From 924eda26ca68dd94eabd29e5c0744136b2a63aa3 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Tue, 12 Jul 2022 10:49:11 +0200
Subject: [PATCH 1/3] Add EnemyBot +relationships
---
 clusters/botnet.json | 38 +++++++++++++++++++++++++++++++++++++-
 clusters/malpedia.json | 11 ++++++++++-
 2 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/clusters/botnet.json b/clusters/botnet.json
index 460e4d5..4922a88 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -1291,7 +1291,43 @@
 },
 "uuid": "3e40c1af-51f5-4b02-b189-74567125c6e0",
 "value": "Ripprbot"
+ },
+ {
+ "Value": "EnemyBot",
+ "description": "In mid-March [2022], FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.\n\nThis botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.\n\nIt uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.\n\nEnemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported iRZ router vulnerability to infect more devices.",
+ "meta": {
+ "refs": [
+ "https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.enemybot",
+ "https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet",
+ "https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "262d18be-7cab-46c2-bcb0-47fff17604aa",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
+ },
+ {
+ "dest-uuid": "40795af6-b721-11e8-9fcb-570c0b384135",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
+ }
+ ],
+ "uuid": "a5a067c9-c4d7-4f33-8e6f-01b903f89908"
 }
 ],
- "version": 25
+ "version": 26
 }
diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index cb5af6a..c2551c1 100644
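Review bot: The new entry is keyed `"Value": "EnemyBot"` (capital V) while the neighbouring entry two lines up uses `"value": "Ripprbot"`, so as committed this patch leaves the EnemyBot entry without the lowercase `value` field every other cluster entry carries; patch 2/3 of this series moves it to `"value": "EnemyBot"` after the `"uuid"` line, so squashing 2/3 into 1/3 would keep every commit in the series a valid cluster file. The two `variant-of` links to `fcdfd4af-…` and `40795af6-…` carry no hint of which entries they point at; the description names Gafgyt as the code base and Mirai only as a source of borrowed modules, so it is worth confirming those two targets are the Gafgyt and Mirai entries and that `variant-of` rather than a weaker relationship is intended for the Mirai one. Only the `similar` link to the malpedia entry `262d18be-…` gets a reciprocal entry in this series; if the galaxy convention expects reverse links for `variant-of` too, they are missing here. The phrase "recently reported iRZ router vulnerability" in the description will not age well in a reference dataset — anchoring it to the vulnerability identifier given in the referenced Fortinet post, the way "mid-March [2022]" is already anchored, would let consumers map the entry to patch status.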
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@@ -3875,6 +3875,15 @@
 "synonyms": [],
 "type": []
 },
+ "related": [
+ {
+ "dest-uuid": "a5a067c9-c4d7-4f33-8e6f-01b903f89908",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
 "uuid": "262d18be-7cab-46c2-bcb0-47fff17604aa",
 "value": "EnemyBot"
 },
@@ -45260,5 +45269,5 @@
 "value": "Zyklon"
 }
 ],
- "version": 14973
+ "version": 14974
 }
From 71c93f5b24053ce39c9df540d849a843a434eb34 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Tue, 12 Jul 2022 10:53:14 +0200
Subject: [PATCH 2/3] fix caps typo
---
 clusters/botnet.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/botnet.json b/clusters/botnet.json
index 4922a88..ac9d202 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -1293,7 +1293,6 @@
 "value": "Ripprbot"
 },
 {
- "Value": "EnemyBot",
 "description": "In mid-March [2022], FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.\n\nThis botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.\n\nIt uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.\n\nEnemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported iRZ router vulnerability to infect more devices.",
 "meta": {
 "refs": [
@@ -1326,7 +1325,8 @@
 "type": "variant-of"
 }
 ],
- "uuid": "a5a067c9-c4d7-4f33-8e6f-01b903f89908"
+ "uuid": "a5a067c9-c4d7-4f33-8e6f-01b903f89908",
+ "value": "EnemyBot"
 }
 ],
 "version": 26
From 300d6087704c36c499fd92b61bf4a925b56a6c87 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Tue, 12 Jul 2022 10:54:37 +0200
Subject: [PATCH 3/3] jq
---
 clusters/ransomware.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index b0311a0..371526c 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -24555,7 +24555,6 @@
 },
 "uuid": "5617e6fa-4e6a-4011-9385-6b1165786563",
 "value": "HelloXD"
- },
 {
 "description": "Maui ransomware stand out because of a lack of several key features commonly seen with tooling from RaaS providers, such as an embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers. Instead, it is believed that Maui is manually operated, in which operators will specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts. There are many aspects to Maui ransomware that are unknown, including usage context.",