Merge pull request #795 from Delta-Sierra/main

add raspberry Robin worm & others
This commit is contained in:
Alexandre Dulaunoy 2022-11-15 15:05:58 +01:00 committed by GitHub
commit 5b9b41b3e0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 115 additions and 8 deletions

View file

@ -890,7 +890,11 @@
"refs": [
"https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/",
"https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
"http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html"
"http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html",
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
],
"synonyms": [
"BokBot"
]
},
"related": [
@ -1193,5 +1197,5 @@
"value": "Dark Tequila"
}
],
"version": 16
"version": 17
}

View file

@ -14017,7 +14017,8 @@
".Clop2"
],
"refs": [
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf"
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
]
},
"uuid": "21b349c3-ede2-4e11-abda-1444eb272eff",
@ -24604,5 +24605,5 @@
"value": "Lorenz Ransomware"
}
],
"version": 108
"version": 109
}

View file

@ -3216,6 +3216,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "3c1003a2-8364-467a-b9b8-fcc19724a9b5",
@ -3537,5 +3544,5 @@
"value": "Ragnatela"
}
],
"version": 40
"version": 41
}

View file

@ -9871,7 +9871,30 @@
},
"uuid": "ba9e1ed2-e142-48d0-a593-f73ac6d59ccd",
"value": "RomCom"
},
{
"description": "GOLD PRELUDE is a financially motivated cybercriminal threat group that operates the SocGholish (aka FAKEUPDATES) malware distribution network. GOLD PRELUDE operates a large global network of compromised websites, frequently running vulnerable content management systems (CMS), that redirect into a malicious traffic distribution system (TDS). The TDS, which researchers at Avast have named Parrot TDS, uses opaque criteria to select victims to serve a fake browser update page. These pages, which are customized to the specific visiting browser software, download the JavaScript-based SocGholish payload frequently embedded within a compressed archive.",
"meta": {
"refs": [
"https://www.secureworks.com/research/threat-profiles/gold-prelude"
],
"synonyms": [
"TA569",
"UNC1543"
]
},
"related": [
{
"dest-uuid": "cd32b19e-c365-4efc-9998-548e50e04a4c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
}
],
"version": 251
"uuid": "8134c96d-d6ed-49cc-99d6-fe74c0636387",
"value": "GOLD PRELUDE"
}
],
"version": 252
}

View file

@ -8575,7 +8575,8 @@
"description": "BumbleBee is a modular backdoor that comprises two applications, a server and a client application (a master and slaver application, respectively in the malwares jargon). Once the client application is deployed on the target computer (these are commonly local government devices), threat actors can control the machine using the server module. Let us take a deeper look into this backdoor.",
"meta": {
"refs": [
"https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html"
"https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html",
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
],
"type": [
"backdoor"
@ -8612,7 +8613,78 @@
},
"uuid": "e10ff67f-8b52-4648-9217-da53ff7d52f9",
"value": "SharPyShell"
},
{
"description": "Raspberry Robin has evolved from being a widely distributed worm with no observed post-infection actions when Red Canary first reported it in May 2022, to one of the largest malware distribution platforms currently active. ",
"meta": {
"refs": [
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
],
"type": [
"Worm"
]
},
"uuid": "70dc3e92-9b3b-4fc1-abd2-d98985d83225",
"value": "Raspberry Robin"
},
{
"description": "The Fauppod malware delivers a JavaScript backdoor to gain unauthorized access to the target system and deploy additional malware.",
"meta": {
"refs": [
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
]
},
"uuid": "9f0224f6-dd46-4a23-a3fd-d295abae5f93",
"value": "Fauppod"
},
{
"description": "This threat takes multiple screenshots of your desktop. It saves all screenshots in a .dat file that becomes a collection of bitmap images. According to Group-IB, FlawedAmmyy.downloader and Truebot would have been developed by the same individual",
"meta": {
"refs": [
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
],
"synonyms": [
"Silence"
]
},
"related": [
{
"dest-uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"version": 156
"uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba",
"value": "Truebot"
},
{
"description": "FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT.\nFAKEUPDATES has been heavily used by UNC1543,a financially motivated group.\n\nSocGholish, first appearing in late 2017 and rising to prominence in mid-2018, has been used to describe both the web drive-by download network used to infect victims and the JavaScript-based loader malware that targets Windows systems.",
"meta": {
"refs": [
"https://www.malwarebytes.com/blog/news/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms",
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
"https://www.secureworks.com/research/threat-profiles/gold-prelude",
"https://redcanary.com/threat-detection-report/threats/socgholish/"
],
"synonyms": [
"FakeUpdate",
"SocGholish"
]
},
"related": [
{
"dest-uuid": "8134c96d-d6ed-49cc-99d6-fe74c0636387",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "cd32b19e-c365-4efc-9998-548e50e04a4c",
"value": "FakeUpdates"
}
],
"version": 157
}