From 93396c524da9d4a49ecf23d393ffb734e20c44c6 Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Fri, 12 Feb 2021 12:00:17 -0500
Subject: [PATCH 1/6] Add Caterpillar WebShell.

---
 clusters/tool.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 4bab6de..0606a6a 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8221,7 +8221,21 @@
 "related": [],
 "uuid": "e1bfe1d9-190c-4cf4-aec8-a8f2c41c7d8b",
 "value": "HyperBro"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://www.clearskysec.com/cedar/"
+ ],
+ "type": [
+ "webshell"
+ ]
+ },
+ "related": [],
+ "uuid": "1974ea65-7312-4d91-a592-649983b46554",
+ "value": "Caterpillar WebShell"
 }
 ],
- "version": 140
+ "version": 141
 }

From 4a7560d1917e73aca1d5de7afdf534de0c50544b Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Mon, 15 Feb 2021 12:52:53 -0500
Subject: [PATCH 2/6] Add Exaramel and P.A.S. webshell tool.

---
 clusters/tool.json | 38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 0606a6a..5ddaf2f 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
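Review bot: The new Caterpillar WebShell entry is added with `"description": ""`, and this empty string is not cleaned up by patch 3 of the series ("Remove empty values"), which only touches the Exaramel entry. An empty description is indistinguishable from "unknown" for consumers that index or display the field, so either omit the key or fill it with a one-sentence summary drawn from the cited ClearSky reference. The remaining fields (`uuid`, `type`, `refs`, `related`) follow the shape of the neighbouring HyperBro entry, so only the description needs attention.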
@@ -8235,7 +8235,43 @@
 "related": [],
 "uuid": "1974ea65-7312-4d91-a592-649983b46554",
 "value": "Caterpillar WebShell"
+ },
+ {
+ "description": "The P.A.S. webshell was developed by an ukrainian student, Jaroslav Volodimirovich Panchenko, who used the nick-name Profexer. It was developed in PHP and features a characteristic password-based encryption. This tool was available through a form on his website, where a user had to provide a password to receive a custom webshell. The form suggested a donation to the developer. It was commonly used, including during a WORDPRESS website attack.",
+ "meta": {
+ "refs": [
+ "https://us-cert.cisa.gov/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
+ ],
+ "synonyms": [
+ "Fobushell"
+ ],
+ "type": [
+ "webshell"
+ ]
+ },
+ "related": [],
+ "uuid": "6baa1f46-daa9-4f40-952b-ec613c835abb",
+ "value": "P.A.S. webshell"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
+ ],
+ "synonyms": [
+ ""
+ ],
+ "type": [
+ "backdoor"
+ ]
+ },
+ "related": [],
+ "uuid": "95174297-6dff-47d9-bcb9-263f9b2efcfb",
+ "value": "Exaramel"
 }
 ],
- "version": 141
+ "version": 142
 }

From 178e16dc13f726afa2e97dd2527e87698f89795e Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Tue, 16 Feb 2021 10:32:37 -0500
Subject: [PATCH 3/6] Remove empty values.

---
 clusters/tool.json | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 5ddaf2f..9e4ac50 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
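Review bot: The P.A.S. webshell description has a few wording slips that will be copied verbatim into every consumer of this cluster: `developed by an ukrainian student` should read `developed by a Ukrainian student`, `nick-name` should be `nickname`, and `WORDPRESS website attack` should be `WordPress website attack`. Both new entries leave `"related": []` even though they cite the same ANSSI CERTFR-2021-CTI-005 report; if that report ties them to a threat-actor cluster already present in this galaxy, a `related` entry of the form `{"dest-uuid": "<THREAT-ACTOR-UUID>", "type": "used-by"}` would make the link machine-readable. The Exaramel entry's empty `"description": ""` and `"synonyms": [""]` are cleaned up by patch 3 of this series, so they need no further action here.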
@@ -8255,15 +8255,12 @@
 "value": "P.A.S. webshell"
 },
 {
- "description": "",
+ "description": "Exaramel is a backdoor first publicly reported by ESET in 2018. Two samples were identified, one targeting the WINDOWS operating system and the other targeting LINUX operating systems.",
 "meta": {
 "refs": [
 "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
 ],
- "synonyms": [
- ""
- ],
 "type": [
 "backdoor"
 ]

From e9eb0c7a6c3eae7dc97162bf78b1de0f62ba1411 Mon Sep 17 00:00:00 2001
From: Thijsvanede
Date: Fri, 19 Feb 2021 12:01:47 +0100
Subject: [PATCH 4/6] Fix: rename "Innitial Access" to "Initial Access"

Renamed mitre-ics-tactics "Innitial Access" to "Initial Access". Original was a minor spelling mistake. The fixed naming corresponds to the original ATT&CK framework description https://collaborate.mitre.org/attackics/index.php/Initial_Access
---
 clusters/mitre-ics-tactics.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/mitre-ics-tactics.json b/clusters/mitre-ics-tactics.json
index 8cb8cae..56102ce 100644
--- a/clusters/mitre-ics-tactics.json
+++ b/clusters/mitre-ics-tactics.json
@@ -271,7 +271,7 @@
 ]
 },
 "uuid": "2366ffb0-91ba-4b8e-bfad-d460c98d43a8",
- "value": "Innitial Access"
+ "value": "Initial Access"
 }
 ],
 "version": 1

From eeafff97680b7f53b1750ee704e56415e472d546 Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Tue, 23 Feb 2021 11:15:31 -0500
Subject: [PATCH 5/6] Add RDAT backdoor

---
 clusters/tool.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 9e4ac50..21bb1b5 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
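Review bot: This hunk rewrites the Exaramel entry's content but, unlike patches 1, 2 and 5 in the same series, does not bump the cluster's `"version"` field; the diffstat (1 insertion, 4 deletions) confirms no version line is touched. If downstream consumers use `version` to decide whether to re-import a cluster, they will keep the old empty description until the next unrelated bump. Consider adding the bump in this commit, e.g. `- "version": 142` / `+ "version": 143`, and renumbering patch 5's bump to 144. The new description's `WINDOWS` and `LINUX` would also read better as `Windows` and `Linux`.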
@@ -8268,7 +8268,21 @@
 "related": [],
 "uuid": "95174297-6dff-47d9-bcb9-263f9b2efcfb",
 "value": "Exaramel"
+ },
+ {
+ "description": "RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.",
+ "meta": {
+ "refs": [
+ "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/"
+ ],
+ "type": [
+ "backdoor"
+ ]
+ },
+ "related": [],
+ "uuid": "d357a6ff-00e5-4fcc-8b9e-4a9d98a736e7",
+ "value": "RDAT"
 }
 ],
- "version": 142
+ "version": 143
 }

From 5c6f3a036bf1e3decb541bca0f6df5b66fa04b80 Mon Sep 17 00:00:00 2001
From: Rony
Date: Wed, 24 Feb 2021 21:55:04 +0530
Subject: [PATCH 6/6] removing DePrimon

DePrimon is not a TA, added malfamily (waiting for approval) to Malpedia to better reflect that.
---
 clusters/threat-actor.json | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2fd7c74..74ca0d2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
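Review bot: The RDAT entry attributes the tool to OilRig in prose but leaves `"related": []`, so the attribution is not machine-readable and cannot be followed from the threat-actor side. If an OilRig cluster exists in clusters/threat-actor.json, add a relationship such as `{"dest-uuid": "<OILRIG-THREAT-ACTOR-UUID>", "type": "used-by"}` (uuid to be looked up, not invented); the description's own "suspected" wording suggests carrying an estimative-language tag on that relationship rather than stating it as certain. The other fields mirror the neighbouring Exaramel entry and look consistent.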
@@ -7996,21 +7996,6 @@
 "uuid": "947a450a-df6c-4c2e-807b-0da8ecea1d26",
 "value": "Attor"
 },
- {
- "description": "DePriMon is an unusually advanced downloader whose developers have put extra effort into setting up the architecture and crafting the critical components.",
- "meta": {
- "cfr-target-category": [
- "Private sector",
- "Finance"
- ],
- "cfr-type-of-incident": "Espionage",
- "refs": [
- "https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader"
- ]
- },
- "uuid": "443faf38-ad93-4421-8a53-47ad84b195fa",
- "value": "DePriMon"
- },
 {
 "description": "According to 360 TIC the actor has carried out continuous cyber espionage activities since 2011 on key units and departments of the Chinese government, military industry, scientific research, and finance. The organization focuses on information related to the nuclear industry and scientific research. The targets were mainly concentrated in mainland China...[M]ore than 670 malware samples have been collected from the group, including more than 60 malicious plugins specifically for lateral movement; more than 40 C2 domain names and IPs related to the organization have also been discovered.",
 "meta": {