mirror of https://github.com/MISP/misp-galaxy.git, synced 2024-11-23 07:17:17 +00:00
update some clusters
This commit is contained in:
parent d76e2c97a4
commit 5e0bd260d6
3 changed files with 65 additions and 7 deletions
|
@ -9071,7 +9071,8 @@
|
||||||
"description": "The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user's desktop, named in the format: RESTORE_INFO-[id].txt. For example: RESTORE_INFO-4ABFA0EF.txt\n In addition, SynAck also appends its own extension at the end of all files it encrypted. This file extensions format is ten random alpha characters for each file. For example: test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.",
|
"description": "The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user's desktop, named in the format: RESTORE_INFO-[id].txt. For example: RESTORE_INFO-4ABFA0EF.txt\n In addition, SynAck also appends its own extension at the end of all files it encrypted. This file extensions format is ten random alpha characters for each file. For example: test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/"
|
"https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/",
|
||||||
|
"https://www.bleepingcomputer.com/news/security/synack-ransomware-uses-process-doppelg-nging-technique/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Syn Ack"
|
"Syn Ack"
|
||||||
|
|
|
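Review bot: the reference added on the `"https://www.bleepingcomputer.com/news/security/synack-ransomware-uses-process-doppelg-nging-technique/"` line documents SynAck's use of Process Doppelgänging, but the cluster description a few lines above is left unchanged and still covers only the ransom-note naming, the ten-character extension and the RDP brute-force entry vector, so the cluster text does not reflect the source it now cites; one sentence on the process-doppelgänging variant would fix that, and while editing the description "This file extensions format" should read "This file extension format". Separately, the other two files in this commit get a version bump (39 to 40 and 68 to 69) but no bump for this file appears in the diff; MISP galaxy consumers only pick up a changed cluster when its version field is incremented.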
@ -1167,7 +1167,11 @@
|
||||||
"Unit 121",
|
"Unit 121",
|
||||||
"Bureau 121",
|
"Bureau 121",
|
||||||
"NewRomanic Cyber Army Team",
|
"NewRomanic Cyber Army Team",
|
||||||
"Bluenoroff"
|
"Bluenoroff",
|
||||||
|
"Group 77",
|
||||||
|
"Labyrinth Chollima",
|
||||||
|
"Operation Troy",
|
||||||
|
"Operation GhostSecret"
|
||||||
],
|
],
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/",
|
"https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/",
|
||||||
|
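Review bot: `"Operation Troy"` and `"Operation GhostSecret"` in the added synonym lines are campaign names rather than alternative names for the group, which is exactly the confusion this cluster's own description warns about further down in the diff ("Adversary groups are regularly confused with their initial operation or campaign"). Keep `"Group 77"` and `"Labyrinth Chollima"` as synonyms, and move the two operations into the description or the refs instead; the Operation Troy white paper is already in the refs list, so only GhostSecret needs a sentence or a source.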
@ -1176,7 +1180,8 @@
|
||||||
"http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf",
|
"http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf",
|
||||||
"https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity",
|
"https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity",
|
||||||
"https://www.us-cert.gov/ncas/alerts/TA17-318A",
|
"https://www.us-cert.gov/ncas/alerts/TA17-318A",
|
||||||
"https://www.us-cert.gov/ncas/alerts/TA17-318B"
|
"https://www.us-cert.gov/ncas/alerts/TA17-318B",
|
||||||
|
"https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"value": "Lazarus Group",
|
"value": "Lazarus Group",
|
||||||
|
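Review bot: the added `"https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"` ref is a secondary news write-up, and the same URL is reused later in this commit as the sole source for the three new GhostSecret tool entries; cite the vendor report that the article summarizes alongside it so the attribution of GhostSecret to Lazarus Group rests on a primary source rather than on one news item.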
@ -2689,5 +2694,5 @@
|
||||||
],
|
],
|
||||||
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
|
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
|
||||||
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
|
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
|
||||||
"version": 39
|
"version": 40
|
||||||
}
|
}
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
],
|
],
|
||||||
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
|
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
|
||||||
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
|
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
|
||||||
"version": 68,
|
"version": 69,
|
||||||
"values": [
|
"values": [
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
@ -1541,7 +1541,8 @@
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://en.wikipedia.org/wiki/Necurs_botnet"
|
"https://en.wikipedia.org/wiki/Necurs_botnet",
|
||||||
|
"https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now/"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.",
|
"description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.",
|
||||||
|
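Review bot: the slug of the added ref ("worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now") points at a detection-evasion change, but the Necurs description stays at "distributor of many pieces of malware, most notably Locky", so a reader of the cluster gets no hint of why the link is there; add a short sentence stating what the linked article reports about the botnet's new evasion behaviour.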
@ -3467,7 +3468,8 @@
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.bleepingcomputer.com/news/security/quant-loader-is-now-bundled-with-other-crappy-malware/",
|
"https://www.bleepingcomputer.com/news/security/quant-loader-is-now-bundled-with-other-crappy-malware/",
|
||||||
"https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground"
|
"https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground",
|
||||||
|
"https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now/"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "2d1aadfb-03c1-4580-b6ac-f12c6941067d"
|
"uuid": "2d1aadfb-03c1-4580-b6ac-f12c6941067d"
|
||||||
|
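Review bot: the bleepingcomputer URL added here for Quant Loader is the same one added to the Necurs entry in the previous hunk, which implies the two appear together in that article; if the point is that Necurs distributes Quant Loader, express it with a `related` entry (MISP galaxy's `related` list with `dest-uuid` and a `type` such as `uses` or `dropped-by`) rather than only a shared reference, so tooling can follow the relationship between the two clusters.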
@ -4172,6 +4174,56 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "d83ec444-535c-11e8-ae83-831d0a85d77a"
|
"uuid": "d83ec444-535c-11e8-ae83-831d0a85d77a"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"value": "Huigezi malware",
|
||||||
|
"description": "backdoor trojan popular found prevalently in China",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.bleepingcomputer.com/news/gaming/chinese-police-arrest-15-people-who-hid-malware-inside-pubg-cheat-apps/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "6aef5a32-5381-11e8-ac5a-bb46d8986552"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"value": "FacexWorm",
|
||||||
|
"description": "Facebook, Chrome, and cryptocurrency users should be on the lookout for a new malware strain named FacexWorm that infects victims for the purpose of stealing passwords, stealing cryptocurrency funds, running cryptojacking scripts, and spamming Facebook users. This new strain was spotted in late April by Trend Micro researchers and appears to be related to two other Facebook Messenger spam campaigns, one that took place last August, and another one from December 2017, the latter spreading the Digmine malware. Researchers say FacexWorm's modus operandi is similar to the previous two campaigns, but with the addition of new techniques aimed at cryptocurrency users.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.bleepingcomputer.com/news/security/facexworm-spreads-via-facebook-messenger-malicious-chrome-extension/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "86ac8c80-5382-11e8-b893-4f1651951472"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"value": "Bankshot",
|
||||||
|
"description": "implant used in Operation GhostSecret",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "d9431c02-5391-11e8-931f-4beceb8bd697"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"value": "Proxysvc",
|
||||||
|
"description": "downloader used in Operation GhostSecret",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "dafba168-5391-11e8-87e4-0f93b75d6ac0"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"value": "Escad",
|
||||||
|
"description": "backdoor used in Operation GhostSecret",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "db36cf9a-5391-11e8-b53a-97adedf48055"
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
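Review bot: the text on the `"description": "backdoor trojan popular found prevalently in China"` line is ungrammatical; suggest "Backdoor trojan prevalent in China", and drop the suffix from `"value": "Huigezi malware"` since the other new values in this hunk (`FacexWorm`, `Bankshot`, `Proxysvc`, `Escad`) use the bare name. The FacexWorm description is pasted from the news article, including advisory wording ("should be on the lookout") and relative dates ("spotted in late April", "last August") that lose their meaning outside the article; rewrite it as a neutral summary with absolute dates. The three GhostSecret entries (Bankshot, Proxysvc, Escad) each carry a one-line description and the same single news ref; add a `related` link to the Lazarus Group cluster, which gains "Operation GhostSecret" as a synonym earlier in this commit, and cite the primary report the article draws on.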