From d020efd276db943f2344b8e533974b94253becd3 Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Tue, 15 Nov 2022 11:57:10 +0100 Subject: [PATCH 1/4] add raspberry Robin worm & others --- clusters/banker.json | 8 +++-- clusters/malpedia.json | 3 +- clusters/ransomware.json | 3 +- clusters/rat.json | 7 ++++ clusters/threat-actor.json | 23 ++++++++++++ clusters/tool.json | 73 ++++++++++++++++++++++++++++++++++++-- 6 files changed, 111 insertions(+), 6 deletions(-) diff --git a/clusters/banker.json b/clusters/banker.json index 3cbacec..38a2f19 100644 --- a/clusters/banker.json +++ b/clusters/banker.json @@ -890,7 +890,11 @@ "refs": [ "https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/", "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", - "http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html" + "http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" + ], + "synonyms": [ + "BokBot" ] }, "related": [ @@ -1193,5 +1197,5 @@ "value": "Dark Tequila" } ], - "version": 16 + "version": 17 } diff --git a/clusters/malpedia.json b/clusters/malpedia.json index 6c50ff2..3cfe156 100644 --- a/clusters/malpedia.json +++ b/clusters/malpedia.json @@ -7315,7 +7315,8 @@ "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://experience.mandiant.com/trending-evil/p/1", "https://www.lac.co.jp/lacwatch/report/20220407_002923.html", - "https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm" + "https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm", + "https://redcanary.com/threat-detection-report/threats/socgholish/" ], "synonyms": [ "FakeUpdate", diff --git a/clusters/ransomware.json b/clusters/ransomware.json index eca2ed9..6cf1624 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -14017,7 +14017,8 @@ ".Clop2" ], "refs": [ - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf" + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" ] }, "uuid": "21b349c3-ede2-4e11-abda-1444eb272eff", diff --git a/clusters/rat.json b/clusters/rat.json index c87ed04..8e340bb 100644 --- a/clusters/rat.json +++ b/clusters/rat.json @@ -3216,6 +3216,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "3c1003a2-8364-467a-b9b8-fcc19724a9b5", diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index b4923fb..f8bcc41 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -9884,6 +9884,29 @@ }, "uuid": "6a83b2bf-0c51-4c9b-89b0-35df7cab1dd5", "value": "APT-Q-12" + }, + { + "description": "GOLD PRELUDE is a financially motivated cybercriminal threat group that operates the SocGholish (aka FAKEUPDATES) malware distribution network. GOLD PRELUDE operates a large global network of compromised websites, frequently running vulnerable content management systems (CMS), that redirect into a malicious traffic distribution system (TDS). The TDS, which researchers at Avast have named Parrot TDS, uses opaque criteria to select victims to serve a fake browser update page. These pages, which are customized to the specific visiting browser software, download the JavaScript-based SocGholish payload frequently embedded within a compressed archive.", + "meta": { + "refs": [ + "https://www.secureworks.com/research/threat-profiles/gold-prelude" + ], + "synonyms": [ + "TA569", + "UNC1543" + ] + }, + "related": [ + { + "dest-uuid": "cd32b19e-c365-4efc-9998-548e50e04a4c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + } + ], + "uuid": "8134c96d-d6ed-49cc-99d6-fe74c0636387", + "value": "GOLD PRELUDE" } ], "version": 250 diff --git a/clusters/tool.json b/clusters/tool.json index 4004769..bdf8e23 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -8575,7 +8575,8 @@ "description": "BumbleBee is a modular backdoor that comprises two applications, a server and a client application (a master and slaver application, respectively in the malware’s jargon). Once the client application is deployed on the target computer (these are commonly local government devices), threat actors can control the machine using the server module. Let us take a deeper look into this backdoor.", "meta": { "refs": [ - "https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html" + "https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" ], "type": [ "backdoor" @@ -8612,7 +8613,75 @@ }, "uuid": "e10ff67f-8b52-4648-9217-da53ff7d52f9", "value": "SharPyShell" + }, + { + "description": "Raspberry Robin has evolved from being a widely distributed worm with no observed post-infection actions when Red Canary first reported it in May 2022, to one of the largest malware distribution platforms currently active. ", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" + ], + "type": "Worm" + }, + "uuid": "70dc3e92-9b3b-4fc1-abd2-d98985d83225", + "value": "Raspberry Robin" + }, + { + "description": "The Fauppod malware delivers a JavaScript backdoor to gain unauthorized access to the target system and deploy additional malware.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" + ] + }, + "uuid": "9f0224f6-dd46-4a23-a3fd-d295abae5f93", + "value": "Fauppod" + }, + { + "description": "This threat takes multiple screenshots of your desktop. It saves all screenshots in a .dat file that becomes a collection of bitmap images. According to Group-IB, FlawedAmmyy.downloader and Truebot would have been developed by the same individual", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" + ], + "synonyms": [ + "Silence" + ] + }, + "related": [ + { + "dest-uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba", + "value": "Truebot" + }, + { + "description": "FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT.\nFAKEUPDATES has been heavily used by UNC1543,a financially motivated group.\n\nSocGholish, first appearing in late 2017 and rising to prominence in mid-2018, has been used to describe both the web drive-by download network used to infect victims and the JavaScript-based loader malware that targets Windows systems.", + "meta": { + "refs": [ + "https://www.malwarebytes.com/blog/news/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://www.secureworks.com/research/threat-profiles/gold-prelude" + ], + "synonyms": [ + "FakeUpdate", + "SocGholish" + ] + }, + "related": [ + { + "dest-uuid": "8134c96d-d6ed-49cc-99d6-fe74c0636387", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + } + ], + "uuid": "cd32b19e-c365-4efc-9998-548e50e04a4c", + "value": "FakeUpdates" } ], - "version": 156 + "version": 157 } From 91d535925f122038cb5da8a9415fb8a8727633bb Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Tue, 15 Nov 2022 13:36:49 +0100 Subject: [PATCH 2/4] version fix --- clusters/malpedia.json | 3 +-- clusters/threat-actor.json | 2 +- clusters/tool.json | 3 ++- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/clusters/malpedia.json b/clusters/malpedia.json index 3cfe156..6c50ff2 100644 --- a/clusters/malpedia.json +++ b/clusters/malpedia.json @@ -7315,8 +7315,7 @@ "https://killingthebear.jorgetesta.tech/actors/evil-corp", "https://experience.mandiant.com/trending-evil/p/1", "https://www.lac.co.jp/lacwatch/report/20220407_002923.html", - "https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm", - "https://redcanary.com/threat-detection-report/threats/socgholish/" + "https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm" ], "synonyms": [ "FakeUpdate", diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 54dfbb7..ec2f959 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -9896,5 +9896,5 @@ "value": "GOLD PRELUDE" } ], - "version": 251 + "version": 252 } diff --git a/clusters/tool.json b/clusters/tool.json index bdf8e23..7678317 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -8663,7 +8663,8 @@ "refs": [ "https://www.malwarebytes.com/blog/news/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms", "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", - "https://www.secureworks.com/research/threat-profiles/gold-prelude" + "https://www.secureworks.com/research/threat-profiles/gold-prelude", + "https://redcanary.com/threat-detection-report/threats/socgholish/" ], "synonyms": [ "FakeUpdate", From 9fc65c0e341d35b8afeefaa2b3c8a15c90b24244 Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Tue, 15 Nov 2022 13:37:02 +0100 Subject: [PATCH 3/4] version fix --- clusters/ransomware.json | 2 +- clusters/rat.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 6cf1624..5878212 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -24605,5 +24605,5 @@ "value": "Lorenz Ransomware" } ], - "version": 108 + "version": 109 } diff --git a/clusters/rat.json b/clusters/rat.json index 8e340bb..d41e703 100644 --- a/clusters/rat.json +++ b/clusters/rat.json @@ -3544,5 +3544,5 @@ "value": "Ragnatela" } ], - "version": 40 + "version": 41 } From 2269f4decd7740596224cca3414c9aeaead42e65 Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Tue, 15 Nov 2022 13:56:53 +0100 Subject: [PATCH 4/4] fix tool type --- clusters/tool.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 7678317..32ddca1 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -8620,7 +8620,9 @@ "refs": [ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" ], - "type": "Worm" + "type": [ + "Worm" + ] }, "uuid": "70dc3e92-9b3b-4fc1-abd2-d98985d83225", "value": "Raspberry Robin"