diff --git a/clusters/banker.json b/clusters/banker.json index 3cbacec..38a2f19 100644 --- a/clusters/banker.json +++ b/clusters/banker.json @@ -890,7 +890,11 @@ "refs": [ "https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/", "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", - "http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html" + "http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" + ], + "synonyms": [ + "BokBot" ] }, "related": [ @@ -1193,5 +1197,5 @@ "value": "Dark Tequila" } ], - "version": 16 + "version": 17 } diff --git a/clusters/ransomware.json b/clusters/ransomware.json index eca2ed9..5878212 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -14017,7 +14017,8 @@ ".Clop2" ], "refs": [ - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf" + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" ] }, "uuid": "21b349c3-ede2-4e11-abda-1444eb272eff", @@ -24604,5 +24605,5 @@ "value": "Lorenz Ransomware" } ], - "version": 108 + "version": 109 } diff --git a/clusters/rat.json b/clusters/rat.json index c87ed04..d41e703 100644 --- a/clusters/rat.json +++ b/clusters/rat.json @@ -3216,6 +3216,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "3c1003a2-8364-467a-b9b8-fcc19724a9b5", @@ -3537,5 +3544,5 @@ "value": "Ragnatela" } ], - "version": 40 + "version": 41 } diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 8ae52c7..ec2f959 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -9871,7 +9871,30 @@ }, "uuid": "ba9e1ed2-e142-48d0-a593-f73ac6d59ccd", "value": "RomCom" + }, + { + "description": "GOLD PRELUDE is a financially motivated cybercriminal threat group that operates the SocGholish (aka FAKEUPDATES) malware distribution network. GOLD PRELUDE operates a large global network of compromised websites, frequently running vulnerable content management systems (CMS), that redirect into a malicious traffic distribution system (TDS). The TDS, which researchers at Avast have named Parrot TDS, uses opaque criteria to select victims to serve a fake browser update page. These pages, which are customized to the specific visiting browser software, download the JavaScript-based SocGholish payload frequently embedded within a compressed archive.", + "meta": { + "refs": [ + "https://www.secureworks.com/research/threat-profiles/gold-prelude" + ], + "synonyms": [ + "TA569", + "UNC1543" + ] + }, + "related": [ + { + "dest-uuid": "cd32b19e-c365-4efc-9998-548e50e04a4c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + } + ], + "uuid": "8134c96d-d6ed-49cc-99d6-fe74c0636387", + "value": "GOLD PRELUDE" } ], - "version": 251 + "version": 252 } diff --git a/clusters/tool.json b/clusters/tool.json index 4004769..32ddca1 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -8575,7 +8575,8 @@ "description": "BumbleBee is a modular backdoor that comprises two applications, a server and a client application (a master and slaver application, respectively in the malware’s jargon). Once the client application is deployed on the target computer (these are commonly local government devices), threat actors can control the machine using the server module. Let us take a deeper look into this backdoor.", "meta": { "refs": [ - "https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html" + "https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" ], "type": [ "backdoor" @@ -8612,7 +8613,78 @@ }, "uuid": "e10ff67f-8b52-4648-9217-da53ff7d52f9", "value": "SharPyShell" + }, + { + "description": "Raspberry Robin has evolved from being a widely distributed worm with no observed post-infection actions when Red Canary first reported it in May 2022, to one of the largest malware distribution platforms currently active. ", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" + ], + "type": [ + "Worm" + ] + }, + "uuid": "70dc3e92-9b3b-4fc1-abd2-d98985d83225", + "value": "Raspberry Robin" + }, + { + "description": "The Fauppod malware delivers a JavaScript backdoor to gain unauthorized access to the target system and deploy additional malware.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" + ] + }, + "uuid": "9f0224f6-dd46-4a23-a3fd-d295abae5f93", + "value": "Fauppod" + }, + { + "description": "This threat takes multiple screenshots of your desktop. It saves all screenshots in a .dat file that becomes a collection of bitmap images. According to Group-IB, FlawedAmmyy.downloader and Truebot would have been developed by the same individual", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" + ], + "synonyms": [ + "Silence" + ] + }, + "related": [ + { + "dest-uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba", + "value": "Truebot" + }, + { + "description": "FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT.\nFAKEUPDATES has been heavily used by UNC1543,a financially motivated group.\n\nSocGholish, first appearing in late 2017 and rising to prominence in mid-2018, has been used to describe both the web drive-by download network used to infect victims and the JavaScript-based loader malware that targets Windows systems.", + "meta": { + "refs": [ + "https://www.malwarebytes.com/blog/news/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://www.secureworks.com/research/threat-profiles/gold-prelude", + "https://redcanary.com/threat-detection-report/threats/socgholish/" + ], + "synonyms": [ + "FakeUpdate", + "SocGholish" + ] + }, + "related": [ + { + "dest-uuid": "8134c96d-d6ed-49cc-99d6-fe74c0636387", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + } + ], + "uuid": "cd32b19e-c365-4efc-9998-548e50e04a4c", + "value": "FakeUpdates" } ], - "version": 156 + "version": 157 }