Merge pull request #247 from Delta-Sierra/master

New clusters

clusters/backdoor.json

@@ -5,6 +5,7 @@
   "description": "A list of backdoor malware.",
   "name": "Backdoor",
   "source": "Open Sources",
+  "version": 2,
   "type": "backdoor",
   "uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
   "values": [
@@ -16,9 +17,21 @@
           "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html"
         ]
       },
-      "uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd",
-      "value": "WellMess"
+      "value": "WellMess",
+      "uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd"
+    },
+    {
+      "value": "Rosenbridge",
+      "description": "The rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the 'deeply embedded instruction set'), bypassing all memory protections and privilege checks.\n\nWhile the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.\n\nThe rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU's memory, but its register file and execution pipeline as well.",
+      "meta": {
+        "date": "August 2018",
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/backdoor-mechanism-discovered-in-via-c3-x86-processors/",
+          "https://github.com/xoreaxeaxeax/rosenbridge",
+          "https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Christopher%20Domas/DEFCON-26-Christopher-Domas-GOD-MODE-%20UNLOCKED-hardware-backdoors-in-x86-CPUs.pdf"
+        ]
+      },
+      "uuid": "2bb165dc-9f93-11e8-ae64-d3dbab0dd786"
     }
-  ],
-  "version": 1
+  ]
 }

clusters/ransomware.json

@@ -10345,6 +10345,30 @@
       },
       "uuid": "b48a7d62-9bc4-11e8-a7c5-47d13fad265f",
       "value": "Unnamed Android Ransomware"
+    },
+    {
+      "value": "KEYPASS",
+      "description": "A new distribution campaign is underway for a STOP Ransomware variant called KeyPass based on the amount of victims that have been seen. Unfortunately, how the ransomware is being distributed is unknown at this time.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/"
+        ],
+        "synonyms": [
+          "KeyPass"
+        ],
+        "ransomnotes": [
+          "!!!KEYPASS_DECRYPTION_INFO!!!.txt",
+          "Attention!\n\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS\n\nThe only method of recovering files is to purchase an decrypt software and unique private key.\n\nAfter purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.\n\nOnly we can give you this key and only we can recover your files.\n\nYou need to contact us by e-mail keypass@bitmessage.ch send us your personal ID and wait for further instructions.\n\nFor you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.\n\nPrice for decryption $300.\n\nThis price avaliable if you contact us first 72 hours.\n\nE-mail address to contact us:\n\nkeypass@bitmessage.ch\n\n\n\nReserve e-mail address to contact us:\n\nkeypass@india.com\n\n\n\nYour personal id:\n[id]"
+        ],
+        "extensions": [
+          ".KEYPASS"
+        ]
+      },
+      "uuid": "22b4070e-9efe-11e8-b617-ab269f54596c"
+    },
+    {
+      "value": "STOP Ransomware",
+      "uuid": "c76c4d24-9f99-11e8-808d-a7f1c66a53c5"
     }
   ],
   "version": 28