diff --git a/clusters/malpedia.json b/clusters/malpedia.json index b1d9303..d6d9cd4 100644 --- a/clusters/malpedia.json +++ b/clusters/malpedia.json @@ -13,7 +13,7 @@ "name": "Malpedia", "source": "Malpedia", "type": "malpedia", - "uuid": "1d1c9af9-37fa-4deb-a928-f9b0abc7354a", + "uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e", "values": [ { "description": "", @@ -156,6 +156,7 @@ "https://www.secrss.com/articles/24995", "https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w", "https://securelist.com/transparent-tribe-part-2/98233/", + "https://deform.co/hacker-group-caracal-kitten-targets-kdp-activists-with-malware/", "https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/", "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset" ], @@ -997,13 +998,16 @@ "value": "Dracarys" }, { - "description": "", + "description": "Android variant of ios.LightSpy.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dragonegg", - "https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41" + "https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41", + "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + ], + "synonyms": [ + "LightSpy" ], - "synonyms": [], "type": [] }, "uuid": "4ef28f14-17f4-4f87-a292-e63b42027c8c", @@ -1085,6 +1089,7 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ermac", "https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html", "https://twitter.com/ESETresearch/status/1445618031464357888", + "https://twitter.com/ShilpeshTrivedi/status/1709096404835356883", "https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html", "https://intel471.com/blog/rmac-2-0-perfecting-the-art-of-account-takeover", "https://blog.cyble.com/2022/05/25/ermac-back-in-action/", @@ -1325,6 +1330,7 @@ "https://twitter.com/alberto__segura/status/1402615237296148483", "https://www.cert.govt.nz/individuals/news-and-events/parcel-delivery-text-message-infecting-android-phones/", "https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://twitter.com/alberto__segura/status/1404098461440659459", "https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html", @@ -1545,6 +1551,7 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.godfather", "https://brandefense.io/blog/godfather-android-banking-trojan/", "https://muha2xmad.github.io/malware-analysis/godfather/", + "https://github.com/LaurieWired/StrangeLoop", "https://blog.group-ib.com/godfather-trojan" ], "synonyms": [], @@ -1579,6 +1586,19 @@ "uuid": "e111fff8-c73c-4069-b804-2d3732653481", "value": "GoldenRAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gold_digger", + "https://www.group-ib.com/blog/golddigger-fraud-matrix/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8ff9cde1-627e-4967-8b12-195544f31d83", + "value": "GoldDigger" + }, { "description": "", "meta": { @@ -2147,6 +2167,19 @@ "uuid": "41a9408d-7020-4988-af2c-51baf4d20763", "value": "MoqHao" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.morder_rat", + "https://www.ctfiot.com/138538.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f91f27ad-edcd-4e3d-824e-23f6acd81a7b", + "value": "MOrder RAT" + }, { "description": "", "meta": { @@ -3196,9 +3229,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wyrmspy", - "https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41" + "https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41", + "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + ], + "synonyms": [ + "AndroidControl" ], - "synonyms": [], "type": [] }, "uuid": "77f81373-bb3a-449d-82ff-b28fe31acef6", @@ -5216,6 +5252,19 @@ "uuid": "263aaef5-9758-49f1-aff1-9a509f545bb3", "value": "HyperSSL (ELF)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.icefire", + "https://www.sentinelone.com/labs/icefire-ransomware-returns-now-targeting-linux-enterprise-networks/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c03b2f7f-31ed-4133-b947-4b8846d90f19", + "value": "iceFire" + }, { "description": "", "meta": { @@ -5267,6 +5316,19 @@ "uuid": "a24f9c4b-1fa7-4da2-9929-064345389e67", "value": "IPStorm (ELF)" }, + { + "description": "ccording to Fortinet, this is a Mirai-based DDoS botnet.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.iz1h9", + "https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits" + ], + "synonyms": [], + "type": [] + }, + "uuid": "6e98a149-9ce2-4750-9680-69f3ced5f33e", + "value": "IZ1H9" + }, { "description": "", "meta": { @@ -5524,6 +5586,7 @@ "https://blog.compass-security.com/2022/03/vpn-appliance-forensics/", "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/", + "https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79", "https://analyst1.com/ransomware-diaries-volume-1/", "https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf", "https://www.ic3.gov/Media/News/2022/220204.pdf", @@ -6171,6 +6234,20 @@ "uuid": "de3c14aa-f9f4-4071-8e6e-a2c16a3394ad", "value": "PLEAD (ELF)" }, + { + "description": "Part of Mythic C2, written in Golang.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.poseidon", + "https://github.com/MythicAgents/poseidon", + "https://cert.gov.ua/article/6123309" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ad796632-2595-4ae5-a563-b92197210d61", + "value": "Poseidon (ELF)" + }, { "description": "", "meta": { @@ -6702,7 +6779,7 @@ "value": "SBIDIOT" }, { - "description": "", + "description": "According to CISA, this malware is a persistent backdoor that masquerades as a legitimate Barracuda Networks service. The malware is designed to listen to commands received from the Threat Actor’s Command-and-Control through TCP packets. When executed, the malware uses libpcap sniffer to monitor traffic for a magic packet on TCP port 25 (SMTP) and TCP port 587. It checks the network packet captured for a hard-coded string. When the right sequence of packet is captured, it establishes a TCP reverse shell to the C2 server for further exploitation. This allows the TA to execute arbitrary commands on the compromised system.\r\nThe malware is based on an open-source backdoor program named \"cd00r\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.seaspy", @@ -7677,7 +7754,8 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.lightspy", "https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/", - "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/" + "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/", + "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" ], "synonyms": [], "type": [] @@ -8206,6 +8284,19 @@ "uuid": "ec055670-4d25-4918-90c7-281fddf3a771", "value": "ChromeBack" }, + { + "description": "ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. The malware leverages social engineering to trick the user into running a fake web browser update.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.clearfake", + "https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8899bc6f-62e1-4732-988a-d5d64a5cf9bd", + "value": "ClearFake" + }, { "description": "WebAssembly-based crpyto miner.", "meta": { @@ -9732,10 +9823,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.lockbit", + "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", + "https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/", "https://twitter.com/malwrhunterteam/status/1647384505550876675", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", - "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", - "https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/" + "https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79" ], "synonyms": [], "type": [] @@ -10007,6 +10099,19 @@ "uuid": "bfd9e30e-ddc7-426f-8f77-4d2e1a846541", "value": "POOLRAT" }, + { + "description": "Part of Mythic C2, written in Golang.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.poseidon", + "https://github.com/MythicAgents/poseidon" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e4ac9105-c3ad-41e2-846b-048e2bbedc6a", + "value": "Poseidon (OS X)" + }, { "description": "", "meta": { @@ -11355,6 +11460,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.vipersoftx", "https://chris.partridge.tech/2022/evolution-of-vipersoftx-dga", + "https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html", "https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/" ], "synonyms": [], @@ -12356,8 +12462,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.4h_rat", - "https://github.com/securitykitten/malware_references/blob/master/crowdstrike-intelligence-report-putter-panda.original.pdf", + "https://cocomelonc.github.io/malware/2023/09/25/malware-trick-36.html", "https://attack.mitre.org/groups/G0024", + "https://github.com/securitykitten/malware_references/blob/master/crowdstrike-intelligence-report-putter-panda.original.pdf", "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html" ], "synonyms": [], @@ -12858,6 +12965,7 @@ "https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla", "https://guillaumeorlando.github.io/AgentTesla", "https://malwatch.github.io/posts/agent-tesla-malware-analysis/", + "https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack", "https://inquest.net/blog/2021/11/02/adults-only-malware-lures", "http://www.secureworks.com/research/threat-profiles/gold-galleon", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/", @@ -12882,6 +12990,7 @@ "https://twitter.com/MsftSecIntel/status/1392219299696152578", "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/", "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", + "https://www.intrinsec.com/wp-content/uploads/2023/09/TLP-CLEAR-20230912-EN-GuLoader-Information-report.pdf", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?", "https://www.splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html", "https://forensicitguy.github.io/agenttesla-rtf-dotnet-tradecraft/", @@ -13321,6 +13430,7 @@ "https://nao-sec.org/2019/04/Analyzing-amadey.html", "https://embee-research.ghost.io/amadey-bot-infrastructure/", "https://embee-research.ghost.io/redline-stealer-basic-static-analysis-and-c2-extraction/", + "https://www.zscaler.com/blogs/security-research/latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", "https://thecyberexpress.com/amadey-botnet-back-via-phishing-sites/", "https://asec.ahnlab.com/en/41450/", @@ -13428,7 +13538,10 @@ "https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/", "https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/" ], - "synonyms": [], + "synonyms": [ + "ANCHOR.MAIL", + "Delegatz" + ], "type": [] }, "uuid": "7792096a-7623-43a1-9a67-28dce0e4b39e", @@ -13458,7 +13571,9 @@ "https://asec.ahnlab.com/ko/56256/", "https://asec.ahnlab.com/ko/47751/" ], - "synonyms": [], + "synonyms": [ + "ROCKHATCH" + ], "type": [] }, "uuid": "59a2437b-ae63-466a-9172-60d6610c3e19", @@ -13824,9 +13939,10 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ariabody", "https://medium.com/insomniacs/aria-body-loader-is-that-you-53bdd630f8a1", - "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/", + "https://cocomelonc.github.io/malware/2023/09/25/malware-trick-36.html", "https://securelist.com/naikons-aria/96899/", - "https://securelist.com/it-threat-evolution-q2-2020/98230" + "https://securelist.com/it-threat-evolution-q2-2020/98230", + "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" ], "synonyms": [], "type": [] @@ -14063,7 +14179,7 @@ "value": "Astaroth" }, { - "description": "", + "description": "Astasia is a banking trojan that spreads through phishing emails that contain an executable attachment. Once the attachment is executed, Astasia downloads and installs a trojan that runs in the background. The trojan can steal personal information, such as passwords and credit card numbers, from victims.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.astasia", @@ -14152,6 +14268,7 @@ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html", "https://community.riskiq.com/article/ade260c6", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://aidenmitchell.ca/asyncrat-via-vbs/", "https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia/", "https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4", @@ -14191,6 +14308,19 @@ "uuid": "c94c4f23-20d1-4858-8f94-01a54b213981", "value": "AsyncRAT" }, + { + "description": "Part of the Mythic framework, payload in C# (.NET 6), support HTTP, Websockets, Slack, SMB for C2.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.athena", + "https://cyble.com/blog/threat-actor-deploys-mythics-athena-agent-to-target-russian-semiconductor-suppliers/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "69bcd272-e69e-4548-bb8e-05eedcc3f13e", + "value": "Athena" + }, { "description": "", "meta": { @@ -14216,6 +14346,19 @@ "uuid": "e248d80d-de8e-45de-b6d0-3740e5b34573", "value": "ATI-Agent" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.atlas_agent", + "https://nsfocusglobal.com/warning-newly-discovered-apt-attacker-atlascross-exploits-red-cross-blood-drive-phishing-for-cyberattack/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "2fa8f479-63c3-4f91-954a-f30a50d2ad6e", + "value": "AtlasAgent" + }, { "description": "", "meta": { @@ -14523,6 +14666,7 @@ "https://muha2xmad.github.io/malware-analysis/warzonerat/", "https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html", "https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/", "https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware", @@ -15489,6 +15633,7 @@ "https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/", "https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", + "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9", "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/", @@ -17312,6 +17457,7 @@ "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.youtube.com/watch?v=a7W6rhkpVSM", "https://twitter.com/embee_research/status/1580030303950995456?s=20&t=0vfXnrCXaVSX-P-hiSrFwA", + "https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing", "https://0xdarkvortex.dev/hiding-in-plainsight/", "https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities", "https://bruteratel.com/research/feature-update/2021/06/01/PE-Reflection-Long-Live-The-King/", @@ -17327,7 +17473,8 @@ "https://medium.com/walmartglobaltech/brute-ratel-config-decoding-update-7820455022cb", "https://web.archive.org/web/20230216110153/https://yoroi.company/research/hunting-cyber-evil-ratels-from-the-targeted-attacks-to-the-widespread-usage-of-brute-ratel/", "https://twitter.com/MichalKoczwara/status/1652067563545800705", - "https://protectedmo.de/brute.html" + "https://protectedmo.de/brute.html", + "https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/" ], "synonyms": [ "BruteRatel" @@ -17498,6 +17645,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee", + "https://twitter.com/Intrinsec/status/1709609529070010447", "https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/", "https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads", "https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/", @@ -17516,6 +17664,7 @@ "https://blog.cerbero.io/?p=2617", "https://www.botconf.eu/wp-content/uploads/formidable/2/2023_4889_DESOUZA.pdf", "https://0xtoxin.github.io/malware%20analysis/Bumblebee-DocuSign-Campaign/", + "https://twitter.com/Artilllerie/status/1701250284238823493", "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/", "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks", "https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming", @@ -17548,6 +17697,7 @@ "https://www.deepinstinct.com/blog/the-dark-side-of-bumblebee-malware-loader", "https://isc.sans.edu/diary/28636", "https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html", + "https://bin.re/blog/the-dga-of-bumblebee/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/", @@ -17747,7 +17897,7 @@ "value": "CaddyWiper" }, { - "description": "", + "description": "CadelSpy is a spyware supposedly used by Iranian threat actors. It has several functions such as logging keystrokes, record audio, capture screenshots and webcam photos, and steal any documents that are sent to a printer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy", @@ -18226,6 +18376,19 @@ "uuid": "e4027aaa-de86-48ea-8567-c215cdb88ec1", "value": "Chaperone" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.chargeweapon", + "https://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4eccbebb-9f7d-411f-a8fe-da01c99c8e3b", + "value": "ChargeWeapon" + }, { "description": "CHCH is a Ransomware spotted in the wild in December 2019. It encrypts victim files and adds the extension .chch to them while it drops a ransomware note named: READ_ME.TXT", "meta": { @@ -18799,9 +18962,12 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudburst", "https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970", - "https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/" + "https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/", + "https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/" + ], + "synonyms": [ + "NickelLoader" ], - "synonyms": [], "type": [] }, "uuid": "3f320960-77a2-4525-8d19-95b6028ec0d5", @@ -18864,6 +19030,7 @@ "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", + "https://www.intrinsec.com/wp-content/uploads/2023/09/TLP-CLEAR-20230912-EN-GuLoader-Information-report.pdf", "https://research.checkpoint.com/2020/guloader-cloudeye/", "https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland", "https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/", @@ -19000,6 +19167,7 @@ "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html", "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", + "https://www.netresec.com/?page=Blog&month=2023-10&post=Forensic-Timeline-of-an-IcedID-Infection", "https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/", "https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper", @@ -19039,6 +19207,7 @@ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/", "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734", "https://twitter.com/ffforward/status/1324281530026524672", @@ -19139,6 +19308,7 @@ "https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654", "https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/", "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/hydrochasma-asia-medical-shipping-intelligence-gathering", "https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://twitter.com/Unit42_Intel/status/1458113934024757256", @@ -19349,6 +19519,7 @@ "https://www.hhs.gov/sites/default/files/bazarloader.pdf", "https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf", + "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/", "https://asec.ahnlab.com/en/34549/", @@ -19388,6 +19559,7 @@ "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://isc.sans.edu/diary/26752", "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://binary.ninja/2022/07/22/reverse-engineering-cobalt-strike.html", "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot", @@ -19604,6 +19776,7 @@ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://www.istrosec.com/blog/apt-sk-cobalt/", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", + "https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing", "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/", "https://www.youtube.com/watch?v=XfUTpwZKCDU", @@ -19941,7 +20114,7 @@ "value": "Combos" }, { - "description": "This malware was found in a backdoored Visual Studio project that was used to target security researchers.", + "description": "ComeBacker was found in a backdoored Visual Studio project that was used to target security researchers in Q4 2020 and early 2021.\r\n\r\nIt is an HTTP(S) downloader.\r\n\r\nIt uses the AES CBC cipher implemented through the OpenSSL's EVP interface for decryption of its configuration, and also for encryption and decryption of the client-server communication. \r\n\r\nThe parameter names in HTTP POST requests of the client are generated randomly. As the initial connection, the client exchanges the keys with the server via the Diffie–Hellman key agreement protocol for the elliptic curve secp521r1. The client generates a random 32-bytes long private key, and the server responds with its public key in a buffer starting with the wide character \"0\".\r\n\r\nNext, the clients sends the current local time, and the server responds with a buffer containing multiple values separated with the pipe symbol. The typical values are the encrypted payload, the export to execute, and the MD5 hash of the decrypted DLL to verify the authenticity of the payload. \r\n\r\nThere are variants of ComeBacker without statically linked OpenSSL. In that case, the key exchange is omitted and AES CBC is replaced with HC-256.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comebacker", @@ -20190,6 +20363,7 @@ "https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728", "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", + "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", "https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", @@ -20238,8 +20412,9 @@ "https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74", "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html", "https://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed", - "https://www.youtube.com/watch?v=cYx7sQRbjGA", + "https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79", "https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html", + "https://www.youtube.com/watch?v=cYx7sQRbjGA", "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html", "https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf", @@ -20683,6 +20858,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson", "https://twitter.com/katechondic/status/1502206599166939137", + "https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack", "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html", "https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg", "https://securelist.com/transparent-tribe-part-1/98127/", @@ -21325,6 +21501,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.customerloader", + "https://inside.harfanglab.io/blog/articles/cyber-threat-intelligence/loader-galore-taskloader-at-the-start-of-a-pay-per-install-infection-chain/", "https://blog.sekoia.io/customerloader-a-new-malware-distributing-a-wide-variety-of-payloads/#h-c2-servers" ], "synonyms": [], @@ -21458,12 +21635,14 @@ "https://blog.netlab.360.com/dacls-the-dual-platform-rat/", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/dark-river-you-can-t-see-them-but-they-re-there/", "https://malwareandstuff.com/peb-where-magic-is-stored/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://blogs.vmware.com/security/2022/11/threat-analysis-active-c2-discovery-using-protocol-emulation-part4-dacls-aka-mata.html", "https://www.sygnia.co/mata-framework", "https://securelist.com/apt-trends-report-q2-2020/97937/", - "https://vblocalhost.com/uploads/VB2021-Park.pdf" + "https://vblocalhost.com/uploads/VB2021-Park.pdf", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/10/18092216/Updated-MATA-attacks-Eastern-Europe_full-report_ENG.pdf" ], "synonyms": [ "MATA" @@ -21697,15 +21876,18 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate", "https://github.com/telekom-security/malware_analysis/blob/main/darkgate/extractor.py", + "https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html", "https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams", "https://decoded.avast.io/janrubin/meh-2-2/", "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign", + "https://embee-research.ghost.io/decoding-a-simple-visual-basic-vbs-script-darkgate-loader/", "https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/", "https://www.zerofox.com/blog/the-underground-economist-volume-3-issue-12/", "https://www.aon.com/cyber-solutions/aon_cyber_labs/darkgate-keylogger-analysis-masterofnone/", "https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/", "https://decoded.avast.io/janrubin/complex-obfuscation-meh/", "https://github.com/prodaft/malware-ioc/blob/master/PTI-66/DarkGate.md", + "https://embee-research.ghost.io/practical-signatures-for-identifying-malware-with-yara/", "https://medium.com/@DCSO_CyTec/shortandmalicious-darkgate-d9102a457232", "https://github.security.telekom.com/2023/08/darkgate-loader.html" ], @@ -22206,6 +22388,7 @@ "https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/malspam-campaign-delivers-dark-crystal-rat-dcrat/", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html", "https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/", @@ -22798,6 +22981,22 @@ "uuid": "6fa944af-3def-437a-8a52-9234782b5bb8", "value": "Diavol" }, + { + "description": "A RAT written in .NET, used by FIN7 since 2021. In some instances dropped by ps1.powertrash.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.diceloader", + "https://www.mandiant.com/resources/blog/evolution-of-fin7", + "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319" + ], + "synonyms": [ + "Lizar" + ], + "type": [] + }, + "uuid": "f8e7673a-c8dc-406a-851e-48756074b5c6", + "value": "DICELOADER" + }, { "description": "APT10's fork of the (open-source) Quasar RAT.", "meta": { @@ -22838,6 +23037,19 @@ "uuid": "8f5ce8a6-c5fe-4c62-b25b-6ce0f3b724c5", "value": "Dimnie" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dinodas_rat", + "https://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a8eaa325-3e89-41af-9de0-ae2c992148a5", + "value": "DinodasRAT" + }, { "description": "Downloader.", "meta": { @@ -23115,7 +23327,7 @@ "value": "DogHousePower" }, { - "description": "", + "description": "Since late February 2023, Minodo Backdoor campaigns have been employed to deliver either the Project Nemesis information stealer or more sophisticated backdoors like Cobalt Strike. This backdoor collects basic system information, which it then transmits to the C2 server. In return, it receives an AES-encrypted payload. Notably, the Minodo Backdoor is designed to contact a different C2 address for domain-joined systems. This suggests that more capable backdoors, such as Cobalt Strike, are downloaded on higher-value targets instead of Project Nemesis.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.domino", @@ -23876,6 +24088,7 @@ "https://docs.broadcom.com/doc/w32-duqu-11-en", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf", "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/", + "https://web.archive.org/web/20230416140914if_/http://www.chinaview.cn/20230411/4e0fa0f4fd1d408aaddeef8be63a4757/202304114e0fa0f4fd1d408aaddeef8be63a4757_20230411161526_0531.pdf", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf" @@ -23986,6 +24199,19 @@ "uuid": "1ecbcd20-f238-47ef-874b-08ef93266395", "value": "Dyre" }, + { + "description": "According to Elastic, EagerBee loads additional capabilities using remotely-downloaded PE files, hosted in C2. However, its implementation and coding practices reveal a lack of advanced skills from the author, relying on basic techniques. During their research, they identified string formatting and underlying behavior that aligns with previous research attributed to a Chinese-speaking threat actor referred to as LuckyMouse (APT27, EmissaryPanda).", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.eagerbee", + "https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set" + ], + "synonyms": [], + "type": [] + }, + "uuid": "20615110-ec2a-4ead-a7e4-cadecf1fa6bc", + "value": "EagerBee" + }, { "description": "This RAT written in C# was derived from HorusEyesRat. It was modified by \"Arsium\" and published on GitHub. There is also a client builder included.\r\nGithub Source: https://github.com/arsium/EagleMonitorRAT", "meta": { @@ -24462,6 +24688,7 @@ "https://www.atomicmatryoshka.com/post/malware-headliners-emotet", "https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/", "https://blog.nviso.eu/2022/03/23/hunting-emotet-campaigns-with-kusto/", + "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", "https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://pl-v.github.io/plv/posts/Emotet-unpacking/", @@ -24502,6 +24729,7 @@ "https://persianov.net/emotet-malware-analysis-part-2", "https://intezer.com/blog/research/how-hackers-use-binary-padding-to-outsmart-sandboxes/", "https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams", + "https://infosecwriteups.com/unpacking-emotet-trojan-dac7e6119a0a", "https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/", "https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/", "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html", @@ -24702,6 +24930,19 @@ "uuid": "8dc64857-abb1-4926-8114-052f9ba4bc33", "value": "Entropy" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.entryshell", + "https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "73a0919b-1c81-4af5-a6d1-8fb5ae951269", + "value": "EntryShell" + }, { "description": "", "meta": { @@ -24723,6 +24964,7 @@ "https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58", "https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf", + "https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/", "https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", @@ -25372,6 +25614,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fabookie", + "https://inside.harfanglab.io/blog/articles/cyber-threat-intelligence/loader-galore-taskloader-at-the-start-of-a-pay-per-install-infection-chain/", "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1", "https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/" ], @@ -25945,6 +26188,7 @@ "https://securelist.com/the-flame-questions-and-answers-51/34344/", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://github.com/juanandresgs/papers/raw/master/Flame%202.0%20Risen%20from%20the%20Ashes.pdf", + "https://web.archive.org/web/20230416140914if_/http://www.chinaview.cn/20230411/4e0fa0f4fd1d408aaddeef8be63a4757/202304114e0fa0f4fd1d408aaddeef8be63a4757_20230411161526_0531.pdf", "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", "https://www.crysys.hu/publications/files/skywiper.pdf", "https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf", @@ -26730,7 +26974,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gauss", "http://contagiodump.blogspot.com/2012/08/gauss-samples-nation-state-cyber.html", - "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf" + "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", + "https://web.archive.org/web/20230416140914if_/http://www.chinaview.cn/20230411/4e0fa0f4fd1d408aaddeef8be63a4757/202304114e0fa0f4fd1d408aaddeef8be63a4757_20230411161526_0531.pdf" ], "synonyms": [], "type": [] @@ -27477,6 +27722,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldbackdoor", + "https://github.com/blackorbird/APT_REPORT/blob/master/group123/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf", + "https://www.0x0v1.com/rearchive-goldbackdoor/", "https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf" ], "synonyms": [], @@ -27844,6 +28091,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graftor", "http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html", + "https://malware.news/t/graftor-but-i-never-asked-for-this/14857", "https://bin.re/blog/the-dga-of-symmi/" ], "synonyms": [ @@ -27915,10 +28163,12 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphdrop", "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf", - "https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/" + "https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/", + "https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing" ], "synonyms": [ - "GraphicalProton" + "GraphicalProton", + "SPICYBEAT" ], "type": [] }, @@ -28576,7 +28826,9 @@ "https://github.com/HavocFramework/Havoc", "https://4pfsec.com/havoc-c2-first-look/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks", "https://twitter.com/embee_research/status/1579668721777643520?s=20&t=nDJOv1Yf5mQZKCou7qMrhQ", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://www.youtube.com/watch?v=ErPKP4Ms28s", "https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace", "https://checkmarx.com/blog/first-known-targeted-oss-supply-chain-attacks-against-the-banking-sector/" @@ -29100,7 +29352,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hijackloader", - "https://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader" + "https://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader", + "https://alpine-sec.medium.com/hijackloader-targets-hotels-a-technical-analysis-c2795fc4f3a3" ], "synonyms": [], "type": [] @@ -29126,6 +29379,24 @@ "uuid": "35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1", "value": "HiKit" }, + { + "description": "A new ransomware family was discovered in August 2019. Called HILDACRYPT, it is named after the Netflix cartoon “Hilda” because the TV show’s YouTube trailer was included in the ransom note of the original version of the malware.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hildacrypt", + "https://www.acronis.com/en-eu/blog/posts/popular-backup-solutions-easily-disabled-recent-hildacrypt-ransomware/", + "https://youtu.be/Oqg20dF8tTA", + "https://securitynews.sonicwall.com/xmlpost/hildacrypt-ransomware-actively-spreading-in-the-wild/", + "https://www.bleepingcomputer.com/news/security/hildacrypt-ransomware-developer-releases-decryption-keys/", + "https://www.acronis.com/en-eu/blog/posts/hildacrypt-ransomware-newcomer-hits-backup-and-anti-virus-solutions/", + "https://blog.sonicwall.com/en-us/2019/11/mindhunter-meeting-a-russian-ransomware-cell/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "fb637fc1-c06b-4b68-b261-0e1c0bd1e17b", + "value": "HILDACRYPT" + }, { "description": "", "meta": { @@ -29798,8 +30069,9 @@ "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/", "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7", "https://blog.talosintelligence.com/2020/07/valak-emerges.html", - "https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol", + "https://www.netresec.com/?page=Blog&month=2023-10&post=Forensic-Timeline-of-an-IcedID-Infection", "https://blog.group-ib.com/prometheus-tds", + "https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol", "https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol-part-2", "https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766", "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", @@ -29818,8 +30090,8 @@ "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", - "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", + "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", "https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://forensicitguy.github.io/analyzing-icedid-document/", @@ -29834,6 +30106,7 @@ "https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html", "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html", "https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/", + "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", "https://malwation.com/icedid-malware-technical-analysis-report/", "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", "https://www.secureworks.com/research/threat-profiles/gold-swathmore", @@ -29875,6 +30148,7 @@ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", "https://github.com/f0wl/deICEr", "https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344", "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", @@ -29963,6 +30237,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader", + "https://www.netresec.com/?page=Blog&month=2023-10&post=Forensic-Timeline-of-an-IcedID-Infection", "https://threatray.com/blog/a-new-icedid-gziploader-variant/", "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" @@ -30584,8 +30859,9 @@ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work", "https://blog.yoroi.company/research/the-ursnif-gangs-keep-threatening-italy/", - "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader", + "https://twitter.com/JAMESWT_MHT/status/1712783250446328114?t=iLKXzsZuS1TTa0i9sZFkQA&s=19", "https://threatresearch.ext.hp.com/detecting-ta551-domains/", + "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader", "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/", "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://www.tgsoft.it/files/report/download.asp?id=568531345", @@ -30593,6 +30869,7 @@ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization", "https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html", "https://redcanary.com/resources/webinars/deep-dive-process-injection/", @@ -31806,7 +32083,7 @@ "value": "Knot" }, { - "description": "Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. Koadic has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.", + "description": "Koadic is an open-source post-exploitation framework for Windows, created by zerosum0x0 and available on GitHub. The framework is written in Python and can generate JScript and VBScript payloads which can be written to disk or mapped directly into memory. Its capabilities include remote desktop access, command execution, lateral movement via SMB, file transfer, credential theft using Mimikatz, port scanning, and system information collection. It can also collect specific system information and targeted files based on their name or extension.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic", @@ -32534,6 +32811,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lgoogloader", + "https://inside.harfanglab.io/blog/articles/cyber-threat-intelligence/loader-galore-taskloader-at-the-start-of-a-pay-per-install-infection-chain/", "https://blog.polyswarm.io/nullmixer-drops-multiple-malware-families" ], "synonyms": [], @@ -32888,6 +33166,7 @@ "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/", "https://github.com/EmissarySpider/ransomware-descendants", "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354", + "https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79", "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md", "https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion", "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-2-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254421", @@ -33503,7 +33782,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lu0bot", - "https://bazaar.abuse.ch/browse/tag/Lu0Bot/" + "https://bazaar.abuse.ch/browse/tag/Lu0Bot/", + "https://embee-research.ghost.io/practical-signatures-for-identifying-malware-with-yara/" ], "synonyms": [], "type": [] @@ -33511,6 +33791,22 @@ "uuid": "d81c068d-7420-40ee-ab50-5f29b2ccc314", "value": "Lu0Bot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.luadream", + "https://r136a1.dev/2023/09/22/more-on-dreamland/", + "https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/" + ], + "synonyms": [ + "DreamLand" + ], + "type": [] + }, + "uuid": "a6fee19a-21e4-4e2c-9c1f-a38d0732f661", + "value": "LuaDream" + }, { "description": "According to PCRisk, The Luca stealer can extract a variety of information from compromised machines. It targets data related to the following: operating system, device name, CPUs, desktop environment, network interface, user account name, preferred system language, running processes, etc.\r\n\r\nThis malicious program can steal information from over thirty Chromium-based browsers. From these applications, Luca can obtain Internet cookies, account log-in credentials (usernames/passwords), and credit card numbers. Additionally, the stealer can extract data from password manager and cryptowallet browser extensions compatible with over twenty browsers.\r\n\r\nThis malware also targets various messaging applications like Telegram, Discord, ICQ, Skype, Element, etc. It likewise aims to acquire information from gaming-related software such as Steam and Uplay (Ubisoft Connect). Furthermore, some versions of Luca can take screenshots and download the files stored on victims' devices.", "meta": { @@ -33561,7 +33857,7 @@ "value": "Luminosity RAT" }, { - "description": "Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor \"Shamel\", who goes by the alias \"Lumma\". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the URI \"/c2sock\" and the user agent \"TeslaBrowser/5.5\".\"", + "description": "Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor \"Shamel\", who goes by the alias \"Lumma\". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent \"TeslaBrowser/5.5\".\" The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma", @@ -33573,6 +33869,7 @@ "https://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7", "https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer", "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/", + "https://www.intrinsec.com/lumma_stealer_actively_deployed_in_multiple_campaigns/", "https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/", "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx" ], @@ -33789,7 +34086,7 @@ "value": "Maggie" }, { - "description": "", + "description": "According to Talos, MagicRAT is programmed in C++ programming language and uses the Qt Framework by statically linking it to the RAT on 32- and 64-bit versions. The Qt Framework is a programming library for developing graphical user interfaces, of which this RAT has none. Talos thinks that the objective was to increase the complexity of the code, thus making human analysis harder. On the other hand, since there are very few examples (if any) of malware programmed with Qt Framework, this also makes machine learning and heuristic analysis detection less reliable. The RAT uses the Qt classes throughout its entire code. The configuration is dynamically stored in a QSettings class eventually being saved to disk, a typical functionality provided by that class.\r\n\r\nMagicRAT provides the operator with a remote shell on the victim's system for arbitrary command execution, along with the ability to rename, move and delete files on the endpoint. The operator can determine the timing for the implant to sleep, change the C2 URLs and delete the implant from the infected system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.magic_rat", @@ -34055,6 +34352,19 @@ "uuid": "54cd671e-b7e4-4dd3-9bfa-dc0ba5105944", "value": "ManameCrypt" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mango", + "https://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e3be5820-5cf9-4455-9b46-c88e7fbebd85", + "value": "Mango" + }, { "description": "", "meta": { @@ -34189,6 +34499,19 @@ "uuid": "c19ac191-a881-437f-ae82-7bec174590cb", "value": "MarkiRAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.marracrypt", + "https://securitynews.sonicwall.com/xmlpost/marracrypt-ransomware-actively-spreading-in-the-wild/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "bbe77240-d8e5-41b5-88ac-e9a91aa54a13", + "value": "MarraCrypt" + }, { "description": "Ransomware written in Delphi.", "meta": { @@ -34824,9 +35147,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.merlin", - "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", "http://lockboxx.blogspot.com/2018/02/intro-to-using-gscript-for-red-teams.html", "https://github.com/Ne0nd0g/merlin", + "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", + "https://www.securonix.com/blog/threat-labs-security-advisory-new-starkvortex-attack-campaign-threat-actors-use-drone-manual-lures-to-deliver-merlinagent-payloads/", "http://lockboxx.blogspot.com/2018/02/merlin-for-red-teams.html" ], "synonyms": [], @@ -35333,6 +35657,7 @@ "https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-152A_Karakurt_Data_Extortion_Group.pdf", "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks", "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf", "https://volatility-labs.blogspot.com/2021/10/memory-forensics-r-illustrated.html", @@ -35466,6 +35791,22 @@ "uuid": "a4f8bacf-2076-4e00-863c-874cdd833a41", "value": "MiniASP" }, + { + "description": "miniBlindingCan is an HTTP(S) orchestrator.\r\n\r\nIt is a variant of the BlindingCan RAT, having the same command parsing logic, but supporting only a small subset of commands available previously. The main operations are the update of the malware configuration, and the download and execution of additional payloads from the attackers' C&C.\r\n\r\nThe miniBlindingCan malware was used in Operation DreamJob attacks against aerospace and media companies in Q2-Q3 2022.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniblindingcan", + "https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing", + "https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/" + ], + "synonyms": [ + "AIRDRY.V2" + ], + "type": [] + }, + "uuid": "d266693e-0564-47e7-93ac-128d491efcab", + "value": "miniBlindingCan" + }, { "description": "The MiniDuke toolset consists of multiple downloader and backdoor components", "meta": { @@ -35738,6 +36079,20 @@ "uuid": "e33aa1f8-a631-4274-afe0-f2fd3426332e", "value": "MobiRAT" }, + { + "description": "LNK files used to lure and orchestrate execution of various scripts, interacting with the Mocky API service.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mocky_lnk", + "https://www.zscaler.com/blogs/security-research/steal-it-campaign", + "https://cert.gov.ua/article/4492467" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0eb52072-a2db-4689-bc2d-ac0ae65bdd8c", + "value": "Mocky LNK" + }, { "description": "", "meta": { @@ -36534,6 +36889,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/", + "https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack", "https://assets.virustotal.com/reports/2021trends.pdf", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", @@ -36550,6 +36906,7 @@ "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/", "https://community.riskiq.com/article/24759ad2", "https://community.riskiq.com/article/ade260c6", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat", "https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/", @@ -36718,6 +37075,7 @@ "https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/", "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors", + "https://www.bitsight.com/blog/joint-effort-with-microsoft-to-takedown-massive-criminal-botnet-necurs", "http://blog.talosintelligence.com/2017/03/necurs-diversifies.html", "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/", "https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/", @@ -37023,6 +37381,19 @@ "uuid": "7c6ed154-3232-4b7a-80c3-8052ce0c7333", "value": "Netrepser" }, + { + "description": "Freely available network reconnaissance tool.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.netspy", + "https://github.com/shmilylty/netspy" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a7cc22b7-0d05-480f-b7f8-a6e6c658dd8f", + "value": "NetSpy" + }, { "description": "Enigma Software notes that NetSupport Manager is a genuine application, which was first released about twenty years ago. The purpose of the NetSupport Manager tool is to enable users to receive remote technical support or provide remote computer assistance. However, cyber crooks have hijacked this useful application and misappropriated it to use it in their harmful campaigns. The name of the modified version of the NetSupport Manager has been labeled the NetSupport Manager RAT.", "meta": { @@ -37445,6 +37816,19 @@ "uuid": "5f998c1d-0377-404d-8ece-dd3486758a44", "value": "NimGrabber" }, + { + "description": "Part of Mythic C2, written in Nim. \r\nConsidered deprecated, as it is only compatible with Mythic 2.1.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimplant", + "https://github.com/MythicAgents/nimplant" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b8ecda1e-206e-4ab5-b9d7-e50276ba22ea", + "value": "Nimplant" + }, { "description": "Backdoor written in Nim.", "meta": { @@ -37580,6 +37964,7 @@ "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479", "https://asec.ahnlab.com/1369", @@ -38998,12 +39383,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.petya", + "https://www.malwarebytes.com/blog/news/2016/06/petya-and-mischa-ransomware-duet-p2", "https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/", "https://securelist.com/petya-the-two-in-one-trojan/74609/", "https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/", + "https://blogs.blackberry.com/en/2016/07/petya-and-mischa-for-all-part-ii-theyre-here", "https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", + "https://blogs.blackberry.com/en/2016/05/petya-and-mischa-for-all-the-raas-boom-expands-to-include-the-petya-mischa-combo", "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", "https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/", @@ -39416,6 +39804,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pirate_stealer", + "https://mostwanted002.page/post/malware-analysis-and-triage-report-piratestealer", "https://mostwanted002.cf/post/malware-analysis-and-triage-report-piratestealer/" ], "synonyms": [], @@ -41283,8 +41672,8 @@ "https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/", "https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/", "https://blog.quosec.net/posts/grap_qakbot_navigation/", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7", - "https://github.com/prodaft/malware-ioc/blob/master/PTI-66/DarkGate.md", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot", "https://www.atomicmatryoshka.com/post/malware-headliners-qakbot", @@ -41385,6 +41774,7 @@ "https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html", "https://twitter.com/redcanary/status/1334224861628039169", "https://blog.cyble.com/2023/02/17/the-many-faces-of-qakbot-malware-a-look-at-its-diverse-distribution-methods/", + "https://blog.talosintelligence.com/qakbot-affiliated-actors-distribute-ransom/", "https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/", "https://www.youtube.com/watch?v=gk7fCC5RiAQ", "https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown", @@ -41453,14 +41843,18 @@ "value": "QuantLoader" }, { - "description": "A stager used by APT29 to download and run CobaltStrike.", + "description": "A stager used by APT29 to download and run CobaltStrike.\r\nHere, MUSKYBEAT refers to the in-memory dropper component, while STATICNOISE is the final payload / downloader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quarterrig", + "https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf", "https://www.gov.pl/attachment/6f51bb1a-3ad2-461c-a16d-408915a56f77" ], - "synonyms": [], + "synonyms": [ + "MUSKYBEAT", + "STATICNOISE" + ], "type": [] }, "uuid": "ef29604c-1fc8-4f3f-9342-dbb28bb1bd5b", @@ -41513,6 +41907,7 @@ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html", "https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite", @@ -41767,7 +42162,7 @@ "value": "Raccoon" }, { - "description": "", + "description": "Racket Downloader is an HTTP(S) downloader.\r\n\r\nIt uses a custom substitution cipher for decryption of its character strings, and RC5 with a 256-bit key for encryption and decryption of network traffic. \r\n\r\nIt sends an HTTP POST request containing a particular value that inspired its name, like \"?product_field=racket\" or \"prd_fld=racket\".\r\n\r\nRacket Downloader was deployed against South Korean targets running the Initech INISAFE CrossWeb EX software in Q2 2021 and Q1 2022.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.racket", @@ -41882,6 +42277,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok", + "https://www.tarlogic.com/blog/ragnarok-malware-stopper-vaccine/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://news.sophos.com/en-us/2020/05/21/asnarok2/", "https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw", @@ -42462,9 +42858,10 @@ "https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon", "https://www.youtube.com/watch?v=NI_Yw2t9zoo", "https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family", - "https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://asec.ahnlab.com/en/52072/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", + "https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/", "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", "https://socprime.com/blog/raccoon-stealer-detection-a-novel-malware-version-2-0-named-recordbreaker-offers-hackers-advanced-password-stealing-capabilities/", "https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/", @@ -42507,6 +42904,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redcurl", + "https://bi.zone/eng/expertise/blog/red-wolf-vnov-shpionit-za-kommercheskimi-organizatsiyami/", "https://go.group-ib.com/report-redcurl-awakening-en" ], "synonyms": [], @@ -42614,10 +43012,12 @@ "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html", "https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware", "https://intel471.com/blog/privateloader-malware", "https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/", "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem", + "https://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/", "https://www.esentire.com/blog/redline-stealer-masquerades-as-photo-editing-software", "https://unit42.paloaltonetworks.com/bluesky-ransomware/", "https://muha2xmad.github.io/malware-analysis/fullredline/", @@ -42978,7 +43378,9 @@ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html", "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/", + "https://www.zscaler.com/blogs/security-research/latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat", "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/", @@ -43189,6 +43591,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat", + "https://embee-research.ghost.io/introduction-to-dotnet-configuration-extraction-revengerat/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://securelist.com/revengehotels/95229/", "https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america", @@ -43574,16 +43977,18 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://threatmon.io/rhadamanthys-stealer-analysis-threatmon/", + "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign", "https://www.zscaler.com/blogs/security-research/technical-analysis-rhadamanthys-obfuscation-techniques", - "https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023", + "https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/", "https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web", "https://www.secureworks.com/research/the-growing-threat-from-infostealers", "https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88", "https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/", "https://www.malware-traffic-analysis.net/2023/01/03/index.html", "https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/", - "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign", + "https://outpost24.com/blog/rhadamanthys-malware-analysis/", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf" ], "synonyms": [], @@ -43710,7 +44115,7 @@ "value": "Ripper ATM" }, { - "description": "", + "description": "RisePro is a stealer that is spread through downloaders like win.privateloader. Once executed on a system, the malware can steal credit card information, passwords, and personal data.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.risepro", @@ -44468,6 +44873,7 @@ "https://www.hhs.gov/sites/default/files/bazarloader.pdf", "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/", + "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", @@ -46063,6 +46469,7 @@ "https://norfolkinfosec.com/some-notes-on-the-silence-proxy/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://malware.love/malware_analysis/reverse_engineering/config_extraction/2023/07/13/truebot-config-extractor.html", "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf", "https://www.group-ib.com/resources/threat-research/silence.html", "https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html", @@ -46339,16 +46746,17 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", + "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/", + "https://github.com/chronicle/GCTI", "https://www.telsy.com/download/5900/?uid=b797afdcfb", "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", - "https://www.immersivelabs.com/blog/detecting-and-decrypting-sliver-c2-a-threat-hunters-guide/", "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf", - "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/", "https://github.com/BishopFox/sliver", - "https://github.com/chronicle/GCTI", "https://asec.ahnlab.com/en/47088/", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", + "https://www.immersivelabs.com/blog/detecting-and-decrypting-sliver-c2-a-threat-hunters-guide/", "https://embee-research.ghost.io/shodan-censys-queries/", "https://team-cymru.com/blog/2022/04/29/sliver-case-study-assessing-common-offensive-security-tools/", "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike", @@ -46450,6 +46858,7 @@ "https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html", "https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", + "https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set", "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager", "https://0xthreatintel.medium.com/how-to-unpack-smanager-apt-tool-cb5909819214", "https://blog.vincss.net/2020/12/re017-2-phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html", @@ -46533,9 +46942,11 @@ "https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/", "https://www.cert.pl/en/news/single/dissecting-smoke-loader/", "https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/", - "https://youtu.be/QOypldw6hnY?t=3237", "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", + "https://youtu.be/QOypldw6hnY?t=3237", + "https://inside.harfanglab.io/blog/articles/cyber-threat-intelligence/loader-galore-taskloader-at-the-start-of-a-pay-per-install-infection-chain/", "https://m.alvar.es/2020/06/unpacking-smokeloader-and.html", + "https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack", "https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886", "https://hatching.io/blog/tt-2020-08-27/", "https://m.alvar.es/2020/06/comparative-analysis-between-bindiff.html", @@ -46935,6 +47346,19 @@ "uuid": "016ea180-ec16-48ce-88ea-c78d8db369d5", "value": "SodaMaster" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.solar", + "https://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1a11c0a9-8ab8-4e98-a7e6-e575eba33c93", + "value": "Solar" + }, { "description": "", "meta": { @@ -47433,6 +47857,24 @@ "uuid": "858a2cdb-9c89-436a-b8d4-60c725c7ac63", "value": "SquirtDanger" }, + { + "description": "sRDI allows for the conversion of DLL files to position independent shellcode. It attempts to be a fully functional PE loader supporting proper section permissions, TLS callbacks, and sanity checks. It can be thought of as a shellcode PE loader strapped to a packed DLL.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.srdi", + "https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing", + "https://github.com/monoxgas/sRDI", + "https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing", + "https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/" + ], + "synonyms": [ + "DAVESHELL" + ], + "type": [] + }, + "uuid": "90ee25aa-89a8-4d70-a4d8-aee44561a146", + "value": "sRDI" + }, { "description": "", "meta": { @@ -47600,10 +48042,12 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc", "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets", "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/", - "https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Stealc/stealc_config_extractor.ipynb", - "https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Stealc/stealc_string_decryption.py" + "https://glyc3rius.github.io/2023/10/stealc/", + "https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Stealc/stealc_string_decryption.py", + "https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Stealc/stealc_config_extractor.ipynb" ], "synonyms": [], "type": [] @@ -47906,24 +48350,25 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet", - "https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html", "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/", "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf", - "https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf", - "https://medium.com/s2wlab/w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001", - "https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf", "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security", - "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://web.archive.org/web/20230416140914if_/http://www.chinaview.cn/20230411/4e0fa0f4fd1d408aaddeef8be63a4757/202304114e0fa0f4fd1d408aaddeef8be63a4757_20230411161526_0531.pdf", + "https://media.ccc.de/v/27c3-4245-en-adventures_in_analyzing_stuxnet", + "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", + "https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html", + "https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf", + "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf", "https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147", "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", - "https://media.ccc.de/v/27c3-4245-en-adventures_in_analyzing_stuxnet", - "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html", - "https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper", "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf", + "https://medium.com/s2wlab/w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001", + "https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf", - "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf" + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html" ], "synonyms": [], "type": [] @@ -48288,6 +48733,7 @@ "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", "https://www.solarwinds.com/securityadvisory/faq", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", + "https://www.cisa.gov/news-events/analysis-reports/ar21-112a", "https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://www.solarwinds.com/securityadvisory", @@ -49550,6 +49996,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiny_turla", + "https://infosec.exchange/@SophosXOps/111109357153515214", "https://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/", "https://blog.talosintelligence.com/2021/09/tinyturla.html" ], @@ -49625,6 +50072,7 @@ "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf", "https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/", "https://www.virusbulletin.com/virusbulletin/2014/04/tofsee-botnet", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", "https://gist.github.com/larsborn/0ec24d7b294248c51de0c3335802cbd4", "https://intel471.com/blog/privateloader-malware", @@ -49804,7 +50252,7 @@ "value": "TOUCHSHIFT" }, { - "description": "", + "description": "ToxicEye is a ransomware that spreads through phishing emails. The malware encrypts system files with AES-256 and demands a ransom in Bitcoin.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.toxiceye", @@ -49957,8 +50405,9 @@ "https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/", "http://www.malware-traffic-analysis.net/2018/02/01/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", - "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf", + "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module", + "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf", "https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal", "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", @@ -51309,7 +51758,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_106", - "https://www.virustotal.com/gui/file/3c1cfc2b8b7e5c2d713ec5f329aa58a6b56a08240199761ba6da91e719d30705/detection" + "https://www.virustotal.com/gui/file/3c1cfc2b8b7e5c2d713ec5f329aa58a6b56a08240199761ba6da91e719d30705/detection", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/dark-river-you-can-t-see-them-but-they-re-there/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/10/18092216/Updated-MATA-attacks-Eastern-Europe_full-report_ENG.pdf" ], "synonyms": [], "type": [] @@ -51323,10 +51774,13 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_107", "https://lab52.io/blog/2344-2/", + "https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing", "https://blog.eclecticiq.com/german-embassy-lure-likely-part-of-campaign-against-nato-aligned-ministries-of-foreign-affairs#a3", "https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA%3D%3D&mid=2247494783&idx=1&sn=612cf3cea1ef62e04bfb6bd0ce3b6b65&chksm=f9ed80c0ce9a09d6f5edc1424df5260cb9a9cf55fe92bd922407eef960650e91ec8cc46933ab&scene=178&cur_album_id=1375769135073951745" ], - "synonyms": [], + "synonyms": [ + "ICEBEAT" + ], "type": [] }, "uuid": "e83a3731-9c84-4e36-a2da-9e6c9c2461d7", @@ -51865,6 +52319,7 @@ "https://threatpost.com/microsoft-help-files-vidar-malware/179078/", "https://eln0ty.github.io/malware%20analysis/vidar/", "https://isc.sans.edu/diary/rss/28468", + "https://xer0xe9.github.io/A-Case-of-Vidar-Infostealer-Part-2/", "https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/", "https://asec.ahnlab.com/en/30875/", "https://asec.ahnlab.com/en/22932/", @@ -51877,6 +52332,7 @@ "https://blog.jaalma.io/vidar-infostealer-analysis/", "https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf", "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif", "https://www.secureworks.com/research/the-growing-threat-from-infostealers", "https://kienmanowar.wordpress.com/2022/12/17/quicknote-vidarstealer-analysis/", @@ -51888,6 +52344,7 @@ "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem", "https://www.cynet.com/blog/cyops-lighthouse-vidar-stealer/", "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign", + "https://xer0xe9.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/", "https://www.quorumcyber.com/wp-content/uploads/2023/01/Malware-Analysis-Vidar.pdf", "https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/", "https://twitter.com/sisoma2/status/1409816282065743872", @@ -52885,6 +53342,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wikiloader", "https://twitter.com/threatinsight/status/1679864625544978432", + "https://twitter.com/JAMESWT_MHT/status/1712783250446328114?t=iLKXzsZuS1TTa0i9sZFkQA&s=19", "https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion" ], "synonyms": [ @@ -53458,6 +53916,19 @@ "uuid": "ba99edf0-1603-4f54-8fa9-18852417d0fc", "value": "XFSCashNCR" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.xiangoop", + "https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b61903a1-51e6-493c-885f-6ffda99371ea", + "value": "Xiangoop" + }, { "description": "Ransomware.", "meta": { @@ -54682,5 +55153,5 @@ "value": "Zyklon" } ], - "version": 19000 + "version": 19171 }