From 4a7560d1917e73aca1d5de7afdf534de0c50544b Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Mon, 15 Feb 2021 12:52:53 -0500
Subject: [PATCH 1/2] Add Exaramel and P.A.S. webshell tool.

---
 clusters/tool.json | 38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 0606a6a..5ddaf2f 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8235,7 +8235,43 @@
 "related": [],
 "uuid": "1974ea65-7312-4d91-a592-649983b46554",
 "value": "Caterpillar WebShell"
+ },
+ {
+ "description": "The P.A.S. webshell was developed by an ukrainian student, Jaroslav Volodimirovich Panchenko, who used the nick-name Profexer. It was developed in PHP and features a characteristic password-based encryption. This tool was available through a form on his website, where a user had to provide a password to receive a custom webshell. The form suggested a donation to the developer. It was commonly used, including during a WORDPRESS website attack.",
+ "meta": {
+ "refs": [
+ "https://us-cert.cisa.gov/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
+ ],
+ "synonyms": [
+ "Fobushell"
+ ],
+ "type": [
+ "webshell"
+ ]
+ },
+ "related": [],
+ "uuid": "6baa1f46-daa9-4f40-952b-ec613c835abb",
+ "value": "P.A.S. webshell"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
+ ],
+ "synonyms": [
+ ""
+ ],
+ "type": [
+ "backdoor"
+ ]
+ },
+ "related": [],
+ "uuid": "95174297-6dff-47d9-bcb9-263f9b2efcfb",
+ "value": "Exaramel"
 }
 ],
- "version": 141
+ "version": 142
 }
From 178e16dc13f726afa2e97dd2527e87698f89795e Mon Sep 17 00:00:00 2001
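Review bot: Both new entries leave `"related": []` even though the cited references tie each tool to a specific intrusion set (the GRIZZLY STEPPE report for P.A.S., the TeleBots/Industroyer/NotPetya write-up for Exaramel); if the corresponding actor exists in the threat-actor galaxy, a relationship such as `{ "dest-uuid": "<threat-actor-uuid>", "type": "used-by" }` (plus whatever estimative-language tag this cluster uses on its other related entries) would make that link machine-readable instead of leaving it only in prose. The P.A.S. description also reads `an ukrainian student`, where `a Ukrainian student` is the expected form, and `WORDPRESS` is presumably meant as `WordPress`. The empty `description` and the `""` synonym on the Exaramel entry are already corrected by the second patch in this series. The enclosing `values` array and the cluster object around it begin well before the hunk.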
From: Thomas Dupuy
Date: Tue, 16 Feb 2021 10:32:37 -0500
Subject: [PATCH 2/2] Remove empty values.

---
 clusters/tool.json | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 5ddaf2f..9e4ac50 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8255,15 +8255,12 @@
 "value": "P.A.S. webshell"
 },
 {
- "description": "",
+ "description": "Exaramel is a backdoor first publicly reported by ESET in 2018. Two samples were identified, one targeting the WINDOWS operating system and the other targeting LINUX operating systems.",
 "meta": {
 "refs": [
 "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
 ],
- "synonyms": [
- ""
- ],
 "type": [
 "backdoor"
 ]
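Review bot: Dropping the `synonyms` key outright rather than leaving `"synonyms": []` gives the Exaramel entry a different shape from the P.A.S. entry directly above it, so a consumer that iterates `meta.synonyms` unconditionally now needs a presence check; whether that is the right call depends on the convention the rest of `clusters/tool.json` follows for entries with no synonyms, which is outside the hunk. The new description names the reporter and the two platforms but not the operator the cited ESET article attributes the backdoor to; a short clause such as `attributed by ESET to the TeleBots group` would let the entry stand on its own without following the link. The casing `WINDOWS`/`LINUX` also reads as an extraction artefact; `Windows`/`Linux` is presumably intended. The enclosing object continues past the hunk (its `related`, `uuid` and `value` keys are outside the view).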