From 5e0bd260d61038f25953da24fdd22e8a977ad1d3 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 9 May 2018 16:12:02 +0200
Subject: [PATCH] update some clusters

---
 clusters/ransomware.json | 3 +-
 clusters/threat-actor.json | 11 ++++++--
 clusters/tool.json | 58 ++++++++++++++++++++++++++++++++++++--
 3 files changed, 65 insertions(+), 7 deletions(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 7b266c4..616f9a4 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -9071,7 +9071,8 @@
 "description": "The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user's desktop, named in the format: RESTORE_INFO-[id].txt. For example: RESTORE_INFO-4ABFA0EF.txt\n In addition, SynAck also appends its own extension at the end of all files it encrypted. This file extensions format is ten random alpha characters for each file. For example: test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.",
 "meta": {
 "refs": [
- "https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/"
+ "https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/",
+ "https://www.bleepingcomputer.com/news/security/synack-ransomware-uses-process-doppelg-nging-technique/"
 ],
 "synonyms": [
 "Syn Ack"
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 13b3926..e1dba25 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
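Review bot: The ransomware.json hunk adds a reference to the SynAck entry but does not bump the cluster's `version`, while the threat-actor.json and tool.json hunks in this same patch each increment theirs (39 to 40, 68 to 69); the diffstat (`3 +-`) confirms only the refs lines changed in ransomware.json. If consumers use `version` to decide whether to re-import a galaxy, as the other two files' bumps suggest, this change will not be picked up, so a matching `"version"` increment should be added (the current value is outside this hunk). The SynAck description also still attributes initial access to RDP brute force only, whereas the added reference is about the process-doppelganging technique; a short clause in the description would keep the text and the refs in step. The enclosing SynAck object starts and ends outside the hunk.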
@@ -1167,7 +1167,11 @@
 "Unit 121",
 "Bureau 121",
 "NewRomanic Cyber Army Team",
- "Bluenoroff"
+ "Bluenoroff",
+ "Group 77",
+ "Labyrinth Chollima",
+ "Operation Troy",
+ "Operation GhostSecret"
 ],
 "refs": [
 "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/",
@@ -1176,7 +1180,8 @@
 "http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf",
 "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity",
 "https://www.us-cert.gov/ncas/alerts/TA17-318A",
- "https://www.us-cert.gov/ncas/alerts/TA17-318B"
+ "https://www.us-cert.gov/ncas/alerts/TA17-318B",
+ "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
 ]
 },
 "value": "Lazarus Group",
@@ -2689,5 +2694,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 39
+ "version": 40
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 2dc8725..20e2897 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -11,7 +11,7 @@
 ],
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
- "version": 68,
+ "version": 69,
 "values": [
 {
 "meta": {
@@ -1541,7 +1541,8 @@
 {
 "meta": {
 "refs": [
- "https://en.wikipedia.org/wiki/Necurs_botnet"
+ "https://en.wikipedia.org/wiki/Necurs_botnet",
+ "https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now/"
 ]
 },
 "description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.",
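Review bot: Two of the synonyms added to the Lazarus Group entry in the @@ -1167 hunk, `"Operation Troy"` and `"Operation GhostSecret"`, are campaign names, while the galaxy's own description in the @@ -2689 hunk states that "Adversary groups are regularly confused with their initial operation or campaign." Placing operations in `synonyms` builds that confusion into the data: any match on "Operation Troy" will tag an event with the actor rather than the campaign, and the campaign can no longer be distinguished from other Lazarus activity. Keeping `"Group 77"` and `"Labyrinth Chollima"` as synonyms and moving the two operation names into the entry's description (or whatever campaign-level field the galaxy schema provides, which is not visible here) would stay consistent with that note. The Lazarus Group object starts and ends outside these hunks.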
@@ -3467,7 +3468,8 @@
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/quant-loader-is-now-bundled-with-other-crappy-malware/",
- "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground"
+ "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground",
+ "https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now/"
 ]
 },
 "uuid": "2d1aadfb-03c1-4580-b6ac-f12c6941067d"
@@ -4172,6 +4174,56 @@
 ]
 },
 "uuid": "d83ec444-535c-11e8-ae83-831d0a85d77a"
+ },
+ {
+ "value": "Huigezi malware",
+ "description": "backdoor trojan popular found prevalently in China",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/gaming/chinese-police-arrest-15-people-who-hid-malware-inside-pubg-cheat-apps/"
+ ]
+ },
+ "uuid": "6aef5a32-5381-11e8-ac5a-bb46d8986552"
+ },
+ {
+ "value": "FacexWorm",
+ "description": "Facebook, Chrome, and cryptocurrency users should be on the lookout for a new malware strain named FacexWorm that infects victims for the purpose of stealing passwords, stealing cryptocurrency funds, running cryptojacking scripts, and spamming Facebook users. This new strain was spotted in late April by Trend Micro researchers and appears to be related to two other Facebook Messenger spam campaigns, one that took place last August, and another one from December 2017, the latter spreading the Digmine malware. Researchers say FacexWorm's modus operandi is similar to the previous two campaigns, but with the addition of new techniques aimed at cryptocurrency users.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/facexworm-spreads-via-facebook-messenger-malicious-chrome-extension/"
+ ]
+ },
+ "uuid": "86ac8c80-5382-11e8-b893-4f1651951472"
+ },
+ {
+ "value": "Bankshot",
+ "description": "implant used in Operation GhostSecret",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
+ ]
+ },
+ "uuid": "d9431c02-5391-11e8-931f-4beceb8bd697"
+ },
+ {
+ "value": "Proxysvc",
+ "description": "downloader used in Operation GhostSecret",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
+ ]
+ },
+ "uuid": "dafba168-5391-11e8-87e4-0f93b75d6ac0"
+ },
+ {
+ "value": "Escad",
+ "description": "backdoor used in Operation GhostSecret",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
+ ]
+ },
+ "uuid": "db36cf9a-5391-11e8-b53a-97adedf48055"
 }
 ]
 }
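Review bot: The new Huigezi entry's description, `"backdoor trojan popular found prevalently in China"`, is ungrammatical and should read something like `"description": "Backdoor trojan prevalent in China"`; its `value` also carries a `malware` suffix that none of the other four entries in this hunk use, so `"value": "Huigezi"` would match the file's naming. The FacexWorm description is lifted news prose with a relative date (`last August`) that loses its meaning in a static dataset; it presumably means August 2017 given the December 2017 comparison, so stating the absolute month and dropping the advisory phrasing would keep the entry durable. The Bankshot, Proxysvc and Escad descriptions say only that each is used in Operation GhostSecret; since this same patch ties that operation to Lazarus Group in threat-actor.json, naming the actor in each description (e.g. `"description": "Implant used by Lazarus Group in Operation GhostSecret"`) lets a reader connect the tool to the actor without an external lookup. The enclosing `values` array begins outside the hunk.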