From 587dc8560b5508fad9502111c99948016be3bb9c Mon Sep 17 00:00:00 2001 From: marjatech Date: Mon, 4 Jul 2022 14:24:34 +0200 Subject: [PATCH] add script to automate malpedia update --- clusters/malpedia.json | 106 ++++++++++++++++++++++++++++++++---- tools/del_duplicate_refs.py | 17 ++++++ tools/fetch_malpedia.sh | 6 ++ 3 files changed, 119 insertions(+), 10 deletions(-) create mode 100755 tools/del_duplicate_refs.py create mode 100755 tools/fetch_malpedia.sh diff --git a/clusters/malpedia.json b/clusters/malpedia.json index 2a086b8..cb5af6a 100644 --- a/clusters/malpedia.json +++ b/clusters/malpedia.json @@ -213,6 +213,7 @@ "https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html" ], "synonyms": [ + "ReBot", "TeaBot", "Toddler" ], @@ -3207,6 +3208,7 @@ "https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/", "https://twitter.com/sisoma2/status/1473243875158499330", "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html", + "https://killingthebear.jorgetesta.tech/actors/alphv", "https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/", "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/", "https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/", @@ -6931,6 +6933,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://www.menlosecurity.com/blog/increase-in-attack-socgholish", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", 
@@ -10368,6 +10371,7 @@ "https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/", "https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/", "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89", + "https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter", "https://habr.com/ru/company/group-ib/blog/477198/", "https://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware", "https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/", @@ -12335,6 +12339,7 @@ "https://raw.githubusercontent.com/vc0RExor/Malware-Threat-Reports/main/Ransomware/Babuk/Babuk_Ransomware_EN_2021_05.pdf", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/", "https://securelist.com/ransomware-world-in-2021/102169/", "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", 
@@ -13561,6 +13566,7 @@ "https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html", + "https://killingthebear.jorgetesta.tech/actors/alphv", "https://github.com/f0wl/blackCatConf", "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/", "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", @@ -13958,6 +13964,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blister", "https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt", "https://redcanary.com/blog/intelligence-insights-january-2022/", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", 
@@ -15202,6 +15209,7 @@ "https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html", "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html", "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html", + "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", "https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/", "https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/", "https://www.praetorian.com/blog/reproducing-proxylogon-exploit/", @@ -19139,6 +19147,7 @@ "https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/", "https://techcrunch.com/2020/03/01/visser-breach/", "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", "https://lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", 
@@ -19408,7 +19417,7 @@ "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/", "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", "https://unit42.paloaltonetworks.com/travel-themed-phishing/", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/", @@ -19419,7 +19428,7 @@ "https://assets.virustotal.com/reports/2021trends.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://twitter.com/Cryptolaemus1/status/1407135648528711680", - "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf", "https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps", "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/", @@ -19464,6 +19473,7 @@ "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/", "https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office", "https://threatresearch.ext.hp.com/detecting-ta551-domains/", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", 
@@ -20404,6 +20414,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.entropy", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/", "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/?cmp=30728" ], @@ -21723,7 +21734,7 @@ "https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-based-crypter/", "http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html", "https://link.medium.com/uaBiIXgUU8", - "https://usualsuspect.re/article/formbook-hiding-in-plain-sight", + "https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/", "https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer", "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", "https://www.lac.co.jp/lacwatch/report/20220307_002893.html", @@ -21740,6 +21751,7 @@ "https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/", "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/", "https://www.netskope.com/blog/new-formbook-campaign-delivered-through-phishing-emails", + "https://usualsuspect.re/article/formbook-hiding-in-plain-sight", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", 
@@ -21858,12 +21870,13 @@ "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf", - "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://www.secureworks.com/research/threat-profiles/gold-drake", "https://www.youtube.com/watch?v=LUxOcpIRxmg", 
@@ -23474,6 +23487,7 @@ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp", "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", "https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", @@ -24017,6 +24031,19 @@ "uuid": "2637315d-d31e-4b64-aa4b-2fc265b0a1a3", "value": "HesperBot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.heyoka", + "https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5833d95c-4131-4cd3-8600-fc40bb834fe3", + "value": "heyoka" + }, { "description": "", "meta": { @@ -24471,6 +24498,7 @@ "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", "https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/", + "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", "https://www.secureworks.com/research/threat-profiles/bronze-mayfair", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", 
@@ -25990,6 +26018,19 @@ "uuid": "7d69892e-d582-4545-8798-4a9a84a821ea", "value": "Kelihos" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.keona", + "https://twitter.com/3xp0rtblog/status/1536704209760010241" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b74ad48b-ac26-4748-adac-b824defbe315", + "value": "Keona" + }, { "description": "", "meta": { @@ -27906,6 +27947,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.macaw", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million-in-new-macaw-ransomware-attacks/", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions" ], @@ -27968,6 +28010,7 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber", "https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/", "https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/", + "https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/", "https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372", "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/", "https://asec.ahnlab.com/en/30645/", @@ -29762,6 +29805,19 @@ "uuid": "c57a4168-cd09-4611-a665-bbcede80f42b", "value": "Monero Miner" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mongall", + "https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e0627961-fc28-4b7d-bb44-f937defa052a", + "value": "mongall" + }, { "description": "", "meta": { 
@@ -32181,6 +32237,19 @@ "uuid": "46dc64c6-e927-44fc-b4a4-efd1677ae030", "value": "Pay2Key" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.payloadbin", + "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "313c81ab-fba2-4577-8de6-863515a65c45", + "value": "PayloadBIN" + }, { "description": "PcShare is a open-source backdoor which has been seen modified and used by Chinese threat actors, mainly attacking countries in South East Asia.", "meta": { @@ -32400,8 +32469,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_locker", - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions" ], @@ -41751,7 +41821,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.underminer_ek", - "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become" + "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become", + "https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/" ], "synonyms": [], "type": [] @@ -42078,7 +42149,7 @@ "synonyms": [], "type": [] }, - "uuid": "7f93a8c3-edc7-4c91-a8e5-cc2cbe08880b", + "uuid": "33c661b3-b9e7-49a7-a82b-4b5977e79cae", "value": "win.unidentified_059" }, { 
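Review bot: The last hunk on this line swaps the `uuid` of the `win.unidentified_059` cluster (`7f93a8c3-…` removed, `33c661b3-…` added) as a side effect of the refetch, while its `value` is unchanged. In a MISP galaxy the cluster UUID is the stable key that existing events, tags and relationships point at, so a silent re-key appears to orphan anything already referencing the old value. If upstream Malpedia really re-keyed this entry, the commit message should say so; otherwise the fetch tooling should carry the committed UUID forward for clusters whose `value` did not change, and the new `tools/fetch_malpedia.sh` has no step that checks for this.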
@@ -43164,7 +43235,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedloader", - "https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf" + "https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf", + "https://killingthebear.jorgetesta.tech/actors/evil-corp" ], "synonyms": [], "type": [] @@ -43190,6 +43262,7 @@ "https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/", "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf", "https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/", @@ -44519,6 +44592,19 @@ "uuid": "c0e8b64c-bd2c-4a3e-addc-0ed6cc1ba200", "value": "yty" }, + { + "description": "W32/Yunsip!tr.pws is classified as a password stealing trojan.\r\nPassword Stealing Trojan searches the infected system for passwords and send them to the hacker.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.yunsip", + "https://www.fortiguard.com/encyclopedia/virus/3229143" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1f8755ac-3dcc-43bd-a07f-cf0fbf2cdb7d", + "value": "Yunsip" + }, { "description": "Ransomware.", "meta": { @@ -45174,5 +45260,5 @@ "value": "Zyklon" } ], - "version": 14927 + "version": 14973 } diff --git a/tools/del_duplicate_refs.py b/tools/del_duplicate_refs.py new file mode 100755 index 0000000..2ec2896 --- /dev/null +++ b/tools/del_duplicate_refs.py 
@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+# coding=utf-8
+"""
+ Tool to remove duplicates in cluster references
+"""
+import sys
+import json
+
+with open(sys.argv[1], 'r') as f:
+ data = json.load(f)
+
+for c in data['values']:
+ c['meta']['refs'] = list(dict.fromkeys(c['meta']['refs']))
+
+with open(sys.argv[1], 'w') as f:
+ json.dump(data, f)
+
diff --git a/tools/fetch_malpedia.sh b/tools/fetch_malpedia.sh
new file mode 100755
index 0000000..2b49b17
--- /dev/null
+++ b/tools/fetch_malpedia.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+cd "${0%/*}"
+wget -O malpedia.json https://malpedia.caad.fkie.fraunhofer.de/api/get/misp
+mv malpedia.json ../clusters/malpedia.json
+./del_duplicate_refs.py ../clusters/malpedia.json
+(cd ..; ./jq_all_the_things.sh)
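Review bot: The final `with open(sys.argv[1], 'w') as f:` truncates the cluster file before `json.dump` runs, so any failure during the dump leaves `clusters/malpedia.json` empty or half-written, and the caller (`fetch_malpedia.sh`) has already moved the only other copy over it. Writing to a sibling temp file and renaming with `os.replace` makes the rewrite atomic; `import os` must then be added to the import block. Both `open` calls also omit `encoding`, so the result depends on the invoking locale; pass `encoding='utf-8'` explicitly. If any cluster can lack `meta.refs` the bare `c['meta']['refs']` raises `KeyError` — I cannot tell from the page whether that ever happens, so the excerpt keeps the direct access.
```python
# … unchanged: shebang, coding line, module docstring, imports (add `import os`) …
path = sys.argv[1]
with open(path, encoding='utf-8') as f:
    data = json.load(f)

for c in data['values']:
    # dict.fromkeys keeps the first occurrence and preserves order
    c['meta']['refs'] = list(dict.fromkeys(c['meta']['refs']))

# Dump to a sibling temp file and rename so a failure mid-dump cannot
# leave the cluster file truncated.
tmp = path + '.tmp'
with open(tmp, 'w', encoding='utf-8') as f:
    json.dump(data, f)
os.replace(tmp, path)
```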
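Review bot: `wget -O malpedia.json …` creates the output file even when the download fails, and nothing stops on error, so a network failure or a non-JSON response is `mv`-ed straight over the committed `clusters/malpedia.json` before `del_duplicate_refs.py` ever parses it. Add `set -euo pipefail` after the shebang and run the parse-and-dedupe step on the downloaded file before the move, i.e. `./del_duplicate_refs.py malpedia.json` followed by `mv malpedia.json ../clusters/malpedia.json`, so a bad download aborts the script while the committed file is still intact. A one-line header comment stating that the script refetches the Malpedia MISP export and that the result is meant to be reviewed before committing would also help the next maintainer.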