From 2527d6333c0ccb41241ac0e2fe6a0eb6261a5b98 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Tue, 25 Oct 2016 15:11:09 +0200
Subject: [PATCH 1/4] removed empty synonym
---
 elements/adversary-groups.json | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/elements/adversary-groups.json b/elements/adversary-groups.json
index 5f2e200..d82d587 100644
--- a/elements/adversary-groups.json
+++ b/elements/adversary-groups.json
@@ -770,10 +770,7 @@
 "refs": [
 "http://www.welivesecurity.com/2015/11/11/operathion-buhtrap-malware-distributed-via-ammyy-com/"
 ],
- "country": "RU",
- "synonyms": [
- ""
- ]
+ "country": "RU"
 },
 {
 "value": "Berserk Bear",
From 973257d752e365bc35099398fa6199f86668b1fa Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Wed, 26 Oct 2016 15:20:42 +0200
Subject: [PATCH 2/4] corrected typo in njRAT synonym
---
 elements/threat-actor-tools.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/elements/threat-actor-tools.json b/elements/threat-actor-tools.json
index efbdfd1..e404c41 100644
--- a/elements/threat-actor-tools.json
+++ b/elements/threat-actor-tools.json
@@ -72,7 +72,7 @@
 },
 {
 "value": "njRAT",
- "synonyms": ["Bladakindi"],
+ "synonyms": ["Bladabindi"],
 "refs": ["http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf"]
 },
 {
From e6a86cf99315ef9bc4a0d05a4e33cb23300615a7 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Wed, 26 Oct 2016 16:26:35 +0200
Subject: [PATCH 3/4] added additional threat-actor-tools
---
 elements/threat-actor-tools.json | 88 +++++++++++++++++++++++++++++++-
 1 file changed, 86 insertions(+), 2 deletions(-)
diff --git a/elements/threat-actor-tools.json b/elements/threat-actor-tools.json
index 93f6ce7..bd7b556 100644
--- a/elements/threat-actor-tools.json
+++ b/elements/threat-actor-tools.json
@@ -528,11 +528,95 @@
 "description": "Unit 42 has observed a new version of Hworm (or Houdini) being used within multiple attacks. This blog outlines technical details of this new Hworm version and documents an attack campaign making use of the backdoor. Of the samples used in this attack, the first we observed were June 2016, while as-of publication we were still seeing attacks as recently as mid-October, suggesting that this is likely an active, ongoing campaign.",
 "refs": ["http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/"],
 "synonyms": ["Houdini"]
+ },
+ {
+ "value": "Backdoor.Dripion",
+ "description": "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.",
+ "refs": ["http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan"],
+ "synonyms": ["Dripion"]
+ },
+ {
+ "value": "Adwind",
+ "description": "Adwind is a backdoor written purely in Java that targets system supporting the Java runtime environment. Commands that can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. A significant amount of additional functionality can be provided through downloadable plugins, including such things as remote control options and shell command execution.",
+ "refs": ["https://securelist.com/blog/research/73660/adwind-faq/"],
+ "synonyms": ["AlienSpy", "Frutas", "Unrecom", "Sockrat", "JSocket", "jRat"]
+ },
+ {
+ "value": "Angler EK",
+ "description": "Angler Exploit Kit is a hacking tool that is produced to search for Java and Flash Player vulnerabilities on the attacked PC and use them with the aim to distribute malware infections. 
Angler Exploit Kit commonly checks to see if the PC it is proliferating to has Java or Flash.",
+ "refs": ["http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-angler-exploit-kit-part-1-exploit-kit-fundamentals/", "https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/"]
+ },
+ {
+ "value": "Bedep"
+ },
+ {
+ "value": "Cromptui"
+ },
+ {
+ "value": "Cryptowall",
+ "description": "CryptoWall is a new and highly destructive variant of ransomware. Ransomware is malicious software (malware) that infects your computer and holds hostage something of value to you in exchange for money. Older ransomware used to block access to computers. Newer ransomware, such as CryptoWall, takes your data hostage."
+ },
+ {
+ "value": "CTB-Locker"
+ },
+ {
+ "value": "Dridex",
+ "description": "Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.",
+ "refs": ["http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf"],
+ "synonyms": ["Cridex"]
+ },
+ {
+ "value": "Fareit"
+ },
+ {
+ "value": "Gafgyt"
+ },
+ {
+ "value": "Gamarue",
+ "description": "",
+ "refs": ["https://blog.gdatasoftware.com/2015/03/24274-the-andromeda-gamarue-botnet-is-on-the-rise-again"],
+ "synonyms": ["Andromeda"]
+ },
+ {
+ "value": "Locky",
+ "description": "Ransomware"
+ },
+ {
+ "value": "Necurs",
+ "description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.",
+ "refs": ["https://en.wikipedia.org/wiki/Necurs_botnet"]
+ },
+ {
+ "value": "Nuclear Pack",
+ "synonyms": ["Nuclear EK"]
+ },
+ {
+ "value": "Palevo"
+ },
+ {
+ "value": "Akbot",
+ "refs": ["https://en.wikipedia.org/wiki/Akbot"],
+ "synonyms": ["Qbot", "Qakbot", "PinkSlipBot"]
+ },
+ {
+ "value": 
"Rig EK" + }, + { + "value": "Teslacrypt" + }, + { + "value": "Upatre", + "description": "Upatre is a Trojan downloader that is used to set up other threats on the victim's PC. Upatre has been used recently in several high profile Trojan attacks involving the Gameover Trojan. " + }, + { + "value": "Vawtrak", + "description": "Vawtrak is an information stealing malware family that is primarily used to gain unauthorised access to bank accounts through online banking websites.", + "refs": ["https://www.sophos.com/medialibrary/PDFs/technical%20papers/sophos-vawtrak-international-crimeware-as-a-service-tpna.pdf"] } ], - "version": 1, + "version": 2, "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", - "author": ["Alexandre Dulaunoy", "Florian Roth", "Timo Steffens"], + "author": ["Alexandre Dulaunoy", "Florian Roth", "Timo Steffens", "Christophe Vandeplas"], "type": "threat-actor-tools" } From bba38e9ece95b0b9a27c994d8d0f6b5be9a6b5f9 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Wed, 26 Oct 2016 16:42:11 +0200 Subject: [PATCH 4/4] minor correction --- elements/threat-actor-tools.json | 1 - 1 file changed, 1 deletion(-) diff --git a/elements/threat-actor-tools.json b/elements/threat-actor-tools.json index bd7b556..e62649d 100644 --- a/elements/threat-actor-tools.json +++ b/elements/threat-actor-tools.json @@ -573,7 +573,6 @@ }, { "value": "Gamarue", - "description": "", "refs": ["https://blog.gdatasoftware.com/2015/03/24274-the-andromeda-gamarue-botnet-is-on-the-rise-again"], "synonyms": ["Andromeda"] },