
 "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html",
 "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/",
 "https://www.intrinsec.com/egregor-prolock/",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/",
 "https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html",
 "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
 "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
 "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
 "https://blog.emsisoft.com/en/37810/ransomware-profile-egregor/",
 "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/",
- "https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/",
- "https://twitter.com/redcanary/status/1334224861628039169",
+ "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
 "https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware",
 "https://areteir.com/wp-content/uploads/2021/01/01182021_Egregor_Insight.pdf",
 "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
@@ -16572,8 +19862,10 @@
 "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
 "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/",
 "https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/",
+ "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html",
 "https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/",
 "https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/",
 "https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
@@ -16584,6 +19876,7 @@
 "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis",
 "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
 "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
 "https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/",
 "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
 "https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/",
@@ -16595,18 +19888,21 @@
 "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
 "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
 "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
- "https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/",
+ "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
 "https://therecord.media/frances-lead-cybercrime-investigator-on-the-egregor-arrests-cybercrime/",
 "https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor",
+ "https://twitter.com/redcanary/status/1334224861628039169",
 "https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/EGREGOR%20REPORT%20WEB%20FINAL.pdf",
 "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
 "https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/",
 "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
 "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf",
 "https://securelist.com/targeted-ransomware-encrypting-data/99255/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
 "https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/",
 "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
- "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
+ "https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/",
+ "https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/",
 "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/",
"https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/", "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/" @@ -16695,6 +19991,19 @@ "uuid": "3477a25d-e04b-475e-8330-39f66c10cc01", "value": "Elise" }, + { + "description": "This dropper masquerades itself as Adobe software, titled as Adobe.msi. It is used to executes the python written Backdoor used by this threat actor.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.elmachete_dropper_2022", + "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "66b8cbdc-6190-4568-b615-0ae8a51d2148", + "value": "El Machete APT Backdoor Dropper" + }, { "description": "ELMER is a non-persistent proxy-aware HTTP backdoor written in Delphi, and is capable of performing file uploads and downloads, file execution, and process and directory listings. To retrieve commands, ELMER sends HTTP GET requests to a hard-coded CnC server, and parses the HTTP response packets received from the CnC server for an integer string corresponding to the command that needs to be executed.", "meta": { 
@@ -16745,57 +20054,87 @@ "value": "Emissary" }, { - "description": "While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.\r\nIt is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.\r\nEmotet has been taken down in January 2021.", + "description": "While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.\r\nIt is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. 
From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.\r\nEmotet had been taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet", + "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure", + "https://www.youtube.com/watch?v=AkZ5TYBqcU4", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf", "https://www.youtube.com/watch?v=q8of74upT_g", + "https://www.hornetsecurity.com/en/threat-research/comeback-emotet/", + "https://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros", "https://team-cymru.com/blog/2021/01/27/taking-down-emotet/", "https://hello.global.ntt/en-us/insights/blog/behind-the-scenes-of-the-emotet-infrastructure", "https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/", "https://blog.vincss.net/2021/01/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-Emotet-samples.html", + "https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection", + "https://www.atomicmatryoshka.com/post/malware-headliners-emotet", "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", "https://www.jpcert.or.jp/english/at/2019/at190044.html", + "https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903", "https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/", - 
"https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers", + "https://web.archive.org/web/20211223100528/https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/", "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", "https://twitter.com/raashidbhatt/status/1237853549200936960", + "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii", "https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf", "https://hello.global.ntt/en-us/insights/blog/shellbot-victim-overlap-with-emotet-network-infrastructure", + "https://www.zscaler.com/blogs/security-research/return-emotet-malware", "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html", "https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf", + "https://www.inde.nz/blog/analysis-of-the-latest-wave-of-emotet-malicious-documents", + "https://www.youtube.com/watch?v=_BLOmClsSpc", "https://therecord.media/over-780000-email-accounts-compromised-by-emotet-have-been-secured/", - "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf", - "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return", + "https://blogs.vmware.com/security/2022/03/emotet-c2-configuration-extraction-and-analysis.html", + "https://notes.netbytesec.com/2021/02/deobfuscating-emotet-macro-and.html", + "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-report-modern-bank-heists-2020.pdf", + "https://muha2xmad.github.io/unpacking/emotet-part-1/", + 
"https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", + "https://blog.lumen.com/emotet-redux/", + "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx", "https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/", "https://www.secureworks.com/research/threat-profiles/gold-crestwood", + "https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html", "https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/", + "https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/", + "https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/", "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf", + "https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", - "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure", + "https://blogs.vmware.com/networkvirtualization/2022/02/emotet-is-not-dead-yet-part-2.html/", "https://www.youtube.com/watch?v=5_-oR_135ss", "https://www.digitalshadows.com/blog-and-research/emotet-disruption/", "https://www.deepinstinct.com/2020/08/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before/", - "https://www.youtube.com/watch?v=_BLOmClsSpc", + "https://www.kroll.com/en/insights/publications/cyber/monitor/emotet-analysis-new-lnk-in-the-infection-chain", + "https://twitter.com/Cryptolaemus1/status/1516535343281025032", + "https://threatresearch.ext.hp.com/emotets-return-whats-different/", "https://unit42.paloaltonetworks.com/c2-traffic/", "https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol", 
"https://paste.cryptolaemus.com", "https://blog.virustotal.com/2020/11/using-similarity-to-expand-context-and.html", - "https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html", - "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", + "https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/", + "https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/", "https://www.picussecurity.com/blog/emotet-technical-analysis-part-1-reveal-the-evil-code", + "https://forensicitguy.github.io/emotet-excel4-macro-analysis/", "https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/", + "https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/", "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus", "https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/", "https://www.hornetsecurity.com/en/threat-research/emotet-botnet-takedown/", - "https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69", + "https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/", "https://www.lac.co.jp/lacwatch/people/20201106_002321.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", + 
"https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/", + "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", + "https://www.bitsight.com/blog/emotet-botnet-rises-again", "https://blog.talosintelligence.com/2020/11/emotet-2020.html", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", "https://atr-blog.gigamon.com/2020/01/13/emotet-not-your-run-of-the-mill-malware/", 
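Review bot: The added ref `https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-report-modern-bank-heists-2020.pdf` appears to be the same "Modern Bank Heists 2020" report already listed as the unchanged `https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf` (the file names match apart from case), so the Emotet entry now carries two URLs for one document. If the CDN link is dead the new URL should replace it; otherwise one of the two can be dropped. The rewritten description's closing sentence about the November 2021 return could briefly say how it happened, which the added TrickBot-related refs (e.g. `blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/`) seem to cover, but that is optional.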
@@ -16803,57 +20142,93 @@ "https://www.hornetsecurity.com/en/security-information/emotet-is-back/", "https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures", "https://www.tagesschau.de/investigativ/br-recherche/emotet-schadsoftware-103.html", + "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/", + "https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html", "https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728", "https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/", "https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b", + "https://threatpost.com/emotet-spreading-malicious-excel-files/178444/", "https://unit42.paloaltonetworks.com/emotet-command-and-control/", "https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/", + "https://www.youtube.com/watch?v=8PHCZdpNKrw", "https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2021/Presse2021/210127_pmEmotet.html", "https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage", + "https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break", + "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html", "https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/", + "https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/", "https://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/", + "https://cyber.wtf/2022/03/23/what-the-packer/", 
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/", "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1", - "https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation", + "https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/", - "https://www.youtube.com/watch?v=8PHCZdpNKrw", + "https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf", + "https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques", + "https://isc.sans.edu/diary/28044", + "https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html", "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes", "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/", "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", "https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/", + "https://www.zscaler.com/blogs/security-research/return-emotet-malware-analysis", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/", "https://github.com/mauronz/binja-emotet", + "https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office", + "https://www.esentire.com/security-advisories/emotet-activity-identified", "https://www.cert.pl/en/news/single/whats-up-emotet/", + 
"https://securelist.com/emotet-modules-and-recent-attacks/106290/", "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", - "https://persianov.net/emotet-malware-analysis-part-1", + "https://blogs.vmware.com/security/2022/05/emotet-moves-to-64-bit-and-updates-its-loader.html", + "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", "https://persianov.net/emotet-malware-analysis-part-2", "https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/", + "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks", + "https://twitter.com/ContiLeaks/status/1498614197202079745", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation", "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", "https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/", + "https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers", "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", - "https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/", + "https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor", "https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/", + "https://www.lac.co.jp/lacwatch/alert/20211119_002801.html", "https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/", + 
"https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/", + "https://www.cronup.com/la-botnet-de-emotet-reinicia-ataques-en-chile-y-latinoamerica/", + "https://blog.threatlab.info/malware-analysis-emotet-infection/", "https://adalogics.com/blog/the-state-of-advanced-code-injections", "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/", "https://hello.global.ntt/en-us/insights/blog/emotet-disruption-europol-counterattack", "https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware", + "https://www.dsih.fr/article/4483/emotet-de-retour-poc-exchange-0-day-windows-a-quelle-sauce-les-attaquants-prevoient-de-nous-manger-cette-semaine.html", + "https://github.com/cecio/EMOTET-2020-Reversing", + "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html", "https://hatching.io/blog/powershell-analysis", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf", + "https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams", "https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/", "https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/", "https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes", "https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/", + "https://blogs.vmware.com/networkvirtualization/2022/01/emotet-is-not-dead-yet.html/", "https://securelist.com/financial-cyberthreats-in-2020/101638/", - "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/", + 
"https://blog.nviso.eu/2022/03/23/hunting-emotet-campaigns-with-kusto/", + "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/", "https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled", "https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html", - "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/", + "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/", + "https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/", + "https://www.netresec.com/?page=Blog&month=2022-05&post=Emotet-C2-and-Spam-Traffic-Video", "https://www.youtube.com/watch?v=_mGMJFNJWSk", "https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/", "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128", 
@@ -16861,70 +20236,103 @@ "https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/", "http://ropgadget.com/posts/defensive_pcres.html", "https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/", + "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/", "https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html", + "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships", "https://cert.grnet.gr/en/blog/reverse-engineering-emotet/", + "https://muha2xmad.github.io/unpacking/emotet-part-2/", "https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/", - "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", - "https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break", - "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", + "https://blogs.cisco.com/security/emotet-is-back", + "https://persianov.net/emotet-malware-analysis-part-1", + "https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/", + "https://blogs.vmware.com/security/2022/05/emotet-config-redux.html", + "https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html", + "https://www.anomali.com/blog/mummy-spiders-emotet-malware-is-back-after-a-year-hiatus-wizard-spiders-trickbot-observed-in-its-return", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", "https://intel471.com/blog/emotet-takedown-2021/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf", + "https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment", 
"https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc", "https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/", + "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612", "https://www.tgsoft.it/files/report/download.asp?id=7481257469", + "https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak", "https://feodotracker.abuse.ch/?filter=version_e", + "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/", + "https://community.riskiq.com/article/2cd1c003", "https://www.deepinstinct.com/2020/10/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before-part-2/", - "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", + "https://asec.ahnlab.com/en/33600/", "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf", "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html", + "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html", "https://unit42.paloaltonetworks.com/domain-parking/", "https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action", + "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://spamauditor.org/2020/10/the-many-faces-of-emotet/", "https://www.hornetsecurity.com/en/security-informationen-en/webshells-powering-emotet/", + "https://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet", + "https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/", "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html", + 
"https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection", "https://securelist.com/the-chronicles-of-emotet/99660/", "https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/", "https://twitter.com/milkr3am/status/1354459859912192002", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/", + "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", "https://github.com/d00rt/emotet_research", + "https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one", "https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/", + "https://www.infosecurity-magazine.com/blogs/a-rundown-of-the-emotet-malware/", "https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack", - "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles", "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf", "https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates", + "https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware", + "https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/", "https://isc.sans.edu/diary/rss/27036", 
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service", - "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", + "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return", "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html", "https://www.youtube.com/watch?v=EyDiIAt__dI", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://isc.sans.edu/diary/rss/28254", "https://d00rt.github.io/emotet_network_protocol/", - "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/", - "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://experience.mandiant.com/trending-evil-2/p/1", + "https://twitter.com/eduardfir/status/1461856030292422659", "https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/", - "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/", + "https://cyber.wtf/2021/11/15/guess-whos-back/", "https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/", + 
"https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf", "https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html", "https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", - "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf", - "https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/", + "https://pl-v.github.io/plv/posts/Emotet-unpacking/", + "https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de", "https://www.wiwo.de/my/technologie/digitale-welt/emotet-netzwerk-wie-eines-der-groessten-hacker-netzwerke-der-welt-lahmgelegt-wurde/27164048.html", + "https://unit42.paloaltonetworks.com/new-emotet-infection-method/", + "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html", "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/", + "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/", "https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/", + 
"https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-emotets-use-of-cryptography/", "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html", - "https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de" + "https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/" ], "synonyms": [ "Geodo", @@ -16940,12 +20348,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader", + "https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/looking-over-the-nation-state-actors-shoulders.html", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "http://www.secureworks.com/research/threat-profiles/gold-burlap", "https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/", "https://us-cert.cisa.gov/ncas/alerts/aa20-275a", "https://paper.seebug.org/1301/", + "https://www.mandiant.com/media/12596/download", "http://www.secureworks.com/research/threat-profiles/gold-heron", "https://www.secureworks.com/research/threat-profiles/bronze-firestone", "https://twitter.com/thor_scanner/status/992036762515050496", 
@@ -16984,9 +20394,10 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal",
 "https://www.secureworks.com/research/threat-profiles/bronze-palace",
 "https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/",
- "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
- "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
 "https://www.secureworks.com/research/threat-profiles/bronze-union",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
+ "https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf",
 "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/"
 ],
 "synonyms": [
@@ -16997,6 +20408,22 @@
 "uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9",
 "value": "Enfal"
 },
+ {
+ "description": "Entropy is a ransomware first seen in 1st quarter of 2022, is being used in conjunction of Dridex infection. The ransomware uses a custom packer to pack itself which has been seen in some early dridex samples. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.entropy",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/",
+ "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/?cmp=30728"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8dc64857-abb1-4926-8114-052f9ba4bc33",
+ "value": "Entropy"
+ },
 {
 "description": "",
 "meta": {
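Review bot: The two Sophos refs in the new `Entropy` entry differ only by a tracking parameter — `.../dridex-bots-deliver-entropy-ransomware-in-recent-attacks/` and the same path with `?cmp=30728` — so one of them is a duplicate; keep the bare URL. The same `?cmp=30728` suffix already sits on a Sophos ref in the Emotet entry above, so stripping that parameter at import time would avoid the problem generally. The description also ends with a stray space inside the string and reads awkwardly; suggested: `"Entropy is a ransomware first seen in the first quarter of 2022 and deployed in conjunction with Dridex infections. It uses a custom packer that has also been observed in some early Dridex samples."`.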
@@ -17010,6 +20437,21 @@
 "uuid": "58071588-708d-447d-9fb4-8c9268142c82",
 "value": "Enviserv"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.envyscout",
+ "https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf",
+ "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0890e245-319d-4291-8f49-21dbc9486181",
+ "value": "EnvyScout"
+ },
 {
 "description": "",
 "meta": {
@@ -17017,6 +20459,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.epsilon_red",
 "https://therecord.media/epsilonred-ransomware-group-hits-one-of-indias-financial-software-powerhouses/",
 "https://news.sophos.com/en-us/2021/05/28/epsilonred/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
 "https://cybleinc.com/2021/06/03/nucleus-software-becomes-victim-of-the-blackcocaine-ransomware/"
 ],
 "synonyms": [
@@ -17054,6 +20497,7 @@
 "https://laanwj.github.io/2016/08/22/blatsting.html",
 "https://laanwj.github.io/2016/09/11/buzzdirection.html",
 "https://laanwj.github.io/2016/09/23/seconddate-adventures.html",
+ "https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/",
 "https://laanwj.github.io/2016/09/13/blatsting-rsa.html",
 "https://laanwj.github.io/2016/09/01/tadaqueos.html",
 "https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html"
@@ -17116,6 +20560,20 @@
 "uuid": "c4531af6-ab25-4266-af41-e01635a93abe",
 "value": "Eris"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.especter",
+ "https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/",
+ "https://www.binarly.io/posts/Design_issues_of_modern_EDR%E2%80%99s_bypassing_ETW-based_solutions/index.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3e89d4e6-f7bd-44fd-ade9-c3d408ce67fb",
+ "value": "ESPecter"
+ },
 {
 "description": "",
 "meta": {
@@ -17148,6 +20606,7 @@
 "https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/",
 "https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/",
 "https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/",
+ "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
 "http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html",
 "https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/",
 "https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html",
@@ -17157,35 +20616,43 @@
 "https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
 "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/",
 "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
 "https://gvnshtn.com/maersk-me-notpetya/",
 "https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/",
- "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
+ "https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/",
 "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html",
 "https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/",
 "https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf",
 "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
- "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/",
+ "https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html",
 "https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/",
 "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
 "https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b",
 "https://www.secureworks.com/research/threat-profiles/iron-viking",
 "https://securelist.com/schroedingers-petya/78870/",
 "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
+ "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
 "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
 "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
 "https://securelist.com/apt-trends-report-q2-2019/91897/",
 "https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna",
 "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://istari-global.com/spotlight/the-untold-story-of-notpetya/",
 "https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4",
 "https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/",
+ "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks",
+ "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
 "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer",
 "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/",
 "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
 "https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/",
 "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html",
 "https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/",
 "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
 "https://securelist.com/bad-rabbit-ransomware/82851/",
 "https://www.riskiq.com/blog/labs/badrabbit/"
 ],
@@ -17205,6 +20672,66 @@
 "uuid": "6f736038-4f74-435b-8904-6870ee0e23ba",
 "value": "EternalPetya"
 },
+ {
+ "description": "This malware is part of the Eternity Malware \"Framework\".",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_clipper",
+ "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/",
+ "https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "283928b7-2820-4230-a012-59302febff90",
+ "value": "Eternity Clipper"
+ },
+ {
+ "description": "Eternity Framework Ransomware Payload",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_ransomware",
+ "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/",
+ "https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/",
+ "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0554d721-71d7-49ff-965c-1512427b303e",
+ "value": "Eternity Ransomware"
+ },
+ {
+ "description": "This Stealer is part of the eternity malware project.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_stealer",
+ "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/",
+ "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/",
+ "https://twitter.com/3xp0rtblog/status/1509601846494695438",
+ "https://blog.sekoia.io/eternityteam-a-new-prominent-threat-group-on-underground-forums/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "94bf44d8-3eb3-42b0-b906-102f2b8548f5",
+ "value": "Eternity Stealer"
+ },
+ {
+ "description": "This malware is part of the Eternity Malware \"Framework\".",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_worm",
+ "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/",
+ "https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/",
+ "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9bdffa86-2bed-4d9d-8697-5d70e62015dc",
+ "value": "Eternity Worm"
+ },
 {
 "description": "",
 "meta": {
@@ -17262,7 +20789,8 @@
 "https://mp.weixin.qq.com/s/lryl3a65uIz1AwZcfuzp1A",
 "https://github.com/eset/malware-ioc/tree/master/evilnum",
 "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
- "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/"
+ "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/",
+ "https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets"
 ],
 "synonyms": [],
 "type": []
@@ -17270,6 +20798,19 @@
 "uuid": "da922c36-ca13-4ea2-a22d-471e91ddac93",
 "value": "EVILNUM (Windows)"
 },
+ {
+ "description": "A wiper used against in an attack against Iran’s state broadcaster. Using campaign name coined by Check Point in lack of a better name for the wiper component.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilplayout",
+ "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a90a1c08-00ea-49ad-8f79-9a4461fce48e",
+ "value": "EvilPlayout"
+ },
 {
 "description": "Privately modded version of the Pony stealer.",
 "meta": {
@@ -17360,6 +20901,21 @@
 "uuid": "c932a2f3-1470-4b0c-8412-2d081901277b",
 "value": "Exile RAT"
 },
+ {
+ "description": "Exfiltration tool written in .NET, used by at least one BlackMatter ransomware operator.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exmatter",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration",
+ "https://www.kroll.com/en/insights/publications/cyber/analyzing-exmatter-ransomware-data-exfiltration-tool",
+ "https://twitter.com/knight0x07/status/1461787168037240834?s=20"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "615e22f7-1b0e-44a0-a666-b95cb6b5e279",
+ "value": "ExMatter"
+ },
 {
 "description": "Ransomware.",
 "meta": {
@@ -17373,6 +20929,24 @@
 "uuid": "d742986c-04f0-48ef-aaa3-10eeb0e95be4",
 "value": "Exorcist"
 },
+ {
+ "description": "Expiro malware has been around for more than a decade, and the malware authors sill continue their work and update it with more features. Also the infection routine was changed in samples fround in 2017 (described by McAfee).\r\nExpiro \"infiltrates\" executables on 32- and 64bit Windows OS versions.\r\nIt has capabilities to install browser extensions, change security behaviour/settings on the infected system, and steal information (e.g. account credentials).\r\nThere is a newly described EPO file infector source code called m0yv in 2022, which is wrongly identified as expiro by some AVs.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.expiro",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Expiro",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/expiro-infects-encrypts-files-to-complicate-repair/",
+ "https://www.welivesecurity.com/2013/07/30/versatile-and-infectious-win64expiro-is-a-cross-platform-file-infector/",
+ "https://github.com/GiacomoFerro/malware-analysis/blob/master/report/report-malware.pdf"
+ ],
+ "synonyms": [
+ "Xpiro"
+ ],
+ "type": []
+ },
+ "uuid": "fd34b588-7b00-4924-827b-6118bece0af1",
+ "value": "Expiro"
+ },
 {
 "description": "",
 "meta": {
@@ -17493,8 +21067,11 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny",
 "https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/",
 "https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf",
- "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1",
- "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/"
+ "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
+ "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/",
+ "https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/",
+ "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1"
 ],
 "synonyms": [
 "DEMENTIAWHEEL"
@@ -17566,7 +21143,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatal_rat",
- "https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis"
+ "https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis",
+ "https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html",
+ "https://www.youtube.com/watch?v=gjvnVZc11Vg",
+ "https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html"
 ],
 "synonyms": [],
 "type": []
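Review bot: The rewritten refs list for win.fanny ends up holding both `https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/` and the pre-existing `https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1`, which differ only by a fragment and point at the same article. The same pattern recurs in the win.flawedammyy and win.flawedgrace hunks, where `https://intel471.com/blog/a-brief-history-of-ta505` is added alongside the older `https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/`. Anything that keys on refs downstream (dedup, enrichment, link checking) will treat these as distinct sources. If this cluster file is regenerated from an upstream feed, the normalisation (dropping URL fragments, collapsing old and new hostnames of one article) belongs in the generator rather than in hand edits; otherwise removing the redundant entry from each list is the smaller change.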
@@ -17649,6 +21229,20 @@
 "uuid": "66781866-f064-467d-925d-5e5f290352f0",
 "value": "Feodo"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ffdroider",
+ "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users",
+ "https://thehackernews.com/2022/04/researchers-warn-of-ffdroider-and.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f557e98e-7e8c-450f-a2a2-abbe81a67a90",
+ "value": "FFDroider"
+ },
 {
 "description": "",
 "meta": {
@@ -17660,6 +21254,7 @@
 "https://twitter.com/3xp0rtblog/status/1321209656774135810",
 "https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market",
 "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
 "https://blogs.blackberry.com/en/2021/08/threat-thursday-ficker-infostealer-malware",
 "https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/"
 ],
@@ -17731,20 +21326,27 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher",
- "https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/",
+ "https://www.msreverseengineering.com/blog/2018/2/21/wsbjxrs1jjw7qi4trk9t3qy6hr7dye",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html",
+ "https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/",
 "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/",
+ "https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-2-first-attempt-at-devirtualization",
+ "https://www.binarly.io/posts/Design_issues_of_modern_EDR%E2%80%99s_bypassing_ETW-based_solutions/index.html",
+ "https://www.msreverseengineering.com/blog/2018/2/21/finspy-vm-unpacking-tutorial-part-3-devirtualization",
 "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/",
 "https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2",
 "https://securelist.com/finspy-unseen-findings/104322/",
 "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/",
 "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf",
+ "https://github.com/RolfRolles/FinSpyVM",
+ "https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-3-fixing-the-function-related-issues",
 "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation",
 "https://securelist.com/apt-trends-report-q2-2019/91897/",
 "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
 "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html",
- "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
+ "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
+ "https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-4-second-attempt-at-devirtualization"
 ],
 "synonyms": [
 "FinSpy"
@@ -17780,6 +21382,20 @@
 "uuid": "0d63d92b-6d4d-470d-9f13-acce0c76911c",
 "value": "FireBird RAT"
 },
+ {
+ "description": "The purpose of this rootkit/driver is hiding and protecting malicious artifacts from user-mode components(e.g. files, processes, registry keys and network connections).\r\nAccording to Fortguard Labs, this malware uses Direct Kernel Object Modification (DKOM), which involves undocumented kernel structures and objects, for its operations, why this malware has to rely on specific OS builds.\r\n",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.firechili",
+ "https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html",
+ "https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "762ea155-1cec-4c67-9c4f-7e8f4c21e19e",
+ "value": "Fire Chili"
+ },
 {
 "description": "",
 "meta": {
@@ -17824,19 +21440,45 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.fivehands",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
+ "https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-operation-matures-with-experienced-affiliates/",
 "https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
 "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
- "https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/",
+ "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
 "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a"
+ "https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/"
+ ],
+ "synonyms": [
+ "Thieflock"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "4d0dc7a3-07bf-4cb9-ba86-c7f154c6b678",
 "value": "FiveHands"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flagpro",
+ "https://cyberandramen.net/2021/12/12/more-flagpro-more-problems/",
+ "https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech",
+ "https://vblocalhost.com/uploads/VB2021-50.pdf",
+ "https://insight-jp.nttsecurity.com/post/102h7vx/blacktechflagpro",
+ "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf"
+ ],
+ "synonyms": [
+ "BUSYICE"
+ ],
+ "type": []
+ },
+ "uuid": "f6b10719-0f7a-45bc-9e47-1406b9966890",
+ "value": "Flagpro"
+ },
 {
 "description": "",
 "meta": {
@@ -17845,6 +21487,7 @@
 "https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf",
 "https://securelist.com/the-flame-questions-and-answers-51/34344/",
 "https://www.crysys.hu/publications/files/skywiper.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
 "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
 "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
 "https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache"
@@ -17875,27 +21518,28 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy",
- "https://www.youtube.com/watch?v=N4f2e8Mygag",
- "https://habr.com/ru/company/pt/blog/475328/",
 "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/",
- "https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "https://attack.mitre.org/software/S0381/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://habr.com/ru/company/pt/blog/475328/",
+ "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
+ "https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
+ "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/",
+ "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
+ "https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south",
+ "https://www.youtube.com/watch?v=N4f2e8Mygag",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/",
+ "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
 "https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/",
 "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/",
- "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat",
- "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/",
- "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat"
+ "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/"
 ],
 "synonyms": [],
 "type": []
@@ -17908,13 +21552,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace",
+ "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant",
 "https://twitter.com/MsftSecIntel/status/1273359829390655488",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
 "https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505",
+ "https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/",
 "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
 "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
@@ -17965,11 +21613,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.flowcloud",
+ "https://nao-sec.org/2021/01/royal-road-redive.html",
+ "https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/",
+ "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/",
 "https://www.proofpoint.com/us/blog/threat-insight/flowcloud-version-413-malware-analysis",
 "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new",
- "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/",
- "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
- "https://nao-sec.org/2021/01/royal-road-redive.html"
+ "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape"
 ],
 "synonyms": [],
 "type": []
@@ -17996,7 +21645,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.floxif",
- "https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library"
+ "https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library",
+ "https://www.mandiant.com/resources/pe-file-infecting-malware-ot"
 ],
 "synonyms": [],
 "type": []
@@ -18080,20 +21730,28 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook",
 "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
- "https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf",
+ "https://elastic.github.io/security-research/intelligence/2022/01/01.formbook-adopts-cabless-approach/article/",
 "https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-based-crypter/",
 "http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html",
 "https://link.medium.com/uaBiIXgUU8",
- "https://usualsuspect.re/article/formbook-hiding-in-plain-sight",
+ "https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/",
 "https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer",
 "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
+ "https://www.lac.co.jp/lacwatch/report/20220307_002893.html",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
 "https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/",
 "https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent",
+ "https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/",
 "https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html",
+ "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
 "https://isc.sans.edu/diary/26806",
 "https://drive.google.com/file/d/1oxINyIJfMtv_upJqRK9vLSchIBaU8wiU/view",
 "https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/",
+ "https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/",
+ "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/",
+ "https://www.netskope.com/blog/new-formbook-campaign-delivered-through-phishing-emails",
+ "https://usualsuspect.re/article/formbook-hiding-in-plain-sight",
 "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
 "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/",
 "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
@@ -18103,18 +21761,20 @@
 "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/",
 "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
 "https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/",
- "https://news.sophos.com/en-us/2020/05/14/raticate/",
- "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/",
+ "https://asec.ahnlab.com/en/32149/",
+ "https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf",
 "https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html",
 "https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii",
 "http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/",
 "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
+ "https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption",
 "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
 "https://youtu.be/aQwnHIlGSBM",
 "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
 "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html",
 "https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/",
 "https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I",
+ "https://news.sophos.com/en-us/2020/05/14/raticate/",
 "https://blog.talosintelligence.com/2018/06/my-little-formbook.html",
 "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html"
 ],
@@ -18131,6 +21791,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/",
 "https://threatvector.cylance.com/en_us/home/breaking-down-ff-rat-malware.html",
 "https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/"
 ],
@@ -18155,6 +21816,19 @@
 "uuid": "02caba7c-1820-40a3-94ae-dc89b5662b3e",
 "value": "FortuneCrypt"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.foxsocket",
+ "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "61b35242-0e16-4502-a909-f4fd5e32abcb",
+ "value": "FoxSocket"
+ },
 {
 "description": "A RAT employing Node.js, Sails, and Socket.IO to collect information on a target",
 "meta": {
@@ -18190,18 +21864,23 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/",
 "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
 "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
 "https://www.secureworks.com/research/threat-profiles/gold-drake",
 "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp",
 "https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
 "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
@@ -18210,6 +21889,8 @@
 "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/",
 "http://www.secureworks.com/research/threat-profiles/gold-drake",
 "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec",
 "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
@@ -18259,6 +21940,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://nao-sec.org/2021/01/royal-road-redive.html",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf",
 "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf",
 "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager"
 ],
@@ -18362,8 +22044,9 @@
 "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
 "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
 "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
- "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware",
 "https://www.wired.com/?p=2171700",
+ "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
 "https://www.lawfareblog.com/what-point-these-nation-state-indictments"
 ],
@@ -18413,33 +22096,40 @@
 "https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/",
+ "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
 "http://www.secureworks.com/research/threat-profiles/gold-garden",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
 "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
 "https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html",
 "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
 "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/",
 "https://isc.sans.edu/diary/23417",
 "https://www.secureworks.com/research/threat-profiles/gold-garden",
+ "https://news.sophos.com/en-us/2019/05/24/gandcrab-spreading-via-directed-attacks-against-mysql-servers/",
 "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights",
 "https://unit42.paloaltonetworks.com/revil-threat-actors/",
 "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://news.sophos.com/en-us/2019/03/05/gandcrab-101-all-about-the-most-widely-distributed-ransomware-of-the-moment/",
 "https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/",
 "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
 "http://asec.ahnlab.com/1145",
 "https://hotforsecurity.bitdefender.com/blog/belarus-authorities-arrest-gandcrab-ransomware-operator-23860.html",
 "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
 "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel",
 "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
 "https://vimeo.com/449849549",
- "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
+ "https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/",
 "https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/",
+ "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html",
 "https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/",
 "https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind",
 "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/",
@@ -18484,7 +22174,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gauss",
- "http://contagiodump.blogspot.com/2012/08/gauss-samples-nation-state-cyber.html"
+ "http://contagiodump.blogspot.com/2012/08/gauss-samples-nation-state-cyber.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf"
 ],
 "synonyms": [],
 "type": []
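Review bot: The added `"https://intel471.com/blog/a-brief-history-of-ta505"` appears to be the same article as the existing `"https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/"` a few lines below (same slug, different host), so the GandCrab refs now carry a duplicate; the importer should normalise URLs (host alias, trailing slash) and dedupe before writing, since the same pair is introduced in several entries in this diff. The CSIS Threat Matrix PDF and the Microsoft human-operated-ransomware post are removed and re-added at other positions without change, which is pure churn; emitting `refs` in a stable sorted order on sync would leave only real additions to review.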
@@ -18583,27 +22274,28 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.get2",
- "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824",
- "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546",
- "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md",
- "https://github.com/Tera0017/TAFOF-Unpacker",
- "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/",
- "https://intel471.com/blog/ta505-get2-loader-malware-december-2020/",
- "https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/",
- "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
- "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
 "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "https://intel471.com/blog/ta505-get2-loader-malware-december-2020/",
+ "https://github.com/Tera0017/TAFOF-Unpacker",
+ "https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://www.goggleheadedhacker.com/blog/post/13",
 "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
+ "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
+ "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824",
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md",
+ "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/",
+ "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672"
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
+ "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/"
 ],
 "synonyms": [
 "FRIENDSPEAK",
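Review bot: The only net content change in this Get2 hunk is the new `"https://intel471.com/blog/a-brief-history-of-ta505"`, which looks like a host-migrated copy of the `"https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/"` that the hunk also keeps; the other sixteen removed lines are re-added verbatim in a different order. Dedupe refs on a canonical form (strip scheme/`www.`/`blog.` aliases and trailing slash) and write them in a deterministic order so a sync diff shows only genuine additions.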
@@ -18676,8 +22368,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole",
- "https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/",
- "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf"
+ "https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf",
+ "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf",
+ "https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/"
 ],
 "synonyms": [
 "CoreImpact (Modified)",
@@ -18694,7 +22387,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostemperor",
 "https://www.kaspersky.com/about/press-releases/2021_ghostemperor-chinese-speaking-apt-targets-high-profile-victims-using-unknown-rootkit",
- "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/"
+ "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -18708,8 +22402,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet",
 "https://en.wikipedia.org/wiki/GhostNet",
- "https://www.nartv.org/2019/03/28/10-years-since-ghostnet/",
- "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html"
+ "https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf",
+ "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html",
+ "https://www.nartv.org/2019/03/28/10-years-since-ghostnet/"
 ],
 "synonyms": [
 "Remosh"
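Review bot: The Ghole entry now references what appears to be the same Operation Woolen-Goldfish whitepaper twice, as the new `"https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf"` and the retained `"http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf"`. If the vendor's https copy is meant as the replacement, drop the plain-http mirror: tools that auto-fetch refs from this cluster should not be handed an unauthenticated download of a malware whitepaper when an https equivalent is listed right above it. If both are intentionally kept (e.g. the Italian mirror hosts a different edition), a short note in the description would stop the next sync from "fixing" it.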
@@ -18736,27 +22431,33 @@
 "value": "GhostAdmin"
 },
 {
- "description": "",
+ "description": "According to Security Ninja, Gh0st RAT (Remote Access Terminal) is a trojan “Remote Access Tool” used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth.\r\n\r\nBelow is a list of Gh0st RAT capabilities.\r\nTake full control of the remote screen on the infected bot.\r\nProvide real time as well as offline keystroke logging.\r\nProvide live feed of webcam, microphone of infected host.\r\nDownload remote binaries on the infected remote host.\r\nTake control of remote shutdown and reboot of host.\r\nDisable infected computer remote pointer and keyboard input.\r\nEnter into shell of remote infected host with full control.\r\nProvide a list of all the active processes.\r\nClear all existing SSDT of all existing hooks.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat",
 "https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf",
+ "https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits",
 "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report",
 "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
 "https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack",
+ "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html",
 "https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/",
 "http://www.hexblog.com/?p=1248",
 "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf",
 "https://www.intezer.com/blog-chinaz-relations/",
+ "https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/",
 "https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html",
+ "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html",
 "http://www.nartv.org/mirror/ghostnet.pdf",
 "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood",
 "https://blog.cylance.com/the-ghost-dragon",
 "https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41",
 "https://s.tencent.com/research/report/836.html",
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf",
 "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/",
+ "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
+ "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
 "https://blog.talosintelligence.com/2019/09/panda-evolution.html",
 "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/",
 "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf",
@@ -18765,11 +22466,12 @@
 "https://www.datanet.co.kr/news/articleView.html?idxno=133346",
 "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html",
 "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
- "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
+ "https://asec.ahnlab.com/en/32572/",
 "https://www.secureworks.com/research/threat-profiles/bronze-edison",
 "https://documents.trendmicro.com/assets/Appendix_Water-Pamola-Attacked-Online-Shops-Via-Malicious-Orders.pdf",
 "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox",
 "http://www.malware-traffic-analysis.net/2018/01/04/index.html",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/",
 "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
 "https://www.secureworks.com/research/threat-profiles/bronze-union",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
@@ -18832,6 +22534,19 @@
 "uuid": "7f768705-d852-4c66-a7e0-76fd5016d07f",
 "value": "Ginwui"
 },
+ {
+ "description": "An information stealer written in .NET.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ginzo",
+ "https://twitter.com/struppigel/status/1506933328599044100"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0edf6463-908a-4c3a-861d-70337c9f67bd",
+ "value": "Ginzo Stealer"
+ },
 {
 "description": "",
 "meta": {
@@ -18873,27 +22588,33 @@
 "value": "GlitchPOS"
 },
 {
- "description": "",
+ "description": "GlobeImposter is a ransomware application which is mainly distributed via \"blank slate\" spam (the spam has no message content and an attached ZIP file), exploits, malicious advertising, fake updates, and repacked installers. GlobeImposter mimics the Globe ransomware family.\r\nThis malware may prevent execution of Anti-Virus solutions and other OS related security features and may prevent system restoration.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter",
 "https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/",
+ "https://www.emsisoft.com/ransomware-decryption-tools/globeimposter",
 "https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Ransomware_whitepaper_eng.pdf",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
 "https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
 "https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run",
- "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
- "https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://asec.ahnlab.com/ko/30284/",
 "https://isc.sans.edu/diary/23417",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://blog.360totalsecurity.com/en/globeimposter-which-has-more-than-20-variants-is-still-wildly-growing/",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
 "https://www.secureworks.com/research/threat-profiles/gold-swathmore",
+ "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
 "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
 "https://blog.ensilo.com/globeimposter-ransomware-technical",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet"
 ],
- "synonyms": [],
+ "synonyms": [
+ "Fake Globe"
+ ],
 "type": []
 },
 "uuid": "73806c57-cef8-4f7b-a78b-7949ef83b2c2",
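Review bot: `"https://intel471.com/blog/a-brief-history-of-ta505"` is added while `"https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/"` stays in the same list; the slugs match, so this is most likely one article under two hosts and one of them should go. The new `"https://asec.ahnlab.com/ko/30284/"` is the Korean-language page, whereas the other ASEC refs introduced in this diff use the `/en/` path; if an English rendition exists, prefer it for consistency. The proofpoint, youtube and pwc lines are removed and re-added unchanged, which is ordering churn that a stable sort on sync would avoid.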
@@ -18929,21 +22650,28 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba",
- "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf",
- "https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728",
- "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign",
+ "https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html",
+ "https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/",
+ "https://habr.com/ru/company/solarsecurity/blog/578900/",
+ "https://community.riskiq.com/article/2a36a7d2/description",
+ "https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/1_Complaint.pdf",
 "http://resources.infosecinstitute.com/tdss4-part-1/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
 "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451",
- "https://habr.com/ru/company/solarsecurity/blog/578900/",
+ "https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html",
+ "https://blog.google/technology/safety-security/new-action-combat-cyber-crime/",
+ "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf",
+ "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/",
+ "https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728",
+ "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign",
+ "https://blog.google/threat-analysis-group/disrupting-glupteba-operation/",
 "https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/",
 "https://labs.k7computing.com/?p=22319",
- "https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html",
- "https://community.riskiq.com/article/2a36a7d2/description",
 "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/",
- "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/",
- "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/"
+ "https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html"
 ],
 "synonyms": [],
 "type": []
@@ -19023,6 +22751,21 @@
 "uuid": "9cfdc3ea-c838-4ac5-bff2-57c92ec24b48",
 "value": "Godzilla Loader"
 },
+ {
+ "description": "A file infector written in Go, discovered by Karsten Hahn in February 2022. According to Karsten, despite its internal naming, it is not polymorphic and the virus body is not encrypted. Gofing uses the Coldfire Golang malware development library.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gofing",
+ "https://twitter.com/struppigel/status/1498229809675214849"
+ ],
+ "synonyms": [
+ "Velocity Polymorphic Compression Malware"
+ ],
+ "type": []
+ },
+ "uuid": "ba142293-2f22-46e3-8b8e-086f3571f14c",
+ "value": "Gofing"
+ },
 {
 "description": "",
 "meta": {
@@ -19072,6 +22815,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenhelper",
+ "https://tomiwa-xy.medium.com/static-analysis-of-goldenhelper-malware-golden-tax-malware-d9f85a88e74d",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/"
 ],
 "synonyms": [],
@@ -19106,10 +22850,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldmax",
- "https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a",
 "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques",
- "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/"
+ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/",
+ "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/",
+ "https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a",
+ "https://securelist.com/extracting-type-information-from-go-binaries/104715/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a"
 ],
 "synonyms": [
 "SUNSHUTTLE"
@@ -19124,9 +22873,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon",
- "https://www.youtube.com/watch?v=rfzmHjZX70s",
+ "https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html",
 "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite",
- "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf"
+ "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf",
+ "https://asec.ahnlab.com/en/31089/",
+ "https://www.youtube.com/watch?v=rfzmHjZX70s"
 ],
 "synonyms": [
 "Lovexxx"
@@ -19150,10 +22901,11 @@
 "value": "Golroted"
 },
 {
- "description": "",
+ "description": "Gomorrah is a stealer with no or little obfuscation that appeared around March 2020. It is sold for about 150$ lifetime for v4 (originally 400$ for v3) or 100$ per month by its developer called \"th3darkly / lucifer\" (which is also the developer of CosaNostra botnet). The malware's main functionalities are stealing (passwords, cryptocurrency wallets) and loading of tasks and other payloads.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gomorrah_stealer",
+ "https://twitter.com/vxunderground/status/1469713783308357633",
 "https://github.com/jstrosch/malware-samples/tree/master/binaries/gomorrah/2020/April"
 ],
 "synonyms": [],
@@ -19216,6 +22968,7 @@
 "http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html",
 "http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html",
 "https://www.certego.net/en/news/malware-tales-gootkit/",
+ "https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope",
 "https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
 "https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/?cmp=30728",
@@ -19226,6 +22979,7 @@
 "https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/",
 "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Gootkit-malware.md",
 "https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf",
 "https://www.youtube.com/watch?v=242Tn0IL2jE",
 "https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/",
 "https://connect.ed-diamond.com/MISC/MISC-100/Analyse-du-malware-bancaire-Gootkit-et-de-ses-mecanismes-de-protection",
@@ -19237,6 +22991,8 @@
 "http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/",
 "https://twitter.com/MsftSecIntel/status/1366542130731094021",
 "https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://twitter.com/jhencinski/status/1464268732096815105",
 "https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/",
 "https://www.us-cert.gov/ncas/alerts/TA16-336A",
 "https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055"
@@ -19305,10 +23061,12 @@
 "https://github.com/mlodic/ursnif_beacon_decryptor",
 "https://lokalhost.pl/gozi_tree.txt",
 "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
 "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
 "https://www.youtube.com/watch?v=BcFbkjUVc7o",
 "https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
 "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
 "http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/"
 ],
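Review bot: Both added lines in this hunk are the same Microsoft ransomware-as-a-service post, once without and once with a trailing slash (`.../how-to-protect-yourself` and `.../how-to-protect-yourself/`), so the Gozi entry gains a duplicate reference rather than two. Keep one of them; a normalisation step in the importer (strip the trailing slash, lowercase the host) before comparing against existing refs would catch this class of duplicate on every sync instead of relying on review.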
@@ -19366,6 +23124,24 @@
 "uuid": "94b942e2-cc29-447b-97e2-e496cbf2aadf",
 "value": "Graftor"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gramdoor",
+ "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611",
+ "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf",
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage"
+ ],
+ "synonyms": [
+ "Small Sieve"
+ ],
+ "type": []
+ },
+ "uuid": "0dfa69cc-cc70-4944-af42-7e1f923e6b6b",
+ "value": "GRAMDOOR"
+ },
 {
 "description": "According to ESET Research, Grandoreirois a Latin American banking trojan targeting Brazil, Mexico, Spain and Peru. As such, it shows unusual effort by its authors to evade detection and emulation, and progress towards a modular architecture.",
 "meta": {
@@ -19398,6 +23174,50 @@ "uuid": "626de4fc-cfa4-4fbc-ab35-4c9ab9fdec14", "value": "GrandSteal" }, + { + "description": "Trellix describes Graphite as a malware using the Microsoft Graph API and OneDrive for C&C. It was found being deployed in-memory only and served as a downloader for Empire.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphite", + "https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8ecc6605-eed1-416c-bc8b-0dc1147d3c2b", + "value": "Graphite" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphon", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia" + ], + "synonyms": [], + "type": [] + }, + "uuid": "9ab9e88f-b365-4d58-af52-e9d19ab00348", + "value": "Graphon" + }, + { + "description": "This malware was seen during the cyberattacks on Ukrainian state organizations. 
It is one of two used backdoors written in Go and attributed to UAC-0056 (SaintBear, UNC2589, TA471).", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel", + "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", + "https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830", + "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/", + "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", + "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", + "https://cert.gov.ua/article/38374" + ], + "synonyms": [], + "type": [] + }, + "uuid": "64963521-0181-4220-935a-a6deefa871b2", + "value": "GraphSteel" + }, { "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.", "meta": { 
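Review bot: The GraphSteel description is byte-identical to the GrimPlant description added in a later hunk and names neither family, so a reader of either entry cannot tell which of the "two used backdoors" it is looking at. Lead each description with the family name, e.g. `"description": "GraphSteel is one of two Go backdoors seen in the cyberattacks on Ukrainian state organizations and attributed to UAC-0056 (SaintBear, UNC2589, TA471)."`, and do the same for GrimPlant. The GraphSteel refs also appear to be the GrimPlant list minus the Malwarebytes UAC-0056 write-up; if that article covers both backdoors, GraphSteel should cite it as well.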
@@ -19486,10 +23306,11 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.grey_energy",
 "https://www.eset.com/int/greyenergy-exposed/",
+ "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/",
 "https://www.secureworks.com/research/threat-profiles/iron-viking",
 "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
 "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf",
- "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/",
+ "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
 "https://www.nozominetworks.com/2019/02/12/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/",
 "https://github.com/NozomiNetworks/greyenergy-unpacker"
 ],
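Review bot: The securelist GreyEnergy/Zebrocy ref is removed from one position and re-added unchanged four lines earlier, so a pure move shows up as a delete plus an add and buries the one genuinely new ref (the nviso threat update). The same churn is visible in the Hades, Hakbit, Hancitor, Havex, Hermes, Hive and Houdini hunks, several of which consist mostly of existing URLs changing position. If this file is produced by a generator, emit `refs` in a stable order (for example sorted case-insensitively by URL) so that a regeneration diff contains only real additions and removals; if it is hand-edited, append new refs rather than moving existing ones.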
@@ -19531,11 +23352,31 @@ "uuid": "57460bae-84ad-402d-8949-9103c5917703", "value": "GRIMAGENT" }, + { + "description": "This malware was seen during the cyberattacks on Ukrainian state organizations. It is one of two used backdoors written in Go and attributed to UAC-0056 (SaintBear, UNC2589, TA471).", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant", + "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", + "https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830", + "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/", + "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", + "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", + "https://cert.gov.ua/article/38374", + "https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "235cba54-256e-48a0-b5dc-5e1aa3247cde", + "value": "GrimPlant" + }, { "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.grok" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.grok", + "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/" ], "synonyms": [], "type": [] @@ -19548,6 +23389,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grunt", + "https://www.telsy.com/download/5776/?uid=aca91e397e", "https://ti.qianxin.com/blog/articles/Suspected-Russian-speaking-attackers-use-COVID19-vaccine-decoys-against-Middle-East/", "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html", "https://twitter.com/ItsReallyNick/status/1208141697282117633" 
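Review bot: The new Grunt ref `https://www.telsy.com/download/5776/?uid=aca91e397e` carries a `uid` query parameter that looks like a download token rather than part of the document's canonical address; such links tend to expire or resolve differently per requester, and the token is an opaque value being committed to a public file. Prefer the landing page or a stable document URL, or an archived copy as the Hermes hunk does with web.archive.org, and drop the query string if the download works without it (not verifiable from the diff). The Grok and GrimPlant changes in the preceding hunk on this line raise nothing beyond the shared-description point made at GraphSteel.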
@@ -19643,16 +23485,22 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hades", "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", - "https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure", - "http://www.secureworks.com/research/threat-profiles/gold-winter", + "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp", + "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", + "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", "https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure", "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/", "https://www.accenture.com/us-en/blogs/security/ransomware-hades", "https://twitter.com/inversecos/status/1381477874046169089?s=20", - "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", + "https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf", "https://awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium/", - "https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware" + 
"http://www.secureworks.com/research/threat-profiles/gold-winter" ], "synonyms": [], "type": [] 
@@ -19665,20 +23513,25 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hakbit", + "https://www.justice.gov/usao-edny/press-release/file/1505981/download", "https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4", "http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html", + "https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", - "https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland", + "https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/", + "https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/", + "https://www.sekoia.io/en/the-story-of-a-ransomware-builder-from-thanos-to-spook-and-beyond-part-1/", "https://blog.cyble.com/2021/06/05/prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations/", "https://unit42.paloaltonetworks.com/thanos-ransomware/", "https://securelist.com/cis-ransomware/104452/", + "https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland", "https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf", "https://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/", "https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/", - "https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/", + 
"https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/", "https://unit42.paloaltonetworks.com/prometheus-ransomware/" ], "synonyms": [ 
@@ -19711,32 +23564,43 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor", "https://unit42.paloaltonetworks.com/wireshark-tutorial-hancitor-followup-malware/", - "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://www.vmray.com/cyber-security-blog/hancitor-multi-step-delivery-process-malware-analysis-spotlight/", + "https://www.malware-traffic-analysis.net/2021/09/29/index.html", + "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", + "https://github.com/OALabs/Lab-Notes/blob/main/Hancitor/hancitor.ipynb", + "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", "https://inquest.net/blog/2021/04/16/unearthing-hancitor-infrastructure", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-making-use-of-cookies-to-prevent-url-scraping", "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/", "https://elis531989.medium.com/dissecting-and-automating-hancitors-config-extraction-1a6ed85d99b8", "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear", "https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/", "https://pid4.io/posts/how_to_write_a_hancitor_extractor/", - "https://www.uperesia.com/hancitor-packer-demystified", + "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", + "https://malware-traffic-analysis.net/2021/09/29/index.html", "https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/", 
"https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/", - "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", + "https://twitter.com/TheDFIRReport/status/1359669513520873473", + "https://muha2xmad.github.io/malware-analysis/fullHancitor/", + "https://www.uperesia.com/hancitor-packer-demystified", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/", - "https://blog.group-ib.com/prometheus-tds", "https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html", "https://isc.sans.edu/diary/rss/27618", - "https://twitter.com/TheDFIRReport/status/1359669513520873473", + "https://blog.group-ib.com/prometheus-tds", + "https://medium.com/@crovax/extracting-hancitors-configuration-with-ghidra-7963900494b5", "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak", "https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/", + "https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-analysing-the-main-loader/", "https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader", + "https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-maldoc-analysis/", "https://www.dodgethissecurity.com/2019/11/01/hancitor-evasive-new-waves-and-how-com-objects-can-use-cached-credentials-for-proxy-authentication/", + "https://www.silentpush.com/blog/pivoting-finding-malware-domains-without-seeing-malicious-activity", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/", + "https://muha2xmad.github.io/unpacking/hancitor/", "https://blog.group-ib.com/hancitor-cuba-ransomware", "https://cyber-anubis.github.io/malware%20analysis/hancitor/" ], 
@@ -19809,10 +23673,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat",
+ "https://vblocalhost.com/uploads/VB2021-Slowik.pdf",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-083a",
 "https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/",
 "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
- "https://www.secureworks.com/research/threat-profiles/iron-liberty",
- "https://www.f-secure.com/weblog/archives/00002718.html"
+ "https://www.f-secure.com/weblog/archives/00002718.html",
+ "https://www.secureworks.com/research/threat-profiles/iron-liberty"
 ],
 "synonyms": [],
 "type": []
@@ -19840,6 +23706,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger",
 "https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html",
 "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/covid-19-cybercrime-m00nd3v-hawkeye-malware-threat-actor/",
+ "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry",
 "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/",
 "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
 "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/",
@@ -19850,7 +23717,7 @@
 "https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/",
 "https://www.cyberbit.com/hawkeye-malware-keylogging-technique/",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/",
- "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry",
+ "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md",
 "https://www.secureworks.com/research/threat-profiles/gold-galleon",
 "http://www.secureworks.com/research/threat-profiles/gold-galleon",
 "https://www.govcert.ch/blog/analysis-of-an-unusual-hawkeye-sample/",
@@ -19898,6 +23765,23 @@
 "uuid": "af8df5d7-cd8c-41ea-b9ec-b69ab7811e2d",
 "value": "HDRoot"
 },
+ {
+ "description": "The Chinese threat actor \"Scarab\" is using a custom backdoor dubbed \"HeaderTip\" according to SentinelLABS. This malware may be the successor of \"Scieron\".",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.headertip",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-headertip",
+ "https://cert.gov.ua/article/38097",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/",
+ "https://blogs.blackberry.com/en/2022/04/threat-thursday-headertip-backdoor-shows-attackers-from-china-preying-on-ukraine"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "994c64f3-ca59-4392-9ab4-0256e79fcfad",
+ "value": "HeaderTip"
+ },
 {
 "description": "",
 "meta": {
@@ -19920,11 +23804,19 @@
 "https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/",
 "https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/",
+ "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
+ "https://www.ic3.gov/Media/News/2021/211029.pdf",
 "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
 "https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks",
+ "https://www.speartip.com/resources/fbi-hellokitty-ransomware-adds-ddos-to-extortion-arsenal/",
+ "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
 "https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/",
 "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
+ "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
 "https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/",
+ "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
+ "https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
 "https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/"
 ],
 "synonyms": [
@@ -19986,6 +23878,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor",
 "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html",
+ "https://vblocalhost.com/uploads/VB2021-Slowik.pdf",
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
 "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
 ],
@@ -20000,11 +23893,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes",
+ "https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html",
 "https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12",
+ "https://www.youtube.com/watch?v=9nuo-AGg4p4",
 "https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf",
+ "https://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/",
 "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
 "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
 "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/"
 ],
 "synonyms": [],
@@ -20013,23 +23910,102 @@ "uuid": "30a230c1-b598-4d06-90ab-3254d6a626d8", "value": "Hermes" }, + { + "description": "According to SentinelLabs, HermeticWiper is a custom-written application with very few standard functions. It abuses a signed driver called \"empntdrv.sys\" which is associated with the legitimate Software \"EaseUS Partition Master Software\" to enumerate the MBR and all partitions of all Physical Drives connected to the victims Windows Device and overwrite the first 512 Bytes of every MBR and Partition it can find, rendering them useless. \r\nThis malware is associated to the malware attacks against Ukraine during Russians Invasion in February 2022.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper", + "https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/", + "https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/", + "https://blogs.blackberry.com/en/2022/03/threat-thursday-hermeticwiper", + "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", + "https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/", + "https://www.youtube.com/watch?v=sUlW45c9izU", + "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", + "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/defenders-blog-on-cyberattacks-targeting-ukraine.html", + "https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine", + "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket", + "https://eln0ty.github.io/malware%20analysis/HermeticWiper/", + "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works", + 
"https://blogs.vmware.com/networkvirtualization/2022/03/hermetic-malware-multi-component-threat-targeting-ukraine-organizations.html/", + "https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/", + "https://learnsentinel.blog/2022/02/28/detecting-malware-kill-chains-with-defender-and-microsoft-sentinel/", + "https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf", + "https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/", + "https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/", + "https://cluster25.io/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware/", + "https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/", + "https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf", + "https://thehackernews.com/2022/02/new-wiper-malware-targeting-ukraine.html", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html", + "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", + "https://yoroi.company/research/diskkill-hermeticwiper-a-disruptive-cyber-weapon-targeting-ukraines-critical-infrastructures/", + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd", + "https://thehackernews.com/2022/02/putin-warns-russian-critical.html", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a", + "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/", + "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation", + "https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/", + "https://www.brighttalk.com/webcast/15591/534324", + 
"https://www.secureworks.com/blog/disruptive-hermeticwiper-attacks-targeting-ukrainian-organizations", + "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html", + "https://dgc.org/en/hermeticwiper-malware/", + "https://twitter.com/threatintel/status/1496578746014437376", + "https://community.riskiq.com/article/9f59cb85", + "https://www.englert.one/hermetic-wiper-reverse-code-engineering", + "https://t3n.de/news/cyber-attacken-ukraine-wiper-malware-1454318/", + "https://twitter.com/fr0gger_/status/1497121876870832128", + "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", + "https://brandefense.io/hermeticwiper-technical-analysis-report/", + "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/", + "https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/", + "https://cloudsek.com/technical-analysis-of-the-hermetic-wiper-malware-used-to-target-ukraine/", + "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks", + "https://www.mandiant.com/resources/information-operations-surrounding-ukraine", + "https://elastic.github.io/security-research/intelligence/2022/03/01.hermeticwiper-targets-ukraine/article/", + "https://www.deepinstinct.com/blog/hermeticwiper-malware-the-russian-ukrainian-cyber-war", + "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf", + "https://www.zdnet.com/article/microsoft-finds-foxblade-malware-on-ukrainian-systems-removing-rt-from-windows-app-store/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/digging-into-hermeticwiper.html", + "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/", + 
"https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/", + "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", + "https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/", + "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf", + "https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/", + "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware" + ], + "synonyms": [ + "DriveSlayer", + "FoxBlade", + "KillDisk.NCV", + "NEARMISS" + ], + "type": [] + }, + "uuid": "db6c1ec5-3961-47ce-9cd1-e650388a15fd", + "value": "HermeticWiper" + }, { "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes_ransom", - "https://blog.dcso.de/enterprise-malware-as-a-service/", - "https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html", - "https://www.youtube.com/watch?v=9nuo-AGg4p4", - "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", - "https://dcso.de/2019/03/18/enterprise-malware-as-a-service", - "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwizard", + "https://twitter.com/ET_Labs/status/1502494650640351236", + "https://www.brighttalk.com/webcast/15591/534324", + "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", + "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/", + 
"https://twitter.com/silascutler/status/1501668345640366091" ], "synonyms": [], "type": [] }, - "uuid": "4d8da0af-cfd7-4990-b211-af0e9906eca0", - "value": "Hermes Ransomware" + "uuid": "f4400c49-75c6-494a-aa3e-d873404281c1", + "value": "HermeticWizard" }, { "description": "", @@ -20055,6 +24031,32 @@ "uuid": "2637315d-d31e-4b64-aa4b-2fc265b0a1a3", "value": "HesperBot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.heyoka", + "https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5833d95c-4131-4cd3-8600-fc40bb834fe3", + "value": "heyoka" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiasm", + "https://fortiguard.fortinet.com/encyclopedia/virus/6488677" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c49e1f43-a16a-49b1-b23e-9e49cd20c90b", + "value": "HiAsm" + }, { "description": "", "meta": { @@ -20064,8 +24066,10 @@ "https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/", "https://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/", "https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/", + "https://www.msreverseengineering.com/blog/2018/9/2/weekend-project-a-custom-ida-loader-module-for-the-hidden-bee-malware-family", "https://www.freebuf.com/column/174581.html", - "https://www.freebuf.com/column/175106.html" + "https://www.freebuf.com/column/175106.html", + "https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements/" ], "synonyms": [], "type": [] 
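Review bot: The "Hermes Ransomware" cluster with uuid `4d8da0af-cfd7-4990-b211-af0e9906eca0` is deleted outright and its slot reused for HermeticWizard under a new uuid, while its refs are folded into the "Hermes" entry in an earlier hunk. If anything downstream (events, relationships, tags) references the old uuid, that reference now dangles with nothing pointing it at the merged entry. Either retain the old entry with a description stating that it was merged into Hermes, or state the merge explicitly in the commit message so consumers can migrate; as written, the diff reads as an unrelated entry replacing it. The removed dcso refs survive only as the web.archive.org copy on Hermes, which is fine if that archive is the intended canonical source.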
@@ -20078,6 +24082,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/",
 "https://twitter.com/struppigel/status/950787783353884672",
 "https://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/",
 "https://twitter.com/JAMESWT_MHT/status/1264828072001495041",
@@ -20214,16 +24219,44 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hive", - "https://www.ic3.gov/Media/News/2021/210825.pdf", - "https://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/", + "https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware", "https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals", - "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/" + "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/", + "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf", + "https://blog.group-ib.com/hive", + "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", + "https://github.com/rivitna/Malware/tree/main/Hive", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive", + "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again", + "https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html", + "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", + "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_hive_2021_v1.pdf", + "https://www.connectwise.com/resources/hive-profile", + "https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html", + "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group", + "https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/", + "https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html", + "https://securelist.com/modern-ransomware-groups-ttps/106824/", + 
"https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", + "https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/", + "https://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://arxiv.org/pdf/2202.08477.pdf", + "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098", + "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/", + "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/", + "https://www.varonis.com/blog/hive-ransomware-analysis", + "https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/", + "https://www.ic3.gov/Media/News/2021/210825.pdf", + "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "4aaa039f-6239-46d8-850d-69e9cbd12e9e", - "value": "hive" + "value": "Hive (Windows)" }, { "description": "", 
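Review bot: The value is renamed from `hive` to `Hive (Windows)` while the uuid is kept, which is the right way to rename, but if consumers derive tag names from `value` (for example `misp-galaxy:malpedia="hive"`), existing tags will no longer match the new value even though the cluster identity is unchanged. Consider adding `"hive"` to `synonyms` (currently `[]`) so the old name still resolves, and call the rename out in the commit message. The "(Windows)" suffix also suggests a sibling Linux/ESXi entry exists or is planned; if so, the description (still `""`) should say which platform this entry covers.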
@@ -20391,26 +24424,31 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini", - "https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37", "https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/", - "https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html", - "https://www.youtube.com/watch?v=h3KLKCdMUUY", - "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g", "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md", - "https://cofense.com/houdini-worm-transformed-new-phishing-attack/", - "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated", - "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/", - "https://yoroi.company/research/threatening-within-budget-how-wsh-rat-is-abused-by-cyber-crooks/", "https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/", - "https://www.youtube.com/watch?v=XDAiS6KBDOs", + "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks", + "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/", + "https://yoroi.company/research/threatening-within-budget-how-wsh-rat-is-abused-by-cyber-crooks/", + "https://www.youtube.com/watch?v=h3KLKCdMUUY", "https://blogs.360.cn/post/APT-C-44.html", "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns", "http://blog.morphisec.com/hworm-houdini-aka-njrat", - "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", - "http://blogs.360.cn/post/analysis-of-apt-c-37.html", - "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks", + "https://threatpost.com/ta2541-apt-rats-aviation/178422/", + "https://cofense.com/houdini-worm-transformed-new-phishing-attack/", + "https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html", 
+ "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated", "https://www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt", - "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html" + "http://blogs.360.cn/post/analysis-of-apt-c-37.html", + "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g", + "https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37", + "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/", + "https://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/", + "https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/", + "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html", + "https://www.youtube.com/watch?v=XDAiS6KBDOs" ], "synonyms": [ "Hworm", @@ -20460,6 +24498,7 @@ "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", "https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/", + "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", "https://www.secureworks.com/research/threat-profiles/bronze-mayfair", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", 
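Review bot: Most of the win.houdini hunk is reordering rather than content (the AT&T Alien Labs molerats/APT-C-37 post, the `XDAiS6KBDOs` YouTube link and several others are removed near the top and re-added lower down), which buries the handful of genuinely new refs such as the HP threat research, ThreatPost TA2541, Deep Instinct, ISC diary and BleepingComputer links. If this list is generated, emitting refs in a deterministic sorted order would keep future diffs to pure additions and make them reviewable. Not a correctness problem; the resulting array is unchanged as a set.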
@@ -20525,6 +24564,21 @@ "uuid": "339b3e7c-7a4a-4a1a-94b6-555f15a0b265", "value": "http_troy" }, + { + "description": "A loader that has been used by multiple threat actor groups since 2015.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hui_loader", + "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html", + "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf", + "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1cb6ed37-3017-45b9-b186-1e16d46a8dd2", + "value": "HUI Loader" + }, { "description": "", "meta": { 
@@ -20586,12 +24640,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro", + "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel", "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/", "https://blog.team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/", + "https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/", "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox", "https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf", - "https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/", "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", + "https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/", + "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf?__blob=publicationFile&v=10", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf", "https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx", 
@@ -20600,6 +24657,7 @@ "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html", "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html", "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf", + "https://cyware.com/news/apt27-group-targets-german-organizations-with-hyperbro-2c43b7cf/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/", "https://securelist.com/luckymouse-hits-national-data-center/86083/" @@ -20615,6 +24673,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperssl", + "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel", "https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Slides-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf", "https://norfolkinfosec.com/emissary-panda-dll-backdoor/", "https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx", 
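Review bot: The HyperBro refs carry the same Team Cymru post under two hosts (`https://blog.team-cymru.com/2020/03/25/...` kept as context and `https://team-cymru.com/2020/03/25/...` re-added just below it), and the newly added `https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel` is the relocated FireEye post that is still listed as `https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html` in the following hunk; keep one of each pair, or canonicalise known host moves in the generator. The same Mandiant UNC215 URL is also added to HyperSSL in the last hunk, whose refs array continues past the hunk, so check whether the FireEye form is duplicated there as well.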
@@ -20642,62 +24701,96 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid", "https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/", + "https://cert.gov.ua/article/39609", "https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/", - "https://www.youtube.com/watch?v=7Dk7NkIbVqY", + "https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html", + "https://www.silentpush.com/blog/icedid-command-and-control-infrastructure", "https://www.youtube.com/watch?v=wObF9n2UIAM", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://isc.sans.edu/diary/28636", + "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", + "https://www.youtube.com/watch?v=oZ4bwnjcXWg", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html", + "https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware", "https://ceriumnetworks.com/threat-of-the-month-icedid-malware/", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/", - "https://www.youtube.com/watch?v=wMXD4Sv1Alw", + "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/", + "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx", + "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", "https://www.binarydefense.com/icedid-gziploader-analysis/", 
"https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://matth.dmz42.org/posts/2022/automatically-unpacking-icedid-stage1-with-angr/", "https://github.com/Lastline-Inc/iocs-tools/tree/main/2021-07-IcedID-Part-2", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", + "https://twitter.com/felixw3000/status/1521816045769662468", + "https://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html", "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", "https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros", + "https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/", "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7", - "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", + "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", + "https://www.silentpush.com/blog/malicious-infrastructure-as-a-service", "https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/", + "https://nikpx.github.io/malware/analysis/2022/03/09/BokBot", "https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/", - "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", - "https://www.youtube.com/watch?v=oZ4bwnjcXWg", + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://www.ironnet.com/blog/ransomware-graphic-blog", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + 
"https://www.socinvestigation.com/icedid-banking-trojan-returns-with-new-ttps-detection-response/", "https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", + "https://www.youtube.com/watch?v=wMXD4Sv1Alw", "https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/", - "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx", + "https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/", "https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://www.secureworks.com/research/threat-profiles/gold-swathmore", + "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf", "https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/", - "https://tccontre.blogspot.com/2021/01/", + "https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/", + "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html", "https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html", "https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims", + "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/", 
"https://threatresearch.ext.hp.com/detecting-ta551-domains/", + "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf", + "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/", + "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://github.com/telekom-security/icedid_analysis", "https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", "https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/", + "https://www.youtube.com/watch?v=7Dk7NkIbVqY", "https://thedfirreport.com/2021/05/12/conti-ransomware/", + "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html", + "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships", "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", - "https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766", "https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/", "https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240", 
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", "https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html", + "https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/", "https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/", "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/", "https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917", + "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/", "https://blog.reconinfosec.com/an-encounter-with-ta551-shathak", "https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html", "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", 
@@ -20705,27 +24798,36 @@ "https://blog.minerva-labs.com/icedid-maas", "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", - "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", + "https://tccontre.blogspot.com/2021/01/", "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites", + "https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/", "https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders", "https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf", - "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://unit42.paloaltonetworks.com/ta551-shathak-icedid/", "https://www.youtube.com/watch?v=YEqLIR6hfOM", "https://blog.talosintelligence.com/2020/07/valak-emerges.html", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", - "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "https://thedfirreport.com/2022/04/25/quantum-ransomware/", + "https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766", + "https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id", "https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/", "https://github.com/f0wl/deICEr", "https://netresec.com/?b=214d7ff", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://eln0ty.github.io/malware%20analysis/IcedID/", "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/", + 
"https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", + "https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/", "https://www.group-ib.com/blog/icedid", + "https://forensicitguy.github.io/analyzing-icedid-document/", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html", "https://blog.group-ib.com/prometheus-tds", "https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/", + "https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/", + "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot", "https://malwation.com/icedid-malware-technical-analysis-report/", "https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back" ], @@ -20743,8 +24845,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader", + "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", - "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" + "https://threatray.com/blog/a-new-icedid-gziploader-variant/" ], "synonyms": [], "type": [] 
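Review bot: `https://tccontre.blogspot.com/2021/01/`, re-added in the IcedID hunk, is a monthly archive page rather than a post permalink, so what it points at will drift as the blog grows; replace it with the specific post URL if it can be identified, otherwise drop it. The remaining changes in this hunk are moves plus new refs and are consistent with the surrounding list.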
@@ -20873,14 +24976,15 @@ "value": "Imecab" }, { - "description": "", + "description": "MITRE describes Imminent Monitor as a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat", - "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", + "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/", + "https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america", "https://www.politie.nl/nieuws/2021/mei/19/04-aanhouding-in-onderzoek-naar-cybercrime.html", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/", + "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html", "https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/", "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", 
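Review bot: The new Imminent Monitor description opens with `MITRE describes Imminent Monitor as ...` but none of the refs visible in the hunk (Unit 42, atomicmatryoshka, politie.nl, Qianxin, Secureworks, Trend Micro, itsjack, 360) is the ATT&CK software page being paraphrased; the refs array continues past the hunk, so if the ATT&CK URL is absent there, add it so the claim is traceable. Alternatively drop the attribution and state the facts directly, e.g. `"description": "Commodity remote access tool (RAT) sold from 2012 until a 2019 law-enforcement takedown of its infrastructure; cracked builds and variants remain in circulation."`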
@@ -20906,6 +25010,20 @@ "uuid": "5f688e85-5f33-4ae6-880a-fc2e5146dd28", "value": " Immortal Stealer" }, + { + "description": "Keylogger written in Visual Basic dating back to at least 2012.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.incubator", + "https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf", + "https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b03201bd-8307-4c66-915e-d8f623084abe", + "value": "Incubator" + }, { "description": "", "meta": { 
@@ -20928,17 +25046,23 @@ "https://en.wikipedia.org/wiki/Industroyer", "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too", "https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf", - "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", + "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf", "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", - "https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", + "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", "https://www.secureworks.com/research/threat-profiles/iron-viking", "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", + "https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/", + "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", + "https://cert.gov.ua/article/39518", "https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/", "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security", - 
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf", + "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/" ], "synonyms": [ "Crash", @@ -20949,6 +25073,31 @@ "uuid": "610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6", "value": "Industroyer" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2", + "https://pylos.co/2022/04/23/industroyer2-in-perspective/", + "https://www.netresec.com/?page=Blog&month=2022-04&post=Industroyer2-IEC-104-Analysis", + "https://blog.scadafence.com/industroyer2-attack", + "https://twitter.com/silascutler/status/1513870210398363651", + "https://blogs.blackberry.com/en/2022/05/threat-thursday-malware-rebooted-how-industroyer2-takes-aim-at-ukraine-infrastructure", + "https://www.ntop.org/cybersecurity/how-ntopng-monitors-iec-60870-5-104-traffic/", + "https://www.mandiant.com/resources/industroyer-v2-old-malware-new-tricks", + "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", + "https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/", + "https://cert.gov.ua/article/39518", + "https://www.nozominetworks.com/blog/industroyer2-nozomi-networks-labs-analyzes-the-iec-104-payload/", + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd", + "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works" + ], + "synonyms": [], + "type": [] + }, + "uuid": "fa54359c-4a3f-45ea-a941-f2105aa27ef4", + "value": "INDUSTROYER2" + }, { "description": "", "meta": { 
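Review bot: The new INDUSTROYER2 entry lists the same ESET write-up twice under different hosts (`https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/` and `https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/`); drop the mirror. Its `value` is `"INDUSTROYER2"` while the sibling entry is `"Industroyer"`, and it ships with an empty `description` and no link back to that entry even though the preceding hunk adds the Industroyer2 article to Industroyer's refs; a one-line description naming it as the 2022 successor, and a `related` link to uuid `610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6` if this galaxy uses that field, would make the lineage explicit. If the value casing comes straight from the upstream Malpedia name, that part can be left as is.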
@@ -21042,6 +25191,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole", + "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/", "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf", 
@@ -21083,6 +25233,39 @@ "uuid": "44599616-3849-4960-9379-05307287ff80", "value": "IRONHALO" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.isaacwiper", + "https://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html", + "https://twitter.com/ESETresearch/status/1521910890072842240", + "https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/", + "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", + "https://www.brighttalk.com/webcast/15591/534324", + "https://go.recordedfuture.com/hubfs/reports/mtp-2022-0324.pdf", + "https://www.recordedfuture.com/isaacwiper-continues-trend-wiper-attacks-against-ukraine/", + "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/", + "https://securityintelligence.com/posts/new-wiper-malware-used-against-ukranian-organizations/", + "https://experience.mandiant.com/trending-evil-2/p/1", + "https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/", + "https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/", + "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", + "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine", + "https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/", + "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd", + "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/", + 
"https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works" + ], + "synonyms": [ + "LASAINRAW" + ], + "type": [] + }, + "uuid": "6fb2d1bb-f8a4-4f73-9ea7-a4a9aae4f609", + "value": "IsaacWiper" + }, { "description": "2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merge with Pony and became Vawtrak/Neverquest.\r\n\r\nThe other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.\r\n\r\nThere is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.\r\n\r\nISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.\r\n\r\nIn April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. The C2 communication is performed by Nymaim.\r\n\r\nSee win.gozi for additional historical information.", "meta": { 
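Review bot: The IsaacWiper entry is added with an empty `description` although the neighbouring new entries (HUI Loader, Incubator) get a one-liner and the refs include primary analyses (e.g. the ESET `isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine` post) that would support one; a short summary makes the cluster usable without following links. Two refs are landing pages rather than articles, `https://www.brighttalk.com/webcast/15591/534324` and `https://experience.mandiant.com/trending-evil-2/p/1`, and presumably will not resolve long term; consider swapping them for the corresponding report URLs or dropping them. The `LASAINRAW` synonym is unexplained anywhere in the entry; noting which vendor uses that name would help analysts matching on it.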
@@ -21095,10 +25278,10 @@ "https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", - "https://lokalhost.pl/gozi_tree.txt", + "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/", "https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf", - "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/", + "https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks", "https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245", "https://www.fidelissecurity.com/threatgeek/threat-intelligence/gozi-v3-technical-update/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", @@ -21115,6 +25298,7 @@ "https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/", "https://www.youtube.com/watch?v=jlc7Ahp8Iqg", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work", "https://news.sophos.com/en-us/2019/12/24/gozi-v3-tracked-by-their-own-stealth/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "http://benkow.cc/DreambotSAS19.pdf", 
@@ -21123,10 +25307,13 @@ "https://blog.talosintelligence.com/2020/07/valak-emerges.html", "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/", "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15", + "https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware", + "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", + "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/", "https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/", - "https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware", + "https://lokalhost.pl/gozi_tree.txt", "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/", "https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/", "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization", 
@@ -21137,9 +25324,11 @@
 "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
 "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
 "https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-featuring-ursnif-trojan/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
 "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
 "https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/",
+ "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf",
 "https://www.hornetsecurity.com/en/security-information/firefox-send-sends-ursnif-malware/",
 "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/",
@@ -21154,6 +25343,8 @@
 "https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/",
 "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex",
 "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/",
 "https://redcanary.com/resources/webinars/deep-dive-process-injection/",
 "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features",
 "https://www.tgsoft.it/files/report/download.asp?id=7481257469",
@@ -21301,6 +25492,7 @@
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
 "http://malware-traffic-analysis.net/2017/05/16/index.html",
 "https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/"
 ],
 "synonyms": [],
@@ -21326,12 +25518,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku",
- "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf",
+ "https://www.brighttalk.com/webcast/7451/538775",
 "https://securelist.com/whos-really-spreading-through-the-bright-star/68978/",
+ "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf",
 "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146"
 ],
 "synonyms": [
 "C3PRO-RACOON",
+ "EQUINOX",
 "KCNA Infostealer",
 "Reconcyc"
 ],
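Review bot: The Jaff hunk adds `https://intel471.com/blog/a-brief-history-of-ta505` directly above the existing `https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/`, which from the path is the same article under its old and new hostname, so the element now carries a duplicate reference. If the old host merely moved, keep the current URL and drop the legacy one; if both are meant to stay, apply the same rule consistently, since the Kegotip hunk further down in this diff receives the identical pair. In the Jaku hunk the Forcepoint PDF is removed and re-added at a different position, a pure reorder that widens the diff without changing the data.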
@@ -21548,9 +25742,11 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jsoutprox",
 "https://twitter.com/zlab_team/status/1208022180241530882",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.zscaler.com/blogs/research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat",
- "https://blog.yoroi.company/research/unveiling-jsoutprox-a-new-enterprise-grade-implant/",
 "https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese",
+ "https://blog.yoroi.company/research/unveiling-jsoutprox-a-new-enterprise-grade-implant/",
+ "https://www.zscaler.com/blogs/research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat",
+ "https://www.seqrite.com/documents/en/white-papers/whitepaper-multi-staged-jsoutprox-rat-target-indian-co-operative-banks-and-finance-companies.pdf",
+ "https://blogs.quickheal.com/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/",
 "https://yoroi.company/research/financial-institutions-in-the-sight-of-new-jsoutprox-attack-waves/"
 ],
 "synonyms": [],
@@ -21564,9 +25760,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader",
- "https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/",
+ "https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/",
+ "https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html",
+ "https://www.secureworks.com/blog/excel-add-ins-deliver-jssloader-malware",
 "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/"
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
+ "https://www.mandiant.com/resources/evolution-of-fin7",
+ "https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files",
+ "https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://blog.morphisec.com/vmware-identity-manager-attack-backdoor"
 ],
 "synonyms": [],
 "type": []
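Review bot: The Microsoft ransomware-as-a-service URL added to JSSLoader here has no trailing slash, while the same article is added to the LockBit element further down in this diff with one; any consumer that deduplicates references by exact string will treat them as two distinct sources. Normalize to a single canonical form before merging. The Morphisec JSSLoader PDF is also removed and re-added a few lines lower, a reorder that widens the hunk without changing the data.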
@@ -21602,26 +25806,6 @@
 "uuid": "a08db33d-4c37-4075-bd49-c3ab66a339db",
 "value": "JUMPALL"
 },
- {
- "description": "",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.jupyter",
- "https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer",
- "https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html",
- "https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction",
- "https://blog.minerva-labs.com/new-iocs-of-jupyter-stealer",
- "https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html#more",
- "https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/",
- "https://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/",
- "https://redcanary.com/blog/yellow-cockatoo/"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "5b834445-4437-46a6-9d4d-673ecf4bf1b9",
- "value": "Jupyter Stealer"
- },
 {
 "description": "",
 "meta": {
@@ -21640,11 +25824,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany",
+ "https://vblocalhost.com/uploads/VB2021-Slowik.pdf",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
 "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
 "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector",
- "https://www.secureworks.com/research/threat-profiles/iron-liberty",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf"
+ "https://www.secureworks.com/research/threat-profiles/iron-liberty"
 ],
 "synonyms": [
 "Karagny"
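Review bot: The first hunk on this line deletes the entire `Jupyter Stealer` element together with its `uuid` `5b834445-4437-46a6-9d4d-673ecf4bf1b9`, and nothing in the diff shows that UUID being carried over to another element. MISP galaxy elements are referenced from events and relationships by UUID, so dropping one silently orphans existing tags; the usual practice is to keep the element and mark it `"revoked": true`, or, if Malpedia has folded the family into another entry (the removed refs point at SolarMarker material, so that looks likely), to preserve the UUID and add `Jupyter Stealer` as a synonym on the surviving element. Please confirm which is intended before this deletion ships.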
@@ -21708,13 +25893,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.karma",
- "https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/"
+ "https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/",
+ "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
+ "https://www.youtube.com/watch?v=hgz5gZB3DxE",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware",
+ "https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/",
+ "https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "2667c9a6-4811-4535-95a1-3b75ba853a03",
- "value": "karma"
+ "value": "Karma"
 },
 {
 "description": "",
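Review bot: Changing `"value": "karma"` to `"Karma"` renames the tag string this element produces (`misp-galaxy:malpedia="karma"` becomes `…="Karma"`), so instances that already carry the old tag will no longer match it even though the `uuid` is preserved; a migration note in the changelog, or the old spelling in `synonyms`, would help consumers. Separately, the last Sophos URL added here carries a `?cmp=30728` campaign-tracking parameter that is not part of the resource identifier; strip it to `https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/` so the reference stays stable and does not leak marketing IDs to everyone who follows it.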
@@ -21750,11 +25942,38 @@
 "uuid": "bab92070-3589-4b7e-bf05-4f54bfefc2ca",
 "value": "Kazuar"
 },
+ {
+ "description": "According to Karsten Hahn, a straightforward loader that runs assemblies from images.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazyloader",
+ "https://twitter.com/struppigel/status/1501105224819392516"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a6f86df6-d822-4143-bdfe-149e70bcf1a0",
+ "value": "KazyLoader"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kdcsponge",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-336a"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "77c4a0e7-7ee1-446a-bc5d-8dd596d9d5fc",
+ "value": "KDC Sponge"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/"
 ],
 "synonyms": [],
@@ -21799,6 +26018,19 @@
 "uuid": "7d69892e-d582-4545-8798-4a9a84a821ea",
 "value": "Kelihos"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keona",
+ "https://twitter.com/3xp0rtblog/status/1536704209760010241"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b74ad48b-ac26-4748-adac-b824defbe315",
+ "value": "Keona"
+ },
 {
 "description": "",
 "meta": {
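Review bot: The Kegotip hunk adds `https://intel471.com/blog/a-brief-history-of-ta505` immediately above the existing `https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/`, the same article under two hostnames, so the reference is duplicated. The new KDC Sponge element leaves `description` empty although its only non-Malpedia source is a CISA alert; a one-sentence summary attributed to that alert (`According to CISA AA21-336A, …`) would make the element usable without following the link. The Keona element in the second hunk rests on a single tweet, which is ephemeral; an archived copy or a second reference would keep it verifiable.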
@@ -21937,6 +26169,22 @@
 "uuid": "d073b11a-a941-48b9-8e88-b59ffab9fcda",
 "value": "KGH_SPY"
 },
+ {
+ "description": "A compact ransomware written in .NET and delivered as follow-up to Log4J exploitation, targeting Windows servers. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.khonsari",
+ "https://assets.virustotal.com/reports/2021trends.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
+ "https://cloudsek.com/technical-analysis-of-khonsari-ransomware-campaign-exploiting-the-log4shell-vulnerability/",
+ "https://www.cadosecurity.com/analysis-of-novel-khonsari-ransomware-deployed-by-the-log4shell-vulnerability/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "76a7c43f-73d7-4f4f-acac-1fcaa150bf72",
+ "value": "Khonsari"
+ },
 {
 "description": "",
 "meta": {
@@ -21965,6 +26213,20 @@
 "uuid": "f2ca304f-6577-4f3a-983c-beec447a9493",
 "value": "Kikothac"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.killav",
+ "https://cyber.aon.com/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/",
+ "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ad6ac685-e13f-4522-9805-644f82818347",
+ "value": "KillAV"
+ },
 {
 "description": "",
 "meta": {
@@ -21972,6 +26234,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk",
 "https://www.secureworks.com/research/threat-profiles/iron-viking",
 "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/",
+ "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
 "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/"
 ],
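Review bot: The new Khonsari description says `delivered as follow-up to Log4J exploitation` without naming the vulnerability, although its last two references are explicitly about Log4Shell; `delivered as a follow-up to Log4Shell (CVE-2021-44228) exploitation` would make the element findable by CVE, which is how most responders will search for it. The string also ends with a stray space after `Windows servers. ` that will surface verbatim in tag descriptions; trim it.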
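Review bot: The new KillAV element lists the same Aon Cyber Labs article twice, once under `cyber.aon.com` and once under `www.aon.com/cyber-solutions/...`, so one of the two is a duplicate reference; keep whichever currently resolves. The element also ships with an empty `description`, and since "KillAV" reads like a generic detection label rather than a family name, a sentence tying this entry to the signed-AV-driver abuse the referenced article describes would reduce the chance of it being applied to unrelated AV-killer tooling.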
@@ -22015,6 +26278,7 @@
 "https://blog.prevailion.com/2019/09/autumn-aperture-report.html",
 "https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware",
 "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/",
+ "https://asec.ahnlab.com/en/30532/",
 "https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/",
 "https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf",
 "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure",
@@ -22035,7 +26299,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kingminer",
- "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-labs-kingminer-botnet-report.pdf"
+ "https://asec.ahnlab.com/en/32572/",
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-labs-kingminer-botnet-report.pdf",
+ "https://news.sophos.com/en-us/2020/06/09/kingminer-report/",
+ "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/",
+ "https://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/354/Bitdefender-PR-Whitepaper-KingMiner-creat4610-en-EN-GenericUse.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -22205,7 +26474,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni",
+ "https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/",
 "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/",
 "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html",
 "https://blog.alyac.co.kr/2474",
 "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html",
@@ -22275,10 +26546,12 @@
 "https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/",
 "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/",
 "https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Kovter/Kovter.md",
+ "https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless",
- "https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://0xchrollo.github.io/articles/unpacking-kovter-malware/",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/"
 ],
 "synonyms": [],
@@ -22316,7 +26589,20 @@
 "value": "KPOT Stealer"
 },
 {
- "description": "",
+ "description": "According to ESET, this malware family is a banking trojan and was active in Brazil until the middle of 2019. Its most noticeable characteristic was its usage of well-known cryptographic methods to encrypt strings, as opposed to the majority of Latin American banking trojans that mainly use custom encryption schemes.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.krachulka",
+ "https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1ddcb067-e876-4eff-8bb7-e28c089d99a3",
+ "value": "Krachulka"
+ },
+ {
+ "description": "A ransomware that was active in 2018.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kraken",
@@ -22367,19 +26653,20 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos",
 "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
- "https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/",
+ "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/",
 "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf",
 "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack",
 "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn",
 "https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses",
 "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/",
- "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/",
+ "https://intel471.com/blog/privateloader-malware",
 "https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html",
 "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
+ "https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/",
 "https://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/",
- "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/",
+ "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/",
 "https://twitter.com/3xp0rtblog/status/1294157781415743488",
 "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/",
 "https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan"
@@ -22462,7 +26749,7 @@
 "value": "Kurton"
 },
 {
- "description": "",
+ "description": "Cofense characterizes Kutaki as a data stealer that uses old-school techniques to detect sandboxes and debugging. Kutaki however works quite well against unhardened virtual machines and other analysis devices. By backdooring a legitimate application, it can fool unsophisticated detection methodologies.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki",
@@ -22480,13 +26767,16 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs",
 "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
- "http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html",
 "https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf",
 "https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/",
 "https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/",
- "https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/",
- "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
+ "https://resources.cylera.com/new-evidence-linking-kwampirs-malware-to-shamoon-apts",
+ "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia",
+ "https://thehackernews.com/2022/03/researchers-find-new-evidence-linking.html",
+ "http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html",
+ "https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/"
 ],
 "synonyms": [],
 "type": []
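Review bot: The Kwampirs hunk re-adds `http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html` over plain HTTP; since the line is being rewritten anyway, change it to `https://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html` so readers following the reference to what the URL presents as an FBI FLASH are not served it unauthenticated. The Cylera and Hacker News links added alongside concern a claimed Kwampirs–Shamoon code overlap, which is an attribution claim; it is fine as a reference, but if it is later lifted into `description` it should be attributed to Cylera rather than stated as fact. The rest of the hunk is a reorder of existing Symantec and securityartwork lines that widens the diff without changing data.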
@@ -22520,7 +26810,8 @@
 "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
 "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://twitter.com/_CPResearch_/status/1484502090068242433"
 ],
 "synonyms": [
 "Plexor"
@@ -22528,7 +26819,7 @@
 "type": []
 },
 "uuid": "3af9397a-b4f7-467d-93af-b3d77dcfc38d",
- "value": "Lambert"
+ "value": "Lambert (Windows)"
 },
 {
 "description": "",
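Review bot: Renaming `"value": "Lambert"` to `"Lambert (Windows)"` changes the tag string this element emits while keeping its `uuid`, so instances already tagged `misp-galaxy:malpedia="Lambert"` stop matching; adding `"Lambert"` to `synonyms` next to `"Plexor"` keeps the old name resolvable. The parenthetical is presumably there to disambiguate from a non-Windows Lambert entry elsewhere in the galaxy, which is reasonable, but the rationale should be stated in the commit message so the rename is not mistaken for a typo fix.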
@@ -22544,7 +26835,7 @@
 "value": "Lamdelin"
 },
 {
- "description": "",
+ "description": "FireEye describes this malware as a highly obfuscated bot that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.\r\n\r\nUsing Dynamic Threat Intelligence, they have observed multiple campaigns targeting multiple industries in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland – primarily in the financial services and insurance sectors. Although the infection strategy is not new, the final payload dropped – which they named LATENTBOT – caught attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot",
@@ -22579,7 +26870,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.laziok",
 "https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector",
- "https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802"
+ "https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802",
+ "https://www.gdatasoftware.com/blog/2015/05/24280-dissecting-the-kraken"
 ],
 "synonyms": [],
 "type": []
@@ -22607,7 +26899,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lcpdot",
 "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html",
- "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf"
+ "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf",
+ "https://securelist.com/lazarus-trojanized-defi-app/106195/",
+ "https://research.nccgroup.com/2022/05/05/north-koreas-lazarus-and-their-initial-access-trade-craft-using-social-media-and-social-engineering/"
 ],
 "synonyms": [],
 "type": []
@@ -22641,6 +26935,32 @@
 "uuid": "8faf7592-be5c-44af-b1ca-2bd8caec195d",
 "value": "Leash"
 },
+ {
+ "description": "Lemon Duck is a monerocrypto-mining malware with capabilitiy to spread rapidly across the entire network. The malware runs its payload mainly in memory. Internal network spreading is performed by SMB RCE Vulnerability (CVE-2017-0144), or brute-force attacks.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lemonduck",
+ "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/373/Bitdefender-PR-Whitepaper-LemonDuck-creat4826-en-EN-GenericUse.pdf",
+ "https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/",
+ "https://news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/",
+ "https://therecord.media/lemonduck-botnet-evolves-to-allow-hands-on-keyboard-intrusions/",
+ "https://success.trendmicro.com/solution/000261916",
+ "https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/",
+ "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
+ "https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/",
+ "https://notes.netbytesec.com/2021/06/lemon-duck-cryptominer-technical.html",
+ "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/",
+ "https://asec.ahnlab.com/en/31811/",
+ "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728",
+ "https://cybotsai.com/lemon-duck-attack/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ff1896f4-8774-4c15-9353-918e3dc2e840",
+ "value": "Lemon Duck"
+ },
 {
 "description": "",
 "meta": {
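Review bot: The new Lemon Duck description carries two typos that will surface verbatim wherever the tag is rendered: `monerocrypto-mining` should read `Monero crypto-mining` and `capabilitiy` should read `capability`. Naming `CVE-2017-0144` for the SMB spreading vector is good practice (that is the MS17-010/EternalBlue bug and matches how Khonsari should be documented), but the 2021 Sophos URL near the end carries a `?cmp=30728` tracking parameter that should be stripped, as the 2019 Sophos link above it already is. The text also reads as vendor copy without attribution, whereas sibling elements in this diff write `According to ESET, …` or `Cofense characterizes …`; naming the source here keeps the galaxy's descriptions consistently sourced.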
@@ -22678,10 +26998,13 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.liderc",
 "https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/",
- "https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media",
- "https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html"
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf",
+ "https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html",
+ "https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media"
+ ],
+ "synonyms": [
+ "LEMPO"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "ed825d46-be1e-4d36-b828-1b85274773dd",
@@ -22710,6 +27033,19 @@
 "uuid": "96b0b8fa-79b6-4519-a794-f6f325f96fd7",
 "value": "LightNeuron"
 },
+ {
+ "description": "Lightning stealer can target 30+ Firefox and Chromium-based browsers and steal crypto wallets, Telegram data, Discord tokens, and Steam user’s data. Unlike other info stealers, Lightning Stealer stores all the stolen data in the JSON format for exfiltration. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightning_stealer",
+ "https://blog.cyble.com/2022/04/05/inside-lightning-stealer/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "48a21f7a-3dc9-4524-9628-10ed0f762bb4",
+ "value": "Lightning Stealer"
+ },
 {
 "description": "",
 "meta": {
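Review bot: The Lightning Stealer description in the second hunk states capabilities as fact (`can target 30+ Firefox and Chromium-based browsers …`, `Unlike other info stealers, …`) on the strength of a single Cyble blog post, whereas sibling elements in this diff attribute such text (`According to ESET, …`, `Cofense characterizes …`); prefixing it with `According to Cyble,` keeps the claim sourced and the comparative "unlike other info stealers" clearly the vendor's. The string also ends with a trailing space after `exfiltration. ` and uses a typographic apostrophe in `Steam user’s data`; trim the space and consider a plain `'` so the text survives ASCII-only consumers unchanged.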
@@ -22729,11 +27065,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lilith",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt",
+ "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html",
 "https://github.com/werkamsus/Lilith",
 "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt"
+ "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf"
 ],
 "synonyms": [],
 "type": []
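Review bot: After this hunk the Lilith element lists the Talos SideCopy PDF twice: `…/062521_SideCopy_%281%29.pdf?1625657388` is added at the top and `…/062521_SideCopy_%281%29.pdf` is re-added at the bottom, differing only by an S3 cache-busting query string, so one is a duplicate. Pick one convention for these Talos S3 links and apply it to all three here — the Network IOC list keeps `?1625657479` while the Hashes list is added without a query — and drop the redundant SideCopy line. The element now mixes the open-source `github.com/werkamsus/Lilith` project with SideCopy, Tropic Trooper and Eternity Group reporting; if those reports describe distinct things called Lilith, the still-empty `description` is the place to say so.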
@@ -22774,13 +27113,16 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat",
 "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
 "https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service",
- "https://github.com/NYAN-x-CAT/Lime-RAT/",
+ "https://blog.reversinglabs.com/blog/rats-in-the-library",
 "https://www.youtube.com/watch?v=x-g-ZLeX8GM",
+ "https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html",
 "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
+ "https://lab52.io/blog/apt-c-36-recent-activity-analysis/",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
 "https://blog.yoroi.company/research/limerat-spreads-in-the-wild/",
 "https://lab52.io/blog/literature-lover-targeting-colombia-with-limerat/",
- "https://blog.reversinglabs.com/blog/rats-in-the-library",
- "https://lab52.io/blog/apt-c-36-recent-activity-analysis/",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://github.com/NYAN-x-CAT/Lime-RAT/",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
 "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html"
 ],
@@ -22863,48 +27205,99 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit", - "https://seguranca-informatica.pt/malware-analysis-details-on-lockbit-ransomware/", - "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/", - "https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html", - "https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/", + "https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html", "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", - "https://id-ransomware.blogspot.com/search?q=lockbit", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", - "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1", - "https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/", - "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt", + "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", + "https://www.intrinsec.com/alphv-ransomware-gang-analysis", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/", + "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", + 
"https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/", + "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-attack-on-bridgestone-americas/", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/", + "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://blog.lexfo.fr/lockbit-malware.html", + "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/", + "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", + "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354", + "https://asec.ahnlab.com/en/35822/", + "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://www.netskope.com/blog/netskope-threat-coverage-lockbit", - "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/", - "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md", - "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", - "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/", + "https://www.dr.dk/nyheder/viden/teknologi/frygtede-skulle-lukke-alle-vindmoeller-nu-aabner-vestas-op-om-hacking-angreb", "https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion", 
"https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a", - "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/", - "https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf", - "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/", - "https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/", - "https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/", + "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", + "https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf", "https://www.advanced-intel.com/post/from-russia-with-lockbit-ransomware-inside-look-preventive-solutions", - "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", - "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", - "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/", - "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", + "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", "https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511", - "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", + "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor", + "https://ke-la.com/lockbit-2-0-interview-with-russian-osint/", 
"https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf", - "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", - "https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/", - "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/", - "https://blog.lexfo.fr/lockbit-malware.html", + "https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool", + "https://unit42.paloaltonetworks.com/lockbit-2-ransomware/", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker", + "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", "https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/", - "https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/", - "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets", - "https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/" + "https://skyblue.team/posts/hive-recovery-from-lockbit-2.0/", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022", + 
"https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware", + "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1", + "https://twitter.com/MsftSecIntel/status/1522690116979855360", + "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md", + "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/", + "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf", + "https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf", + "https://www.ic3.gov/Media/News/2022/220204.pdf", + "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-2-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254421", + "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities", + "https://securelist.com/modern-ransomware-groups-ttps/106824/", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", + "https://intel471.com/blog/privateloader-malware", + "https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html", + "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/", + "https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve", + "https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/", + "https://securelist.com/new-ransomware-trends-in-2022/106457/", + "https://www.mbsd.jp/2021/10/27/assets/images/MBSD_WhitePaper_A-deep-dive-analysis-of-LockBit2.0_Ransomware.pdf", + "https://www.crowdstrike.com/blog/how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware/", + "https://seguranca-informatica.pt/malware-analysis-details-on-lockbit-ransomware/", + 
"https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/", + "https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html", + "https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/", + "https://id-ransomware.blogspot.com/search?q=lockbit", + "https://redcanary.com/blog/intelligence-insights-november-2021/", + "https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/", + "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/", + "https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", + "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/", + "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", + "https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/", + "https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/", + "https://www.connectwise.com/resources/lockbit-profile", + "https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/", + "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/", + "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", + 
"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit", + "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/", + "https://www.lemagit.fr/actualites/252516821/Ransomware-LockBit-30-commence-a-etre-utilise-dans-des-cyberattaques", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/", + "https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/", + "https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/" ], "synonyms": [ "ABCD Ransomware" @@ -22912,14 +27305,14 @@ "type": [] }, "uuid": "fd035735-1ab9-419d-a94c-d560612e970b", - "value": "LockBit" + "value": "LockBit (Windows)" }, { "description": "According to Trend Micro, LockerGoga is a ransomware that has been used in multiple attacks, most notably against Altran Technologies and Norsk Hydro. It encrypts a range of documents and source code files but certain versions had little to no whitelist that would protect import system files such as the Windows Boot Manager.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga", - "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202", + "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure", "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf", 
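Review bot: The rebuilt LockBit ref list now contains near-duplicate pairs that differ only in a trailing slash or a locale segment: the Microsoft `ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself` post appears with and without the trailing `/`, the CrowdStrike `double-trouble-ransomware-data-leak-extortion-part-1` post likewise, and the Trend Micro `Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload` article appears under both `en_us` and `en_no`. The CrowdStrike pair was already present before this change, so whatever dedup step runs is not catching this class. Normalising trailing slashes (and the Trend Micro locale path) before comparing would collapse each pair to one ref; this hunk starts at the `win.lockbit` ref above.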
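Review bot: The cluster value changes from `LockBit` to `LockBit (Windows)` while the uuid stays `fd035735-1ab9-419d-a94c-d560612e970b`, and the synonyms list visible just above still holds only `ABCD Ransomware`. Anything keyed on the displayed name, such as existing tags of the form `misp-galaxy:malpedia="LockBit"` on events or correlation rules written against that string, will stop matching even though the uuid is stable. Keeping the old name as a synonym, `"synonyms": [ "ABCD Ransomware", "LockBit" ]`, preserves resolution of the historical name; the rename presumably mirrors a separate Linux/ESXi entry upstream, but that entry is not visible here.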
@@ -22931,10 +27324,12 @@
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/",
 "https://www.youtube.com/watch?v=o6eEN0mUakM",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/",
 "https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/",
 "https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/",
+ "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202",
 "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/"
 ],
 "synonyms": [],
@@ -22948,12 +27343,19 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockfile",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows",
+ "https://news.sophos.com/en-us/2021/08/23/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do/",
 "https://news.sophos.com/en-us/2021/08/27/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/",
 "https://blog.cyble.com/2021/08/25/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+ "https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows",
 "https://twitter.com/VirITeXplorer/status/1428750497872232459",
 "https://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html",
- "https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html"
+ "https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/"
 ],
 "synonyms": [],
 "type": []
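Review bot: Several of the refs added to LockFile do not name the family in their title (`proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do`, `microsoft-exchange-servers-hacked-to-deploy-hive-ransomware`, the Microsoft RaaS gig-economy post), so an analyst pivoting from this entry cannot tell why they are attached. If they come from the upstream feed's per-family tagging they are fine to keep, but it is worth confirming they actually discuss LockFile rather than only the ProxyShell intrusion vector it shares with other families. The Symantec PetitPotam ref is otherwise only moved within the array.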
@@ -22967,26 +27369,28 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky",
 "http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html",
- "https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
+ "https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html",
+ "http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/",
+ "https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/",
 "https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://vixra.org/pdf/2002.0183v1.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf",
+ "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/",
 "https://dissectingmalwa.re/picking-locky.html",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
 "http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html",
 "https://thisissecurity.stormshield.com/2018/03/20/de-obfuscating-jump-chains-with-binary-ninja/",
- "http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/",
- "https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/",
- "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
- "https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf",
- "https://vixra.org/pdf/2002.0183v1.pdf",
- "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/",
- "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
+ "https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/"
 ],
 "synonyms": [],
 "type": []
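Review bot: `https://intel471.com/blog/a-brief-history-of-ta505` is added while `https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/` stays in the context lines; the slug is identical, so this looks like the same post reachable under the publisher's old and new hostnames rather than a second source. The two McAfee `evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/` refs (`securingtomorrow.mcafee.com` and `www.mcafee.com`) are the same situation and predate this change. Unless the generator deliberately keeps both, I'd keep one URL per article and prefer the one that is not a redirect, so dead-link checks and analyst pivots stay meaningful.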
@@ -23038,10 +27442,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.loda",
+ "https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html",
 "https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html",
+ "https://www.silentpush.com/blog/more-lodarat-infrastructure-targeting-bangladesh-uncovered",
 "https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware",
 "https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html",
- "https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html",
 "https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/"
 ],
 "synonyms": [
@@ -23104,10 +27509,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lojax",
- "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
+ "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf",
+ "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
 "https://www.youtube.com/watch?v=VeoXT0nEcFU",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf"
+ "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
+ "https://habr.com/ru/amp/post/668154/"
 ],
 "synonyms": [],
 "type": []
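Review bot: `https://habr.com/ru/amp/post/668154/` in the LoJax hunk appears to be the AMP rendering of the article (the `/amp/` path segment) rather than a distinct source; AMP mirrors are typically the first URLs to break when a publisher drops AMP, so the non-AMP URL without that segment would be the more durable ref. The rest of the LoJax hunk, and the Loda hunk above it, only move existing refs (`ESET-LoJax.pdf`, the Symantec APT28 post, the Talos Kasablanka post) to new positions.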
@@ -23115,6 +27522,21 @@ "uuid": "15228ae0-26f9-44d8-8d6e-87b0bd2d2aba", "value": "LoJax" }, + { + "description": "LokiLocker is a .Net ransomware, which was seen first in August 2021. This malware is protected with NETGuard (modified ConfuserEX) using the additional KoiVM virtualization plugin.\r\nThe victims were observed ti be scattered around the world, with main concentation in Estern Europe and Asia (BlackBerry).", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokilocker", + "https://blogs.blackberry.com/en/2022/03/lokilocker-ransomware", + "https://www.msspalert.com/cybersecurity-research/lokilocker-ransomware-may-use-false-flag-to-avoid-identification/", + "https://www.theregister.com/2022/03/16/blackberry_lokilocker_ransomware/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3642aa5a-61b3-4de9-b124-8ecb8b53351d", + "value": "LokiLocker" + }, { "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. 
For example: “%APPDATA%\\ C98066\\”.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. 
This might be useful in tracking campaigns or specific threat actors. This value value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2", "meta": { 
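Review bot: The new LokiLocker description has three typos in its second sentence: `observed ti be`, `concentation` and `Estern Europe`. Suggested wording, same claims: `The victims were observed to be scattered around the world, with the main concentration in Eastern Europe and Asia (BlackBerry).` The first sentence also writes `.Net` while other entries in this diff write `.NET`; one spelling across the file would help text searches. If this file is regenerated from the upstream feed, the fix belongs in the source description rather than in this JSON.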
@@ -23126,6 +27548,7 @@
 "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
 "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
 "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html",
 "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/",
 "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/",
@@ -23136,19 +27559,25 @@
 "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
 "https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/",
 "https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2",
+ "https://malcat.fr/blog/statically-unpacking-a-simple-net-dropper/",
 "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
+ "https://malcat.fr/blog/reversing-a-nsis-dropper-using-quick-and-dirty-shellcode-emulation/",
 "https://github.com/R3MRUM/loki-parse",
+ "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
 "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
 "https://lab52.io/blog/a-twisted-malware-infection-chain/",
 "https://www.youtube.com/watch?v=-FxyzuRv6Wg",
 "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files",
 "https://news.sophos.com/en-us/2020/05/14/raticate/",
+ "http://reversing.fun/posts/2021/06/08/lokibot.html",
+ "https://www.lac.co.jp/lacwatch/report/20220307_002893.html",
 "http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html",
 "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf",
 "https://isc.sans.edu/diary/27282",
 "https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html",
 "https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files",
+ "https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf",
 "https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html",
 "https://www.lastline.com/blog/password-stealing-malware-loki-bot/",
 "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
@@ -23158,9 +27587,11 @@
 "https://www.youtube.com/watch?v=N0wAh26wShE",
 "https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/",
 "https://phishme.com/loki-bot-malware/",
+ "https://www.atomicmatryoshka.com/post/malware-headliners-lokibot",
 "https://securelist.com/loki-bot-stealing-corporate-passwords/87595/"
 ],
 "synonyms": [
+ "Burkina",
 "Loki",
 "LokiBot",
 "LokiPWS"
@@ -23170,6 +27601,19 @@
 "uuid": "b8fa5036-813f-4887-b4d4-bb17b4a7eba0",
 "value": "Loki Password Stealer (PWS)"
 },
+ {
+ "description": "According to ESET, this is a banking trojan that was active mainly in Mexico until the beginning of 2020, with builds for Brazil, Chile, and Colombia also having been identified.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokorrito",
+ "https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5e8f3d59-15bc-492c-afdb-4b71e0417142",
+ "value": "Lokorrito"
+ },
 {
 "description": "",
 "meta": {
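Review bot: `http://reversing.fun/posts/2021/06/08/lokibot.html` is added while `http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html` remains two lines below; the date and slug are identical, so this is very likely the same write-up after a domain move, and both are plain `http://` links. I'd keep one of them and prefer an `https://` form if the site offers one, since refs in this file end up being opened straight from an analyst's MISP instance. The Trend Micro LZH-files ref in the same hunk is otherwise only moved within the array.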
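Review bot: The synonym `Burkina` is added to Loki PWS without any visible ref that carries that name, so an analyst who reaches the entry through that alias has nothing in it to explain where the name comes from. If it originates from the `atomicmatryoshka.com` post added in the same hunk, a short mention in the description would connect the two; if it is an upstream Malpedia alias, it is fine as-is.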
@@ -23225,6 +27669,7 @@
 "https://threatgen.com/taking-a-closer-look-at-the-lookback-malware-campaign-part-1/",
 "https://nao-sec.org/2021/01/royal-road-redive.html",
 "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
+ "https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/",
 "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/",
 "https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals",
 "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks",
@@ -23257,14 +27702,16 @@
 "value": "L0rdix"
 },
 {
- "description": "",
+ "description": "Tesorion describes Lorenz as a ransomware with design and implementation flaws, leading to impossible decryption with tools provided by the attackers. A free decryptor for 2021 versions was made available via the NoMoreRansom initiative. A new version of the malware was discovered in March 2022, for which again was provided a free decryptor, while the ransomware operators are not able to provide tools to decrypt affected files.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lorenz",
- "https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/",
 "https://twitter.com/AltShiftPrtScn/status/1423190900516302860?s=20",
- "https://therecord.media/free-decrypter-available-for-lorenz-ransomware/",
- "https://www.tesorion.nl/en/posts/lorenz-ransomware-analysis-and-a-free-decryptor/"
+ "https://www.tesorion.nl/en/posts/lorenz-ransomware-rebound-corruption-and-irrecoverable-files/",
+ "https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware",
+ "https://www.tesorion.nl/en/posts/lorenz-ransomware-analysis-and-a-free-decryptor/",
+ "https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/",
+ "https://therecord.media/free-decrypter-available-for-lorenz-ransomware/"
 ],
 "synonyms": [],
 "type": []
@@ -23308,6 +27755,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowkey",
 "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf",
 "https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/",
+ "https://www.mandiant.com/resources/apt41-us-state-governments",
 "https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html"
 ],
 "synonyms": [
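Review bot: The new Lorenz description is hard to parse in two places: `leading to impossible decryption with tools provided by the attackers` and `for which again was provided a free decryptor, while the ransomware operators are not able to provide tools to decrypt affected files`. Suggested wording that keeps the same claims: `...design and implementation flaws, so that files cannot be decrypted even with the tools the attackers provide.` and `A new version was discovered in March 2022; a free decryptor was again provided for it, while the operators themselves cannot supply working decryption tools.` The refs in this hunk are otherwise only reordered, with two genuinely new ones (the Tesorion "rebound" post and the Cybereason post).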
@@ -23318,6 +27766,20 @@
 "uuid": "515d1318-c3b1-4d40-a321-31b3baf75414",
 "value": "LOWKEY"
 },
+ {
+ "description": "This in Go written malware is lsass process memory dumper, which was custom developed by threat actors according to Security Joes. It has the capability to automatically exfiltrate the results to the free file transfer service \"transfer.sh\".",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lsassdumper",
+ "https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/",
+ "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f6e9f1f3-91ba-40af-aa2d-d0d5e824b791",
+ "value": "lsassDumper"
+ },
 {
 "description": "",
 "meta": {
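Review bot: The lsassDumper description opens with `This in Go written malware is lsass process memory dumper`, which is ungrammatical and hides the two facts a defender wants up front; suggested wording: `This Go-written malware is an LSASS process memory dumper, custom-developed by the threat actors according to Security Joes. It can automatically exfiltrate the dump to the free file-transfer service "transfer.sh".` Keeping the literal hostname in the text is useful, since outbound connections to transfer.sh shortly after LSASS access are a concrete detection hook. If the text is mirrored from Malpedia, the correction should be submitted upstream so the next sync does not revert it.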
@@ -23393,6 +27855,46 @@
 "uuid": "8c0d3012-9dcb-46d3-964f-8a3c5b58d1b2",
 "value": "Luzo"
 },
+ {
+ "description": "This .NET written malware is used as backdoor using the dns protocol by a state sponsored threat actor. It implements additional capabilities (e.g. execution of commands, taking screenshots, listing diles/directories/installed applications, and uploading/downloading/execution of files). There are also variants using HTTP (.Net) and also one written in Golang.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lyceum_dns_backdoor_dotnet",
+ "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/",
+ "https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e7117036-5142-4a07-ae85-c3ddba7f1d75",
+ "value": "Lyceum .NET DNS Backdoor"
+ },
+ {
+ "description": "This .Net written malware is used as backdoor using the http protocol by a state sponsored threat actor. It implements additional capabilities (e.g. execution of commands, taking screenshots, listing diles/directories/installed applications, and uploading/downloading/execution of files). There are also variants using DNS (.Net) and also one written in Golang.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lyceum_http_backdoor_dotnet",
+ "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "92e533c5-b32a-411a-9fcc-733854c4a18c",
+ "value": "Lyceum .NET TCP Backdoor"
+ },
+ {
+ "description": "This Golang written malware is used as backdoor using the http protocol by a state sponsored threat actor (TA). 
This backdoor is running in a loop of three stages: \r\n- Check the connectivity\r\n- Registration of the victim\r\n- Retrieval and execution of commands\r\nThis TA is using also variants .NET backdoors utilizing HTTP and DNS.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lyceum_http_backdoor_golang",
+ "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "61fda7db-5e82-4e8c-a629-e8cc36151dec",
+ "value": "Lyceum Golang HTTP Backdoor"
+ },
 {
 "description": "",
 "meta": {
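Review bot: The second new entry is named `"value": "Lyceum .NET TCP Backdoor"`, but its own description says it is a backdoor `using the http protocol`, its Malpedia ref is `win.lyceum_http_backdoor_dotnet`, and the sibling DNS entry describes the other variant as `variants using HTTP (.Net)`; unless Malpedia's canonical display name really is "TCP", the value should be `"Lyceum .NET HTTP Backdoor"` so the cluster name, ref and description agree and analysts searching for the HTTP variant find it. Both .NET descriptions also carry the typo `diles/directories` for `files/directories`. These entries appear to be generated from Malpedia, so the rename and typo fix should be confirmed against, or submitted to, the upstream source before editing the JSON by hand.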
@@ -23425,6 +27927,36 @@ "uuid": "737a73d5-40a2-4779-a84b-bdbefd1af4c9", "value": "M00nD3V Logger" }, + { + "description": "Modular x86/x64 file infector created/used by Maze ransomware developer. According to the author, it has been mistakenly tagged by AVs as Expiro.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.m0yv", + "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/", + "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html", + "https://github.com/baderj/domain_generation_algorithms/blob/master/expiro/dga.py" + ], + "synonyms": [], + "type": [] + }, + "uuid": "73db5c33-c05c-4835-af4d-9223516b0915", + "value": "m0yv" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.macaw", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", + "https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million-in-new-macaw-ransomware-attacks/", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions" + ], + "synonyms": [], + "type": [] + }, + "uuid": "523883ea-b865-4713-b5ed-bb1a808f35cf", + "value": "Macaw" + }, { "description": "According to ESET, Machete’s dropper is a RAR SFX executable. Three py2exe components are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A single configuration file, jer.dll, is dropped, and it contains base64‑encoded text that corresponds to AES‑encrypted strings.\r\nGoogleCrash.exe is the main component of the malware. It schedules execution of the other two components and creates Windows Task Scheduler tasks to achieve persistence.\r\nRegarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi networks and sends it to the Mozilla Location Service API. 
In short, this application provides geolocation coordinates when it’s given other sources of data such as Bluetooth beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and longitude coordinates to build a Google Maps URL.\r\nThe GoogleUpdate.exe component is responsible for communicating with the remote C&C server. The configuration to set the connection is read from the jer.dll file: domain name, username and password. The principal means of communication for Machete is via FTP, although HTTP communication was implemented as a fallback in 2019.", "meta": { @@ -23433,6 +27965,7 @@ "https://static1.squarespace.com/static/5a01100f692ebe0459a1859f/t/5da340ded5ccf627e1764059/1570980068506/Day3-1130-Green-A+study+of+Machete+cyber+espionage+operations+in+Latin+America.pdf", "https://securelist.com/el-machete/66108/", "https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6", + "https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america", "https://threatvector.cylance.com/en_us/home/threat-spotlight-machete-info-stealer.html", "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html", "https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/" 
@@ -23475,14 +28008,19 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber", - "https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372", + "https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/", "https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/", - "https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/", + "https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/", + "https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372", + "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/", + "https://asec.ahnlab.com/en/30645/", "https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/", + "https://www.youtube.com/watch?v=lqWJaaofNf4", "https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware", + "https://www.bleepingcomputer.com/news/security/magniber-ransomware-gang-now-exploits-internet-explorer-flaws-in-attacks/", "http://asec.ahnlab.com/1124", "https://decoded.avast.io/janvojtesek/magnitude-exploit-kit-still-alive-and-kicking/", - "https://www.youtube.com/watch?v=lqWJaaofNf4", + "https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/", "https://asec.ahnlab.com/en/19273/", "https://teamt5.org/tw/posts/internet-explorer-the-vulnerability-ridden-browser/" ], 
@@ -23516,6 +28054,7 @@ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/", "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", + "https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/", "https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", @@ -23530,7 +28069,10 @@ "https://seguranca-informatica.pt/netwalker-ransomware-full-analysis/", "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/", "https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf", + "https://0x00-0x7f.github.io/Netwalker-from-Powershell-reflective-loader-to-injected-Dll/", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", + "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", "https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware", 
@@ -23546,6 +28088,8 @@ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", + "https://s3.documentcloud.org/documents/21199896/vachon-desjardins-court-docs.pdf", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/", "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", @@ -23628,7 +28172,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware", "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", - "https://twitter.com/siri_urz/status/1221797493849018368" + "https://twitter.com/siri_urz/status/1221797493849018368", + "https://lifars.com/wp-content/uploads/2021/08/Makop-Ransomware-Whitepaper-case-studyNEW-1.pdf" ], "synonyms": [], "type": [] 
@@ -23816,6 +28361,30 @@
 "uuid": "c19ac191-a881-437f-ae82-7bec174590cb",
 "value": "MarkiRAT"
 },
+ {
+ "description": "3xp0rt describes Mars Stealer as an improved successor of Oski Stealer, supporting stealing from current browsers and targeting crypto currencies and 2FA plugins.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer",
+ "https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer",
+ "https://blog.sekoia.io/mars-a-red-hot-information-stealer/",
+ "https://cyberint.com/blog/research/mars-stealer/",
+ "https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer",
+ "https://x-junior.github.io/malware%20analysis/MarsStealer/",
+ "https://cert.gov.ua/article/38606",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
+ "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/",
+ "https://3xp0rt.com/posts/mars-stealer",
+ "https://blog.morphisec.com/threat-research-mars-stealer",
+ "https://isc.sans.edu/diary/rss/28468"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a5c1a9bd-5c1c-4987-8844-2c38e7b83507",
+ "value": "Mars Stealer"
+ },
 {
 "description": "",
 "meta": {
@@ -23856,7 +28425,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.matanbuchus",
- "https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/"
+ "https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a",
+ "https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/",
+ "https://research.openanalysis.net/matanbuchus/loader/yara/triage/dumpulator/emulation/2022/06/19/matanbuchus-triage.html",
+ "https://isc.sans.edu/diary/rss/28752",
+ "https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/",
+ "https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/"
 ],
 "synonyms": [],
 "type": []
@@ -23864,6 +28438,19 @@
 "uuid": "e30f2243-9e69-4b09-97ab-1643929b97ad",
 "value": "Matanbuchus"
 },
+ {
+ "description": "Matiex Keylogger is being sold in the underground forums, due to their gained popularity, and can also be used as MaaS (Malware-as-a-service) because of their ease of use, competitive pricing and immediate response from support.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matiex",
+ "https://labs.k7computing.com/index.php/matiex-on-sale-underground/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b946f5d5-6503-471a-b3cd-c6c6d6149768",
+ "value": "Matiex"
+ },
 {
 "description": "",
 "meta": {
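Review bot: The Matiex description in the second hunk, `Matiex Keylogger is being sold in the underground forums, due to their gained popularity, and can also be used as MaaS …`, mixes singular and plural and makes popularity the reason it is sold rather than the reason it is offered as a service. A cleaner reading that preserves every claim: `Matiex Keylogger is sold on underground forums and, having gained popularity, is also offered as MaaS (Malware-as-a-Service), owing to its ease of use, competitive pricing and responsive support.` If the text is mirrored from Malpedia, submit the wording there so a re-sync does not undo it.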
@@ -23884,8 +28471,10 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom",
 "https://unit42.paloaltonetworks.com/matrix-ransomware/",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
- "https://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware",
- "https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf"
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-matrix-report.pdf",
+ "https://news.sophos.com/en-us/2019/01/30/matrix-targeted-small-scale-canary-in-the-coal-mine-ransomware/",
+ "https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf",
+ "https://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware"
 ],
 "synonyms": [],
 "type": []
@@ -23953,16 +28542,18 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze", "https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.docdroid.net/dUpPY5s/maze.pdf", "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html", "https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/", + "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html", "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/", + "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/", "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", 
@@ -23974,18 +28565,23 @@ "https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://securelist.com/targeted-ransomware-encrypting-data/99255/", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://securelist.com/maze-ransomware/99137/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/", "https://github.com/albertzsigovits/malware-notes/blob/master/Maze.md", "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", + "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/", "https://sites.temple.edu/care/ci-rw-attacks/", "https://www.secureworks.com/research/threat-profiles/gold-village", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/", - "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", 
"https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/", "https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/", 
@@ -23995,18 +28591,22 @@ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf", "https://oag.ca.gov/system/files/Letter%204.pdf", "https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/", + "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker", "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", - "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", + "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", + "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/", "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/", "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md", "https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/", + "https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer", "https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/", "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", "https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/", + "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/", 
"https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", @@ -24029,13 +28629,14 @@ "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", "https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/", - "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", "https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/", - "https://securelist.com/maze-ransomware/99137/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/", "https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf", "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", 
@@ -24046,7 +28647,8 @@
 "https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html",
 "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html",
 "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/"
+ "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/",
+ "https://news.sophos.com/en-us/2020/09/22/mtr-casebook-blocking-a-15-million-maze-ransomware-attack/"
 ],
 "synonyms": [
 "ChaCha"
@@ -24075,7 +28677,7 @@
 "value": "MBRlock"
 },
 {
- "description": "",
+ "description": "Ransomware overwriting the system's MBR, making it impossible to boot into Windows.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlocker",
@@ -24161,12 +28763,16 @@ "https://twitter.com/siri_urz/status/1215194488714346496?s=20", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/", + "https://www.mandiant.com/resources/chasing-avaddon-ransomware", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", + "https://www.theta.co.nz/news-blogs/cyber-security-blog/part-2-analysing-medusalocker-ransomware/", + "https://www.theta.co.nz/news-blogs/cyber-security-blog/part-3-analysing-medusalocker-ransomware/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://www.theta.co.nz/news-blogs/cyber-security-blog/part-1-analysing-medusalocker-ransomware/", "https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html", "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", 
@@ -24188,19 +28794,23 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex", - "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", "https://blog.malwarebytes.com/detections/ransom-megacortex/", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://news.sophos.com/en-us/2019/05/10/megacortex-deconstructed-mysteries-mount-as-analysis-continues/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", "https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/", "https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/", "https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/", + "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://threatpost.com/megacortex-ransomware-mass-distribution/146933/", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", 
"https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/", + "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/", "https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" ], 
@@ -24228,10 +28838,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mekotio", - "https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/", - "http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853", + "https://research.checkpoint.com/2021/mekotio-banker-returns-with-improved-stealth-and-ancient-encryption/", + "https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/rooty-dolphin-uses-mekotio-to-target-bank-clients-in-south-america-and-europe/", - "https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/" + "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf", + "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam", + "https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/", + "https://twitter.com/hpsecurity/status/1509185858146082816", + "http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853", + "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/" ], "synonyms": [], "type": [] 
@@ -24252,6 +28867,20 @@
 "uuid": "e3e289bb-3ac2-4f93-becd-540720501884",
 "value": "Melcoz"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mercurialgrabber",
+ "https://github.com/NightfallGT/Mercurial-Grabber",
+ "https://twitter.com/Arkbird_SOLG/status/1432127748001128459"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5fa45856-2960-47c4-ad73-df0ff142ae12",
+ "value": "MercurialGrabber"
+ },
 {
 "description": "Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.",
 "meta": {
@@ -24272,25 +28901,37 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza", - "https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat", - "https://www.ic3.gov/Media/News/2021/210316.pdf", - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", - "https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware", - "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + "https://twitter.com/campuscodi/status/1347223969984897026", "http://www.secureworks.com/research/threat-profiles/gold-burlap", + "https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/", + "https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after/", + "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", + "https://www.prodaft.com/m/reports/PYSA_TLPWHITE_3.0.pdf", + "https://twitter.com/inversecos/status/1456486725664993287", + "https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/", - "https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html", - "https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", - 
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/", + "https://www.ic3.gov/Media/News/2021/210316.pdf", + "https://securelist.com/modern-ransomware-groups-ttps/106824/", + "https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html", + "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", + "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", + "https://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis/", + "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://www.lacework.com/blog/pysa-ransomware-gang-adds-linux-support/", - "https://twitter.com/campuscodi/status/1347223969984897026", - "https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/", - "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/" + "https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat", + "https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis", + "https://www.hhs.gov/sites/default/files/mespinoza-goldburlap-cyborgspider-analystnote-tlpwhite.pdf", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + "https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3" ], "synonyms": [ "pysa" 
@@ -24347,6 +28988,7 @@
 "https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf",
 "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md",
 "https://blog.ensilo.com/metamorfo-avast-abuser",
+ "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
 "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf",
 "https://cofense.com/blog/autohotkey-banking-trojan/",
 "https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html",
@@ -24362,6 +29004,19 @@
 "uuid": "18dc3e7a-600d-4e5f-a283-86156b938530",
 "value": "Metamorfo"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.metastealer",
+ "https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9b7758fc-2fca-4b07-b669-34461fc95a67",
+ "value": "MetaStealer"
+ },
 {
 "description": "A wiper used in an attack against the Iranian train system.",
 "meta": {
@@ -24382,24 +29037,30 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter",
- "https://asec.ahnlab.com/ko/26705/",
- "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md",
- "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a",
- "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/",
- "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/",
+ "https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/",
+ "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html",
 "https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/",
- "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/",
- "https://redcanary.com/blog/getsystem-offsec/",
- "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf",
- "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
 "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
- "https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/",
 "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
 "http://www.secureworks.com/research/threat-profiles/gold-franklin",
+ "https://explore.group-ib.com/htct/hi-tech_crime_2018",
+ "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/",
 "http://schierlm.users.sourceforge.net/avevasion.html",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
- "http://www.secureworks.com/research/threat-profiles/gold-winter"
+ "http://www.secureworks.com/research/threat-profiles/gold-winter",
+ "https://asec.ahnlab.com/ko/26705/",
+ "https://redcanary.com/blog/getsystem-offsec/",
+ "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf",
+ "https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/",
+ "https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a",
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md",
+ "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf",
+ "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/",
+ "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/",
+ "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/",
+ "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis"
 ],
 "synonyms": [],
 "type": []
@@ -24413,6 +29074,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mevade",
 "https://www.youtube.com/watch?v=FttiysUZmDw",
+ "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sefnit-trojan-just/",
 "https://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/"
 ],
@@ -24480,11 +29142,17 @@
 "value": "Micrass"
 },
 {
- "description": "Open-source lightweight backdoor for C2 communication. ",
+ "description": "Open-source lightweight backdoor for C2 communication.\r\nGitHub: https://github.com/Cr4sh/MicroBackdoor",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.microbackdoor",
- "https://github.com/cr4sh/microbackdoor"
+ "https://ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/",
+ "https://attackiq.com/2022/04/29/attack-graph-response-to-unc1151-continued-targeting-of-ukraine/",
+ "https://github.com/cr4sh/microbackdoor",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://cluster25.io/2022/03/08/ghostwriter-unc1151-adopts-microbackdoor-variants-in-cyber-operations-against-targets-in-ukraine/",
+ "https://cert.gov.ua/article/37626"
 ],
 "synonyms": [],
 "type": []
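Review bot: The new MicroBackdoor description embeds the project URL as `https://github.com/Cr4sh/MicroBackdoor` while the refs array keeps `https://github.com/cr4sh/microbackdoor`; GitHub resolves both, but consumers that match refs by string will treat them as two different sources, so one canonical spelling (preferably the one in refs) would avoid the drift. The description also introduces a `\r\n` line break, as the Mimikatz description further down does with `\r\n\r\n`; the other descriptions visible in this diff are single-line, so if the generator passes upstream text through verbatim it may be worth normalizing line endings to `\n` at import time. Whether the rest of the file already uses CRLF in descriptions cannot be seen from this hunk.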
@@ -24515,14 +29183,15 @@
 "value": "Microcin"
 },
 {
- "description": "",
+ "description": "This malware written in Delphi is an information stealing malware family dubbed \"MICROPSIA\". It has s wide range of data theft functionality built in.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia",
 "https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf",
+ "https://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html",
 "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/",
- "http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
 "https://research.checkpoint.com/apt-attack-middle-east-big-bang/",
+ "http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
 "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md"
 ],
 "synonyms": [],
@@ -24531,6 +29200,21 @@
 "uuid": "b37f312f-a0b1-41a9-88ae-da2844c19cae",
 "value": "Micropsia"
 },
+ {
+ "description": "This malware written in C# is a variant of the Thanos ransomware family and emerged in October 2021 and is obfuscated using SmartAssembly. In 2022, ThreatLabz analysed a report of Midas ransomware was slowly deployed over a two month period (ZScaler). This ransomware features also its own data leak site as part of its double extortion strategy.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.midas",
+ "https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/",
+ "https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/",
+ "https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e5043a7f-2c38-4015-978e-253a7cdbda97",
+ "value": "Midas"
+ },
 {
 "description": "",
 "meta": {
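Review bot: The new Micropsia description carries a typo, `It has s wide range of data theft functionality built in.`, which should read `It has a wide range of data theft functionality built in.`. If this text is imported verbatim from Malpedia the correction belongs upstream as well, otherwise it will be reintroduced on the next regeneration; that provenance is inferred from the malpedia ref, not visible here. The Talos 2017 entry in the same hunk is only moved, not changed.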
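Review bot: The second sentence of the new Midas description is ungrammatical, `In 2022, ThreatLabz analysed a report of Midas ransomware was slowly deployed over a two month period (ZScaler).`, and the vendor name is rendered as `ZScaler` while the ref in the same entry uses `zscaler.com`. A reading that keeps the stated facts is `In 2022, Zscaler ThreatLabz analysed a Midas ransomware incident in which the payload was deployed slowly over a two-month period.`; the last sentence would also read more naturally as `This ransomware also features its own data leak site as part of its double extortion strategy.` As with the Micropsia text, if the description is pulled from upstream the wording should be fixed there too.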
@@ -24549,6 +29233,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.milan",
+ "https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/",
 "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf"
 ],
 "synonyms": [],
@@ -24586,85 +29271,116 @@
 "value": "Milum"
 },
 {
- "description": "",
+ "description": "Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks.\r\n\r\nAttackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz",
- "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
- "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/",
- "http://www.secureworks.com/research/threat-profiles/gold-burlap",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-kingswood",
- "http://www.secureworks.com/research/threat-profiles/gold-kingswood",
- "https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/",
- "https://www.secureworks.com/research/samsam-ransomware-campaigns",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
- "https://www.ic3.gov/Media/News/2021/210527.pdf",
- "https://www.ic3.gov/Media/News/2021/210823.pdf",
 "https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf",
- "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains",
- "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
 "https://www.verfassungsschutz.de/download/broschuere-2021-01-bfv-cyber-brief-2021-01.pdf",
 "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html",
- "http://www.secureworks.com/research/threat-profiles/gold-franklin",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://www.ic3.gov/media/news/2020/200917-1.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
- "https://www.secureworks.com/research/threat-profiles/cobalt-hickman",
 "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
 "https://www.slideshare.net/yurikamuraki5/active-directory-240348605",
- "https://github.com/gentilkiwi/mimikatz",
- "https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
- "https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two",
 "https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf",
+ "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
+ "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
+ "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
+ "https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/",
+ "https://assets.virustotal.com/reports/2021trends.pdf",
+ "https://www.varonis.com/blog/hive-ransomware-analysis",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-152A_Karakurt_Data_Extortion_Group.pdf",
+ "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks",
+ "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
+ "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_Intel_WP_InitAccess-IndEnvirons-Final.pdf",
+ "https://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/",
+ "https://twitter.com/inversecos/status/1456486725664993287",
+ "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
+ "https://twitter.com/swisscom_csirt/status/1354052879158571008",
+ "http://www.secureworks.com/research/threat-profiles/gold-franklin",
+ "https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two",
+ "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf",
 "https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153",
- "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-152a",
+ "https://noticeofpleadings.com/nickel/#",
+ "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html",
+ "https://www.theta.co.nz/news-blogs/cyber-security-blog/snakes-ladders-the-offensive-use-of-python-on-windows/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
+ "http://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
+ "https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks",
+ "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
+ "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
+ "http://www.secureworks.com/research/threat-profiles/gold-burlap",
 "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
- "https://twitter.com/swisscom_csirt/status/1354052879158571008",
- "https://www.secureworks.com/research/threat-profiles/gold-drake",
- "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
- "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730",
- "https://www.secureworks.com/research/threat-profiles/bronze-vinewood",
- "https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/",
- "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
- "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
- "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
- "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf",
- "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection",
- "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
+ "https://www.ic3.gov/Media/News/2021/210527.pdf",
+ "https://www.ic3.gov/Media/News/2021/210823.pdf",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/",
+ "https://www.ic3.gov/media/news/2020/200917-1.pdf",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-hickman",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
 "https://www.hvs-consulting.de/lazarus-report/",
- "https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/",
+ "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html",
+ "https://www.secureworks.com/research/samsam-ransomware-campaigns",
+ "https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/",
+ "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
+ "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
+ "https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/",
+ "https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/",
+ "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east",
+ "https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/",
+ "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "https://volatility-labs.blogspot.com/2021/10/memory-forensics-r-illustrated.html",
+ "https://www.infinitumit.com.tr/apt-35/",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom",
+ "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/",
+ "https://github.com/gentilkiwi/mimikatz",
+ "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns",
+ "http://www.secureworks.com/research/threat-profiles/gold-kingswood",
+ "https://www.secureworks.com/blog/ransomware-deployed-by-adversary",
+ "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-kingswood",
+ "https://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://www.secureworks.com/research/threat-profiles/bronze-vinewood",
+ "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf",
+ "https://paraflare.com/attack-lifecycle-detection-of-an-operational-technology-breach/",
+ "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/",
+ "https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/",
 "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
 "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle",
- "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html",
- "http://www.secureworks.com/research/threat-profiles/gold-drake",
- "https://www.secureworks.com/blog/ransomware-deployed-by-adversary",
- "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
- "https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/",
- "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html",
- "https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
+ "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
- "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
- "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf",
- "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021",
 "https://www.accenture.com/us-en/blogs/security/ransomware-hades",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
- "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/",
- "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html",
- "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/",
+ "https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/",
 "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
 "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/",
- "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware"
 ],
 "synonyms": [],
@@ -24673,6 +29389,19 @@
 "uuid": "588fb91d-59c6-4667-b299-94676d48b17b",
 "value": "MimiKatz"
 },
+ {
+ "description": "Ransomware, potential rebranding of win.sfile.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mindware",
+ "https://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cfd0ab21-12e6-4c95-acc7-a8f488ed1706",
+ "value": "Mindware"
+ },
 {
 "description": "",
 "meta": {
@@ -24760,10 +29489,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai",
+ "https://dev.azure.com/Mastadamus/Mirai%20Botnet%20Analysis/_wiki/wikis/Mirai-Botnet-Analysis.wiki/12/Anatomy-of-An-Mirai-Botnet-Attack",
 "https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/",
- "https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html",
+ "https://twitter.com/PhysicalDrive0/status/830070569202749440",
 "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
- "https://twitter.com/PhysicalDrive0/status/830070569202749440"
+ "https://assets.virustotal.com/reports/2021trends.pdf",
+ "https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/",
+ "https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tough-times-for-ukrainian-honeypot/",
+ "https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html"
 ],
 "synonyms": [],
 "type": []
@@ -24776,8 +29510,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorblast",
+ "https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant",
 "https://www.proofpoint.com/us/daily-ruleset-update-summary-20210924",
- "https://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/"
+ "https://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/",
+ "https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies",
+ "https://threatresearch.ext.hp.com/mirrorblast-and-ta505-examining-similarities-in-tactics-techniques-and-procedures/"
 ],
 "synonyms": [],
 "type": []
@@ -24813,6 +29550,19 @@
 "uuid": "b4c33277-ec15-4bb3-89ef-314ecfa100da",
 "value": "Misfox"
 },
+ {
+ "description": "Undocumented information stealer targeting multiple browsers and cryptocurrences. Internal project name appears to be \"misha\".",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.misha",
+ "https://bazaar.abuse.ch/sample/efab8bfe43de6edf96f9451a5a2cc15017cfc5c88f81b46b33e6ba5c7e2d7a7b/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3f32d0bf-61b9-495b-88ca-77f4a254336d",
+ "value": "Misha"
+ },
 {
 "description": "According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonald’s malvertising and extends its attack surface to web browsers. It is used to target the general public and its main goals are monetary and credential theft. In Brazil, ESET has seen it distributing a malicious Google Chrome extension that attempts to steal credit card data and online banking data, and that compromises the Boleto payment system.",
 "meta": {
@@ -24835,6 +29585,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mistyveal",
+ "https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/",
 "https://www.epicturla.com/previous-works/hitb2020-voltron-sta"
 ],
 "synonyms": [],
@@ -24855,6 +29606,21 @@
 "uuid": "4c786624-4a55-46e6-849d-b65552034235",
 "value": "Miuref"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mmon",
+ "http://reversing.fun/posts/2022/01/02/mmon.html"
+ ],
+ "synonyms": [
+ "Kaptoxa"
+ ],
+ "type": []
+ },
+ "uuid": "a6d12f4f-57f6-4873-9c68-e079fef5e5fb",
+ "value": "MMON"
+ },
 {
 "description": "",
 "meta": {
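Review bot: The new Misha description misspells `cryptocurrences`; it should read `Undocumented information stealer targeting multiple browsers and cryptocurrencies.`. The only non-Malpedia reference for this entry is a single MalwareBazaar sample page, which is thin evidence for a family entry; the description itself says the family is undocumented, so that is consistent, but it would be worth a second source before the entry accumulates relationships. If the description is imported from upstream, the spelling fix belongs there as well.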
@@ -25027,6 +29793,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner",
+ "https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor",
 "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/",
 "https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/"
 ],
@@ -25038,6 +29805,19 @@
 "uuid": "c57a4168-cd09-4611-a665-bbcede80f42b",
 "value": "Monero Miner"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mongall",
+ "https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e0627961-fc28-4b7d-bb44-f937defa052a",
+ "value": "mongall"
+ },
 {
 "description": "",
 "meta": {
@@ -25053,6 +29833,22 @@
 "uuid": "8a6013a1-5e5c-41f5-bd8e-c86ea7f108d9",
 "value": "MontysThree"
 },
+ {
+ "description": "MoonBounce is a malware embedded into a modified UEFI firmware. Placed into SPI flash, it can provide persistence across full reinstall and even disk replacements. MoonBounce deploys user-mode malware through in-memory staging with a small footprint.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonbounce",
+ "https://www.binarly.io/posts/A_deeper_UEFI_dive_into_MoonBounce/index.html",
+ "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
+ "https://habr.com/ru/amp/post/668154/",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/19115831/MoonBounce_technical-details_eng.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "04ce84dc-f471-48b6-8456-348cd85af39f",
+ "value": "MoonBounce"
+ },
 {
 "description": "",
 "meta": {
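Review bot: The new entry's display name is the all-lowercase `"value": "mongall"`, whereas every other entry added in this diff uses a capitalized name (`"MetaStealer"`, `"Midas"`, `"Mindware"`, `"MoonBounce"`, `"MRAC"`). If the value mirrors Malpedia's own display name that is defensible, but that cannot be confirmed from the hunk; otherwise `"value": "Mongall"` would match the rest of the file and avoid a second, differently-cased name appearing later as a synonym.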
@@ -25071,9 +29867,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.moriagent",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a",
 "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#",
+ "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611",
 "https://twitter.com/Timele9527/status/1272776776335233024",
- "https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#"
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf",
+ "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/"
 ],
 "synonyms": [],
 "type": []
@@ -25157,21 +29957,26 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker",
+"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry",
 "https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/",
 "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates",
 "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/",
+"https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+"https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html",
 "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines",
 "https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/",
 "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/",
 "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/",
 "https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/",
-"https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html",
+"https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/",
+"https://blogs.blackberry.com/en/2021/11/zebra2104",
 "https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/",
 "https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker",
-"https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/"
+"https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html",
+"https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/"
 ],
 "synonyms": [],
 "type": []
@@ -25220,6 +30025,19 @@
 "uuid": "2363dc9f-822a-4581-8d5f-1fc436e70621",
 "value": "MPKBot"
 },
+{
+"description": "Ransomware.",
+"meta": {
+"refs": [
+"https://malpedia.caad.fkie.fraunhofer.de/details/win.mrac",
+"https://id-ransomware.blogspot.com/2021/12/mrac-ransomware.html"
+],
+"synonyms": [],
+"type": []
+},
+"uuid": "3eee33df-76c5-4962-ac35-b0d98c37a81a",
+"value": "MRAC"
+},
 {
 "description": "Ransomware.",
 "meta": {
@@ -25280,6 +30098,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet",
 "https://www.wired.com/2017/03/russian-hacker-spy-botnet/",
+"https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
 "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group"
 ],
@@ -25343,11 +30162,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader",
-"https://blog.talosintelligence.com/2020/07/valak-emerges.html",
-"https://sophos.files.wordpress.com/2019/12/mykings_report_final.pdf",
-"https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators",
+"https://decoded.avast.io/janrubin/the-king-is-dead-long-live-mykings/",
 "http://download.ahnlab.com/kr/site/library/[AhnLab]Analysis%20Report_MyKings%20Botnet.pdf",
-"http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/"
+"https://sophos.files.wordpress.com/2019/12/mykings_report_final.pdf",
+"http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/",
+"https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators",
+"https://blog.talosintelligence.com/2020/07/valak-emerges.html"
 ],
 "synonyms": [],
 "type": []
@@ -25489,14 +30309,21 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
 "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
+"https://blog.morphisec.com/syk-crypter-discord",
+"https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
+"https://community.riskiq.com/article/24759ad2",
 "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/",
 "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
+"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
 "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
 "https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/",
 "https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/",
 "https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/",
+"https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+"https://community.riskiq.com/article/ade260c6",
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "https://www.ic3.gov/media/news/2020/200917-1.pdf",
+"https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread",
 "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52",
 "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
@@ -25508,7 +30335,10 @@
 "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
 "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332",
 "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
+"https://assets.virustotal.com/reports/2021trends.pdf",
 "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+"https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html",
+"https://medium.com/@M3HS1N/malware-analysis-nanocore-rat-6cae8c6df918",
 "https://goggleheadedhacker.com/blog/post/11",
 "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/image-file-trickery-part-ii-fake-icon-delivers-nanocore/",
@@ -25520,6 +30350,7 @@
 "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-indictments-iran-espionage",
 "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+"https://intel471.com/blog/privateloader-malware",
 "https://malwareindepth.com/defeating-nanocore-and-cypherit/",
 "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
@@ -25619,7 +30450,9 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nebulae",
 "https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf",
 "https://twitter.com/SyscallE/status/1390339497804636166",
-"https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos"
+"https://www.securityweek.com/chinese-cyberspies-target-military-organizations-asia-new-malware",
+"https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
+"https://www.bleepingcomputer.com/news/security/cyberspies-target-military-organizations-with-new-nebulae-backdoor/"
 ],
 "synonyms": [],
 "type": []
@@ -25636,10 +30469,12 @@
 "https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features",
 "http://www.secureworks.com/research/threat-profiles/gold-riverview",
 "http://blog.talosintelligence.com/2017/03/necurs-diversifies.html",
+"https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
 "https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/",
-"https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/",
+"https://intel471.com/blog/a-brief-history-of-ta505",
+"https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
 "https://www.secureworks.com/research/threat-profiles/gold-riverview",
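Review bot: In the Necurs hunk the added `"https://intel471.com/blog/a-brief-history-of-ta505"` is, by path, the same Intel 471 post as the existing `"https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/"` four lines above it, so the refs list now cites one source twice under two hostnames; keep a single form and drop the other. The same pattern recurs in the Nemty hunk, which adds `tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/` while the preceding Nemty hunk adds the `/en/posts/` path of the same page, and in the njRAT hunk, which adds the Talos SideCopy PDF with a `?1625657388` cache-buster that the following njRAT hunk already lists without it. A normalise-then-dedupe pass over `refs` (strip scheme, `www.`, query and fragment before comparing) would catch these before commit; it would also surface the pre-existing http/https pair for the secureworks gold-riverview profile visible in this same list.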
@@ -25647,7 +30482,7 @@
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
 "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
 "https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/",
-"https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
+"https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/",
 "https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/",
 "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/"
 ],
@@ -25679,15 +30514,16 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim",
 "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
-"https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/",
+"https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks",
 "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
 "https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html",
-"https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks",
+"https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/",
 "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
 "https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry",
 "https://securelist.com/evolution-of-jsworm-ransomware/102428/",
 "https://documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf",
 "https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/",
+"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
 "https://www.trendmicro.com/en_us/research/21/f/nefilim-modern-ransomware-attack-story.html",
 "http://www.secureworks.com/research/threat-profiles/gold-mansard",
 "https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware",
@@ -25700,6 +30536,7 @@
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
 "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+"https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
 "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
 "https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
@@ -25735,6 +30572,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty",
 "https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/",
+"https://www.tesorion.nl/en/posts/nemty-update-decryptors-for-nemty-1-5-and-1-6/",
 "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
@@ -25747,15 +30585,18 @@
 "https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/",
 "http://www.secureworks.com/research/threat-profiles/gold-mansard",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet",
+"https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/",
 "https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/",
+"https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
 "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw",
-"https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b",
 "https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html",
 "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/",
 "https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md",
+"https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/",
+"https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
 "https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/",
 "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
-"https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/"
+"https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b"
 ],
 "synonyms": [],
 "type": []
@@ -25763,6 +30604,19 @@
 "uuid": "465696be-d576-4750-9469-89e19984f3df",
 "value": "Nemty"
 },
+{
+"description": "Proofpoint observed distribution of this RAT since late April 2022, it is written on Go and incorporates code from various open-source Git repositories.",
+"meta": {
+"refs": [
+"https://malpedia.caad.fkie.fraunhofer.de/details/win.nerbian_rat",
+"https://www.proofpoint.com/us/blog/threat-insight/nerbian-rat-using-covid-19-themes-features-sophisticated-evasion-techniques"
+],
+"synonyms": [],
+"type": []
+},
+"uuid": "3dba4da9-7fe0-4b12-a0ed-c55065b87481",
+"value": "Nerbian RAT"
+},
 {
 "description": "Neshta is a 2005 Belarusian file infector virus . The name of the virus comes from the Belarusian word \"nesta\" meaning \"something.\" The program is a Windows application (exe file). Written in Delphi . The size of the original malicious file is 41,472 bytes . This file virus is the type of virus that is no longer popular at present.",
 "meta": {
@@ -25770,6 +30624,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta",
 "https://www.virusradar.com/en/Win32_Neshta.A/description",
 "https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest",
+"https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
 "https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html"
 ],
 "synonyms": [],
@@ -25808,6 +30663,19 @@
 "uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5",
 "value": "NetC"
 },
+{
+"description": "A RAT written in .NET, delivered with a driver to protect it from deletion. Observed being dropped by PrivateLoader.",
+"meta": {
+"refs": [
+"https://malpedia.caad.fkie.fraunhofer.de/details/win.netdooka",
+"https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html"
+],
+"synonyms": [],
+"type": []
+},
+"uuid": "dc6f887b-0c35-471f-9b18-2bf0a4ff357a",
+"value": "NetDooka"
+},
 {
 "description": "",
 "meta": {
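Review bot: The Nerbian RAT description in the first hunk reads "since late April 2022, it is written on Go", a comma splice with a wrong preposition that a reader may take for a typo rather than a statement about the implementation language. Suggested line: `"description": "Proofpoint observed distribution of this RAT since late April 2022. It is written in Go and incorporates code from various open-source Git repositories.",`. The wording is the only issue; the single Proofpoint reference supports the claims made.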
@@ -25830,11 +30698,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.netfilter",
-"https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/",
 "https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit",
-"https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold-whql-signatures/",
+"https://www.bitdefender.com/files/News/CaseStudies/study/405/Bitdefender-DT-Whitepaper-Fivesys-creat5699-en-EN.pdf",
+"https://www.vice.com/en/article/pkbzxv/hackers-tricked-microsoft-into-certifying-malware-that-could-spy-on-users",
+"https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/",
 "https://www.intezer.com/blog/malware-analysis/fast-insights-for-a-microsoft-signed-netfilter-rootkit/",
-"https://www.vice.com/en/article/pkbzxv/hackers-tricked-microsoft-into-certifying-malware-that-could-spy-on-users"
+"https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold-whql-signatures/",
+"https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html"
 ],
 "synonyms": [],
 "type": []
@@ -25882,7 +30752,7 @@
 "value": "Netrepser"
 },
 {
-"description": "",
+"description": "Enigma Software notes that NetSupport Manager is a genuine application, which was first released about twenty years ago. The purpose of the NetSupport Manager tool is to enable users to receive remote technical support or provide remote computer assistance. However, cyber crooks have hijacked this useful application and misappropriated it to use it in their harmful campaigns. The name of the modified version of the NetSupport Manager has been labeled the NetSupport Manager RAT.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat",
@@ -25890,8 +30760,12 @@
 "https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/",
 "https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html",
+"https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/",
 "https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html",
-"http://www.netsupportmanager.com/index.asp"
+"https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer",
+"http://www.netsupportmanager.com/index.asp",
+"https://www.bleepingcomputer.com/news/security/malicious-web-redirect-service-infects-16-500-sites-to-push-malware/",
+"https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee"
 ],
 "synonyms": [
 "NetSupport"
@@ -25924,23 +30798,29 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire",
 "https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html",
+"https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+"https://www.youtube.com/watch?v=TeQdZxP0RYY",
 "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
 "https://www.circl.lu/pub/tr-23/",
 "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
 "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
 "https://news.drweb.ru/show/?i=13281&c=23",
+"https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers",
 "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
 "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728",
 "https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/",
 "https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/",
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+"https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf",
 "https://mp.weixin.qq.com/s/yrDzybPVTbu_9SrZPlSNKA",
+"https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/",
 "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
 "https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign",
+"https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/",
 "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data",
 "https://blog.vincss.net/2020/03/re011-unpack-crypter-cua-malware-netwire-bang-x64dbg.html",
 "https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg",
-"https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+"https://community.riskiq.com/article/24759ad2",
 "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/",
 "https://drive.google.com/file/d/1dD2sWYES_hrPsoql4G0aVF9ILIxAS4Fd/view",
 "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
@@ -25954,10 +30834,13 @@
 "https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers",
 "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
 "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+"https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
 "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
+"https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html",
 "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
 "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
 "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html",
+"https://threatpost.com/ta2541-apt-rats-aviation/178422/",
 "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols"
 ],
 "synonyms": [
@@ -26025,6 +30908,19 @@
 "uuid": "a954e642-4cf4-4293-a4b0-c82cf2db785d",
 "value": "Neutrino POS"
 },
+{
+"description": "",
+"meta": {
+"refs": [
+"https://malpedia.caad.fkie.fraunhofer.de/details/win.newbounce",
+"https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf"
+],
+"synonyms": [],
+"type": []
+},
+"uuid": "1695fd64-5e6a-456f-97a4-d09937920543",
+"value": "NewBounce"
+},
 {
 "description": "",
 "meta": {
@@ -26145,6 +31041,20 @@
 "uuid": "35fd764f-8723-4663-9bbf-5b02a64ec02e",
 "value": "Ngioweb (Windows)"
 },
+{
+"description": "",
+"meta": {
+"refs": [
+"https://malpedia.caad.fkie.fraunhofer.de/details/win.nglite",
+"https://us-cert.cisa.gov/ncas/alerts/aa21-336a",
+"https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/"
+],
+"synonyms": [],
+"type": []
+},
+"uuid": "3bd8a411-5a99-4cf9-bde9-b7c55e79acf8",
+"value": "NGLite"
+},
 {
 "description": "",
 "meta": {
@@ -26158,6 +31068,66 @@
 "uuid": "5a998606-a9a9-42ad-affb-9be37e11ec25",
 "value": "Nibiru"
 },
+{
+"description": "",
+"meta": {
+"refs": [
+"https://malpedia.caad.fkie.fraunhofer.de/details/win.nightsky",
+"https://www.youtube.com/watch?v=Yzt_zOO8pDM",
+"https://twitter.com/cglyer/status/1480742363991580674",
+"https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+"https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/",
+"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+"https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/"
+],
+"synonyms": [
+"Night Sky"
+],
+"type": []
+},
+"uuid": "5c8dc23a-86a8-4fee-9fa3-371c9d7b4f1c",
+"value": "NightSky"
+},
+{
+"description": "NimbleMamba is a new implant used by TA402/Molerats group as replacement of LastConn. It uses guardrails to ensure that victims are within the TA's target region. It is written in C# and delivered as an obfuscated .NET executable. One seen obfuscator is SmartAssembly.",
+"meta": {
+"refs": [
+"https://malpedia.caad.fkie.fraunhofer.de/details/win.nimblemamba",
+"https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage",
+"https://thehackernews.com/2022/02/palestinian-hackers-using-new.html"
+],
+"synonyms": [],
+"type": []
+},
+"uuid": "b52a6512-7b0c-431a-8680-93f12921ba46",
+"value": "NimbleMamba "
+},
+{
+"description": "Malware written in Nim, stealing data including discord tokens from browsers, exfiltrating the results via a Discord webhook.",
+"meta": {
+"refs": [
+"https://malpedia.caad.fkie.fraunhofer.de/details/win.nimgrabber",
+"https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671"
+],
+"synonyms": [],
+"type": []
+},
+"uuid": "5f998c1d-0377-404d-8ece-dd3486758a44",
+"value": "NimGrabber"
+},
+{
+"description": "Backdoor written in Nim.",
+"meta": {
+"refs": [
+"https://malpedia.caad.fkie.fraunhofer.de/details/win.nimrev",
+"https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671"
+],
+"synonyms": [],
+"type": []
+},
+"uuid": "69981781-962a-409a-93c6-cb5377257de8",
+"value": "Nimrev"
+},
 {
 "description": "",
 "meta": {
@@ -26193,6 +31163,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitro",
 "https://github.com/nightfallgt/nitro-ransomware",
 "https://twitter.com/malwrhunterteam/status/1430616882231578624",
+"https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf",
 "https://www.bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/"
 ],
 "synonyms": [
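Review bot: The NimbleMamba cluster is added with `"value": "NimbleMamba "`, a trailing space in the display name; the value is the string MISP uses when the cluster is attached as a tag and the key other tooling matches on, so the stray whitespace yields a tag that differs from the bare name and from every other cluster in this file, none of which has surrounding whitespace. Change the line to `"value": "NimbleMamba"`. Separately, the same entry's description is broken across two lines in this view; if that reflects a literal line break inside the string in the committed file the document is not valid JSON, so confirm the description is one string on one line.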
@@ -26222,16 +31193,23 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat",
 "https://asec.ahnlab.com/1369",
+"https://blog.morphisec.com/syk-crypter-discord",
+"https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+"https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/",
+"https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388",
 "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks",
 "https://blog.talosintelligence.com/2021/07/sidecopy.html",
+"https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/",
 "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
+"https://forensicitguy.github.io/njrat-installed-from-msi/",
 "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt",
 "https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/",
+"https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
 "https://www.4hou.com/posts/VoPM",
 "https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware",
 "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
@@ -26244,31 +31222,36 @@
 "https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control",
 "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
 "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+"https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
 "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
 "https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/",
+"https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/",
 "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
 "https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf",
 "https://news.sophos.com/en-us/2020/05/14/raticate/",
 "https://securelist.com/apt-trends-report-q2-2019/91897/",
 "http://blogs.360.cn/post/analysis-of-apt-c-37.html",
+"https://twitter.com/ESETresearch/status/1449132020613922828",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
 "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g",
 "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
 "https://labs.k7computing.com/?p=21904",
 "https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html",
-"https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services",
 "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.njRAT",
+"https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services",
 "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
 "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
 "https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html",
 "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+"https://intel471.com/blog/privateloader-malware",
 "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/",
 "https://ti.360.net/blog/articles/analysis-of-apt-c-27/",
 "https://blog.reversinglabs.com/blog/rats-in-the-library",
 "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479",
 "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf",
+"https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
 "https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/",
-"https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols"
+"https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/"
 ],
 "synonyms": [
 "Bladabindi"
@@ -26320,12 +31303,27 @@
 "uuid": "f3cbe9ca-e65e-41af-8eb2-1e9877434124",
 "value": "Nokki"
 },
+{
+"description": "",
+"meta": {
+"refs": [
+"https://malpedia.caad.fkie.fraunhofer.de/details/win.nokoyawa",
+"https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html",
+"https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/"
+],
+"synonyms": [],
+"type": []
+},
+"uuid": "934a633a-21f7-4010-a83a-0b64c365355d",
+"value": "Nokoyawa Ransomware"
+},
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.noxplayer",
-"https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/"
+"https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/",
+"https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -26403,6 +31401,24 @@
 "uuid": "83cfa206-b485-47fd-b298-1b008ab86507",
 "value": "NVISOSPIT"
 },
+{
+"description": "",
+"meta": {
+"refs": [
+"https://malpedia.caad.fkie.fraunhofer.de/details/win.nworm",
+"https://bazaar.abuse.ch/browse/tag/N-W0rm/",
+"https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-2/",
+"https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-1/"
+],
+"synonyms": [
+"NWorm",
+"nw0rm"
+],
+"type": []
+},
+"uuid": "bdc00b3a-2ceb-4818-83fa-96fb11c8540f",
+"value": "N-W0rm"
+},
 {
 "description": "",
 "meta": {
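Review bot: The new cluster in the first hunk is named `"value": "Nokoyawa Ransomware"` while its `synonyms` array is empty, so the bare family name "Nokoyawa" — the name in the Malpedia path `win.nokoyawa` and in both cited article titles — does not resolve to this cluster, unlike neighbouring ransomware entries ("Nemty", "Nefilim", "NightSky") that use the bare name. Either rename it `"value": "Nokoyawa"`, or keep the current value and add `"Nokoyawa"` to `synonyms`. The SentinelOne reference here is also cited under Nemty in an earlier hunk, implying a lineage between the two families; if that is intended, recording the relationship on the cluster itself rather than only through a shared URL would make it queryable.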
@@ -26414,6 +31430,7 @@
 "https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded",
 "https://securityintelligence.com/posts/goznym-closure-comes-in-the-shape-of-a-europol-and-doj-arrest-operation/",
 "https://bitbucket.org/daniel_plohmann/idapatchwork",
+ "https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-the-evolution-of-the-nymaim-criminal-enterprise.pdf",
 "https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/",
 "https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0",
 "https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf",
@@ -26450,8 +31467,12 @@
 "https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html",
 "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf",
 "https://securelist.com/transparent-tribe-part-2/98233/",
+ "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
+ "https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/",
 "https://www.secrss.com/articles/24995",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf",
 "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html",
 "https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html",
 "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html"
@@ -26516,6 +31537,23 @@
 "uuid": "d8305201-9fec-4e6b-9eec-7ebb756364e2",
 "value": "OddJob"
 },
+ {
+ "description": "Spam bot that was active around 2007 and after, one of the first malware families to use a domain generation algorithm.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oderoor",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
+ "https://web.archive.org/web/20160324035554/https://www.johannesbader.ch/2015/12/krakens-two-domain-generation-algorithms//"
+ ],
+ "synonyms": [
+ "Bobax",
+ "Kraken"
+ ],
+ "type": []
+ },
+ "uuid": "fb5c1af2-9028-47c7-937b-ab0ba0078485",
+ "value": "Oderoor"
+ },
 {
 "description": "",
 "meta": {
@@ -26552,6 +31590,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.oldbait",
 "https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
+ "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf",
 "https://www.secjuice.com/fancy-bear-review/"
 ],
 "synonyms": [
@@ -26569,7 +31608,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer",
 "https://www.youtube.com/watch?v=a4BZ3SZN-CI",
 "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html",
- "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
 "https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/",
 "https://www.lastline.com/labsblog/olympic-destroyer-south-korea/",
 "https://www.youtube.com/watch?v=1jgdMY12mI8",
@@ -26585,6 +31624,7 @@
 "http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html",
 "https://securelist.com/apt-trends-report-q2-2019/91897/",
 "https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/",
+ "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too",
 "https://www.mbsd.jp/blog/20180215.html",
 "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/"
 ],
@@ -26761,11 +31801,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
 "https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html",
 "https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors",
 "https://www.canada.ca/en/radio-television-telecommunications/news/2019/03/crtc-and-rcmp-national-division-execute-warrants-in-malware-investigation.html",
+ "https://assets.virustotal.com/reports/2021trends.pdf",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
 "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/",
 "https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/",
 "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/"
@@ -26785,6 +31828,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt",
 "https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html",
 "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
 "https://www.gdata.de/blog/2017/11/30151-ordinypt",
 "https://www.carbonblack.com/2019/09/05/cb-threat-analysis-unit-technical-breakdown-germanwiper-ransomware/"
 ],
@@ -26798,15 +31842,19 @@
 "value": "Ordinypt"
 },
 {
- "description": "",
+ "description": "Oski is a stealer written in C++ that appeared around November 2019 and is being sold for between 70$ to 100$ on Russian-speaking forums. It collects different types of data (cryptocurrency wallets, saved passwords, files matching an attacker-defined pattern etc) and it exfiltrates it in a zip file uploaded to the attacker's panel.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.oski",
- "https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer",
 "https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/",
 "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/",
- "https://drive.google.com/file/d/1c72YIF6JYcEvbFZCrkZO26D9hC3gnyMP/view",
- "https://twitter.com/albertzsigovits/status/1160874557454131200"
+ "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become",
+ "https://medium.com/shallvhack/oski-stealer-a-credential-theft-malware-b9bba5164601",
+ "https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer",
+ "https://cyberint.com/blog/research/mars-stealer/",
+ "https://twitter.com/albertzsigovits/status/1160874557454131200",
+ "https://3xp0rt.com/posts/mars-stealer",
+ "https://drive.google.com/file/d/1c72YIF6JYcEvbFZCrkZO26D9hC3gnyMP/view"
 ],
 "synonyms": [],
 "type": []
@@ -26835,7 +31883,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ousaban",
- "https://www.welivesecurity.com/2021/05/05/ousaban-private-photo-collection-hidden-cabinet/"
+ "https://www.welivesecurity.com/2021/05/05/ousaban-private-photo-collection-hidden-cabinet/",
+ "https://www.atomicmatryoshka.com/post/ousaban-msi-installer-analysis"
 ],
 "synonyms": [],
 "type": []
@@ -26931,6 +31980,19 @@
 "uuid": "7a6d97a2-821f-4083-9180-3f70a851ad5e",
 "value": "Owlproxy"
 },
+ {
+ "description": "Kaspersky describes this as a OWA add-on that has credential stealing capabilities.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.owowa",
+ "https://securelist.com/owowa-credential-stealer-and-remote-access/105219/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "aa985bc5-92e4-43c6-a01b-1de02818cfc9",
+ "value": "Owowa"
+ },
 {
 "description": "",
 "meta": {
@@ -26999,6 +32061,7 @@
 "https://www.spamhaus.org/news/article/771/",
 "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
 "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware",
+ "https://medium.com/@crovax/panda-banker-analysis-part-1-d08b3a855847",
 "http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html",
 "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf",
@@ -27021,6 +32084,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.panda_stealer",
+ "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
 "https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html"
 ],
 "synonyms": [],
@@ -27029,6 +32093,27 @@
 "uuid": "7fa924a9-4d7a-406c-b298-bf3b01557ac8",
 "value": "Panda Stealer"
 },
+ {
+ "description": "Pandora ransomware was obtained by vx-underground at 2022-03-14.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora",
+ "https://dissectingmalwa.re/blog/pandora/",
+ "https://cloudsek.com/technical-analysis-of-emerging-sophisticated-pandora-ransomware-group/",
+ "https://www.fortinet.com/blog/threat-research/Using-emulation-against-anti-reverse-engineering-techniques",
+ "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+ "https://www.fortinet.com/blog/threat-research/looking-inside-pandoras-box",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://kienmanowar.wordpress.com/2022/03/21/quicknote-analysis-of-pandora-ransomware/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e43b67bc-3c16-4a69-b63d-f6bf3d732e1b",
+ "value": "Pandora"
+ },
 {
 "description": "Ransomware.",
 "meta": {
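Review bot: The new Pandora entry lists the same Microsoft ransomware-as-a-service post twice in its `refs`, once without and once with a trailing slash, so the list is not deduplicated and consumers that match references by exact string will count it as two sources. Keep only `"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself"`, which is also the form the Phobos, Phoenix Locker and PhotoLoader entries in this diff use. The Philadelphia hunk further down has the same shape: it adds `https://intel471.com/blog/a-brief-history-of-ta505` while keeping the `blog.intel471.com/2020/05/21/a-brief-history-of-ta505/` URL, which is presumably the same article at its old host, so one of the two could be dropped there as well.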
@@ -27052,11 +32137,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.parallax",
- "https://www.vkremez.com/2020/02/lets-learn-inside-parallax-rat-malware.html",
 "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html",
- "https://blog.morphisec.com/parallax-rat-active-status",
 "https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/",
- "https://twitter.com/malwrhunterteam/status/1227196799997431809"
+ "https://blog.morphisec.com/parallax-rat-active-status",
+ "https://twitter.com/malwrhunterteam/status/1227196799997431809",
+ "https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/",
+ "https://www.vkremez.com/2020/02/lets-learn-inside-parallax-rat-malware.html",
+ "https://threatpost.com/ta2541-apt-rats-aviation/178422/"
 ],
 "synonyms": [
 "ParallaxRAT"
@@ -27079,6 +32166,43 @@
 "uuid": "c5eee19f-0877-4709-86ea-328e346af1bf",
 "value": "parasite_http"
 },
+ {
+ "description": "PartyTicket is a Go-written ransomware, which was described as a poorly designed one by Zscaler. According to Brett Stone-Gross this malware is likely intended to be a diversion from the Hermetic wiper (aka. KillDisk.NCV, DriveSlayer) attack.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.partyticket",
+ "https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/",
+ "https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/",
+ "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation",
+ "https://www.brighttalk.com/webcast/15591/534324",
+ "https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf",
+ "https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/",
+ "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket",
+ "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-partyticket-ransomware",
+ "https://securelist.com/new-ransomware-trends-in-2022/106457/",
+ "https://www.techtarget.com/searchsecurity/news/252514091/CrowdStrike-cracks-PartyTicket-ransomware-targeting-Ukraine",
+ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-hermeticransom-victims-in-ukraine/",
+ "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf",
+ "https://www.mandiant.com/resources/information-operations-surrounding-ukraine",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
+ "https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/",
+ "https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/"
+ ],
+ "synonyms": [
+ "Elections GoRansom",
+ "HermeticRansom",
+ "SonicVote"
+ ],
+ "type": []
+ },
+ "uuid": "697d905a-5353-43ed-97e0-15f7d2763b69",
+ "value": "PartyTicket"
+ },
 {
 "description": "Ransomware.",
 "meta": {
@@ -27113,14 +32237,44 @@
 "uuid": "46dc64c6-e927-44fc-b4a4-efd1677ae030",
 "value": "Pay2Key"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.payloadbin",
+ "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "313c81ab-fba2-4577-8de6-863515a65c45",
+ "value": "PayloadBIN"
+ },
+ {
+ "description": "PcShare is a open-source backdoor which has been seen modified and used by Chinese threat actors, mainly attacking countries in South East Asia.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pcshare",
+ "https://web.archive.org/web/20191115210757/https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "42100d7e-39c7-47c0-bc9e-3c590ed0d837",
+ "value": "PcShare"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pebbledash",
+ "https://malwarenailed.blogspot.com/2020/06/peebledash-lazarus-hiddencobra-rat.html?m=1",
+ "https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf",
+ "https://asec.ahnlab.com/en/30532/",
 "https://www.us-cert.gov/ncas/analysis-reports/ar20-133c",
 "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/",
- "https://malwarenailed.blogspot.com/2020/06/peebledash-lazarus-hiddencobra-rat.html?m=1",
+ "https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf",
+ "https://asec.ahnlab.com/en/30022/",
 "https://blog.reversinglabs.com/blog/hidden-cobra"
 ],
 "synonyms": [],
@@ -27136,6 +32290,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.peddlecheap",
 "https://www.forcepoint.com/fr/blog/security-labs/new-whitepaper-danderspritzpeddlecheap-traffic-analysis-part-1-2#",
 "https://twitter.com/ESETresearch/status/1258353960781598721",
+ "https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/",
 "https://obscuritylabs.com/blog/2017/11/13/match-made-in-the-shadows-part-3/"
 ],
 "synonyms": [],
@@ -27247,10 +32402,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.philadelphia_ransom",
- "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
 "https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/",
 "https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
 "https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/"
 ],
@@ -27265,25 +32421,28 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
 "https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
 "https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground",
- "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
- "https://www.sri.ro/articole/atac-cibernetic-cu-aplicatia-ransomware-phobos",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://securelist.com/cis-ransomware/104452/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
 "https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://paraflare.com/luci-spools-the-fun-with-phobos-ransomware/",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://www.sri.ro/articole/atac-cibernetic-cu-aplicatia-ransomware-phobos",
+ "https://blogs.blackberry.com/en/2021/11/zebra2104",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware",
 "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
 "https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/",
- "https://securelist.com/cis-ransomware/104452/",
- "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
 "https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/",
- "https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/"
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/"
 ],
 "synonyms": [],
 "type": []
@@ -27305,11 +32464,29 @@
 "uuid": "601ea680-68ec-43c9-ba20-88eaaefe8818",
 "value": "Phoenix Keylogger"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_locker",
+ "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "58aff639-0eda-4a80-9fe8-22e0498af728",
+ "value": "Phoenix Locker"
+ },
 {
 "description": " Phoreal is a very simple backdoor that is capable of creating a reverse shell, performing simple file I/O and top-level window enumeration. It communicates to a list of four preconfigured C2 servers via ICMP on port 53",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoreal",
+ "https://elastic.github.io/security-research/intelligence/2022/03/02.phoreal-targets-southeast-asia-financial-sector/article/",
 "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf",
 "https://www.secureworks.com/research/threat-profiles/tin-woodlawn"
 ],
@@ -27333,13 +32510,16 @@
 "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
 "https://www.johannesbader.ch/2016/02/phorpiex/",
+ "https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html",
 "https://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/",
 "https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/",
 "https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/",
+ "https://twitter.com/_CPResearch_/status/1447852018794643457",
 "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
 "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
 "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/",
+ "https://research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/",
 "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows"
 ],
 "synonyms": [
@@ -27350,6 +32530,29 @@
 "uuid": "9759f99b-6d6c-4633-aa70-cb1d2bacc540",
 "value": "Phorpiex"
 },
+ {
+ "description": "A loader used to deliver IcedID, fetching a fake image from which payloads are extracted.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.photoloader",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/",
+ "https://isc.sans.edu/diary/28636",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.silentpush.com/blog/icedid-command-and-control-infrastructure",
+ "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes",
+ "https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html",
+ "https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/",
+ "https://www.silentpush.com/blog/malicious-infrastructure-as-a-service",
+ "https://twitter.com/felixw3000/status/1521816045769662468"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3418ca80-73d9-49ab-836a-98230a83c67d",
+ "value": "PhotoLoader"
+ },
 {
 "description": "PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome, Firefox, and Internet Explorer to a file. This tool was previously observed solely utilized by APT34.",
 "meta": {
@@ -27398,7 +32601,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pingback",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/"
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/",
+ "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/"
 ],
 "synonyms": [],
 "type": []
@@ -27419,6 +32623,20 @@
 "uuid": "ea1c71fe-ad42-4c5a-8114-9ab9ecaa66f5",
 "value": "pipcreat"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipemon",
+ "https://twitter.com/ESETresearch/status/1506904404225630210",
+ "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "34c0b51a-7139-44ab-b09a-cef646e66ba0",
+ "value": "PipeMon"
+ },
 {
 "description": "",
 "meta": {
@@ -27560,11 +32778,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ploutus_atm",
- "https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html",
- "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf",
- "http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html",
 "https://www.metabaseq.com/recursos/ploutus-is-back-targeting-itautec-atms-in-latin-america",
- "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html"
+ "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
+ "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf",
+ "https://www.crowdstrike.com/blog/ploutus-atm-malware-deobfuscation-case-study",
+ "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html",
+ "https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html",
+ "http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html"
 ],
 "synonyms": [],
 "type": []
@@ -27591,26 +32811,34 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx",
- "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
 "https://community.rsa.com/thread/185439",
+ "https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx",
+ "https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/",
 "https://www.recordedfuture.com/redecho-targeting-indian-power-sector/",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "https://www.secureworks.com/research/threat-profiles/bronze-president",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
 "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html",
 "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/",
 "https://securelist.com/apt-trends-report-q2-2020/97937/",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf",
 "https://www.recordedfuture.com/china-linked-ta428-threat-group",
 "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html",
- "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
+ "https://cyberandramen.net/2022/01/06/a-gulp-of-plugx/",
 "https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html",
+ "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-",
+ "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html",
 "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf",
+ "https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf",
 "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report",
 "https://www.secureworks.com/research/threat-profiles/bronze-union",
 "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
 "https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/",
 "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/",
+ "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage",
 "https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/",
 "https://blog.xorhex.com/blog/mustangpandaplugx-1/",
@@ -27620,6 +32848,7 @@
 "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
 "https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/",
 "https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/",
+ "https://redalert.nshc.net/2022/04/14/hacking-activity-of-sectorb-group-in-2021/",
 "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
 "https://securelist.com/cycldek-bridging-the-air-gap/97157/",
 "https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/",
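Review bot: The PlugX `refs` entry `"https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-"` is a truncated URL (its slug stops at `apt-`), and this commit only moves it within the list rather than completing or removing it, so the new side still ships a reference that is unlikely to resolve. The full slug appears as `https://blog.ensilo.com/uncovering-new-activity-by-apt10` in the context of the following hunk, which is presumably the same article at its original host; either complete the Fortinet URL or drop it in favour of the existing enSilo reference. The `refs` array this belongs to continues past the end of this hunk.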
@@ -27633,40 +32862,53 @@
 "https://blog.ensilo.com/uncovering-new-activity-by-apt10",
 "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/",
 "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
+ "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor",
 "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/",
 "https://blog.xorhex.com/blog/reddeltaplugxchangeup/",
 "https://securelist.com/time-of-death-connected-medicine/84315/",
 "https://tracker.h3x.eu/info/290",
 "https://www.contextis.com/de/blog/avivore",
+ "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html",
+ "https://www.youtube.com/watch?v=C_TmANnbS2k",
 "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
 "https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf",
 "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader",
 "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
 "https://www.secureworks.com/research/threat-profiles/bronze-overbrook",
 "https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/",
+ "https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european",
 "https://therecord.media/redecho-group-parks-domains-after-public-exposure/",
 "https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader",
 "https://www.secureworks.com/research/threat-profiles/bronze-express",
 "https://www.secureworks.com/research/threat-profiles/bronze-olive",
 "https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf",
 "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
 "https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/",
+ "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html",
 "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/",
+ "https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/",
 "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf",
 "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/",
+ "https://www.welivesecurity.com/fr/2022/03/25/mustang-pandas-hodur-nouveau-korplug/",
 "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html",
+ "https://www.youtube.com/watch?v=qEwBGGgWgOM",
+ "https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers",
 "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf",
 "https://www.macnica.net/file/security_report_20160613.pdf",
- "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-",
+ "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
+ "https://blog.vincss.net/2022/05/re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html",
+ "https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf",
 "https://www.us-cert.gov/ncas/alerts/TA17-117A",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://twitter.com/stvemillertime/status/1261263000960450562",
 "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf",
+ "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
 "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html",
 "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
 "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf",
 "https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf",
+ "https://www.contextis.com/en/blog/dll-search-order-hijacking",
 "https://blog.xorhex.com/blog/mustangpandaplugx-2/",
 "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt",
 "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn",
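Review bot: The added plain-http reference `"http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html"` points at the same JPCERT article as the https context line `https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html` a few lines below it, so the new side lists one source twice and one of the copies over cleartext http. The same pattern recurs in the Pony hunk, where `gold-evergreen`, `gold-essex` and `gold-galleon` each appear under both `http://www.secureworks.com/` and `https://www.secureworks.com/`, and the TA505 history post appears as both `blog.intel471.com` and `intel471.com/blog`. If the refs are produced by a generator, normalising scheme and host before de-duplication (keeping the https variant) would remove these pairs in one place; otherwise drop the http copies by hand. The enclosing refs array starts before this hunk.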
@@ -27685,19 +32927,25 @@
 "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
 "https://twitter.com/xorhex/status/1399906601562165249?s=20",
 "https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/",
+ "https://www.contextis.com/en/blog/avivore",
 "https://www.secureworks.com/research/threat-profiles/bronze-woodland",
- "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
+ "https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html",
+ "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/",
+ "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/",
+ "https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/",
 "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/",
 "https://risky.biz/whatiswinnti/",
 "https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf",
 "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
- "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/",
- "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html"
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html",
+ "https://www.bleepingcomputer.com/news/security/new-mustang-panda-hacking-campaign-targets-diplomats-isps/"
 ],
 "synonyms": [
 "Destroy RAT",
 "Kaba",
 "Korplug",
+ "RedDelta",
 "Sogu",
 "TIGERPLUG"
 ],
@@ -27780,11 +33028,12 @@
 "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
 "http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant",
 "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
+ "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
 "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf",
 "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/",
- "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/",
 "https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/",
 "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html",
 "https://www.recordedfuture.com/china-linked-ta428-threat-group",
 "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology",
@@ -27803,14 +33052,16 @@
 "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/",
 "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf",
 "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
 "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
+ "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html",
 "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
 "https://www.secureworks.com/research/threat-profiles/bronze-union",
- "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
+ "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
 "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
 "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf",
 "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
 "http://blogs.360.cn/post/APT_C_01_en.html"
 ],
 "synonyms": [
@@ -27884,29 +33135,32 @@
 "value": "Polyglot"
 },
 {
- "description": "",
+ "description": "According to KnowBe4, Pony Stealer is a password stealer that can decrypt or unlock passwords for over 110 different applications including VPN, FTP, email, instant messaging, web browsers and much more. Pony Stealer is very dangerous and once it infects a PC it will turn the device into a botnet, allowing it to use the PCs it infects to infect other PCs.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony",
- "http://www.secureworks.com/research/threat-profiles/gold-evergreen",
- "http://www.secureworks.com/research/threat-profiles/gold-essex",
- "https://www.youtube.com/watch?v=y8Z9KnL8s8s",
- "https://www.youtube.com/watch?v=EyDiIAt__dI",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://www.uperesia.com/analysis-of-a-packed-pony-downloader",
- "https://www.secureworks.com/research/threat-profiles/gold-evergreen",
- "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf",
 "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry",
+ "https://www.secureworks.com/research/threat-profiles/gold-evergreen",
+ "https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-essex",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "http://www.secureworks.com/research/threat-profiles/gold-essex",
+ "https://www.knowbe4.com/pony-stealer",
+ "https://www.uperesia.com/analysis-of-a-packed-pony-downloader",
 "https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection",
 "https://www.secureworks.com/research/threat-profiles/gold-galleon",
- "http://www.secureworks.com/research/threat-profiles/gold-galleon",
- "https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-essex",
- "https://github.com/nyx0/Pony",
+ "http://www.secureworks.com/research/threat-profiles/gold-evergreen",
+ "https://www.youtube.com/watch?v=EyDiIAt__dI",
+ "https://www.youtube.com/watch?v=42yldTQ-fWA",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/"
+ "http://www.secureworks.com/research/threat-profiles/gold-galleon",
+ "https://www.youtube.com/watch?v=y8Z9KnL8s8s",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/",
+ "https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf",
+ "https://github.com/nyx0/Pony"
 ],
 "synonyms": [
 "Fareit",
@@ -27936,10 +33190,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.poorweb",
+ "https://blog.reversinglabs.com/blog/poorweb-exploiting-document-formats",
 "https://securelist.com/apt-trends-report-q2-2018/86487/",
- "https://fortiguard.com/resources/threat-brief/2019/05/10/fortiguard-threat-intelligence-brief-may-10-2019",
 "https://asec.ahnlab.com/ko/18796/",
- "https://blog.reversinglabs.com/blog/poorweb-exploiting-document-formats"
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
+ "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf",
+ "https://fortiguard.com/resources/threat-brief/2019/05/10/fortiguard-threat-intelligence-brief-may-10-2019"
 ],
 "synonyms": [],
 "type": []
@@ -28000,6 +33256,7 @@
 "https://redcanary.com/blog/getsystem-offsec/",
 "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
 "http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets",
+ "https://ti.dbappsecurity.com.cn/blog/articles/2021/09/06/operation-maskface/",
 "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html"
 ],
 "synonyms": [],
@@ -28049,7 +33306,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.povlsomware",
- "https://www.trendmicro.com/en_us/research/21/c/povlsomware-ransomware-features-cobalt-strike-compatibility.html"
+ "https://www.trendmicro.com/en_us/research/21/c/povlsomware-ransomware-features-cobalt-strike-compatibility.html",
+ "https://youtu.be/oYLs6wuoOfg"
 ],
 "synonyms": [],
 "type": []
@@ -28285,13 +33543,32 @@
 "uuid": "0714a7ad-45cb-44ec-92f9-2e839fd8a6b8",
 "value": "PrincessLocker"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader",
+ "https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service/",
+ "https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html",
+ "https://www.youtube.com/watch?v=Ldp7eESQotM",
+ "https://www.zscaler.com/blogs/security-research/peeking-privateloader",
+ "https://intel471.com/blog/privateloader-malware"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "dc62452c-a563-4a98-a4cd-174a7125e566",
+ "value": "PrivateLoader"
+ },
 {
 "description": "Malware that abuses the Common Log File System (CLFS) to store/hide a second stage payload via registry transaction files.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.privatelog",
+ "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html",
 "https://twitter.com/ESETresearch/status/1433819369784610828",
- "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html"
+ "https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive",
+ "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques"
 ],
 "synonyms": [],
 "type": []
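Review bot: The new PrivateLoader cluster ships with `"description": ""`, so a consumer rendering this galaxy gets a name and six links but no statement of what the family is, while the neighbouring PrivateLog entry shows the expected one-sentence form. The Prynt Stealer and PseudoManuscrypt clusters added in a later hunk have the same empty description. A single attributed sentence in the style already used elsewhere in this file (e.g. `"description": "According to <source>, PrivateLoader is a ..."`, with the source taken from one of the listed refs) would be enough; if descriptions are pulled from upstream, an empty string may be what upstream provides and the gap should be closed there.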
@@ -28312,18 +33589,37 @@
 "uuid": "d0c7815d-6039-436f-96ef-0767aabbdb36",
 "value": "Project Hook POS"
 },
+ {
+ "description": "According to Lior Rochberger, Cybereason, prometei is a modular and multi-stage cryptocurrency botnet. It was discovered in July 2020, Cybereason Nocturnus team found evidence that this Prometei has been evolved since 2016. There are Linux and Windows versions of this malware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prometei",
+ "https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities",
+ "https://twitter.com/honeymoon_ioc/status/1494016518694309896",
+ "https://twitter.com/honeymoon_ioc/status/1494311182550904840",
+ "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "eddb73d8-a33b-4cc6-b1d5-4697f2f4d0ee",
+ "value": "Prometei (Windows)"
+ },
 {
 "description": "Ransomware written in .NET, apparently derived from the codebase of win.hakbit (Thanos) ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.prometheus",
+ "https://www.sentinelone.com/labs/spook-ransomware-prometheus-derivative-names-those-that-pay-shames-those-that-dont/",
 "https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware",
+ "https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd",
 "https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea",
 "https://twitter.com/inversecos/status/1441252744258461699?s=20",
 "https://medium.com/s2wlab/prometheus-x-spook-prometheus-ransomware-rebranded-spook-ransomware-6f93bd8ab5dd",
- "https://therecord.media/decryptor-released-for-prometheus-ransomware-victims/",
+ "https://unit42.paloaltonetworks.com/prometheus-ransomware/",
 "https://id-ransomware.blogspot.com/2021/05/prometheus-ransomware.html",
- "https://unit42.paloaltonetworks.com/prometheus-ransomware/"
+ "https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/",
+ "https://therecord.media/decryptor-released-for-prometheus-ransomware-victims/"
 ],
 "synonyms": [],
 "type": []
@@ -28358,6 +33654,34 @@
 "uuid": "03f30d04-4568-4c4c-88d6-b62efc72f33a",
 "value": "ProtonBot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prynt_stealer",
+ "https://twitter.com/vxunderground/status/1519632014361640960",
+ "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "09a1c6e8-c99f-4648-8210-08c25183f537",
+ "value": "Prynt Stealer"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pseudo_manuscrypt",
+ "https://asec.ahnlab.com/en/31683/",
+ "https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "bae89d64-30ce-4bfd-937b-0ec4ac846f60",
+ "value": "PseudoManuscrypt"
+ },
 {
 "description": "According to Matthew Mesa, this is a modular bot. The name stems from the string PsiXMainModule in binaries until mid of September 2018.\r\n\r\nIn binaries, apart from BotModule and MainModule, references to the following Modules have be observed:\r\nBrowserModule\r\nBTCModule\r\nComplexModule\r\nKeyLoggerModule\r\nOutlookModule\r\nProcessModule\r\nRansomwareModule\r\nSkypeModule",
 "meta": {
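Review bot: The new Prometei description reads awkwardly: the family name is lower-cased once (`prometei`) and capitalised once, the second sentence is a comma splice, and `has been evolved since 2016` is ungrammatical. A tightened version keeping the same attribution and facts would be `"description": "According to Lior Rochberger (Cybereason), Prometei is a modular, multi-stage cryptocurrency botnet. It was discovered in July 2020, but the Cybereason Nocturnus team found evidence that it has been evolving since 2016. There are Linux and Windows versions of this malware."`. The cluster value is `Prometei (Windows)` while the description mentions a Linux version as well; if a separate Linux cluster exists, a cross-reference in the refs or synonyms would help readers find it.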
@@ -28411,17 +33735,27 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon",
+ "https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf",
+ "https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html",
+ "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/",
+ "https://www.bleepingcomputer.com/news/security/russian-gamaredon-hackers-use-8-new-malware-payloads-in-attacks/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
 "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
 "https://www.elastic.co/blog/playing-defense-against-gamaredon-group",
+ "https://www.threatstop.com/blog/gamaredon-group-understanding-the-russian-apt",
+ "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/",
+ "https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/",
 "https://blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/",
 "https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/",
 "https://blog.threatstop.com/russian-apt-gamaredon-group",
 "https://cert.gov.ua/news/42",
- "https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html",
- "https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/",
+ "https://blogs.cisco.com/security/network-footprints-of-gamaredon-group",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine",
 "https://cert.gov.ua/news/46"
 ],
- "synonyms": [],
+ "synonyms": [
+ "Pterodo"
+ ],
 "type": []
 },
 "uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf",
@@ -28466,12 +33800,15 @@
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/",
 "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+ "https://www.infinitumit.com.tr/apt-35/",
 "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "https://github.com/n1nj4sec/pupy",
 "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
 "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf"
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf",
+ "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/"
 ],
 "synonyms": [
 "Patpoopy"
@@ -28501,21 +33838,30 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox",
- "https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html",
+ "https://blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/",
+ "https://twitter.com/C0rk1_H/status/1412801973628272641?s=20",
+ "https://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/",
+ "https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html",
+ "https://www.trendmicro.com/en_us/research/21/l/a-look-into-purple-fox-server-infrastructure.html",
+ "https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html",
+ "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
+ "https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/Technical%20Brief%20-%20A%20Look%20Into%20Purple%20Fox%E2%80%99s%20New%20Arrival%20Vector.pdf",
+ "https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/",
+ "https://www.trendmicro.com/en_in/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html",
+ "https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware",
 "https://s.tencent.com/research/report/1322.html",
 "https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html",
- "https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/",
- "https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/",
- "https://twitter.com/C0rk1_H/status/1412801973628272641?s=20",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt",
 "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "31638e2b-1c6b-47b9-bbb9-7316f206b354",
- "value": "win.purplefox"
+ "value": "PurpleFox"
 },
 {
 "description": "",
@@ -28597,6 +33943,7 @@
 "https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/",
 "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf",
 "https://www.intrinsec.com/egregor-prolock/",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/",
 "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
 "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/",
 "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
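Review bot: Renaming the cluster from `"value": "win.purplefox"` to `"value": "PurpleFox"` keeps the `uuid` stable, but MISP galaxy tags are derived from the value string, so any event already tagged with the old name will stop resolving to this cluster after the update. Adding the old identifier to the otherwise empty list, `"synonyms": [ "win.purplefox" ]`, keeps the previous name searchable and gives consumers a mapping without reverting the rename. The same consideration applies to any other value rename elsewhere in the file that is not visible here.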
@@ -28606,6 +33953,7 @@
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
 "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
 "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
 "https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html",
 "https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/",
@@ -28690,7 +34038,10 @@
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
 "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.ic3.gov/Media/News/2021/211101.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
 "https://threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html",
+ "https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/",
 "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/",
 "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
 "https://www.secureworks.com/research/threat-profiles/gold-dupont",
@@ -28725,6 +34076,7 @@
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/",
 "https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://www.johannesbader.ch/2016/04/the-dga-of-qadars/",
 "https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/"
 ],
@@ -28739,19 +34091,36 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot",
+ "https://www.malwarology.com/posts/2-qakbot-conf-extraction/",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/",
 "https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/",
+ "https://twitter.com/kienbigmummy/status/1460537501676802051",
+ "https://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
 "https://quosecgmbh.github.io/blog/grap_qakbot_strings.html",
+ "https://www.group-ib.com/blog/egregor",
 "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
+ "https://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/",
 "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
 "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/",
+ "https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html",
 "https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html",
+ "https://twitter.com/Unit42_Intel/status/1461004489234829320",
+ "https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/",
+ "https://twitter.com/tylabs/status/1462195377277476871",
+ "https://www.circl.lu/pub/tr-64/",
+ "https://documents.trendmicro.com/assets/pdf/Technical-Brief---The-Prelude-to-Ransomware-A-Look-into-Current-QAKBOT-Capabilities-and-Activity.pdf",
 "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf",
 "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/",
+ "https://www.atomicmatryoshka.com/post/malware-headliners-qakbot",
 "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot",
+ "https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/",
+ "https://www.techtimes.com/articles/274190/20220412/qbot-botnet-deploys-malware-payloads-through-malicious-windows-installers.htm",
 "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf",
 "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/",
 "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7",
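Review bot: The reference `"https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf"` is removed from the Qakbot refs in this hunk and nothing visible re-adds it; the rest of the same refs array is in the following hunk, which is cut off here, so the drop may be a reorder, but if it is not, removing a primary-source report should be a deliberate choice rather than a side effect of regeneration. Separately, the two additions `https://www.malwarology.com/posts/2-qakbot-conf-extraction/` and `https://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/` appear to be the same article under two URL schemes, so one of them is likely redundant. The enclosing refs array continues past the end of this hunk.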
@@ -28760,78 +34129,124 @@
 "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
 "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf",
 "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/",
+ "https://www.silentpush.com/blog/malicious-infrastructure-as-a-service",
+ "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks",
 "https://twitter.com/ChouchWard/status/1405168040254316547",
 "https://securelist.com/qakbot-technical-analysis/103931/",
+ "https://www.malwarology.com/2022/04/qakbot-series-string-obfuscation/",
+ "https://socprime.com/blog/qbot-malware-detection-old-dog-new-tricks/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/",
+ "https://www.malwarology.com/posts/1-qakbot-strings-obfuscation/",
+ "https://www.malwarology.com/2022/04/qakbot-series-api-hashing/",
+ "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html",
 "https://twitter.com/_alex_il_/status/1384094623270727685",
 "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
+ "https://raw.githubusercontent.com/NtQuerySystemInformation/Malware-RE-papers/main/Qakbot%20report.pdf",
 "https://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html",
+ "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/",
+ "https://isc.sans.edu/diary/rss/28448",
 "https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view",
+ "https://experience.mandiant.com/trending-evil/p/1",
 "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://www.youtube.com/watch?v=4I0LF8Vm7SI",
 "https://isc.sans.edu/diary/rss/26862",
- "https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html",
 "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "http://www.secureworks.com/research/threat-profiles/gold-lagoon",
- "https://blog.quosec.net/posts/grap_qakbot_strings/",
+ "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
+ "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf",
 "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://news.sophos.com/en-us/2022/03/10/qakbot-injects-itself-into-the-middle-of-your-conversations/",
 "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot",
 "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/",
+ "https://isc.sans.edu/diary/rss/28568",
+ "https://www.malwarology.com/posts/3-qakbot-process-injection/",
+ "https://redcanary.com/blog/intelligence-insights-december-2021",
 "https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot",
 "https://www.intrinsec.com/egregor-prolock/",
+ "https://isc.sans.edu/forums/diary/XLSB+Files+Because+Binary+is+Stealthier+Than+XML/28476/",
 "https://hatching.io/blog/reversing-qakbot",
 "https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques",
+ "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html",
 "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/",
- "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html",
+ "https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917",
+ "https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html",
 "https://threatresearch.ext.hp.com/detecting-ta551-domains/",
+ "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
 "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
 "https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs",
 "https://malwareandstuff.com/upnp-messing-up-security-since-years/",
 "https://quosecgmbh.github.io/blog/grap_qakbot_navigation.html",
+ "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html",
 "https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7",
 "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/",
 "https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/",
 "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
- "https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/",
+ "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike",
+ "https://www.malwarology.com/posts/4-qakbot-api-hashing/",
+ "https://blog.quosec.net/posts/grap_qakbot_strings/",
 "https://blog.reversinglabs.com/blog/spotting-malicious-excel4-macros",
 "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan",
+ "https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf",
 "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/",
+ "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
 "http://contagiodump.blogspot.com/2010/11/template.html",
 "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
 "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html",
 "https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks",
 "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/",
- "https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917",
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
+ "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/",
 "https://blog.quosec.net/posts/grap_qakbot_navigation/",
+ "https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html",
 "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
+ "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html",
+ "https://redcanary.com/blog/intelligence-insights-november-2021/",
 "https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/",
 "https://twitter.com/redcanary/status/1334224861628039169",
"https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf", + "https://www.youtube.com/watch?v=M22c1JgpG-U", + "https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/", "https://perception-point.io/insights-into-an-excel-4-0-macro-attack-using-qakbot-malware", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", - "https://www.secureworks.com/research/threat-profiles/gold-lagoon", + "https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/", + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://twitter.com/elisalem9/status/1381859965875462144", - "https://www.group-ib.com/blog/egregor", + "https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html", + "https://twitter.com/Corvid_Cyber/status/1455844008081641472", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", - "https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", + "https://www.bitsight.com/blog/emotet-botnet-rises-again", + "https://www.linkedin.com/posts/zayedaljaberi_hunting-recent-qakbot-malware-activity-6903498764984606720-2Gl4", + "https://www.secureworks.com/research/threat-profiles/gold-lagoon", + "https://isc.sans.edu/diary/rss/28728", + "https://experience.mandiant.com/trending-evil-2/p/1", + "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/", 
"https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/", "https://www.youtube.com/watch?v=iB1psRMtlqg", "https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/", + "https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html", + "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf", "https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/", "https://twitter.com/TheDFIRReport/status/1361331598344478727", "https://www.um.edu.mt/library/oar/handle/123456789/76802", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", + "https://www.malwarology.com/2022/04/qakbot-series-process-injection/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/", "https://blog.group-ib.com/prometheus-tds", "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/", - "https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/", - "https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html", + "https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html", + "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot", "https://www.group-ib.com/blog/prolock_evolution" ], "synonyms": [ 
@@ -28879,11 +34294,13 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.quantloader",
 "https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
 "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://twitter.com/Arkbird_SOLG/status/1458973883068043264",
 "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat"
 ],
 "synonyms": [],
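Review bot: `https://intel471.com/blog/a-brief-history-of-ta505` is added while the context line `https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/` stays, so the QuantLoader entry now lists the same article under its old and new hostname. Keeping one of the two (the current host, if it is known to resolve) avoids a duplicate that URL-exact matching cannot collapse. The `CERTFR-2020-CTI-006.pdf` line is removed and re-added three lines higher in the same hunk, which is a pure position change and suggests refs are not emitted in a deterministic order.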
@@ -28897,48 +34314,65 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://blog.morphisec.com/syk-crypter-discord",
 "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
 "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign",
 "https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques",
+ "https://medium.com/cycraft/china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525",
 "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "https://securelist.com/apt-trends-report-q1-2021/101967/",
- "https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign",
+ "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
 "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
 "https://twitter.com/malwrhunterteam/status/789153556255342596",
 "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
+ "https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/",
 "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/",
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "https://twitter.com/struppigel/status/1130455143504318466",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf",
+ "https://therecord.media/chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", + "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html", "https://blog.minerva-labs.com/trapping-quasar-rat", "https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://blog.malwarelab.pl/posts/venom/", + "https://asec.ahnlab.com/en/31089/", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf", "https://blog.ensilo.com/uncovering-new-activity-by-apt10", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", "https://blog.reversinglabs.com/blog/rats-in-the-library", "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html", - "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", + "https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934", + "https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers", + "https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", - "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", + "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/", + "https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass", - 
"https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", + "https://blog.rootshell.be/2022/02/11/sans-isc-cinarat-delivered-through-html-id-attributes/", + "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", + "https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html", "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html", "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html", + "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html", "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", + "https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/", + "https://intel471.com/blog/privateloader-malware", "https://www.secureworks.com/research/threat-profiles/bronze-riverside", - "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/", + "https://securityintelligence.com/posts/roboski-global-recovery-automation/", + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite", - "https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/", + "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?", + "https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/", 
"https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", "https://www.antiy.cn/research/notice&report/research_report/20201228.html", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments", @@ -28954,6 +34388,19 @@ "uuid": "05252643-093b-4070-b62f-d5836683a9fa", "value": "Quasar RAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.quickheal", + "https://medium.com/insomniacs/quarians-turians-and-quickheal-670b24523b42" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8a4747a4-8165-40eb-abfe-fd674558ecb4", + "value": "QuickHeal" + }, { "description": "Qulab is an AutoIT Malware focusing on stealing & clipping content from victim's machines.\r\n", "meta": { 
@@ -28988,25 +34435,38 @@
 "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d",
 "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
 "https://www.youtube.com/watch?v=5KHZSmBeMps",
- "https://www.riskiq.com/blog/labs/magecart-medialand/",
+ "https://team-cymru.com/blog/2022/03/23/raccoon-stealer-an-insight-into-victim-gates/",
 "https://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
 "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html",
+ "https://blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/",
+ "https://asec.ahnlab.com/en/35981/",
 "https://www.group-ib.com/blog/fakesecurity_raccoon",
 "https://news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/",
 "https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/",
+ "https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/",
 "https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf",
 "https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d",
 "https://medium.com/s2wlab/deep-analysis-of-raccoon-stealer-5da8cbbc4949",
 "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf",
 "https://www.youtube.com/watch?v=1dbepxN2YD8",
 "https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html",
+ "https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram",
 "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.riskiq.com/blog/labs/magecart-medialand/",
 "https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf",
 "https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block",
+ "https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/",
+ "https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d",
+ "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/",
 "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/",
 "https://news.sophos.com/en-us/2021/08/03/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more/",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-raccoon-infostealer"
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-raccoon-infostealer",
+ "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/",
+ "https://asec.ahnlab.com/ko/25837/",
+ "https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/"
 ],
 "synonyms": [
 "Mohazo",
@@ -29019,6 +34479,19 @@
 "uuid": "027fb7d0-3e9b-4433-aee1-c266e165a5cc",
 "value": "Raccoon"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rad",
+ "https://www.sentinelone.com/wp-content/uploads/2021/09/SentinelOne_-SentinelLabs_EGoManiac_WP_V4.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f99e0c8b-a479-4902-9c7e-e16724323ef6",
+ "value": "Rad"
+ },
 {
 "description": "",
 "meta": {
@@ -29050,53 +34523,69 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker",
 "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
+ "https://www.acronis.com/en-sg/articles/ragnar-locker/",
+ "https://www.ic3.gov/Media/News/2022/220307.pdf",
 "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom",
 "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
- "https://seguranca-informatica.pt/ragnar-locker-malware-analysis/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
 "http://reversing.fun/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information",
 "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
 "https://blog.reversing.xyz/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html",
 "https://twitter.com/AltShiftPrtScn/status/1403707430765273095",
 "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/",
+ "https://seguranca-informatica.pt/ragnar-locker-malware-analysis/",
 "https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/",
 "https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/",
 "https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf",
 "https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/",
 "https://blog.reversing.xyz/docs/posts/unpacking_ragnarlocker_via_emulation/",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://www.theregister.com/2022/03/09/fbi_says_ragnar_locker_ransomware/",
 "https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html",
 "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
 "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
- "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
+ "https://cyware.com/news/ragnar-locker-breached-52-organizations-and-counting-fbi-warns-0588d220/",
 "https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html",
 "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/",
+ "http://reversing.fun/posts/2021/04/15/unpacking_ragnarlocker_via_emulation.html",
 "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
 "https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/",
"https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://securelist.com/targeted-ransomware-encrypting-data/99255/", "https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/", + "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker", "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", - "https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf" + "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", + "https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf", + "https://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/" ], "synonyms": [], "type": [] }, "uuid": "33f55172-873b-409e-a09b-97ac1301b036", - "value": "RagnarLocker" + "value": "RagnarLocker (Windows)" }, { "description": "According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets using the system's Language ID for filtering. It also tries to disable Windows Defender and has a number of UNIX filepath references in its strings. 
Encryption method is AES using a dynamically generated key, then bundling this key up via RSA.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok", - "https://news.sophos.com/en-us/2020/05/21/asnarok2/", "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/", + "https://news.sophos.com/en-us/2020/05/21/asnarok2/", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/" ], "synonyms": [], @@ -29113,7 +34602,10 @@ "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf", "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515", "https://www.youtube.com/watch?v=GfbxHy6xnbA", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", + "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", + "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf", + "https://www.mandiant.com/resources/unc2452-merged-into-apt29" ], "synonyms": [], "type": [] 
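Review bot: The cluster's `"value"` changes from `"RagnarLocker"` to `"RagnarLocker (Windows)"` while `"synonyms": []` is left empty, so anything that resolves this cluster by name rather than by `"uuid"` — in MISP the galaxy tag string is built from the value, so existing events carrying the old tag are the obvious case — will no longer match after this regeneration. Adding the previous name to the synonyms list, `"synonyms": [ "RagnarLocker" ]`, keeps name-based lookup and search working across the rename at no cost. Separately, the new `http://reversing.fun/posts/2021/04/15/unpacking_ragnarlocker_via_emulation.html` appears to be a fourth URL for the same write-up (the `reversing.fun/reversing/…` and two `blog.reversing.xyz/…` variants share its slug and date), and it is served over plain `http://`; prefer the single canonical HTTPS location when de-duplicating. The refs array of the RagnarLocker entry opens before this hunk.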
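Review bot: `https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F…/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf`, added to the Raindrop refs, is a marketing-platform upload endpoint rather than a publisher page, so the URL carries no attribution, the path is an opaque upload hash, and such links tend to stop resolving once the hosting account rotates its assets. If the report has a landing page on the vendor's own site, that is the reference worth keeping here, with the direct-download link at most as a secondary entry. The refs array of this entry opens before the hunk.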
@@ -29168,25 +34660,28 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit",
+ "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/",
+ "https://research.checkpoint.com/ramnits-network-proxy-servers/",
+ "http://www.secureworks.com/research/threat-profiles/gold-fairfax",
 "https://securelist.com/financial-cyberthreats-in-2020/101638/",
 "http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html",
 "https://blogs.akamai.com/2019/02/ramnit-in-the-uk.html",
 "http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
- "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/",
+ "https://www.youtube.com/watch?v=l6ZunH6YG0A",
+ "https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
+ "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf",
+ "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
+ "https://securityintelligence.com/posts/ramnit-banking-trojan-stealing-card-data/",
 "https://www.youtube.com/watch?v=N4f2e8Mygag",
- "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/",
+ "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html",
+ "https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail",
 "https://redcanary.com/resources/webinars/deep-dive-process-injection/",
 "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
- "https://research.checkpoint.com/ramnits-network-proxy-servers/",
- "http://www.secureworks.com/research/threat-profiles/gold-fairfax",
- "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html",
- "https://www.youtube.com/watch?v=l6ZunH6YG0A",
- "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
- "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail"
+ "https://muha2xmad.github.io/unpacking/ramnit/"
 ],
 "synonyms": [
 "Nimnul"
@@ -29201,11 +34696,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ramsay",
+ "https://www.youtube.com/watch?v=SKIu4LqMrns",
+ "https://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/",
"https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
"https://www.antiy.cn/research/notice&report/research_report/20200522.html",
- "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html",
- "https://www.youtube.com/watch?v=SKIu4LqMrns",
- "https://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/"
+ "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
+ "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html"
],
"synonyms": [],
"type": []
@@ -29218,11 +34714,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus",
- "https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf",
"https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/",
- "https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/",
"http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html",
- "https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/"
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/",
+ "https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/",
+ "https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf"
],
"synonyms": [],
"type": []
@@ -29230,6 +34727,19 @@
"uuid": "5d9a27e7-3110-470a-ac0d-2bf00cac7846",
"value": "Ranbyus"
},
+ {
+ "description": "Ransomware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranion",
+ "https://www.fortinet.com/blog/threat-research/ranion-ransomware-quiet-and-persistent-raas"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2ae8b99c-cebe-4758-8ae9-8f336a7bef0d",
+ "value": "Ranion"
+ },
{
"description": "",
"meta": {
@@ -29273,14 +34783,17 @@
"https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
"https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://medium.com/proferosec-osm/ransomexx-fixing-corrupted-ransom-8e379bcaf701",
"https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/",
"https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
"https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/",
"https://github.com/Bleeping/Ransom.exx",
"https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/",
"https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html",
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://www.ic3.gov/Media/News/2021/211101.pdf",
"https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/",
"https://www.youtube.com/watch?v=qxPXxWMI2i4",
"https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/",
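Review bot: The new Ranion entry's `"description": "Ransomware."` tells a consumer nothing the `value` and the Malpedia `win.` prefix do not already say, and it is the only free-text field an analyst sees when the cluster is attached to an event. The single non-Malpedia reference in the entry is a Fortinet post whose slug reads "ranion-ransomware-quiet-and-persistent-raas", which suggests the family is sold as a service; if that is what the source says, a description such as `"description": "Ransomware offered as a service (RaaS); see the Fortinet analysis for operator and payload details."` would be more useful than the one-word placeholder. Keep the statement limited to what the cited post supports rather than adding operational claims.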
@@ -29382,6 +34895,23 @@
"uuid": "e0a1407f-2595-4bd2-ba16-2c6d9be4e066",
"value": "rarstar"
},
+ {
+ "description": "Worm spread by external drives that leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.raspberry_robin",
+ "https://redcanary.com/blog/raspberry-robin/"
+ ],
+ "synonyms": [
+ "LINK_MSIEXEC",
+ "QNAP-Worm",
+ "RaspberryRobin"
+ ],
+ "type": []
+ },
+ "uuid": "34b3a45b-e522-4342-91c8-b6aad9817f99",
+ "value": "Raspberry Robin"
+ },
{
"description": "This is a backdoor that establishes persistence using the Startup folder. \r\nIt communicates to its C&C server using HTTPS and a static HTTP User-Agent \r\nstring. QUICKRIDE is capable of gathering information about the system, \r\ndownloading and loading executables, and uninstalling itself. It was leveraged \r\nagainst banks in Poland.",
"meta": {
@@ -29488,6 +35018,7 @@
"http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html",
"https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/",
"https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?",
+ "https://www.f-secure.com/content/dam/f-secure/en/labs/whitepapers/Callisto_Group.pdf",
"https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/",
"http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html",
"https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/"
@@ -29586,19 +35117,6 @@
"uuid": "6be9eee4-ee99-4ad6-bee3-2365d7b37a88",
"value": "RedAlpha"
},
- {
- "description": "RedDelta variant of PlugX as used by Mustang Panda.",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.reddelta",
- "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "a28c43e7-f303-4adb-b5f7-c3c7f9821bcd",
- "value": "RedDelta"
- },
{
"description": "",
"meta": {
@@ -29630,26 +35148,63 @@
"value": "RedLeaves"
},
{
- "description": "RedLine Stealer is a malware available on underground forums for sale apparently as standalone versions or also on a subscription basis. This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.",
+ "description": "RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer",
+ "https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/",
+ "https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns",
"https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign",
- "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://cyber-anubis.github.io/malware%20analysis/redline/",
- "https://blogs.blackberry.com/en/2021/07/threat-thursday-redline-infostealer",
- "https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
+ "https://blog.morphisec.com/syk-crypter-discord",
+ "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
+ "https://www.esentire.com/blog/redline-stealer-masquerades-as-photo-editing-software",
+ "https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/",
"https://blog.minerva-labs.com/redline-stealer-masquerades-as-telegram-installer",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers",
- "https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html",
+ "https://unit42.paloaltonetworks.com/lapsus-group/",
"https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack",
+ "https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf",
+ "https://cyber-anubis.github.io/malware%20analysis/redline/",
+ "https://asec.ahnlab.com/en/35981/",
+ "https://www.atomicmatryoshka.com/post/cracking-open-the-malware-pi%C3%B1ata-series-intro-to-dynamic-analysis-with-redlinestealer",
+ "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become",
+ "https://blog.rootshell.be/2022/01/20/sans-isc-redline-stealer-delivered-through-ftp/",
+ "https://muha2xmad.github.io/malware-analysis/fullredline/",
+ "https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware",
+ "https://www.bleepingcomputer.com/news/security/fake-valorant-cheats-on-youtube-infect-you-with-redline-stealer/",
+ "https://www.qualys.com/docs/whitepapers/qualys-wp-fake-cracked-software-caught-peddling-redline-stealers-v220606.pdf",
+ "https://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload",
+ "https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/",
+ "https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
+ "https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/",
"https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md",
+ "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
"https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/",
- "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html"
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://asec.ahnlab.com/en/30445/",
+ "https://securityaffairs.co/wordpress/129391/hacking/lapsus-gang-compromised-microsoft-employees-account.html",
+ "https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-invaders-of-the-information-snatchers.html",
+ "https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904",
+ "https://isc.sans.edu/forums/diary/RedLine+Stealer+Delivered+Through+FTP/28258/",
+ "https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/",
+ "https://www.bitdefender.com/blog/labs/redline-stealer-resurfaces-in-fresh-rig-exploit-kit-campaign/",
+ "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/",
+ "https://blogs.blackberry.com/en/2021/07/threat-thursday-redline-infostealer",
+ "https://go.recordedfuture.com/hubfs/reports/mtp-2021-1014.pdf",
+ "https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers",
+ "https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html",
+ "https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html",
+ "https://asec.ahnlab.com/ko/25837/",
+ "https://thehackernews.com/2022/03/microsoft-and-okta-confirm-breach-by.html"
],
"synonyms": [],
"type": []
@@ -29799,7 +35354,9 @@
"https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/",
"https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
- "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/regin-top-tier-espionage-tool-15-en.pdf"
+ "https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/",
+ "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/regin-top-tier-espionage-tool-15-en.pdf",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
],
"synonyms": [],
"type": []
@@ -29842,7 +35399,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rekoobew",
- "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/"
+ "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
+ "https://www.mandiant.com/resources/fin13-cybercriminal-mexico"
],
"synonyms": [
"tinyshell.win",
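Review bot: The rewritten RedLine description now states concrete prices (`$100/$150 depending on the version`, `$100/month`) with no date and no pointer to which of the ~50 references they come from, so the figures will silently go stale in a field analysts read as current. Either drop the numbers or qualify them, e.g. `... as standalone or on a subscription basis (prices of roughly $100-$150 one-off and $100/month have been reported; see refs)`. Separately, the new `blog.rootshell.be/2022/01/20/sans-isc-redline-stealer-delivered-through-ftp/` entry appears to be a mirror of the SANS ISC diary that is also added as `isc.sans.edu/forums/diary/RedLine+Stealer+Delivered+Through+FTP/28258/`; keeping only the primary source avoids duplicate citations. The hunk also removes and re-adds the Trend Micro "fake-installers" URL and several others unchanged, which is pure reordering noise.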
@@ -29902,21 +35460,28 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos",
+ "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
"https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service",
+ "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
"https://dissectingmalwa.re/malicious-ratatouille.html",
"https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
"https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
"https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD",
+ "https://asec.ahnlab.com/ko/32101/",
"https://www.telsy.com/download/4832/",
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
"https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html",
"https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html",
- "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html",
+ "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
+ "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread",
"https://secrary.com/ReversingMalware/RemcosRAT/",
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
- "https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/",
- "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
- "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html",
+ "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
+ "https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain",
+ "https://www.splunk.com/en_us/blog/security/detecting-malware-script-loaders-using-remcos-threat-research-release-december-2021.html",
+ "https://www.esentire.com/blog/remcos-rat",
+ "https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/",
"https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
"https://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html",
"https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2",
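Review bot: This hunk re-adds `https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage` as a new `+` line while the same article remains in the list as `https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage`, so the entry now cites one post under two hostnames. The symantec.com path looks like the pre-migration host and is likely just a redirect; keeping only the broadcom.com URL (or whichever one the maintainers consider canonical) would avoid the duplicate. The same pair already exists in the FastCash entry, so a one-off normalisation pass over `refs` would be worthwhile.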
@@ -29924,25 +35489,41 @@
"https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
"https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/",
"https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
+ "https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine",
"https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers",
+ "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities",
"https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
"http://malware-traffic-analysis.net/2017/12/22/index.html",
+ "https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/",
+ "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf",
"https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/",
"https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
"https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/",
"https://news.sophos.com/en-us/2020/05/14/raticate/",
"https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly",
+ "https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/",
"https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/",
"https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
+ "https://www.youtube.com/watch?v=DIH4SvKuktM",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
+ "https://medium.com/@amgedwageh/analysis-of-an-autoit-script-that-wraps-a-remcos-rat-6b5b66075b87",
+ "https://asec.ahnlab.com/en/32376/",
+ "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md",
"https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
"https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf",
"https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
"https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/",
"https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
+ "https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html",
+ "https://muha2xmad.github.io/mal-document/remcosdoc/",
"https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/",
+ "https://muha2xmad.github.io/unpacking/remcos/",
"https://www.vmray.com/cyber-security-blog/smart-memory-dumping/",
- "https://www.youtube.com/watch?v=DIH4SvKuktM",
+ "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing",
+ "https://asec.ahnlab.com/ko/25837/",
"https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols"
],
"synonyms": [
@@ -30095,7 +35676,8 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.retro",
"https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/",
"https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
- "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html"
+ "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf"
],
"synonyms": [],
"type": []
@@ -30104,7 +35686,7 @@
"value": "Retro"
},
{
- "description": "",
+ "description": "According to Cofense, Revenge RAT is a simple and freely available Remote Access Trojan that automatically gathers system information before allowing threat actors to remotely access system components such as webcams, microphones, and various other utilities.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat",
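Review bot: The new Revenge RAT description opens with "According to Cofense", but no Cofense URL is visible in the `refs` shown for this entry (the list continues in the next hunk and a few lines between the two hunks are not in view, so it may exist there). If it does not, the attribution is unverifiable from the cluster itself; add the Cofense post the wording was taken from to `refs`, or reword the description to describe the capability without naming a source that is not cited. A description that quotes a vendor should always be backed by that vendor's link in the same entry so consumers can check the claim.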
@@ -30115,9 +35697,11 @@
"https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
"https://securelist.com/revengehotels/95229/",
"https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
+ "https://perception-point.io/revenge-rat-back-from-microsoft-excel-macros/",
"https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
- "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated",
+ "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md",
"https://yoroi.company/research/the-evolution-of-aggah-from-roma225-to-the-rg-campaign/",
+ "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated",
"https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
"https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
"https://blogs.360.cn/post/APT-C-44.html",
@@ -30140,7 +35724,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.reverse_rat",
- "https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf"
+ "https://blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/",
+ "https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388",
+ "https://blog.lumen.com/reverserat-reemerges-with-a-nightfury-new-campaign-and-new-developments-same-familiar-side-actor/",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf"
],
"synonyms": [],
"type": []
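Review bot: The new ReverseRAT reference `https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388` points straight at a vendor's S3 bucket with a `(1)` duplicate-download suffix in the filename and a bare epoch-looking query string that is most likely a cache-buster; such links tend to rot when the upload is re-published. The Talos blog post that embeds this PDF would be the durable citation, and at minimum the `?1625657388` query component can be dropped since it carries no meaning for the reader. Other entries in this file cite blog posts rather than raw CDN objects, so this is also a consistency point.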
@@ -30169,23 +35757,31 @@
"https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/",
"https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
"https://twitter.com/VK_Intel/status/1374571480370061312?s=20",
+ "https://www.ironnet.com/blog/ransomware-graphic-blog",
+ "https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf",
+ "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa",
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
"https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
"https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
"https://blog.group-ib.com/REvil_RaaS",
"https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/",
"https://www.pandasecurity.com/emailhtml/2007-CAM-RANSOMWARE-AD360-WG/2006-Report-Sodinokibi-EN.pdf",
"https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html",
"https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/",
"https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/",
"https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/",
+ "https://www.documentcloud.org/documents/21505031-hgsac-staff-report-americas-data-held-hostage-032422",
+ "https://www.secureworks.com/blog/revil-the-gandcrab-connection",
"https://twitter.com/fwosar/status/1411281334870368260",
"https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/",
"https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/",
"https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/",
"https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
"https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/",
- "https://www.netskope.com/blog/netskope-threat-coverage-revil",
+ "https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/",
"https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/",
"https://twitter.com/VK_Intel/status/1411066870350942213",
"https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/",
@@ -30202,10 +35798,13 @@
"https://twitter.com/svch0st/status/1411537562380816384",
"https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
"https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/",
- "https://www.youtube.com/watch?v=P8o6GItci5w",
+ "https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/",
+ "https://www.acronis.com/en-sg/articles/sodinokibi-ransomware/",
+ "https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html",
"https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
"https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/",
- "https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/",
+ "https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
"https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit",
"https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/",
"https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
@@ -30218,58 +35817,75 @@ "https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://twitter.com/fwosar/status/1420119812815138824", + "https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/", "https://hatching.io/blog/ransomware-part2", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/", - "https://www.secureworks.com/research/lv-ransomware", + "https://www.justice.gov/opa/pr/sodinokibirevil-ransomware-defendant-extradited-united-states-and-arraigned-texas", + "https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", - "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", + "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/", "https://sites.temple.edu/care/ci-rw-attacks/", "https://www.huntress.com/blog/security-researchers-hunt-to-discover-origins-of-the-kaseya-vsa-mass-ransomware-incident", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/undressing-the-revil/", + "https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ", "https://community.riskiq.com/article/3315064b", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", + "https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/", "https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/", 
"https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", - "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", - "https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released", + "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2022-05-01-revil-reborn-ransom.vk.cfg.txt", + "https://thehackernews.com/2022/03/ukrainian-hacker-linked-to-revil.html", "https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/", "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", + "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel", "https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment", + "https://www.flashpoint-intel.com/blog/revil-disappears-again/", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/", - "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/", + "https://blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack", "https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/", "https://twitter.com/_alex_il_/status/1412403420217159694", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", 
"https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", + "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/", + "https://www.secureworks.com/research/lv-ransomware", + "https://www.cyjax.com/2021/07/09/revilevolution/", + "https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope", "https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf", - "https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/", "https://twitter.com/Jacob_Pimental/status/1391055792774729728", "https://twitter.com/SophosLabs/status/1412056467201462276", "https://threatpost.com/ransomware-revil-sites-disappears/167745/", "https://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", - "https://blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack", + "http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html", "https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/", "https://www.certego.net/en/news/malware-tales-sodinokibi/", - "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "https://www.grahamcluley.com/travelex-paid-ransom/", + "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", + "https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged", + 
"https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya", "https://f.hubspotusercontent10.net/hubfs/7095517/FLINT-Kaseya-Another%20Massive%20Heist%20by%20REvil.pdf", "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", + "https://www.bankinfosecurity.com/interviews/ransomware-files-episode-6-kaseya-revil-i-5045", "https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom", "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/", "https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti", "https://www.kaseya.com/potential-attack-on-kaseya-vsa/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain", + "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf", "https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/", + "https://www.connectwise.com/resources/revil-profile", "https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/", "https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions", "https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/", + "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html", "https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/", 
"https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", @@ -30280,7 +35896,9 @@ "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/", "https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/", "https://twitter.com/R3MRUM/status/1412064882623713283", + "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", "https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics", + "https://www.hsgac.senate.gov/media/minority-media/new-portman-report-demonstrates-threat-ransomware-presents-to-the-united-states", "https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego", "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", "https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/", 
@@ -30294,20 +35912,23 @@ "https://twitter.com/SophosLabs/status/1413616952313004040?s=20", "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/", "https://blog.amossys.fr/sodinokibi-malware-analysis.html", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/", + "https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/", + "https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf", "https://twitter.com/LloydLabs/status/1411098844209819648", "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", "https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=&utm_medium=social&utm_source=twitter", - "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa", + "https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence?linkId=164334801", + "https://analyst1.com/file-assets/History-of-REvil.pdf", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html", + "https://home.treasury.gov/news/press-releases/jy0471", "https://securelist.com/ransomware-world-in-2021/102169/", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.youtube.com/watch?v=tZVFMVm5GAk", "https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs", "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/", 
"https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/", - "https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain", "https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/", "https://unit42.paloaltonetworks.com/prometheus-ransomware/", "https://threatintel.blog/OPBlueRaven-Part1/", @@ -30316,7 +35937,10 @@ "https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", + "https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo", "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin", + "https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/", "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/", "https://securelist.com/sodin-ransomware/91473/", "https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/", 
@@ -30325,10 +35949,11 @@ "https://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html", "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/", "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide", - "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + "https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend", "https://medium.com/s2wlab/deep-analysis-of-revil-ransomware-written-in-korean-d1899c0e9317", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", - "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", + "https://redcanary.com/blog/uncompromised-kaseya/", + "https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/", "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling", 
@@ -30339,53 +35964,71 @@ "https://www.youtube.com/watch?v=QYQQUUpU04s", "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/", "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/", - "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", + "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", "https://www.kpn.com/security-blogs/Tracking-REvil.htm", "https://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://ke-la.com/will-the-revils-story-finally-be-over/", + "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", + "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil", + "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", "https://twitter.com/SyscallE/status/1411074271875670022", - "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel", + "https://securityscorecard.com/research/a-detailed-analysis-of-the-last-version-of-revil-ransomware", + "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html", "https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/", "https://twitter.com/resecurity_com/status/1412662343796813827", 
"https://twitter.com/Jacob_Pimental/status/1398356030489251842?s=20", "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/", "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", - "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html", + "https://www.netskope.com/blog/netskope-threat-coverage-revil", "https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/", - "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://news.sophos.com/en-us/2021/06/30/mtr-in-real-time-hand-to-hand-combat-with-revil-ransomware-chasing-a-2-5-million-pay-day/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/", + "https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html", "https://www.youtube.com/watch?v=l2P5CMH9TE0", "https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f", "https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/", + "https://www.bbc.com/news/technology-59297187", "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/", 
"https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20", - "https://www.grahamcluley.com/travelex-paid-ransom/", + "https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021", "https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain", "https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/", "https://www.secureworks.com/research/revil-sodinokibi-ransomware", "https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/", "https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/", + "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights", "https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/", + "https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/", "https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles", "https://www.secureworks.com/research/threat-profiles/gold-southfield", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", + "https://www.youtube.com/watch?v=P8o6GItci5w", "https://asec.ahnlab.com/ko/19640/", "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/", + "https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil", + 
"https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html", "https://teamt5.org/tw/posts/revil-dll-sideloading-technique-used-by-other-hackers/", + "https://news.sophos.com/en-us/2021/06/30/what-to-expect-when-youve-been-hit-with-revil-ransomware/", "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", "https://intel471.com/blog/changes-in-revil-ransomware-version-2-2", "https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html", "https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos" + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", + "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/" ], "synonyms": [ "Sodin", @@ -30521,7 +36164,8 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/" ], "synonyms": [], "type": [] 
@@ -30534,6 +36178,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rms", + "https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf", "https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf", "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf", "https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/", 
@@ -30557,20 +36202,23 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.robinhood", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/", + "https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/", + "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/", - "https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/", "https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/", "https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf", "https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/", "https://goggleheadedhacker.com/blog/post/12", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://twitter.com/VK_Intel/status/1121440931759128576", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/", - 
"https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" + "https://blogs.quickheal.com/a-new-ransomware-goodwill-hacks-the-victims-for-charity-read-more-to-know-more-about-this-ransomware-and-how-it-affects-its-victims/" ], "synonyms": [ "RobbinHood" @@ -30601,6 +36249,7 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware", + "https://intel471.com/blog/a-brief-history-of-ta505", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/" ], "synonyms": [], @@ -30657,6 +36306,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat", "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/", "https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf", 
@@ -30715,6 +36365,25 @@ "uuid": "87a45a07-30d7-4223-ae61-6b1e6dde0f5a", "value": "Romeo(Alfa,Bravo, ...)" }, + { + "description": "Ransomware.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rook", + "https://seguranca-informatica.pt/rook-ransomware-analysis/", + "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware/", + "https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/", + "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5df87e9b-4fd1-4f48-92d7-416b7d83313f", + "value": "Rook" + }, { "description": "", "meta": { @@ -30779,6 +36448,7 @@ "https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/", "https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0", "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/", "https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/", "https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/", "http://www.malwaretech.com/2014/05/rovnix-new-evolution.html", 
@@ -30834,6 +36504,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rozena", + "https://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors", "https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena" ], "synonyms": [], @@ -30848,6 +36519,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm", "https://securelist.com/financial-cyberthreats-in-2020/101638/", + "https://jonahacks.medium.com/malware-analysis-manual-unpacking-of-redaman-ec1782352cfb", "https://www.youtube.com/watch?v=YXnNO3TipvM", "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf", "http://www.peppermalware.com/2019/11/brief-analysis-of-redaman-banking.html", @@ -30868,7 +36540,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtpos", - "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf" + "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf", + "http://reversing.fun/posts/2022/01/30/rtpos.html" ], "synonyms": [], "type": [] 
@@ -30913,6 +36586,21 @@ "uuid": "b746a645-5974-44db-a811-a024214b7fba", "value": "running_rat" }, + { + "description": "RURansom shows characteristics of typical ransomware, but despite its name, TrendMicro's assumptions after analysis showed that this malware is more a wiper than ransomware, because the irreversible destruction of encrypted files.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ruransom", + "https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html", + "https://blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/", + "https://blogs.vmware.com/security/2022/04/ruransom-a-retaliatory-wiper.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "bdcfb449-e897-4c44-a429-7665cce194fe", + "value": "RURansom" + }, { "description": "", "meta": { @@ -30936,6 +36624,7 @@ "http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf", "http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html", "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf", + "https://darknetdiaries.com/episode/110/", "http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html", "https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html", "https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/", 
@@ -30961,7 +36650,9 @@ "https://www.hhs.gov/sites/default/files/bazarloader.pdf", "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", "https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/", + "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", "https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://twitter.com/ffforward/status/1324281530026524672", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", @@ -30983,6 +36674,7 @@ "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/", "https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html", "https://www.scythe.io/library/threatthursday-ryuk", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", 
@@ -31000,6 +36692,7 @@ "https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/", "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://twitter.com/IntelAdvanced/status/1353546534676258816", "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", @@ -31012,6 +36705,7 @@ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/", "https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf", + "https://arcticwolf.com/resources/blog/karakurt-web", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/", "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes", 
@@ -31022,7 +36716,8 @@
 "https://community.riskiq.com/article/c88cf7e6",
 "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf",
 "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/",
- "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon",
+ "https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/",
+ "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker",
 "https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12",
 "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
 "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
@@ -31030,7 +36725,10 @@
 "https://www.secureworks.com/research/threat-profiles/gold-ulrick",
 "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/",
 "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
+ "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
 "https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP",
+ "https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider",
+ "https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
 "https://www.youtube.com/watch?v=HwfRxjV2wok",
 "https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes",
 "https://www.youtube.com/watch?v=CgDtm05qApE",
@@ -31045,43 +36743,52 @@ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", "https://www.youtube.com/watch?v=LUxOcpIRxmg", - "https://www.youtube.com/watch?v=BhjQ6zsCVSc", + "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/", + "https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456", "https://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/", "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware", "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf", + "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html", "https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://twitter.com/SophosLabs/status/1321844306970251265", + "https://www.youtube.com/watch?v=BhjQ6zsCVSc", "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware", - "https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/", + "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon", 
"https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/", + "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", "https://blog.cyberint.com/ryuk-crypto-ransomware", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/", "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", + "https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/", "https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/", "https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/", "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", "https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", "https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/", "https://www.youtube.com/watch?v=Of_KjNG9DHc", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks", "https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/", 
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf", "https://twitter.com/IntelAdvanced/status/1356114606780002308", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more", + "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", "https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects", + "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html", "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", @@ -31093,6 +36800,7 @@ "https://www.youtube.com/watch?v=7xxRunBP5XA", "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://0xchina.medium.com/malware-reverse-engineering-31039450af27", "https://twitter.com/anthomsec/status/1321865315513520128", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" ], 
@@ -31197,6 +36905,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.saint_bot",
+ "https://www.cyberscoop.com/ukrainian-cyber-attacks-russia-conflict-q-and-a/",
+ "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/",
+ "https://cert.gov.ua/article/18419",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/",
 "https://blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-saint-bot-downloader/"
 ],
 "synonyms": [],
@@ -31205,6 +36918,24 @@
 "uuid": "aa0afca8-551e-4fc7-a314-f541b80c6833",
 "value": "Saint Bot"
 },
+ {
+ "description": "This in .Net witten backdoor abuses the DNS protocoll for its C2 communication. Also other techniques (e.g. long random sleeps, compression) are used to become more stealthy.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.saitama",
+ "https://isc.sans.edu/diary/Translating+Saitama%27s+DNS+tunneling+messages/28738",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/",
+ "https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt",
+ "https://x-junior.github.io/malware%20analysis/2022/06/24/Apt34.html"
+ ],
+ "synonyms": [
+ "Saitama"
+ ],
+ "type": []
+ },
+ "uuid": "435e482d-adfe-4b28-936e-d13fda800767",
+ "value": "Saitama Backdoor"
+ },
 {
 "description": "Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files onto the compromised computer.",
 "meta": {
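Review bot: The new Saitama entry's description contains spelling mistakes that will be displayed verbatim in every MISP instance that loads this galaxy: `"description": "This in .Net witten backdoor abuses the DNS protocoll for its C2 communication."` should read `"description": "This .NET-written backdoor abuses the DNS protocol for its C2 communication. Other techniques (e.g. long random sleeps, compression) are used to make it stealthier."`. The `synonyms` array also lists `Saitama`, which is just the cluster's own `value` (`Saitama Backdoor`) without the suffix; if synonyms are meant to be genuinely alternative names, confirm this is intended as the short form rather than an accidental duplicate, since it affects how the entry is matched and searched. The earlier Saint Bot hunk on this line only adds references and needs no change.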
@@ -31212,7 +36943,9 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat",
 "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf",
 "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula",
+ "https://web.archive.org/web/20151001235506/https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=654",
 "https://www.secureworks.com/research/sakula-malware-family",
+ "https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group",
 "https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/",
 "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1",
@@ -31244,15 +36977,18 @@ "value": "Salgorea" }, { - "description": "", + "description": "F-Secure states that the Sality virus family has been circulating in the wild as early as 2003. Over the years, the malware has been developed and improved with the addition of new features, such as rootkit or backdoor functionality, and so on, keeping it an active and relevant threat despite the relative age of the malware.\r\n\r\nModern Sality variants also have the ability to communicate over a peer-to-peer (P2P) network, allowing an attacker to control a botnet of Sality-infected machines. The combined resources of the Sality botnet may also be used by its controller(s) to perform other malicious actions, such as attacking routers.\r\n\r\nInfection\r\nSality viruses typically infect executable files on local, shared and removable drives. In earlier variants, the Sality virus simply added its own malicious code to the end of the infected (or host) file, a technique known as prepending. The viral code that Sality inserts is polymorphic, a form of complex code that is intended to make analysis more difficult.\r\n\r\nEarlier Sality variants were regarded as technically sophisticated in that they use an Entry Point Obscuration (EPO) technique to hide their presence on the system. This technique means that the virus inserts a command somewhere in the middle of an infected file's code, so that when the system is reading the file to execute it and comes to the command, it forces the system to 'jump' to the malware's code and execute that instead. This technique was used to make discovery and disinfection of the malicious code harder.\r\n\r\nPayload\r\nOnce installed on the computer system, Sality viruses usually also execute a malicious payload. The specific actions performed depend on the specific variant in question, but generally Sality viruses will attempt to terminate processes, particularly those related to security programs. 
The virus may also attempt to open connections to remote sites, download and run additional malicious files, and steal data from the infected machine.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality", - "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf", - "https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail", "https://unit42.paloaltonetworks.com/c2-traffic/", - "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf", - "https://gist.githubusercontent.com/quangnh89/41deada8a936a1877a6c6c757ce73800/raw/41f27388a11a606e1d6a7596dcb6469578e79321/sality_extractor.py" + "https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail", + "https://gist.githubusercontent.com/quangnh89/41deada8a936a1877a6c6c757ce73800/raw/41f27388a11a606e1d6a7596dcb6469578e79321/sality_extractor.py", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf", + "https://www.mandiant.com/resources/pe-file-infecting-malware-ot", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", + "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf" ], "synonyms": [], "type": [] 
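Review bot: The new Sality description is technically self-contradictory where it says the virus `added its own malicious code to the end of the infected (or host) file, a technique known as prepending`; placing code at the end of the host is appending, and prepending means placing it before the original code, so the sentence as written will mislead analysts reading the galaxy. Suggest `..., a technique known as appending` (or, if the author meant the opposite, correct the "end of the file" clause instead). The description opens with "F-Secure states that", so if this is a verbatim quote the error should still be corrected or bracketed rather than carried into the cluster. Separately, the entry is now a long multi-section string with `\r\n` and bare `Infection` / `Payload` headings; that is valid JSON but renders as a wall of text in MISP, so a shorter summary with the full text left to the refs would be easier to consume.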
@@ -31279,24 +37015,34 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam", "https://www.secureworks.com/research/threat-profiles/gold-lowell", - "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", - "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", - "http://blog.talosintel.com/2016/03/samsam-ransomware.html", "https://sites.temple.edu/care/ci-rw-attacks/", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", - "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://www.secureworks.com/research/samsam-ransomware-campaigns", "https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public", "https://www.secureworks.com/blog/ransomware-deployed-by-adversary", - "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", - "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx", - "https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/", - "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/", + "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf", "https://www.secureworks.com/blog/samsam-converting-opportunity-into-profit", - "https://www.secureworks.com/blog/samas-ransomware", - "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "https://news.sophos.com/en-us/2018/11/29/how-a-samsam-like-attack-happens-and-what-you-can-do-about-it/", "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html", - 
"https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" + "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", + "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx", + "https://news.sophos.com/en-us/2018/07/31/samsam-guide-to-coverage/", + "https://nakedsecurity.sophos.com/2018/08/02/how-to-defend-yourself-against-samsam-ransomware/", + "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://news.sophos.com/en-us/2018/07/31/sophoslabs-releases-samsam-ransomware-report/", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", + "http://blog.talosintel.com/2016/03/samsam-ransomware.html", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", + "https://www.justice.gov/opa/press-release/file/1114746/download", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", + "https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/", + "https://www.secureworks.com/blog/samas-ransomware" ], "synonyms": [ "Samas" 
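Review bot: Almost all of the 15 removed and 18 added lines in this SamSam hunk are the same URLs re-emitted in a different position, so the real changes (the Sophos SamSam report set, the DOJ indictment PDF, The Record article and the Sophos threat-intel-center post) are buried in reorder noise that makes the commit hard to review and produces spurious merge conflicts. The generator should emit `refs` in a stable order (sorted, or Malpedia's upstream order preserved) so a diff shows only genuine additions and removals. The hunk also carries forward both `"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1"` and the same URL with a trailing `/`; normalising trailing slashes before de-duplicating would drop one of them.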
@@ -31502,6 +37248,22 @@
 "uuid": "92a65c89-acc3-4ee7-8db0-f0ea293ed12d",
 "value": "Schneiken"
 },
+ {
+ "description": "The Chinese threat actor has used a custom backdoor dubbed \"Scieron\" over years in several campaigns according to SentinelLABS.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scieron",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363",
+ "https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e343583b-8338-42ea-af60-311578146151",
+ "value": "Scieron"
+ },
 {
 "description": "",
 "meta": {
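Review bot: The new Scieron description says `The Chinese threat actor has used a custom backdoor dubbed "Scieron"` without ever naming the actor, which leaves the sentence dangling for anyone reading the cluster without the refs; the SentinelLabs URL in `refs` suggests the actor is Scarab, so if that is confirmed the text should read `The Chinese threat actor Scarab has used a custom backdoor dubbed "Scieron" for years in several campaigns, according to SentinelLabs.`. The `refs` array also lists `https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine` twice, once with and once without a trailing `/`; one of the two should be dropped or the importer should normalise URLs before de-duplicating.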
@@ -31547,27 +37309,28 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sdbbot", - "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", - "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", - "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", - "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", + "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader", + "https://vblocalhost.com/uploads/VB2020-Jung.pdf", + "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.secureworks.com/research/threat-profiles/gold-tahoe", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824", + "https://intel471.com/blog/a-brief-history-of-ta505", + "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", + 
"https://github.com/Tera0017/SDBbot-Unpacker", + "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", + "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104", "https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/", - "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf", - "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", - "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", - "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", - "https://github.com/Tera0017/SDBbot-Unpacker", - "https://vblocalhost.com/uploads/VB2020-Jung.pdf", - "https://www.secureworks.com/research/threat-profiles/gold-tahoe" + "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/" ], "synonyms": [], "type": [] 
@@ -31646,6 +37409,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco",
+ "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf",
 "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
 "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
 "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf",
@@ -31665,10 +37429,11 @@
 "value": "Sedreco"
 },
 {
- "description": "",
+ "description": "simple tool to facilitate download and persistence of a next-stage tool; collects system information and metadata probably in an attempt to tell sandbox-environments apart from real targets on the server-side; uses domains of search engines like Google to check for Internet connectivity; XOR-based string obfuscation with a 16-byte key",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader",
+ "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf",
 "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/",
 "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
 "https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/",
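Review bot: The new Seduploader description in the second hunk is a lowercase, semicolon-separated list of analyst notes rather than a sentence, which reads poorly next to the other descriptions in this file (compare the Sakula entry). Suggest rewording it as prose, e.g. `"description": "Simple tool used to download and persist a next-stage payload. It collects system information and metadata, probably so the server side can tell sandboxes apart from real targets, uses search-engine domains such as Google to check Internet connectivity, and obfuscates strings with a 16-byte XOR key."`. The claims themselves are kept as the commit states them; I have not verified them against the cited reports.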
@@ -31678,15 +37443,19 @@
 "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html",
 "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf",
 "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
 "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
 "https://www.secureworks.com/research/threat-profiles/iron-twilight",
+ "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/",
 "http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
 "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/",
 "https://blog.xpnsec.com/apt28-hospitality-malware-part-2/",
+ "https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals-part-ii/",
 "https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed"
 ],
 "synonyms": [
+ "GAMEFISH",
 "carberplike",
 "downrage",
 "jhuhugit",
@@ -31715,8 +37484,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sekhmet",
+ "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html",
 "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/",
 "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/",
 "https://id-ransomware.blogspot.com/2020/03/sekhmet-ransomware.html",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
@@ -31730,6 +37501,19 @@
 "uuid": "b4b4e8c8-fc66-4618-ba35-75f21d7d6922",
 "value": "Sekhmet"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.selfmake",
+ "https://twitter.com/8th_grey_owl/status/1481433481485844483"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2ef98145-45b8-4acf-ba28-71f495581387",
+ "value": "SelfMake Loader"
+ },
 {
 "description": "",
 "meta": {
@@ -31790,27 +37574,28 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper", + "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware", + "https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/", "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html", "https://insights.oem.avira.com/ta505-apt-group-targets-americas/", - "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/", - "https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/", - "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", - "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf", - "https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", - "https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/", - "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware", - "https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/", - "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/", - 
"https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/", - "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/", - "https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners", + "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/", + "https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/", + "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505", + "https://www.secureworks.com/research/threat-profiles/gold-tahoe", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", - "https://www.secureworks.com/research/threat-profiles/gold-tahoe" + "https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners", + "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf", + "https://intel471.com/blog/a-brief-history-of-ta505", + "https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", + "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", + 
"https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/" ], "synonyms": [], "type": [] @@ -31818,6 +37603,24 @@ "uuid": "cebfa7af-8c31-4dda-8373-82893c7f43f4", "value": "ServHelper" }, + { + "description": "Ransomware", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sfile", + "https://id-ransomware.blogspot.com/2020/02/sfile2-ransomware.html", + "https://twitter.com/GrujaRS/status/1296856836944076802?s=20", + "https://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown/" + ], + "synonyms": [ + "Escal", + "Morseop" + ], + "type": [] + }, + "uuid": "6899dd08-a94b-4e76-813e-1b8437d23aa4", + "value": "Sfile" + }, { "description": "", "meta": { 
@@ -31854,30 +37657,43 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad",
 "https://www.youtube.com/watch?v=_fstHQSK-kk",
+ "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
 "https://therecord.media/redecho-group-parks-domains-after-public-exposure/",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
 "https://www.recordedfuture.com/redecho-targeting-indian-power-sector/",
 "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf",
 "https://www.youtube.com/watch?v=55kaaMGBARM",
 "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf",
 "https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/",
 "https://securelist.com/shadowpad-in-corporate-networks/81432/",
- "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
+ "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/",
+ "https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/",
 "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf",
 "https://securelist.com/apt-trends-report-q2-2020/97937/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/",
 "https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/",
 "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html",
 "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/",
+ "https://www.ic3.gov/Media/News/2021/211220.pdf",
 "https://securelist.com/apt-trends-report-q3-2020/99204/",
 "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf",
 "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf",
+ "https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/",
 "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf",
+ "https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2",
+ "https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf",
+ "https://thehackernews.com/2022/02/researchers-link-shadowpad-malware.html",
 "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf",
- "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/",
+ "https://www.secureworks.com/research/shadowpad-malware-analysis",
 "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf",
+ "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage"
 ],
 "synonyms": [
@@ -31936,6 +37752,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.shark",
+ "https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/",
 "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf"
 ],
 "synonyms": [],
@@ -31944,6 +37761,19 @@
 "uuid": "d00c8f94-d6b5-40b7-b167-fc546c5dec38",
 "value": "Shark"
 },
+ {
+ "description": ".NET reimplementation of Cobalt Strike beacon/stager",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpbeacon",
+ "https://github.com/mai1zhi2/SharpBeacon"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "12c0e80c-c439-4eaf-9272-f78b16010313",
+ "value": "SharpBeacon"
+ },
 {
 "description": "",
 "meta": {
@@ -31960,12 +37790,26 @@
 "uuid": "d31f1c73-d14b-41e2-bb16-81ee1d886e43",
 "value": "SHARPKNOT"
 },
+ {
+ "description": "This tool is made to simplify penetration testing of networks and to create a Swiss-army knife that is made for running on Windows which is often a requirement during insider threat simulation engagements.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpmapexec",
+ "https://github.com/cube0x0/SharpMapExec"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e9940cca-6e3a-45e2-88b7-8fa9ae19c647",
+ "value": "SharpMapExec"
+ },
 {
 "description": "The SharpStage backdoor is a .NET malware with backdoor capabilities. Its name is a derivative of the main activity class called “Stage_One”. SharpStage can take screenshots, run arbitrary commands and downloads additional payloads. It exfiltrates data from the infected machine to a dropbox account by implementing a dropbox client in its code. SharpStage was seen used by the Molerats group in targeted attacks in the middle east. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstage",
 "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign",
+ "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
 "https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/"
 ],
 "synonyms": [
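Review bot: The SharpMapExec description is the tool's own README text in the developer's voice ("This tool is made to simplify penetration testing ...") with no attribution, unlike the SMOKEDHAM entry in this same change, which opens with "According to Mandiant, ...". A reader of the cluster cannot tell that this is the author's self-description rather than a third-party assessment; prefixing it keeps the wording and makes the source explicit: `"description": "According to its GitHub README, SharpMapExec is made to simplify penetration testing of networks and to create a Swiss-army knife that is made for running on Windows which is often a requirement during insider threat simulation engagements."`. Every entry's first ref is a malpedia.caad.fkie.fraunhofer.de details URL, so this file is presumably generated from Malpedia; if so, the change belongs in the upstream description rather than in this JSON. The SharpStage entry that follows continues outside the hunk.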
@@ -31989,6 +37833,22 @@
 "uuid": "819fd946-ed0e-4cec-ad45-66b88e39b732",
 "value": "SHARPSTATS"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shellclient",
+ "https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms",
+ "https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/"
+ ],
+ "synonyms": [
+ "GhostShell"
+ ],
+ "type": []
+ },
+ "uuid": "f91adcf2-10ce-4ea3-bfae-ea6e270d56f0",
+ "value": "ShellClient RAT"
+ },
 {
 "description": "",
 "meta": {
@@ -32011,8 +37871,9 @@
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
 "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan",
- "https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/"
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/",
+ "https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan"
 ],
 "synonyms": [],
 "type": []
@@ -32130,6 +37991,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder",
+ "https://medium.com/@DCSO_CyTec/404-file-still-found-d52c3834084c",
 "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html",
 "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf",
 "https://ti.qianxin.com/blog/articles/the-recent-rattlesnake-apt-organized-attacks-on-neighboring-countries-and-regions/",
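Review bot: The Shifu hunk adds `"https://intel471.com/blog/a-brief-history-of-ta505"` while keeping `"https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/"` as the first context line, which looks like the same article under the publisher's old and new hostnames, so the entry now lists one source twice. The same pattern recurs in this change in the Snatch hunk (the same two intel471 URLs), the SmokeLoader hunk (`m.alvar.es` copies of the two `security.neurolabs.club` posts on dynamic imports and unpacking), the SMOKEDHAM hunk (fireeye.com and mandiant.com URLs with the same "darkside-affiliate-supply-chain-software-compromise" slug) and the SolarMarker hunk (`squiblydoo.blog` and `binarydefense.com` copies of "mars-deimos-from-jupiter-to-mars-and-back-again-part-two"). Every entry's first ref is a malpedia.caad.fkie.fraunhofer.de details URL, so the file is presumably generated from Malpedia; if so the dedup belongs in the generator (normalising known host aliases before comparing refs), otherwise keep whichever URL of each pair currently resolves and drop the other. Only the Shifu hunk is a reordering plus one addition, so nothing else in it needs attention.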
@@ -32427,6 +38289,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.slingshot",
+ "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
 "https://securelist.com/apt-slingshot/84312/",
 "https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf",
 "https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/"
@@ -32442,7 +38305,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver",
- "https://github.com/BishopFox/sliver"
+ "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf",
+ "https://team-cymru.com/blog/2022/04/29/sliver-case-study-assessing-common-offensive-security-tools/",
+ "https://github.com/BishopFox/sliver",
+ "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
+ "https://www.telsy.com/download/5900/?uid=b797afdcfb",
+ "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/"
 ],
 "synonyms": [],
 "type": []
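Review bot: The Sliver ref `"https://www.telsy.com/download/5900/?uid=b797afdcfb"` carries a `uid` query parameter that looks like a per-download identifier rather than part of the resource address, and nothing in the URL tells a reader which document it is. Links of this shape tend to stop working once the identifier is invalidated, and the parameter may be tied to whoever originally fetched the file. Verify that the link resolves without the parameter and, if it does, store the bare `"https://www.telsy.com/download/5900/"` form; if the file is generated from Malpedia (every entry's first ref is a Malpedia details URL) the correction belongs upstream.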
@@ -32566,17 +38434,36 @@
 "uuid": "b81cbf03-8909-4833-badf-4df32c9bf6cb",
 "value": "SMAUG"
 },
+ {
+ "description": "According to Mandiant, SMOKEDHAM is dropped through a powershell script that contains the (C#) source code for this backdoor, which is stored in an encrypted variable. The dropper dynamically defines a cmdlet and .NET class for the backdoor, meaning the compiled code is only found in memory.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokedham",
+ "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html",
+ "https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7547af7d-e4fe-4ee1-8a3d-55981740b78c",
+ "value": "SMOKEDHAM"
+ },
 {
 "description": "The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader",
+ "https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/",
 "https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft",
 "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "https://m.alvar.es/2020/06/comparative-analysis-between-bindiff.html",
 "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
 "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
- "https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo",
+ "https://asec.ahnlab.com/en/33600/",
+ "https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.101_ENG.pdf",
 "https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/",
 "https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign",
 "https://research.checkpoint.com/2019-resurgence-of-smokeloader/",
@@ -32584,6 +38471,7 @@
 "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe",
 "https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/",
 "http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html",
+ "https://securitynews.sonicwall.com/xmlpost/html-application-hta-files-are-being-used-to-distribute-smoke-loader-malware/",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
 "http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
@@ -32595,6 +38483,7 @@
 "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
 "http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html",
 "https://hatching.io/blog/tt-2020-08-27/",
+ "https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo",
 "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
 "https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886",
 "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
@@ -32610,10 +38499,14 @@
 "https://www.cert.pl/en/news/single/dissecting-smoke-loader/",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/",
 "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html",
- "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://intel471.com/blog/privateloader-malware",
 "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/",
 "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/",
 "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
+ "https://m.alvar.es/2019/10/dynamic-imports-and-working-around.html",
+ "https://m.alvar.es/2020/06/unpacking-smokeloader-and.html",
 "https://x0r19x91.in/malware-analysis/smokeloader/"
 ],
 "synonyms": [
@@ -32717,10 +38610,14 @@
 "https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
 "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
 "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://github.com/albertzsigovits/malware-notes/blob/master/Snatch.md",
- "https://twitter.com/VK_Intel/status/1191414501297528832"
+ "https://twitter.com/VK_Intel/status/1191414501297528832",
+ "https://www.crowdstrike.com/blog/financial-motivation-drives-golang-malware-adoption/"
 ],
 "synonyms": [],
 "type": []
@@ -32728,6 +38625,19 @@
 "uuid": "98139439-6863-439c-b4d0-c6893f1afb23",
 "value": "Snatch"
 },
+ {
+ "description": "Malware observed in the SnatchCrypto campaign, attributed by Kaspersky Labs to BlueNoroff with high confidence.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatchcrypto",
+ "https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b7affd90-6551-4266-b864-a0b9f6d5b309",
+ "value": "SnatchCrypto"
+ },
 {
 "description": "A downloader trojan with some infostealer capabilities focused on the browser. Previously observed as part of RigEK campaigns.",
 "meta": {
@@ -32848,6 +38758,21 @@
 "uuid": "4366ea63-b784-428c-bb00-89ee99eaf8c3",
 "value": "Socelars"
 },
+ {
+ "description": "Sockbot is a customized and in Go written fork of the Ligolo reverse tunneling open-source \r\ntool. Several modification were performed by the threat actors who rewrote that code, e.g. execution checks, hardcoded values.\r\nLigolo: https://github.com/sysdream/ligolo",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sockbot",
+ "https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html",
+ "https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/",
+ "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b477dcfb-281c-4bef-9a23-f004ebe5a465",
+ "value": "Sockbot"
+ },
 {
 "description": "",
 "meta": {
@@ -32866,6 +38791,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf",
 "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
 "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
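Review bot: The Sockbot description is hard to read as written: "a customized and in Go written fork of the Ligolo reverse tunneling open-source \r\ntool" splits a sentence with a `\r\n` and has inverted word order, and "Several modification were performed" is ungrammatical. A rewording that keeps every stated fact: `"Sockbot is a customized fork, written in Go, of the open-source Ligolo reverse tunneling tool. The threat actors who rewrote the code made several modifications, e.g. execution checks and hardcoded values.\r\nLigolo: https://github.com/sysdream/ligolo"`. The Ligolo repository would also sit more naturally as an entry in `refs` than as a URL inside the description, though if this file is generated from the Malpedia record (every entry's first ref is a Malpedia details URL) both fixes belong upstream.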
@@ -32885,6 +38811,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sodamaster",
 "https://securelist.com/apt-trends-report-q1-2021/101967/",
+ "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks",
+ "https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-vlc-media-player-to-launch-malware-loader/",
 "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf"
 ],
 "synonyms": [
@@ -32915,18 +38844,26 @@
 "value": "Solarbot"
 },
 {
- "description": "",
+ "description": "Unit 42 notes that they identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users to download malicious documents.\r\n\r\nSome of SolarMarker’s capabilities include the exfiltration of auto-fill data, saved passwords and saved credit card information from victims’ web browsers. Besides capabilities typical for infostealers, SolarMarker has additional capabilities such as file transfer and execution of commands received from a C2 server.\r\n\r\nThe malware invests significant effort into defense evasion, which consists of techniques like signed files, huge files, impersonation of legitimate software installations and obfuscated PowerShell scripts.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarmarker",
+ "https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/",
 "https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer",
 "https://www.binarydefense.com/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/",
+ "https://blogs.blackberry.com/en/2022/01/threat-thursday-jupyter-infostealer-is-a-master-of-disguise",
+ "https://unit42.paloaltonetworks.com/solarmarker-malware/",
 "https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html",
+ "https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction",
 "https://twitter.com/MsftSecIntel/status/1403461397283950597",
- "https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire",
+ "https://www.prodaft.com/m/reports/Solarmarker_TLPWHITEv2.pdf",
+ "https://blog.minerva-labs.com/new-iocs-of-jupyter-stealer",
 "https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html#more",
 "https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/",
- "https://www.binarydefense.com/mars-deimos-solarmarker-jupyter-infostealer-part-1/"
+ "https://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker",
+ "https://www.binarydefense.com/mars-deimos-solarmarker-jupyter-infostealer-part-1/",
+ "https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire"
 ],
 "synonyms": [
 "Jupyter",
@@ -33009,6 +38946,21 @@
 "uuid": "bc135ba5-637b-46c9-94fc-2eef5e018bb5",
 "value": "Sorgu"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.soul",
+ "https://www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware"
+ ],
+ "synonyms": [
+ "SoulSearcher"
+ ],
+ "type": []
+ },
+ "uuid": "f7e3b124-ad70-4456-9aff-3ec501e8c42d",
+ "value": "Soul"
+ },
 {
 "description": "",
 "meta": {
@@ -33053,7 +39005,8 @@
 "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign",
 "https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one",
 "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
- "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/"
+ "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/",
+ "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east"
 ],
 "synonyms": [],
 "type": []
@@ -33092,6 +39045,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sparrow_door",
+ "https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf",
 "https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/"
 ],
 "synonyms": [
@@ -33115,6 +39069,19 @@
 "uuid": "e4dce19f-bb8e-4ea1-b771-58b162946f29",
 "value": "Spartacus"
 },
+ {
+ "description": "Mixed RAT and Botnet malware sold in underground forums. In march 2021 it was advertised with the Spectre 2.0, it reached version 3 in June 2021 and then quickly version 4. This crimeware tool was being abused in malicious campaigns targeting European users in September 2021.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spectre",
+ "https://yoroi.company/research/spectre-v4-0-the-speed-of-malware-threats-after-the-pandemics/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0d0935cc-d98f-4a0e-8e13-f36358e974b4",
+ "value": "Spectre Rat"
+ },
 {
 "description": "",
 "meta": {
@@ -33141,6 +39108,20 @@
 "uuid": "dfbe088e-dd6d-4bad-8e2b-7a4162034da4",
 "value": "Spicy Hot Pot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spider_rat",
+ "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf",
+ "https://twitter.com/nahamike01/status/1471496800582664193?s=20"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "70d271b7-2dcc-4b4f-94a5-9ea4b2165510",
+ "value": "SPIDERPIG RAT"
+ },
 {
 "description": "",
 "meta": {
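Review bot: The Spectre Rat description reads "In march 2021 it was advertised with the Spectre 2.0", where "with the Spectre 2.0" looks like either a missing word or "with" standing for "as", and the month is not capitalised. If the Yoroi reference supports it, `In March 2021 it was advertised as Spectre 2.0, it reached version 3 in June 2021 and then quickly version 4.` says the same thing clearly; if it does not, the intended meaning needs checking against that source before rewording. Separately, the `value` "Spectre Rat" writes "Rat" differently from the "ShellClient RAT", "StrifeWater RAT" and "SPIDERPIG RAT" entries added in this same change; if `value` mirrors the Malpedia family name it should stay as-is so matching keeps working, but the inconsistency is worth raising upstream.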
@@ -33176,10 +39157,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyder",
+ "https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive",
+ "https://vms.drweb.com/virus/?i=23648386",
+ "https://st.drweb.com/static/new-www/news/2021/march/BackDoor.Spyder.1_en.pdf",
 "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/",
 "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf",
- "https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/",
- "https://st.drweb.com/static/new-www/news/2021/march/BackDoor.Spyder.1_en.pdf"
+ "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques",
+ "https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/"
 ],
 "synonyms": [],
 "type": []
@@ -33216,19 +39200,34 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle",
+ "https://redcanary.com/blog/intelligence-insights-december-2021",
+ "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html",
+ "https://www.cynet.com/understanding-squirrelwaffle/",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/",
+ "https://www.sentinelone.com/blog/is-squirrelwaffle-the-new-emotet-how-to-detect-the-latest-malspam-loader/",
+ "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html",
+ "https://redcanary.com/blog/intelligence-insights-november-2021/",
+ "https://blogs.blackberry.com/en/2021/11/threat-thursday-squirrelwaffle-loader",
+ "https://twitter.com/Max_Mal_/status/1442496131410190339",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/",
 "https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf",
 "https://www.malware-traffic-analysis.net/2021/09/17/index.html",
 "https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike",
 "https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9",
- "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/",
- "https://www.cynet.com/understanding-squirrelwaffle/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/",
+ "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan",
+ "https://news.sophos.com/en-us/2022/02/15/vulnerable-exchange-server-hit-by-squirrelwaffle-and-financial-fraud/",
+ "https://certitude.consulting/blog/en/unpatched-exchange-servers-distribute-phishing-links-squirrelwaffle/",
+ "https://twitter.com/jhencinski/status/1464268732096815105",
 "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot",
- "https://twitter.com/Max_Mal_/status/1442496131410190339",
 "https://security-soup.net/squirrelwaffle-maldoc-analysis/",
- "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/",
 "https://www.youtube.com/watch?v=9X2P7aFKSw0"
 ],
- "synonyms": [],
+ "synonyms": [
+ "DatopLoader"
+ ],
 "type": []
 },
 "uuid": "cdbfd973-fa96-4e64-b2a3-9d51460fd7af",
@@ -33378,8 +39377,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.stashlog",
+ "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html",
 "https://twitter.com/ESETresearch/status/1433819369784610828",
- "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html"
+ "https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive",
+ "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques"
 ],
 "synonyms": [],
 "type": []
@@ -33392,8 +39393,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit",
+ "https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool",
 "https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/",
- "https://twitter.com/r3c0nst/status/1425875923606310913"
+ "https://twitter.com/r3c0nst/status/1425875923606310913",
+ "https://securelist.com/new-ransomware-trends-in-2022/106457/"
 ],
 "synonyms": [
 "Corrempa"
@@ -33479,13 +39482,19 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.stop",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
 "https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/",
- "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
 "https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads",
 "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/",
 "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
+ "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
+ "https://intel471.com/blog/privateloader-malware",
 "https://securelist.com/keypass-ransomware/87412/",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/"
+ "https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/",
+ "https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/IOC-list",
+ "https://angle.ankura.com/post/102het9/the-stop-ransomware-variant",
+ "https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/",
+ "https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b"
 ],
 "synonyms": [
 "Djvu",
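Review bot: The STOP hunk adds `"https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/IOC-list"`, a link into the moving `main` branch of a personal repository, so the indicator list it points at can be rewritten or removed with no trace in this cluster, which matters more for an IOC list than for a blog post. Branch links are already a pattern in this file (the Snatch entry's albertzsigovits `blob/master/Snatch.md` ref, the SquirrelWaffle entry's `raw/main/...` PDF), so this is a policy question rather than a one-off. A commit-pinned permalink, `https://github.com/vithakur/detections/blob/<COMMIT_SHA>/STOP-ransomware-djvu/IOC-list` with `<COMMIT_SHA>` taken from the repository at review time, would make the reference stable; otherwise document that branch links are accepted for this file so reviewers stop flagging them.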
@@ -33524,6 +39533,20 @@
 "uuid": "00dedcea-4f87-4b6d-b12d-7749281b1366",
 "value": "Stresspaint"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.strifewater_rat",
+ "https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations",
+ "https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5627aff2-7e1d-4b11-81f5-33cd7febdd76",
+ "value": "StrifeWater RAT"
+ },
 {
 "description": "",
 "meta": {
@@ -33534,11 +39557,15 @@
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://anchorednarratives.substack.com/p/recover-your-files-with-strongpity",
 "https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4",
+ "https://blog.minerva-labs.com/a-new-strongpity-variant-hides-behind-notepad-installation",
 "https://twitter.com/physicaldrive0/status/786293008278970368",
 "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/",
 "https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/",
+ "https://ti.qianxin.com/blog/articles/promethium-attack-activity-analysis-disguised-as-Winrar.exe/",
+ "https://mp.weixin.qq.com/s/nQVUkIwkiQTj2pLaNYHeOA",
 "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html",
 "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf",
+ "https://blogs.blackberry.com/en/2021/11/zebra2104",
 "https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg",
 "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
 "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/"
@@ -33563,6 +39590,7 @@
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://medium.com/s2wlab/w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001",
 "https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
 "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/",
 "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf",
 "https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html",
@@ -33591,6 +39619,21 @@
 "uuid": "efe586da-a272-4898-9ebb-587f8f5a23ca",
 "value": "SUCEFUL"
 },
+ {
+ "description": "Ransomware, written in Delphi.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sugar",
+ "https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb",
+ "https://cyware.com/news/newly-found-sugar-ransomware-is-now-being-offered-as-raas-641cfa69",
+ "https://medium.com/s2wblog/tracking-sugarlocker-ransomware-3a3492353c49"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ea7d0457-3625-4224-aed4-739a360b10d3",
+ "value": "Sugar"
+ },
 {
 "description": "FireEye describes SUNBURST as a trojanized SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. After an initial dormant period of up to two weeks, it uses a DGA to generate specific subdomains for a set C&C domain. The backdoor retrieves and executes commands, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications: Orion Improvement Program (OIP) protocol. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. Multiple trojanzied updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website.",
 "meta": {
@@ -33607,6 +39650,7 @@
 "https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/",
 "https://github.com/github/codeql/tree/main/csharp/ql/src/experimental/Security%20Features/campaign",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-352a",
+ "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/",
 "https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/",
 "https://twitter.com/cybercdh/status/1339241246024404994",
@@ -33647,6 +39691,7 @@
 "https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/",
 "https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html",
 "https://www.cisa.gov/supply-chain-compromise",
+ "https://notes.netbytesec.com/2021/01/solarwinds-attack-sunbursts-dll.html",
 "https://blog.gigamon.com/2021/07/27/ghosts-on-the-wire-expanding-conceptions-of-network-anomalies/",
 "https://www.comae.com/posts/sunburst-memory-analysis/",
 "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
@@ -33658,10 +39703,11 @@
 "https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs",
 "https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095",
 "https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection",
- "https://twitter.com/KimZetter/status/1338305089597964290",
+ "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga",
 "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/",
 "https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection",
+ "https://www.mandiant.com/resources/unc2452-merged-into-apt29",
 "https://www.bleepingcomputer.com/news/security/mimecast-links-security-breach-to-solarwinds-hackers/",
 "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
 "https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/",
@@ -33710,7 +39756,7 @@
 "https://www.cadosecurity.com/post/responding-to-solarigate",
 "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach",
 "https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/",
- "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
+ "https://twitter.com/KimZetter/status/1338305089597964290",
 "https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/",
 "https://twitter.com/ItsReallyNick/status/1338382939835478016",
 "https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/",
@@ -33741,15 +39787,18 @@
 "https://www.mimecast.com/blog/important-security-update/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection",
 "https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html",
+ "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf",
 "https://twitter.com/lordx64/status/1338526166051934213",
 "https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
 "https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc",
+ "https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf",
 "https://github.com/fireeye/Mandiant-Azure-AD-Investigator",
 "https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation",
 "https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/",
 "https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/",
 "https://www.mimecast.com/incident-report/",
+ "https://www.mandiant.com/media/10916/download",
 "https://vxug.fakedoma.in/samples/Exotic/UNC2452/SolarWinds%20Breach/",
 "https://twitter.com/cybercdh/status/1338885244246765569",
 "https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/",
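Review bot: The new reference `https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf` points at a marketing-platform upload bucket rather than the publisher's own page, and `https://www.mandiant.com/media/10916/download` is an opaque numeric download endpoint; neither carries a searchable title, so if either link rots the reference cannot be recovered from the URL alone. Prefer the canonical landing page for each report, or pair the link with an archived copy, so the entry stays resolvable. The same drift.com upload URL is added again in the TEARDROP hunk (`@@ -34323,9 +40461,10 @@`), and the SunCrypt hunk (`@@ -33772,23 +39821,28 @@`) adds a similar opaque asset link, `https://cdn.pathfactory.com/assets/10555/contents/394789/0dd521f8-aa64-4517-834e-bc852e9ab95d.pdf`.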
@@ -33772,23 +39821,28 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt",
- "https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/",
- "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/",
- "https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a",
 "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/",
+ "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
+ "https://cdn.pathfactory.com/assets/10555/contents/394789/0dd521f8-aa64-4517-834e-bc852e9ab95d.pdf",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.tesorion.nl/en/posts/shining-a-light-on-suncrypts-curious-file-encryption-mechanism/",
+ "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt",
+ "https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ 
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
+ "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/",
 "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
 "https://medium.com/@sapphirex00/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83",
 "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
- "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt",
- "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
- "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
- "https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc"
+ "https://blog.minerva-labs.com/suncrypt-ransomware-gains-new-abilities-in-2022",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-is-still-alive-and-kicking-in-2022/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html"
 ],
 "synonyms": [],
 "type": []
@@ -33810,6 +39864,20 @@
 "uuid": "a51b82ba-7e32-4a8e-b5d0-8d0441bdcce4",
 "value": "SunOrcal"
 },
+ {
+ "description": "According to Proofpoint, this is a Lua-based malware likely used by a nation-state sponsored attacker used to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunseed",
+ "https://blogs.blackberry.com/en/2022/03/threat-thursday-sunseed-malware",
+ "https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a89f7e01-b049-4d09-aca3-ce19d91c4544",
+ "value": "SunSeed"
+ },
 {
 "description": "",
 "meta": {
@@ -33847,8 +39915,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox",
- "https://www.symantec.com/connect/blogs/trojanbayrob-strikes-again-1",
+ "https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf",
 "https://media.blackhat.com/us-13/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf",
+ "https://www.symantec.com/connect/blogs/trojanbayrob-strikes-again-1",
 "https://www.justice.gov/opa/pr/two-romanian-cybercriminals-convicted-all-21-counts-relating-infecting-over-400000-victim",
 "https://www.symantec.com/connect/blogs/bayrob-three-suspects-extradited-face-charges-us"
 ],
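Review bot: The new SunSeed description reads `...a Lua-based malware likely used by a nation-state sponsored attacker used to target European government personnel...`, which repeats "used" and leaves the sentence ungrammatical. Suggest `According to Proofpoint, this is a Lua-based malware, likely operated by a nation-state sponsored attacker, used to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.`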
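Review bot: In the Suppobox hunk the new reference `https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf` is a third-party mirror of the whitepaper the next line already cites from `media.blackhat.com`, so the entry now lists the same document twice. If the mirror is intended as a fallback for the original going offline, that intent is worth recording in the commit message; otherwise the original alone seems sufficient.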
@@ -33874,6 +39943,20 @@
 "uuid": "8666afcc-8cc2-4856-83de-b7e8b4309367",
 "value": "surtr"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.svcready",
+ "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
+ "https://www.socinvestigation.com/new-svcready-malware-loads-from-word-doc-properties-detection-response/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "20157c10-2a5f-49d9-baf5-d350fb65c06e",
+ "value": "SVCReady"
+ },
 {
 "description": "",
 "meta": {
@@ -33910,6 +39993,7 @@
 "https://www.secureworks.com/research/threat-profiles/bronze-edison",
 "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
+ "https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf",
 "https://www.symantec.com/connect/blogs/sykipot-attacks"
 ],
 "synonyms": [
@@ -34017,6 +40101,21 @@
 "uuid": "a4b9c526-42d0-4de9-ab8e-e78f99655d11",
 "value": "SysGet"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysjoker",
+ "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
+ "https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/",
+ "https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "16387289-9064-4ae9-8493-0a3623cdfd9a",
+ "value": "SysJoker (Windows)"
+ },
 {
 "description": "",
 "meta": {
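Review bot: In the SysJoker hunk the new reference `https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html` carries a percent-encoded U+202F (narrow no-break space) at the start of the slug; this may be the slug as actually published, but it looks like a copy-paste artifact and should be confirmed to resolve before merging. If the encoded character is not part of the real URL, drop it so the path reads `/security/2022/03/sysjoker-an-analysis-of-a-multi-os-rat.html`.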
@@ -34054,6 +40153,19 @@
 "uuid": "f90e9fb9-d60d-415e-9f7f-786ee45f6947",
 "value": "Sysraw Stealer"
 },
+ {
+ "description": "Sysrv is a Golang written Cryptojacking malware. There are Windows and Linux variants.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysrv_hello",
+ "https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cabc5944-195e-4939-a00f-a3cd6758f308",
+ "value": "Sysrv-hello (Windows)"
+ },
 {
 "description": "",
 "meta": {
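Review bot: The new Sysrv-hello description `Sysrv is a Golang written Cryptojacking malware. There are Windows and Linux variants.` reads awkwardly: the compound modifier wants a hyphen and "cryptojacking" is not a proper noun. Suggest `Sysrv is a Golang-written cryptojacking malware. There are Windows and Linux variants.`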
@@ -34071,16 +40183,22 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc",
+ "https://www.bitsight.com/blog/emotet-botnet-rises-again",
 "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/",
- "https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.mandiant.com/resources/chasing-avaddon-ransomware",
 "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
 "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
 "https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders",
 "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
+ "https://asec.ahnlab.com/en/33600/",
+ "https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits",
 "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
+ "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
 "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/",
 "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/",
- "https://news.sophos.com/en-us/2020/12/16/systembc/"
+ "https://news.sophos.com/en-us/2020/12/16/systembc/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
 ],
 "synonyms": [],
 "type": []
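Review bot: The SystemBC refs now contain the same Microsoft post twice: the new line after the isc.sans.edu entry, `https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself`, and the new final entry, which is identical except for a trailing slash. Because they differ by one character, exact-match de-duplication will not catch them, yet they resolve to one page. Keep a single form, preferably the trailing-slash variant, which matches how the other `microsoft.com/security/blog` URLs in this file are written, and drop the other.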
@@ -34128,8 +40246,9 @@
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a",
 "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf",
 "http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html",
- "https://blog.reversinglabs.com/blog/taidoor-a-truly-persistent-threat",
 "https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1",
+ "https://blog.reversinglabs.com/blog/taidoor-a-truly-persistent-threat",
+ "https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf",
 "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf"
 ],
 "synonyms": [
@@ -34192,6 +40311,24 @@
 "uuid": "71e77349-98f5-49c6-bff7-6ed3b3d79410",
 "value": "Tapaoux"
 },
+ {
+ "description": "This ransomware uses a combination of different crypto algorithms (ChaCha20, AES-128, Curve25519). The activity of this malware is dated to mid-June 2021. The extension of the encrypted files are set to the compromised company: .\r\nA decryptor was released on 2022-02-07 by AVAST",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.targetcompany",
+ "https://securityaffairs.co/wordpress/127761/malware/targetcompany-ransomware-decryptor.html",
+ "https://id-ransomware.blogspot.com/2021/06/tohnichi-ransomware.html",
+ "https://decoded.avast.io/threatresearch/decrypted-targetcompany-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-targetcompany-ransomware-victims/"
+ ],
+ "synonyms": [
+ "Tohnichi"
+ ],
+ "type": []
+ },
+ "uuid": "77af876d-84c5-4da3-a2b0-2fe5c77f758c",
+ "value": "TargetCompany"
+ },
 {
 "description": "",
 "meta": {
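Review bot: In the TargetCompany hunk the new description has a sentence that lost its payload: `The extension of the encrypted files are set to the compromised company: .` ends with a colon and a period but no extension value, which suggests the example was stripped somewhere on import. Either restore the missing value or rewrite the sentence as `The extension of the encrypted files is set to the name of the compromised company.`, which also fixes the verb agreement. The closing sentence `A decryptor was released on 2022-02-07 by AVAST` is missing its terminal period.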
@@ -34312,9 +40449,10 @@
 "https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader",
 "https://twitter.com/craiu/status/1339954817247158272",
 "https://www.youtube.com/watch?v=GfbxHy6xnbA",
- "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline",
+ "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/",
 "https://www.youtube.com/watch?v=LA-XE5Jy2kU",
 "https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b",
 "https://github.com/fireeye/sunburst_countermeasures",
 "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
@@ -34323,9 +40461,10 @@
 "https://twitter.com/TheEnergyStory/status/1346096298311741440",
 "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b",
+ "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf",
 "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf",
- "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/",
+ "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline",
+ "https://www.mandiant.com/resources/unc2452-merged-into-apt29",
 "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
 "https://twitter.com/TheEnergyStory/status/1342041055563313152",
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
@@ -34412,6 +40551,20 @@
 "uuid": "b71f1656-975a-4daa-8109-00c30fd20410",
 "value": "TeleDoor"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tellyouthepass",
+ "https://www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fa1dbbef-c2b0-44a2-8457-764dfc99be17",
+ "value": "TellYouThePass"
+ },
 {
 "description": "",
 "meta": {
@@ -34424,19 +40577,6 @@
 "uuid": "26b2c2c0-036e-4e3a-a465-71a391046b74",
 "value": "Tempedreve"
 },
- {
- "description": "A downloader written in Delphi that does direct decryption and memory injection of the payloads it fetches from services like OneDrive into benign processes such as dpiscaling.exe or mobsync.exe. It was observed to download Remcos.",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.temple_loader",
- "https://app.any.run/tasks/cd25d8c3-1944-4fa0-a4be-436dc1389fca/"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "9143b544-ab77-4331-a49c-b420ca89e9c3",
- "value": "TempleLoader"
- },
 {
 "description": "",
 "meta": {
@@ -34460,6 +40600,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.termite",
+ "https://www.mandiant.com/resources/evolution-of-fin7",
 "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/",
 "https://www.alienvault.com/blogs/labs-research/internet-of-termites"
 ],
@@ -34668,11 +40809,14 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx",
 "https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
+ "https://www.mandiant.com/resources/chasing-avaddon-ransomware",
 "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
 "https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/",
 "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
 "https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/"
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.picussecurity.com/resource/blog/a-detailed-walkthrough-of-ranzy-locker-ransomware-ttps",
+ "https://www.ic3.gov/Media/News/2021/211026.pdf"
 ],
 "synonyms": [
 "Ranzy Locker"
@@ -34709,11 +40853,15 @@
 "value": "Tidepool"
 },
 {
- "description": "under investigation, potentially linked to win.unidentified_082.",
+ "description": "This is third stage backdoor mentioned in the Kaspersky blog, \"Andariel evolves to target South Korea with ransomware\". The third stage payload was created via the second stage payload, is interactively executed in the operation and exists in both x64 and x86 versions. Most of them use Internet Explorer or Google Chrome icons and corresponding file names to disguise themselves as legitimate internet browsers. The malware decrypts the embedded payload at runtime. It uses an embedded 16-byte XOR key to decrypt the base64 encoded payload. The decrypted payload is another portable executable file that runs in memory. Before getting decrypted with a hardcoded XOR key, the backdoor also checks for sandbox environment.\r\nThe backdoor has some code overlap with a know malware family PEBBLEDASH, attributed to Lazarus/LABYRINTH CHOLLIMA.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat",
- "https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277&attach_file_id=EpF3277.pdf"
+ "https://www.brighttalk.com/webcast/18282/493986",
+ "https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277&attach_file_id=EpF3277.pdf",
+ "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/",
+ "https://threatray.com/wp-content/uploads/2021/12/threatray-establishing-the-tigerrat-and-tigerdownloader-malware-families.pdf",
+ "https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html"
 ],
 "synonyms": [],
 "type": []
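Review bot: The new TigerRAT description contains two wording slips: `This is third stage backdoor` should read `This is the third-stage backdoor`, and `a know malware family PEBBLEDASH` should read `a known malware family, PEBBLEDASH`. The sentence `Before getting decrypted with a hardcoded XOR key, the backdoor also checks for sandbox environment.` would also read better as `...checks for a sandbox environment.`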
@@ -34735,14 +40883,15 @@
 "value": "tildeb"
 },
 {
- "description": "",
+ "description": "F-Secure notes that TinyBanker or short Tinba is usually distributed through malvertising (advertising content that leads the user to sites hosting malicious threats), exploit kits and spam email campaigns. According to news reports, Tinba has been found targeting bank customers in the United States and Europe.\r\n\r\nIf Tinba successfully infects a device, it can steal banking and personal information through webinjects. To do this, the malware monitors the user's browser activity and if specific banking portals are visited, Tinba injects code to present the victim with fake web forms designed to mimic the legitimate web site. The malware then tricks them into entering their personal information, log-in credentials, etc in the legitimate-looking page.\r\n\r\nTinba may also display socially-engineered messages to lure or pressure the user into entering their information on the fake page; for example, a message may be shown which attempts to convince the victim that funds were accidentally deposited to his account and must be refunded immediately.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba",
 "https://adalogics.com/blog/the-state-of-advanced-code-injections",
- "https://blogs.blackberry.com/en/2019/03/blackberry-cylance-vs-tinba-banking-trojan",
+ "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
 "https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant",
 "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/",
+ "https://blogs.blackberry.com/en/2019/03/blackberry-cylance-vs-tinba-banking-trojan",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "http://contagiodump.blogspot.com/2012/06/amazon.html",
@@ -34788,6 +40937,7 @@
 "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/",
 "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/",
 "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/",
+ "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://twitter.com/VK_Intel/status/1273292957429510150",
 "https://www.secureworks.com/research/threat-profiles/gold-niagara",
@@ -34807,10 +40957,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke",
+ "https://asec.ahnlab.com/en/32781/",
 "https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet",
 "https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702",
 "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html",
 "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/",
+ "https://asec.ahnlab.com/en/27346/",
 "https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/",
 "https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/",
 "https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/",
@@ -34860,6 +41012,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiny_turla",
+ "https://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/",
 "https://blog.talosintelligence.com/2021/09/tinyturla.html"
 ],
 "synonyms": [],
@@ -34907,11 +41060,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee",
- "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
 "https://www.cert.pl/en/news/single/tofsee-en/",
+ "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
+ "https://www.dragos.com/blog/investigating-the-watering-hole-linked-to-the-oldsmar-water-treatment-facility-breach/",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
 "https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/",
- "https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/",
- "https://www.dragos.com/blog/investigating-the-watering-hole-linked-to-the-oldsmar-water-treatment-facility-breach/"
+ "https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/"
 ],
 "synonyms": [
 "Gheg"
@@ -34921,6 +41076,20 @@
 "uuid": "53e617fc-d71e-437b-a1a1-68b815d1ff49",
 "value": "Tofsee"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tokyox",
+ "https://lab52.io/blog/tokyox-dll-side-loading-an-unknown-artifact-part-2/",
+ "https://lab52.io/blog/tokyox-dll-side-loading-an-unknown-artifact/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ad23afb8-cfce-4e43-b73f-58ca20fa0afe",
+ "value": "TokyoX"
+ },
 {
 "description": "",
 "meta": {
@@ -34970,7 +41139,8 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.torisma",
 "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html",
 "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf",
- "http://blog.nsfocus.net/stumbzarus-apt-lazarus/"
+ "http://blog.nsfocus.net/stumbzarus-apt-lazarus/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/"
 ],
 "synonyms": [],
 "type": []
@@ -34999,7 +41169,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.toxiceye",
- "https://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/"
+ "https://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/",
+ "https://www.bollyinside.com/articles/how-rat-malware-is-using-telegram-to-evade-detection/"
 ],
 "synonyms": [],
 "type": []
@@ -35051,43 +41222,64 @@
 "https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows",
+ "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module",
 "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
 "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/",
 "https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez",
+ "https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/",
 "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/",
 "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/",
 "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
 "https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/",
+ "https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/",
+ "https://osint.fans/service-nsw-russia-association",
+ "https://www.ic3.gov/Media/News/2022/220120.pdf",
 "https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/",
 "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
 "https://labs.vipre.com/trickbots-tricks/",
"https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/",
 "https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/",
+ "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/",
 "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
 "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
 "https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor",
 "https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737",
 "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware",
- "https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors",
+ "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
 "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
 "https://www.secureworks.com/research/threat-profiles/gold-swathmore",
 "https://twitter.com/anthomsec/status/1321865315513520128",
+ "https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/",
 "https://www.hhs.gov/sites/default/files/bazarloader.pdf",
 "https://www.cert.pl/en/news/single/detricking-trickbot-loader/",
+ "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure",
+ "https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works",
 "https://community.riskiq.com/article/298c9fc9",
 "https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/",
"https://blog.talosintelligence.com/2020/03/trickbot-primer.html",
 "https://www.deepinstinct.com/2019/07/12/trickbooster-trickbots-email-based-infection-module/",
- "https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html",
+ "https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal",
+ "https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
 "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/",
+ "https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/",
+ "https://www.wired.co.uk/article/trickbot-malware-group-internal-messages",
+ "https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
 "https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/",
+ "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
 "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf",
+ "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/",
 "https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/",
 "https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/",
- "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
+ 
"https://blog.vincss.net/2021/10/re025-trickbot-many-tricks.html",
 "https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf",
 "https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf",
 "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html",
@@ -35095,7 +41287,10 @@
 "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/",
 "https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/",
 "https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns",
+ "https://www.youtube.com/watch?v=Brx4cygfmg8",
 "https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/",
+ "https://share.vx-underground.org/Conti/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
 "https://www.youtube.com/watch?v=EyDiIAt__dI",
 "https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/",
 "https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/",
@@ -35103,6 +41298,8 @@
 "https://noticeofpleadings.com/trickbot/files/Complaint%20and%20Summons/2020-10-06%20Trickbot%201%20Complaint%20with%20exs.pdf",
 "https://www.intrinsec.com/deobfuscating-hunting-ostap/",
 "https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass",
+ "https://www.wired.com/story/trickbot-malware-group-internal-messages/",
+ "https://www.youtube.com/watch?v=KMcSAlS9zGE",
 "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works",
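Review bot: The refs list now carries the same Microsoft ransomware-as-a-service post twice, added once without a trailing slash in the @@ -35095 hunk and once with a trailing slash in the @@ -35113 hunk, and that later hunk also re-adds `https://www.secureworks.com/research/threat-profiles/gold-blackburn` next to the existing `http://` form of the same URL. If the galaxy is deduplicated by exact string, these survive as separate refs; normalizing scheme and trailing slash before insertion, or dropping one of each pair, would keep the list clean. The `wired.co.uk` and `wired.com` internal-messages links added in the same hunks may be distinct articles and are worth a quick check rather than an automatic merge. The refs array itself begins and ends outside this hunk.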
@@ -35113,121 +41310,159 @@
 "https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2020/12/21/trickbot_a_closerl-TpQ0.html",
 "https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/",
 "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
- "https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/",
+ "https://arcticwolf.com/resources/blog/karakurt-web",
+ "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/",
 "http://www.secureworks.com/research/threat-profiles/gold-blackburn",
+ "https://unit42.paloaltonetworks.com/ryuk-ransomware/",
 "https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/",
 "https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/",
+ "https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks",
 "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization",
 "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
 "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-076a",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
 "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/",
 "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/",
+ "https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors",
 "https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html",
 "https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607",
- "https://www.splunk.com/en_us/blog/security/detecting-trickbots.html",
+ 
"https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked",
 "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c",
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/",
 "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
 "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html",
+ "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
 "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
 "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
+ "https://intel471.com/blog/privateloader-malware",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
 "https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html",
 "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
 "https://www.youtube.com/watch?v=lTywPmZEU1A",
 "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://www.secureworks.com/research/threat-profiles/gold-blackburn",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
 "https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure",
 "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a",
 "https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/",
"https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
- "https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/",
+ "https://therecord.media/trickbot-gang-shuts-down-botnet-after-months-of-inactivity/",
+ "https://www.netscout.com/blog/asert/dropping-anchor",
 "https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html",
 "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/",
 "https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html",
+ "https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://securelist.com/trickbot-module-descriptions/104603/",
 "http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
 "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
 "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/",
- "https://www.youtube.com/watch?v=KMcSAlS9zGE",
+ "https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/",
 "https://cofenselabs.com/all-you-need-is-text-second-wave/",
 "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/",
"https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/",
- "https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization",
+ "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
 "http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html",
- "https://unit42.paloaltonetworks.com/ryuk-ransomware/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption",
 "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader",
- "https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/",
+ "https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html",
 "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
 "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/",
 "https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/",
+ "https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/",
 "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
 "https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features",
 "https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/",
- "https://www.netscout.com/blog/asert/dropping-anchor",
- "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
+ 
"https://www.kryptoslogic.com/blog/2022/01/deep-dive-into-trickbots-web-injection/",
+ "https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html",
+ "https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
 "https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/",
 "https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/",
+ "https://www.mandiant.com/media/12596/download",
 "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident",
 "https://blog.lumen.com/a-look-inside-the-trickbot-botnet/",
+ "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/",
 "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/",
+ "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
+ "https://intel471.com/blog/conti-leaks-ransomware-development",
 "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/",
 "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
 "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html",
 "https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot",
+ "https://community.riskiq.com/article/111d6005/description",
 "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html",
 "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html",
+ "https://www.justice.gov/opa/press-release/file/1445241/download",
+ "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
 "http://www.malware-traffic-analysis.net/2018/02/01/",
 "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/",
 "https://www.secdata.com/the-trickbot-and-mikrotik/",
+ "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/",
 "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/",
+ "https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/",
 "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware",
 "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html",
- "https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks",
+ "https://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/",
 "https://blog.cyberint.com/ryuk-crypto-ransomware",
- "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/",
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://community.riskiq.com/article/04ec92f4",
"https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity",
 "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/",
 "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
 "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre",
+ "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html",
 "https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/",
- "https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/",
+ "https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/",
 "https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/",
 "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
 "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
 "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
 "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/",
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+ "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/",
 "https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/",
 "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/",
 "https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/",
 "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users",
+ "https://www.splunk.com/en_us/blog/security/detecting-trickbots.html",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/",
+ "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles",
 "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf",
 "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot",
 "https://www.joesecurity.org/blog/498839998833561473",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf",
+ "https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/",
 "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
 "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html",
 "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html",
 "https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/",
 "https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html",
 "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
+ "https://www.reuters.com/technology/details-another-big-ransomware-group-trickbot-leak-online-experts-say-2022-03-04/",
+ 
"https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/",
+ "https://www.secureworks.com/research/threat-profiles/gold-blackburn",
 "https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/",
 "https://www.secureworks.com/research/threat-profiles/gold-ulrick",
- "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf",
 "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "https://twitter.com/VK_Intel/status/1328578336021483522",
 "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/",
@@ -35236,6 +41471,7 @@
 "https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/",
 "https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/",
 "https://securelist.com/financial-cyberthreats-in-2020/101638/",
+ "https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056",
 "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth",
 "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
 "https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/",
@@ -35248,9 +41484,10 @@
 "https://redcanary.com/resources/webinars/deep-dive-process-injection/",
 "https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/",
 "https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/",
- "https://osint.fans/service-nsw-russia-association",
+ "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/",
 "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
- "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/"
+ "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/",
+ "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/"
 ],
 "synonyms": [
 "TheTrick",
@@ -35268,10 +41505,14 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton",
 "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
+ "https://www.ic3.gov/Media/News/2022/220325.pdf",
 "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html",
 "https://www.eenews.net/stories/1060123327/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-083a",
 "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
 "https://home.treasury.gov/news/press-releases/sm1162",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
 "https://dragos.com/blog/trisis/TRISIS-01.pdf",
 "https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF",
 "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN",
@@ -35292,7 +41533,7 @@
 "value": "Triton"
 },
 {
- "description": "",
+ "description": "Trochilus is a C++ written RAT, which is available on GitHub. \r\nGitHub Repo:\r\n- https://github.com/m0n0ph1/malware-1/tree/master/Trochilus\r\n- https://github.com/5loyd/trochilus",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat",
@@ -35300,9 +41541,10 @@
 "https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf",
 "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf",
 "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
 "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
 "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn",
- "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
+ "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html",
 "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains",
 "https://www.secureworks.com/research/threat-profiles/bronze-vinewood",
 "https://github.com/m0n0ph1/malware-1/tree/master/Trochilus"
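Review bot: The new Trochilus description reads awkwardly ("a C++ written RAT", a stray space before the first `\r\n`) and embeds two GitHub URLs as free text, while `https://github.com/m0n0ph1/malware-1/tree/master/Trochilus` is already present in `refs` and `https://github.com/5loyd/trochilus` is not visible there. Suggest `"description": "Trochilus is a RAT written in C++ whose source is available on GitHub."` and adding the 5loyd repository to `refs` (if it is not already listed in the part of the array outside the hunk) so consumers that only read `refs` see both repositories. The refs array continues past this hunk.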
@@ -35388,6 +41630,33 @@
 "uuid": "3da6f62c-9e06-4e7b-8852-7c7689f65833",
 "value": "Tsifiri"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turian",
+ "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/",
+ "https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "69585b58-ec98-4a70-b61d-288d5a7ca7c3",
+ "value": "turian"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turkojan",
+ "https://www.sentinelone.com/wp-content/uploads/2021/09/SentinelOne_-SentinelLabs_EGoManiac_WP_V4.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "17f9e595-c7c2-448a-a48a-6079e4c5791a",
+ "value": "Turkojan"
+ },
 {
 "description": "",
 "meta": {
@@ -35411,6 +41680,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://twitter.com/Arkbird_SOLG/status/1304187749373800455",
+ "https://www.emanueledelucia.net/the-bigboss-rules-something-about-one-of-the-uroburos-rpc-based-backdoors/",
 "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity"
 ],
 "synonyms": [
@@ -35546,6 +41816,20 @@
 "uuid": "5e362cd1-bc5c-4225-b820-00ec7ebebadd",
 "value": "Uiwix"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.underminer_ek",
+ "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become",
+ "https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "788b5c01-6609-4a3e-8922-5734fb6897b4",
+ "value": "UnderminerEK"
+ },
 {
 "description": "",
 "meta": {
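Review bot: The new element uses `"value": "turian"` in lowercase, while its neighbours in this hunk (`"Turkojan"`, `"UnderminerEK"`, `"Tsifiri"`) and the cited ESET title capitalize the family name; if `value` is meant to mirror the display name rather than the `win.turian` slug, it should presumably be `"value": "Turian"`, and a lookup keyed on the exact string will otherwise miss it. The Fortinet Follina write-up added as the third ref is not obviously about this family from its URL alone, so it is worth confirming it actually discusses Turian before keeping it.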
@@ -35865,7 +42149,7 @@
 "synonyms": [],
 "type": []
 },
- "uuid": "45d78ad1-6b31-423d-8c90-9bea0934c218",
+ "uuid": "33c661b3-b9e7-49a7-a82b-4b5977e79cae",
 "value": "win.unidentified_059"
 },
 {
@@ -36090,20 +42374,6 @@
 "uuid": "2eb8ca65-186b-44ae-bd91-189b3eb5ed54",
 "value": "Unidentified 081 (Andariel Ransomware)"
 },
- {
- "description": "This is third stage backdoor mentioned in the Kaspersky blog, \"Andariel evolves to target South Korea with ransomware\". The third stage payload was created via the second stage payload, is interactively executed in the operation and exists in both x64 and x86 versions. Most of them use Internet Explorer or Google Chrome icons and corresponding file names to disguise themselves as legitimate internet browsers. The malware decrypts the embedded payload at runtime. It uses an embedded 16-byte XOR key to decrypt the base64 encoded payload. The decrypted payload is another portable executable file that runs in memory. Before getting decrypted with a hardcoded XOR key, the backdoor also checks for sandbox environment.\r\nThe backdoor has some code overlap with a know malware family PEBBLEDASH, attributed to Lazarus/LABYRINTH CHOLLIMA.",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_082",
- "https://www.brighttalk.com/webcast/18282/493986",
- "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "082d2e86-d320-43cf-a602-f7bee7e3f3d4",
- "value": "Unidentified 082"
- },
 {
 "description": "",
 "meta": {
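Review bot: The `uuid` of `win.unidentified_059` is replaced rather than kept, and the second hunk on this line deletes the whole `Unidentified 082` element together with its `uuid` `082d2e86-d320-43cf-a602-f7bee7e3f3d4`. Cluster UUIDs are the stable key that events, tags and relationships elsewhere use to point at an element, so changing or dropping one silently orphans those references. Unless the old 059 UUID is a known error, keeping `"uuid": "45d78ad1-6b31-423d-8c90-9bea0934c218"` is safer; for 082, retaining the element with a deprecation marker, or recording which element now covers it, would preserve existing links. The removed description was also the only place this cluster recorded the PEBBLEDASH overlap, which is lost with the deletion.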
@@ -36130,6 +42400,71 @@
 "uuid": "f80e8948-8e1e-4ecf-8d5e-08148e4dd2b0",
 "value": "Unidentified 085"
 },
+ {
+ "description": "Symantec describes this family as an unidentified tool set used to target a range of organizations in South East Asia. The campaign was first noticed in September 2020.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_087",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-south-east-asia?s=09"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a4c9861e-93c6-4b2b-aa2d-71c1405375b4",
+ "value": "Unidentified 087 "
+ },
+ {
+ "description": "Ransomware written in Nim.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_088",
+ "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d7f1e6cf-1880-426a-881a-619309f32c37",
+ "value": "Unidentified 088 (Nim Ransomware)"
+ },
+ {
+ "description": "Downloader used in suspected APT attack against Vietnam.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_089",
+ "https://kienmanowar.wordpress.com/2022/01/26/quicknote-analysis-of-malware-suspected-to-be-an-apt-attack-targeting-vietnam/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "685c9c30-aa9f-43ee-a262-43c17c350049",
+ "value": "Unidentified 089 (Downloader)"
+ },
+ {
+ "description": "Recon/Loader malware attributed to Lazarus, disguised as Notepad++ shell extension.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_090",
+ "https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "565de3f5-7eb7-43ca-a9d9-b588dfd6a50a",
+ "value": "Unidentified 090 (Lazarus)"
+ },
+ {
+ "description": "Avast found this unidentified RAT, which abuses a code-signing certificate by the Philippine Navy. It is statically linked against OpenSSL 1.1.1g.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_091",
+ "https://decoded.avast.io/threatintel/avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "33c8e201-9cd1-4a44-9380-3e3d3d6894c3",
+ "value": "Unidentified 091"
+ },
 {
 "description": "",
 "meta": {
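Review bot: `"value": "Unidentified 087 "` in the `@@ -36130` hunk carries a trailing space, so the generated tag would be `misp-galaxy:malpedia="Unidentified 087 "` — visually identical to the intended name but a distinct string that will never match on lookup or de-duplication; change it to `"value": "Unidentified 087"`. The Symantec reference on the same entry keeps a `?s=09` share-tracking parameter that adds nothing to the citation and will make the entry a duplicate of the canonical URL if that is ever added.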
@@ -36218,20 +42553,23 @@
 "value": "UrlZone"
 },
 {
- "description": "",
+ "description": "Uroburos is a driver for Windows, including a bypass of PatchGuard. According to Andrzej Dereszowski and Matthieu Kaczmarek, \"the techniques used demonstrate [their] excellent knowledge of Windows kernel internals.\"",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/",
 "https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken",
- "https://www.secureworks.com/research/threat-profiles/iron-hunter",
+ "https://exatrack.com/public/Uroburos_EN.pdf",
 "https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation",
 "https://www.circl.lu/pub/tr-25/",
+ "https://artemonsecurity.com/uroburos.pdf",
+ "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
 "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified",
 "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence",
 "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
 "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
 "https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots",
+ "https://www.secureworks.com/research/threat-profiles/iron-hunter",
 "https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg",
 "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/"
 ],
@@ -36249,6 +42587,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.usbculprit",
 "https://securelist.com/cycldek-bridging-the-air-gap/97157/",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
 "https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view"
 ],
 "synonyms": [],
@@ -36263,7 +42602,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/",
- "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf"
+ "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -36374,6 +42714,7 @@
 "https://twitter.com/malwrhunterteam/status/1095024267459284992",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/",
 "https://twitter.com/malwrhunterteam/status/1093136163836174339",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
 "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618"
 ],
 "synonyms": [
@@ -36414,7 +42755,7 @@
 "value": "Venom RAT"
 },
 {
- "description": "",
+ "description": "VenomLNK is the initial phase of the more_eggs malware-as-a-service. It is a poisoned .lnk file that depends on User Execution and points to LOLBINs (often cmd.exe) with additional obfuscated scripting options. This typically initiates WMI abuse and TerraLoader, which can load additional functionality through various plugins.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.venom_lnk",
@@ -36486,9 +42827,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vhd_ransomware",
- "https://securelist.com/apt-trends-report-q2-2020/97937/",
 "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
 "https://twitter.com/GrujaRS/status/1241657443282825217",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-hermit-kingdoms-ransomware-play.html",
 "https://seguranca-informatica.pt/secrets-behind-the-lazaruss-vhd-ransomware/"
 ],
 "synonyms": [],
@@ -36497,29 +42840,61 @@
 "uuid": "fb0ad46d-20b6-4e8c-b401-702197667272",
 "value": "VHD Ransomware"
 },
+ {
+ "description": "VictoryGate was the name of a cryptomining botnet, which was disrupted by ESET researchers in April 2020. The used malware itself was also referred to as VictoryGate. It was spotted in May 2019 and targeted mainly Latin American users, specifically, Peru (Criptonizando states 90% of the botnet publication residing there). Both public and private sectors were targeted.\r\nThis cryptojacking malware was specialized in Monero (XRM) cryptocurrency.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.victorygate",
+ "https://criptonizando.com/35-mil-computadores-foram-infectados-na-america-latina-por-malware-que-minerava-monero/",
+ "https://www.welivesecurity.com/2020/04/23/eset-discovery-monero-mining-botnet-disrupted/",
+ "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
+ "https://www.eset.com/int/about/newsroom/press-releases/research/eset-researchers-disrupt-cryptomining-botnet-victorygate/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "229cd7f6-2514-42b8-baa6-0c2a22cd5d9c",
+ "value": "VictoryGate"
+ },
 {
 "description": "Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar",
- "https://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed",
- "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
 "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d",
- "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/",
- "https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html",
+ "https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/",
+ "https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/",
+ "https://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed",
+ "https://www.csoonline.com/article/3654849/microsoft-help-files-repurposed-to-contain-vidar-malware-in-new-campaign.html",
+ "https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/",
+ "https://asec.ahnlab.com/en/30875/",
+ "https://eln0ty.github.io/malware%20analysis/vidar/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://twitter.com/sisoma2/status/1409816282065743872",
+ "https://asec.ahnlab.com/en/30445/",
+ "https://cert.pl/en/posts/2021/10/vidar-campaign/",
 "https://docs.google.com/spreadsheets/d/1nx42rdMdkCrvlmACDi3CHseyG87iSV1Y6rGZYq_-oDk",
+ "https://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing",
+ "https://asec.ahnlab.com/en/22932/",
+ "https://threatpost.com/microsoft-help-files-vidar-malware/179078/",
+ "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
+ "https://www.bleepingcomputer.com/news/security/fake-pixelmon-nft-site-infects-you-with-password-stealing-malware/",
+ "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/",
+ "https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
 "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html",
 "https://blog.minerva-labs.com/vidar-stealer-evasion-arsenal",
- "https://asec.ahnlab.com/en/22932/",
- "https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/"
+ "https://asec.ahnlab.com/ko/25837/",
+ "https://isc.sans.edu/diary/rss/28468"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "1f44c08a-b427-4496-9d6d-909b6bf34b9b",
- "value": "vidar"
+ "value": "Vidar"
 },
 {
 "description": "Wiper malware discovered by Japanese security firm Mitsui Bussan Secure Directions (MBSD), which is assumed to target Japan, the host country of the 2021 Summer Olympics. In addition to targeting common file Office-related files, it specifically targets file types associated with the Japanese word processor Ichitaro.",
 "meta": {
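Review bot: The new VictoryGate description in the `@@ -36497` hunk writes `Monero (XRM)`; Monero's ticker is XMR, and `botnet publication` reads as a slip for `botnet population`, so the text should say `Peru (Criptonizando states 90% of the botnet population residing there)` and `specialized in Monero (XMR) cryptocurrency`. Renaming `"value": "vidar"` to `"Vidar"` keeps the UUID but changes the tag string derived from the value, so events tagged with the old spelling stop resolving to this cluster by name; adding `"vidar"` under `synonyms` would keep the old name discoverable. The added `isc.sans.edu/diary/rss/28468` reference appears to be the RSS variant of a diary entry; the plain diary URL would be the stable citation.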
@@ -36564,6 +42939,7 @@
 "https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/",
 "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/",
 "https://www.spamhaus.org/news/article/690/cooperative-efforts-to-shut-down-virut-botnet",
+ "https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
 "https://securelist.com/review-of-the-virus-win32-virut-ce-malware-sample/36305/"
 ],
 "synonyms": [],
@@ -36590,7 +42966,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vjw0rm",
+ "https://community.riskiq.com/article/24759ad2",
+ "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
 "https://bazaar.abuse.ch/browse/signature/Vjw0rm/",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
+ "https://twitter.com/tccontre18/status/1461386178528264204",
+ "https://lifars.com/wp-content/uploads/2021/09/Vjw0rm-.pdf",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf",
 "https://appriver.com/resources/blog/november-2020/vjw0rm-back-new-tactics"
 ],
 "synonyms": [],
@@ -36655,6 +43037,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer",
+ "https://lifars.com/wp-content/uploads/2021/09/Lazarus.pdf",
 "https://www.us-cert.gov/ncas/alerts/TA17-318B",
 "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
 "https://www.secureworks.com/research/threat-profiles/nickel-academy",
@@ -36784,15 +43167,18 @@
 "https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html",
 "https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html",
 "https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html",
+ "https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1",
 "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168",
 "https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/WannaCry-Aftershock.pdf",
 "https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/",
 "https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984",
- "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1",
+ "https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d",
+ "https://news.sophos.com/en-us/2019/09/18/the-wannacry-hangover/",
 "https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e",
 "https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf",
 "https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/",
- "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/",
+ "https://github.com/0xZuk0/rules-of-yaras/blob/main/reports/Wannacry%20Ransomware%20Report.pdf",
 "https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/",
 "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf",
 "https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign",
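Review bot: The `@@ -36784` hunk adds `swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1` while the `@@ -36800` hunk on the next line re-adds `metaswan.github.io/posts/…` with the identical path, so the new side cites what appears to be one post under two hosts, one presumably a renamed site. Keep only the host that currently serves the post so the refs list does not accumulate mirror duplicates. The Sophos `the-ransomware-threat-intelligence-center` link added in that second hunk is also added to WastedLocker later in this commit, which suggests it is a hub page attached generically rather than a WannaCry-specific citation; worth confirming it points at something specific before it is kept.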
@@ -36800,11 +43186,13 @@
 "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
 "https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today",
 "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
 "https://www.youtube.com/watch?v=Q90uZS3taG0",
- "https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d",
+ "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1",
 "https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf",
 "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/"
+ "http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/",
+ "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/"
 ],
 "synonyms": [
 "Wana Decrypt0r",
@@ -36816,6 +43204,19 @@
 "uuid": "ad67ff31-2a02-43f9-8b12-7df7e4fcccd6",
 "value": "WannaCryptor"
 },
+ {
+ "description": "According to Mars, WannaHusky is a Nim-compiled ransomware malware sample, created for demonstration purposes and provided as part of the Practical Malware Analysis & Triage course provided by HuskyHacks.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannahusky",
+ "https://medium.com/@mars0x/wannahusky-malware-analysis-w-yara-ttps-2069fb479909"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "10fc30fe-9f64-4765-a341-acde878f105c",
+ "value": "WannaHusky"
+ },
 {
 "description": "Ransomware.",
 "meta": {
@@ -36829,6 +43230,20 @@
 "uuid": "44f548e2-9a47-433a-bccf-fff412d2963b",
 "value": "WannaRen"
 },
+ {
+ "description": "This malware looks similar to WastedLocker, but the ransomware component is missing.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedloader",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c6b601f6-4cb6-4e7b-98fd-35af910ec0d8",
+ "value": "WastedLoader"
+ },
 {
 "description": "WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates which includes an abbreviation of the victim’s name and the string ‘wasted’. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was used also by other malware families such as: Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase entropy of the sample and hide the actual code.",
 "meta": {
@@ -36837,6 +43252,7 @@
 "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html",
 "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
 "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
 "https://ioc.hatenablog.com/entry/2020/08/16/132853",
 "https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html",
 "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/",
@@ -36844,29 +43260,40 @@
 "https://unit42.paloaltonetworks.com/wastedlocker/",
 "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
 "https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
 "https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/",
+ "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
 "https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf",
 "https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/",
 "https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/",
 "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd",
 "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/",
 "https://securelist.com/wastedlocker-technical-analysis/97944/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us",
 "https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US",
- "https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.bbc.com/news/world-us-canada-53195749",
+ "https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/",
 "https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77",
 "http://www.secureworks.com/research/threat-profiles/gold-drake",
 "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/",
 "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://seguranca-informatica.pt/wastedlocker-malware-analysis/#.YfAaIRUITTY.twitter",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://news.sophos.com/en-us/2020/08/04/wastedlocker-techniques-point-to-a-familiar-heritage/",
 "https://www.securonix.com/web/wp-content/uploads/2020/08/Securonix_Threat_Research_WastedLocker_Ransomware.pdf",
 "https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/",
+ "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp",
 "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://www.bbc.com/news/world-us-canada-53195749",
+ "https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf",
 "https://unit42.paloaltonetworks.com/atoms/wastedlocker-ransomware/"
 ],
 "synonyms": [],
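Review bot: The added `seguranca-informatica.pt/wastedlocker-malware-analysis/#.YfAaIRUITTY.twitter` reference in the `@@ -36844` hunk carries a social-share tracking fragment; the fragment is not part of the resource and will make this entry a duplicate of any later canonical citation, so trim it to `"https://seguranca-informatica.pt/wastedlocker-malware-analysis/"`. The same hunk removes and re-adds several unchanged refs (`pwc-cyber-threats-2020`, `SED-Threats-Financial-Sector.pdf`, the BBC article, the Talos 2020 year-in-malware post) purely to reorder them, which hides the real additions among churn; keeping the list order stable, or sorting it once in a separate commit, would make ref additions reviewable line by line.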
@@ -37165,6 +43592,85 @@
 "uuid": "8ec2d984-8c10-49f2-ad97-64af275a7afc",
 "value": "WeSteal"
 },
+ {
+ "description": "Destructive malware deployed against targets in Ukraine in January 2022.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate",
+ "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
+ "https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/",
+ "https://blog.gigamon.com/2022/01/28/focusing-on-left-of-boom/",
+ "https://www.crowdstrike.com/blog/who-is-ember-bear/",
+ "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
+ "https://blogs.blackberry.com/en/2022/01/threat-thursday-whispergate-wiper",
+ "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html",
+ "https://www.netskope.com/blog/netskope-threat-coverage-whispergate",
+ "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-protects-against-data-wiping-malware/",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://www.youtube.com/watch?v=Ek3URIaC5O8",
+ "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html?splunk",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/return-of-pseudo-ransomware.html",
+ "https://www.cadosecurity.com/resources-for-dfir-professionals-responding-to-whispergate-malware/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/update-on-whispergate-destructive-malware-targeting-ukraine.html",
+ "https://intel471.com/blog/russia-ukraine-conflict-cybercrime-underground",
+ "https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html",
+ "https://stairwell.com/news/whispers-in-the-noise-microsoft-ukraine-whispergate/",
+ "https://www.youtube.com/watch?v=2nd-f1dIfD4",
+ "https://twitter.com/nunohaien/status/1484088885575622657",
+ "https://blogs.blackberry.com/en/2022/02/threat-spotlight-whispergate-wiper-wreaks-havoc-in-ukraine",
+ "https://cert.gov.ua/article/18101",
+ "https://twitter.com/HuskyHacksMK/status/1482876242047258628",
+ "https://zetter.substack.com/p/dozens-of-computers-in-ukraine-wiped",
+ "https://www.recordedfuture.com/whispergate-malware-corrupts-computers-ukraine/",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf",
+ "https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html",
+ "https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/",
+ "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
+ "https://www.crowdstrike.com/blog/lessons-from-past-cyber-operations-against-ukraine/",
+ "https://go.recordedfuture.com/hubfs/reports/pov-2022-0127.pdf",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a",
+ "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/",
+ "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation",
+ "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
+ "https://www.brighttalk.com/webcast/15591/534324",
+ "https://info.cyborgsecurity.com/hubfs/Emerging%20Threats/WhisperGate%20Malware%20Update%20-%20Emerging%20Threat.pdf",
+ "https://blogs.microsoft.com/on-the-issues/2022/01/15/mstic-malware-cyberattacks-ukraine-government/",
+ "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine",
+ "https://www.secureworks.com/blog/disruptive-attacks-in-ukraine-likely-linked-to-escalating-tensions",
+ "https://rxored.github.io/post/analysis/whispergate/whispergate/",
+ "https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/",
+ "https://zetter.substack.com/p/hackers-were-in-ukraine-systems-months",
+ "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator.md",
+ "https://www.secureworks.com/blog/whispergate-not-notpetya",
+ "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
+ "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
+ "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
+ "https://lifars.com/2022/01/a-detailed-analysis-of-whispergate-targeting-ukrainian-organizations/",
+ "https://csirt-mon.wp.mil.pl/pl/articles6-aktualnosci/analysis-cyberattack-ukrainian-government-resources/",
+ "https://github.com/OALabs/Lab-Notes/blob/main/WhisperGate/WhisperGate.ipynb",
+ "https://twitter.com/knight0x07/status/1483401072102502400",
+ "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
+ "https://inquest.net/blog/2022/02/10/380-glowspark",
+ "https://twitter.com/Libranalysis/status/1483128221956808704",
+ "https://thehackernews.com/2022/02/putin-warns-russian-critical.html",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?",
+ "https://maxkersten.nl/binary-analysis-course/malware-analysis/dumping-whispergates-wiper-from-an-eazfuscator-obfuscated-loader/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf",
+ "https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/"
+ ],
+ "synonyms": [
+ "PAYWIPE"
+ ],
+ "type": []
+ },
+ "uuid": "6001ed9f-9108-4481-9980-dc6e5c1908a0",
+ "value": "WhisperGate"
+ },
 {
 "description": "According to Dr.Web, WhiteBird is a backdoor written in C++ and designed to operate in both 32-bit and 64-bit Microsoft Windows operating systems. The configuration is encrypted with a single byte XOR key. An interesting feature is that the malware can be restricted to operate only within certain \"working_hours\" with a granularity of one minute.",
 "meta": {
@@ -37179,6 +43685,22 @@
 "uuid": "20286294-3813-4c17-a165-ef12aae64303",
 "value": "WhiteBird"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt",
+ "https://www.checkmal.com/video/read/3605/",
+ "https://sebdraven.medium.com/whisperkill-vs-whiteblackcrypt-un-petit-soucis-de-fichiers-9c4dcd013316"
+ ],
+ "synonyms": [
+ "WARYLOOK"
+ ],
+ "type": []
+ },
+ "uuid": "f587a5a2-907e-456c-91e9-74fd997c03b5",
+ "value": "WhiteBlackCrypt"
+ },
 {
 "description": "",
 "meta": {
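Review bot: The WhisperGate refs in the `@@ -37165` hunk contain two near-duplicate pairs: `threat-advisory-strt-ta02-destructive-software.html` appears both plain and with `?splunk` appended, and `dot-net-stubs-sowing-the-seeds-of-discord` appears both plain and with a trailing `?`. The query-string variants resolve to the same documents and should be dropped so the list has one canonical URL per source; the same `dot-net-stubs` article is attached to several unrelated clusters in this commit, so it is worth checking it really discusses each family it is cited on. The one-line `"description"` could also say which vendor uses the `PAYWIPE` synonym, so the alias is traceable to one of the listed references.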
@@ -37191,6 +43713,22 @@
 "uuid": "2f512a73-6847-4231-81c6-8b51af8b5be2",
 "value": "WildFire"
 },
+ {
+ "description": "Information stealer used by threat actor LuoYu.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.windealer",
+ "https://securelist.com/windealer-dealing-on-the-side/105946/",
+ "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf",
+ "https://blogs.jpcert.or.jp/en/2021/10/windealer.html",
+ "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_7_leon-niwa-ishimaru_en.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3aa42316-9f3b-457b-9560-99ccf00a45c1",
+ "value": "WinDealer"
+ },
 {
 "description": "",
 "meta": {
@@ -37232,10 +43770,12 @@
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/",
 "https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/",
- "https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html",
+ "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
 "https://securelist.com/games-are-over/70991/",
 "https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf",
 "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf",
+ "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques",
+ "https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive",
 "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html",
 "https://github.com/TKCERT/winnti-suricata-lua",
 "https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/",
@@ -37249,6 +43789,7 @@
 "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
 "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
 "https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html",
+ "https://blogs.vmware.com/security/2021/11/monitoring-winnti-4-0-c2-servers-for-two-years.html",
 "https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/",
 "https://securelist.com/apt-trends-report-q3-2020/99204/",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/",
@@ -37267,7 +43808,8 @@
 "https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/",
 "https://docplayer.net/162112338-Don-t-miss-the-forest-for-the-trees-gleaning-hunting-value-from-too-much-intrusion-data.html",
 "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage"
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage",
+ "https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html"
 ],
 "synonyms": [
 "BleDoor",
@@ -37297,6 +43839,19 @@
 "uuid": "893a1da2-ae35-4877-8cde-3f532543af36",
 "value": "WinPot"
 },
+ {
+ "description": "Backdoor used in the EvilPlayout campaign against Iran's State Broadcaster.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winscreeny",
+ "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b45a1776-11a8-4ac9-9714-33cb17709166",
+ "value": "WinScreeny"
+ },
 {
 "description": "",
 "meta": {
@@ -37316,6 +43871,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", + "https://docs.broadcom.com/doc/waterbug-attack-group", "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf", "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf" @@ -37389,6 +43945,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger", + "https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf", "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" ], @@ -37447,6 +44004,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wscspl", + "https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/", "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/" ], "synonyms": [], @@ -37455,6 +44013,23 @@ "uuid": "62fd2b30-55b6-474a-8d72-31e492357d11", "value": "WSCSPL" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.wslink", + "https://www.welivesecurity.com/wp-content/uploads/2022/03/eset_wsliknkvm.pdf", + "https://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/", + "https://twitter.com/darienhuss/status/1453342652682981378" + ], + "synonyms": [ + "FinickyFrogfish" + ], + "type": [] + }, + "uuid": "63fc32b0-3017-418c-b00a-ae20205e9c90", + "value": "Wslink" + }, { "description": "", "meta": { 
@@ -37473,6 +44048,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent", + "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf", "https://assets.documentcloud.org/documents/3461560/Google-Aquarium-Clean.pdf", "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", "https://www.thecssc.com/wp-content/uploads/2018/10/4OctoberIOC-APT28-malware-advisory.pdf", @@ -37564,6 +44140,19 @@ "uuid": "09fd85b1-6fc9-45af-a37e-732b5fc6447b", "value": "Xenon Stealer" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.xfilesstealer", + "https://twitter.com/3xp0rtblog/status/1473323635469438978" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4e980ff8-20f2-4b3f-bad8-763321932b99", + "value": " X-Files Stealer" + }, { "description": "", "meta": { @@ -37622,6 +44211,23 @@ "uuid": "6aa7047f-7dfa-4a10-b515-853c3795db69", "value": "XP10" }, + { + "description": "Symantec describes this as a decryptor/loader used by Chinese threat actor Antlion in campaigns targeting Taiwan.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpack", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks", + "https://thehackernews.com/2022/02/chinese-hackers-target-taiwanese.html", + "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html" + ], + "synonyms": [ + "NERAPACK" + ], + "type": [] + }, + "uuid": "f87a348e-fa1f-4c90-8b46-ef382868d043", + "value": "xPack" + }, { "description": "", "meta": { 
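Review bot: The new entry in hunk `@@ -37564,6 +44140,19 @@` has a leading space in its name, `"value": " X-Files Stealer"`, so it will not match the family name as written anywhere else, sorts apart from the other X entries and is invisible to an exact-string lookup; it should read `"value": "X-Files Stealer"`. Because this file is regenerated from the Malpedia API by the tools/fetch_malpedia.sh added further down in this commit, a hand edit here would be overwritten on the next run, so the normalisation belongs in tools/del_duplicate_refs.py (for example `c['value'] = c['value'].strip()` inside its loop) or in a report to the upstream feed.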
@@ -37819,6 +44425,23 @@ "uuid": "0308eff9-1e8c-434e-b551-40f0ceb7dc0e", "value": "Yakuza" }, + { + "description": "Ransomware.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.yanluowang", + "https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/", + "https://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware", + "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", + "https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-yanluowang-ransomware-victims/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4bc19ce2-e169-4f9f-aabf-ec7fc6a75d12", + "value": "Yanluowang" + }, { "description": "Yarraq is a ransomware that encrypts files by using asymmetric keys and adding '.yarraq' as extension to the end of filenames. At the time of writing the attacker asks for $2000 ransom in order to provide a decryptor, to enable victims to restore their original files back. To communicate with the attacker the email: cyborgyarraq@protonmail.ch is provided.", "meta": { @@ -37867,7 +44490,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yellow_cockatoo", - "https://redcanary.com/blog/yellow-cockatoo/" + "https://redcanary.com/blog/yellow-cockatoo/", + "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf" ], "synonyms": [ "Polazer" 
@@ -37890,6 +44514,20 @@ "uuid": "8d67586f-3390-474b-a81e-8be90833f25f", "value": "Yoddos" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.yorekey", + "https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf", + "https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals" + ], + "synonyms": [], + "type": [] + }, + "uuid": "cf9b5867-77db-423d-9bdf-cfc0d24d39c9", + "value": "YoreKey" + }, { "description": "Simple malware with proxy/RDP and download capabilities. It often comes bundled with installers, in particular in the Chinese realm.\r\n\r\nPE timestamps suggest that it came into existence in the second half of 2014.\r\n\r\nSome versions perform checks of the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), some versions perform simple AV process-checks (CreateToolhelp32Snapshot).\r\n", "meta": { 
@@ -37905,16 +44543,48 @@ "uuid": "1cc9d450-88cd-435c-bb74-8410d2d22571", "value": "YoungLotus" }, + { + "description": "According to Trend Micro, this is a ransomware written as a Windows commandline script, with obfuscation applied.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.your_cyanide", + "https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html" + ], + "synonyms": [ + "GonnaCope", + "Kekpop", + "Kekware" + ], + "type": [] + }, + "uuid": "4a9b8725-2d17-4601-adb4-67de607808d7", + "value": "YourCyanide" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ytstealer", + "https://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "302854bd-0e03-422c-8b79-54200c7d02ea", + "value": "YTStealer" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty", - "http://blog.ptsecurity.com/2019/11/studying-donot-team.html", "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/", - "https://www.secureworks.com/research/threat-profiles/zinc-emerson", + "https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/", + "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/", - "https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/" + "https://www.secureworks.com/research/threat-profiles/zinc-emerson", + "http://blog.ptsecurity.com/2019/11/studying-donot-team.html", + "https://www.amnesty.org/en/wp-content/uploads/2021/10/AFR5747562021ENGLISH.pdf" ], "synonyms": [], "type": [] 
@@ -37922,6 +44592,19 @@ "uuid": "c0e8b64c-bd2c-4a3e-addc-0ed6cc1ba200", "value": "yty" }, + { + "description": "W32/Yunsip!tr.pws is classified as a password stealing trojan.\r\nPassword Stealing Trojan searches the infected system for passwords and send them to the hacker.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.yunsip", + "https://www.fortiguard.com/encyclopedia/virus/3229143" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1f8755ac-3dcc-43bd-a07f-cf0fbf2cdb7d", + "value": "Yunsip" + }, { "description": "Ransomware.", "meta": { @@ -37967,10 +44650,12 @@ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b", "https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html", "https://research.checkpoint.com/malware-against-the-c-monoculture/", + "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", "https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og", "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries", "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/", "https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g", + "https://brandefense.io/zebrocy-malware-technical-analysis-report/", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/", "https://securelist.com/zebrocys-multilanguage-malware-salad/90680/", 
@@ -38053,6 +44738,7 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeppelin", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html", + "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin", @@ -38098,7 +44784,8 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://www.ibm.com/downloads/cas/OAJ4VZNJ" + "https://www.ibm.com/downloads/cas/OAJ4VZNJ", + "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat" ], "synonyms": [], "type": [] @@ -38166,6 +44853,7 @@ "https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/", "http://www.secureworks.com/research/threat-profiles/gold-evergreen", "https://www.wired.com/2017/03/russian-hacker-spy-botnet/", + "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", 
@@ -38306,6 +44994,21 @@ "uuid": "989330e9-52da-4489-888b-686429db3a45", "value": "ZhMimikatz" }, + { + "description": "An information stealer written in .NET.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.zingo_stealer", + "https://blogs.blackberry.com/en/2022/05/threat-thursday-zingostealer" + ], + "synonyms": [ + "Ginzo" + ], + "type": [] + }, + "uuid": "3984dfa1-45dc-4c19-92ca-3b90b89c8c62", + "value": "ZingoStealer" + }, { "description": "", "meta": { 
@@ -38342,64 +45045,83 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/", + "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", + "https://blog.vincss.net/2022/04/re026-a-deep-dive-into-zloader-the-silent-night.html", "https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/", "https://twitter.com/ffforward/status/1324281530026524672", + "https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/", + "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://twitter.com/VK_Intel/status/1294320579311435776", "https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/", "https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/", - "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", "https://cybleinc.com/2021/04/19/zloader-returns-through-spelevo-exploit-kit-phishing-campaign/", "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", + "https://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/", "https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed", + "https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/", 
"https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/", + "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", "https://blogs.quickheal.com/zloader-entailing-different-office-files/", "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.lac.co.jp/lacwatch/people/20201106_002321.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://web.archive.org/web/20200929145931/https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/", "https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", + "https://www.youtube.com/watch?v=mhX-UoaYnOM", + "https://unit42.paloaltonetworks.com/api-hammering-malware-families/", + "https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/", "https://johannesbader.ch/blog/the-dga-of-zloader/", + "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware", "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://info.phishlabs.com/blog/zloader-dominates-email-payloads-in-q1", "https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/", + 
"https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/", "https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html", "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/", - "https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/", + "https://noticeofpleadings.com/zloader/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", + "https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf", "https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks", + "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/", "https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", "https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns", + "https://aaqeel01.wordpress.com/2021/10/18/zloader-reversing/", "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/", "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", + 
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/", "https://www.youtube.com/watch?v=QBoj6GB79wM", - "https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/", + "https://documents.trendmicro.com/assets/txt/IOCs-zloader-campaigns-at-a-glance.txt", "https://blag.nullteilerfrei.de/2020/05/24/zloader-string-obfuscation/", "https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", + "https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/zloader-campaigns-at-a-glance", "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex", "https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/", "https://labs.k7computing.com/?p=22458", "https://blog.alyac.co.kr/3322", "https://blag.nullteilerfrei.de/2020/06/11/api-hashing-in-the-zloader-malware/", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/", 
"https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit", "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/", "https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader", "https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/", - "https://www.lac.co.jp/lacwatch/people/20201106_002321.html" + "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain" ], "synonyms": [ "DELoader", @@ -38424,6 +45146,36 @@ "uuid": "ddccba7e-89f3-4b51-803c-e473ca5623da", "value": "Zlob" }, + { + "description": "Information Stealer used by Void Balaur.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.zstealer", + "https://twitter.com/Arkbird_SOLG/status/1458973883068043264", + "https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf" + ], + "synonyms": [ + "Z*Stealer" + ], + "type": [] + }, + "uuid": "750c4f21-36b0-45b7-80d5-e6c9fdf5134d", + "value": "ZStealer" + }, + { + "description": "According to ESET, this malware family was active exclusively in Brazil until the middle of 2020. It s identified by its method for obfuscating strings. It creates a function for each character of the alphabet and then concatenates the result of calling the correct functions in sequence.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.zumanek", + "https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/", + "https://www.welivesecurity.com/br/2018/01/17/zumanek-malware-tenta-roubar-credenciais-de-servicos/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "2fde6fa9-6e3f-491f-95f7-107b41efacd8", + "value": "Zumanek" + }, { "description": "", "meta": { 
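Review bot: The Zumanek description added in hunk `@@ -38424,6 +45146,36 @@` contains `It s identified by its method`, which is missing the apostrophe and should be `It is identified by its method`. In the same hunk the ZStealer description is capitalised `Information Stealer used by Void Balaur.` while the WinDealer entry earlier in this diff uses `Information stealer used by threat actor LuoYu.`; one spelling should be used for the category. Both strings appear to come verbatim from the upstream feed, so they are better corrected there than patched by hand in a generated file.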
@@ -38439,6 +45191,20 @@ "uuid": "36a54d23-39ea-446c-b690-6a899890773d", "value": "ZUpdater" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.zupdax", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/", + "https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0a0b04d4-afc7-4135-b71e-1148f965b566", + "value": "Zupdax" + }, { "description": "According to FireEye, ZXSHELL is a backdoor that can be downloaded from the internet, particularly Chinese hacker websites. The backdoor can launch port scans, run a keylogger, capture screenshots, set up an HTTP or SOCKS proxy, launch a reverse command shell, cause SYN floods, and transfer/delete/run files. The publicly available version of the tool provides a graphical user interface that malicious actors can use to interact with victim backdoors. Simplified Chinese is the language used for the bundled ZXSHELL documentation.", "meta": { @@ -38452,6 +45218,7 @@ "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://content.fireeye.com/apt-41/rpt-apt41", + "https://mp.weixin.qq.com/s/K1uBLGqD8kgsIp1yTyYBfw", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://blogs.cisco.com/security/talos/opening-zxshell", 
@@ -38465,6 +45232,19 @@ "uuid": "23920e3b-246a-4172-bf9b-5e9f90510a15", "value": "ZXShell" }, + { + "description": "Cisco Talos attributes this backdoor with moderate confidence to the Bitter APT.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.zxxz", + "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3782b76b-3fe8-41d9-b258-dac25f9699a2", + "value": "ZxxZ" + }, { "description": "", "meta": { @@ -38480,5 +45260,5 @@ "value": "Zyklon" } ], - "version": 11601 + "version": 14973 } diff --git a/tools/del_duplicate_refs.py b/tools/del_duplicate_refs.py new file mode 100755 index 0000000..2ec2896 --- /dev/null +++ b/tools/del_duplicate_refs.py @@ -0,0 +1,17 @@ +#!/usr/bin/env python3 +# coding=utf-8 +""" + Tool to remove duplicates in cluster references +""" +import sys +import json + +with open(sys.argv[1], 'r') as f: + data = json.load(f) + +for c in data['values']: + c['meta']['refs'] = list(dict.fromkeys(c['meta']['refs'])) + +with open(sys.argv[1], 'w') as f: + json.dump(data, f) + diff --git a/tools/fetch_malpedia.sh b/tools/fetch_malpedia.sh new file mode 100755 index 0000000..2b49b17 --- /dev/null +++ b/tools/fetch_malpedia.sh @@ -0,0 +1,6 @@ +#!/bin/bash +cd "${0%/*}" +wget -O malpedia.json https://malpedia.caad.fkie.fraunhofer.de/api/get/misp +mv malpedia.json ../clusters/malpedia.json +./del_duplicate_refs.py ../clusters/malpedia.json +(cd ..; ./jq_all_the_things.sh)
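Review bot: In the new tools/del_duplicate_refs.py, `c['meta']['refs'] = list(dict.fromkeys(c['meta']['refs']))` raises KeyError for any cluster entry that has no `meta` or `refs` key, and the output is written by opening the input path with `'w'`, which truncates it before `json.dump` runs, so any exception during serialisation leaves a zero-length clusters/malpedia.json. There is also no check that a path argument was given, so a bare invocation fails with an IndexError traceback instead of a usage line. I would guard the lookup with `.get`, write to a sibling temporary file and `os.replace` it over the original (this needs `import os` next to the existing imports), and add a short comment noting that `dict.fromkeys` keeps the first occurrence, which is what keeps the malpedia URL as the first ref.
```python
# … unchanged: shebang, module docstring, imports (add `import os`) …
if len(sys.argv) != 2:
    sys.exit(f"usage: {sys.argv[0]} <cluster.json>")

path = sys.argv[1]
with open(path, 'r') as f:
    data = json.load(f)

for c in data['values']:
    refs = c.get('meta', {}).get('refs')
    if refs:
        # dict.fromkeys keeps the first occurrence, so the malpedia URL stays first
        c['meta']['refs'] = list(dict.fromkeys(refs))

# write to a temp file and rename, so a failed dump cannot leave a truncated cluster
tmp = path + '.tmp'
with open(tmp, 'w') as f:
    json.dump(data, f)
os.replace(tmp, path)
```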
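Review bot: The new tools/fetch_malpedia.sh has no `set -e`, so when `wget` fails or returns a partial or non-JSON body (the `-O` target is created regardless), the following `mv` still replaces the committed clusters/malpedia.json with that file and `del_duplicate_refs.py` then fails on it. `cd "${0%/*}"` also does nothing useful when the script is invoked by bare name, since `${0%/*}` is then the script name itself and the failed `cd` is ignored, leaving the relative paths to resolve against the caller's working directory. I would fail fast, download into a temporary file, check that it parses as JSON before moving it into place, and derive the directory with `dirname`.
```bash
#!/bin/bash
set -euo pipefail
cd "$(dirname "$0")"
tmp="$(mktemp)"
trap 'rm -f "$tmp"' EXIT
wget -O "$tmp" https://malpedia.caad.fkie.fraunhofer.de/api/get/misp
# refuse to overwrite the committed cluster with a non-JSON response
python3 -m json.tool "$tmp" > /dev/null
mv "$tmp" ../clusters/malpedia.json
# … unchanged: del_duplicate_refs.py and jq_all_the_things.sh invocations …
```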