From 92bb39265362c975f225c2c0e18d6e794d5718e3 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 31 Jan 2017 09:21:19 +0100
Subject: [PATCH 1/4] Flokibot added
---
clusters/tool.json | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index d583a21..62b5699 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1252,7 +1252,7 @@
},
"description": "Shamoon,[a] also known as Disttrack, is a modular computer virus discovered by Seculert[1] in 2012, targeting recent NT kernel-based versions of Microsoft Windows. The virus has been used for cyber espionage in the energy sector.[2][3][4] Its discovery was announced on 16 August 2012 by Symantec,[3] Kaspersky Lab,[5] and Seculert.[6] Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware.[5][6]",
"value": "Shamoon"
- },
+ },
{
"value": "GhostAdmin",
"description": "According to MalwareHunterTeam and other researchers that have looked at the malware's source code, GhostAdmin seems to be a reworked version of CrimeScene, another botnet malware family that was active around 3-4 years ago.",
@@ -1274,9 +1274,17 @@
"meta": {
"refs": ["http://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/"]
}
+ },
+ {
+ "value": "Flokibot",
+ "description": "",
+ "meta": {
+ "refs": ["https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/"],
+ "synonyms": ["Floki Bot"]
+ }
}
],
- "version": 16,
+ "version": 17,
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"author": [
From 30d9233db65360f6ec5f6550c18f3a4bb48dd620 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 3 Feb 2017 22:26:40 +0100
Subject: [PATCH 2/4] ZeroT added
---
clusters/tool.json | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 62b5699..cd3e1e2 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1277,14 +1277,21 @@
},
{
"value": "Flokibot",
- "description": "",
+ "description": "Floki Bot, described recently by Dr. Peter Stephenson from SC Magazine, is yet another bot based on the leaked Zeus code. However, the author came up with various custom modifications that makes it more interesting.",
"meta": {
- "refs": ["https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/"],
+ "refs": ["https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/", "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/"],
"synonyms": ["Floki Bot"]
}
+ },
+ {
+ "value": "ZeroT",
+ "description": "Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus. Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.",
+ "meta": {
+ "refs": ["https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"]
+ }
}
],
- "version": 17,
+ "version": 18,
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"author": [
From 06da6ce1541d2d488d574a5bbfcaeffda7905c3e Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 5 Feb 2017 17:52:57 +0100
Subject: [PATCH 3/4] Added Microsoft Naming
---
clusters/exploit-kit.json | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index f7beeab..3a5bb7b 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -52,7 +52,7 @@
"RIG-E"
]
,
- "status": "Active"
+ "status": "Unknown - Last seen: 2016-12-29"
}
}
,
@@ -140,7 +140,8 @@
"synonyms": [
"RIG 3",
"RIG-v",
- "RIG 4"
+ "RIG 4",
+ "Meadgive"
],
"status": "Active"
}
@@ -211,7 +212,8 @@
],
"synonyms": [
"XXX",
- "AEK"
+ "AEK",
+ "Axpergle"
],
"status": "Retired - Last seen: 2016-06-07"
}
@@ -281,7 +283,8 @@
"http://www.kahusecurity.com/2011/neosploit-is-back/"
],
"synonyms": [
- "NeoSploit"
+ "NeoSploit",
+ "Fiexp"
]
,
"status": "Retired - Last Seen: beginning of 2015-07"
@@ -409,7 +412,8 @@
"synonyms": [
"NEK",
"Nuclear Pack",
- "Spartan"
+ "Spartan",
+ "Neclu"
] ,
"status": "Retired - Last seen: 2015-04-30"
}
@@ -472,7 +476,8 @@
"http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html"
],
"synonyms": [
- "SWO"
+ "SWO",
+ "Anogre"
],
"status": "Retired - Last seen: 2015-04-05"
}
@@ -501,7 +506,7 @@
}
}
],
- "version": 2,
+ "version": 3,
"uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01",
"description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
"authors": [
From 645c2e527e6a5be9f951d747f64ccc294c585781 Mon Sep 17 00:00:00 2001
From: Kafeine
Date: Sun, 5 Feb 2017 16:58:56 +0000
Subject: [PATCH 4/4] Indent
---
clusters/exploit-kit.json | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 3a5bb7b..006b21d 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -10,7 +10,7 @@
"synonyms": [
"Stegano EK"
],
- "status": "Active"
+ "status": "Unknown - Last Seen 2016-12-07"
}
}
,
@@ -121,7 +121,7 @@
"synonyms": [
"Job314",
"Neutrino Rebooted",
- "Neutrino-v"
+ "Neutrino-v"
]
,
"status": "Active"
@@ -195,7 +195,7 @@
"synonyms": [
"Beps",
"Xer",
- "Beta"
+ "Beta"
],
"status": "Active",
"colour": "#C03701"
@@ -213,7 +213,7 @@
"synonyms": [
"XXX",
"AEK",
- "Axpergle"
+ "Axpergle"
],
"status": "Retired - Last seen: 2016-06-07"
}
@@ -284,7 +284,7 @@
],
"synonyms": [
"NeoSploit",
- "Fiexp"
+ "Fiexp"
]
,
"status": "Retired - Last Seen: beginning of 2015-07"
@@ -453,7 +453,7 @@
"refs": [
"https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Wild-Exploit-Kit-Appears----Meet-RedKit/",
"http://malware.dontneedcoffee.com/2012/05/inside-redkit.html",
- "https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/"
+ "https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/"
],
"status": "Retired"
}
@@ -477,7 +477,7 @@
],
"synonyms": [
"SWO",
- "Anogre"
+ "Anogre"
],
"status": "Retired - Last seen: 2015-04-05"
}
@@ -488,7 +488,7 @@
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html",
- "https://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto/",
+ "https://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto/",
"http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html"
],
"status":"Retired - Last seen: 2014-06"
@@ -500,7 +500,7 @@
"meta": {
"refs": [
"https://twitter.com/kafeine",
- "https://twitter.com/node5",
+ "https://twitter.com/node5",
"https://twitter.com/kahusecurity"
]
}