meta added as required by MISP 2.4.56
This commit is contained in:
parent
f9a567a77e
commit
7f02f62c57
1 changed files with 529 additions and 118 deletions
|
@ -14,20 +14,35 @@
|
||||||
{
|
{
|
||||||
"value": "Poison Ivy",
|
"value": "Poison Ivy",
|
||||||
"description": "Poison Ivy is a RAT which was freely available and first released in 2005.",
|
"description": "Poison Ivy is a RAT which was freely available and first released in 2005.",
|
||||||
"refs": ["https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "SPIVY",
|
"value": "SPIVY",
|
||||||
"description": "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.",
|
"description": "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.",
|
||||||
"refs": ["http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Torn RAT"
|
"value": "Torn RAT"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "OzoneRAT",
|
"value": "OzoneRAT",
|
||||||
"refs": ["https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat"],
|
"meta": {
|
||||||
"synonyms": ["Ozone RAT","ozonercp"]
|
"refs": [
|
||||||
|
"https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Ozone RAT",
|
||||||
|
"ozonercp"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "ZeGhost"
|
"value": "ZeGhost"
|
||||||
|
@ -35,28 +50,51 @@
|
||||||
{
|
{
|
||||||
"value": "Backdoor.Dripion",
|
"value": "Backdoor.Dripion",
|
||||||
"description": "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.",
|
"description": "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.",
|
||||||
"refs": ["http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan"],
|
"meta": {
|
||||||
"synonyms": ["Dripion"]
|
"refs": [
|
||||||
|
"http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Dripion"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Elise Backdoor",
|
"value": "Elise Backdoor",
|
||||||
"synonyms": ["Elise"]
|
"synonyms": [
|
||||||
|
"Elise"
|
||||||
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Trojan.Laziok",
|
"value": "Trojan.Laziok",
|
||||||
"synonyms": ["Laziok"],
|
"meta": {
|
||||||
"refs": ["http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector"],
|
"synonyms": [
|
||||||
|
"Laziok"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector"
|
||||||
|
]
|
||||||
|
},
|
||||||
"description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer."
|
"description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer."
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Slempo",
|
"value": "Slempo",
|
||||||
"description": "Android-based malware",
|
"description": "Android-based malware",
|
||||||
"synonyms": ["GM-Bot", "Acecard"]
|
"meta": {
|
||||||
|
"synonyms": [
|
||||||
|
"GM-Bot",
|
||||||
|
"Acecard"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "PWOBot",
|
"value": "PWOBot",
|
||||||
"description": "We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.",
|
"description": "We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.",
|
||||||
"refs": ["http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Lstudio"
|
"value": "Lstudio"
|
||||||
|
@ -66,23 +104,45 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Lost Door RAT",
|
"value": "Lost Door RAT",
|
||||||
"synonyms": ["LostDoor RAT"],
|
|
||||||
"descriptions": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.",
|
"descriptions": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.",
|
||||||
"refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/"]
|
"meta": {
|
||||||
|
"synonyms": [
|
||||||
|
"LostDoor RAT"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "njRAT",
|
"value": "njRAT",
|
||||||
"synonyms": ["Bladabindi"],
|
"meta": {
|
||||||
"refs": ["http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf"]
|
"synonyms": [
|
||||||
|
"Bladabindi"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "NanoCoreRAT",
|
"value": "NanoCoreRAT",
|
||||||
"synonyms": ["NanoCore"],
|
"meta": {
|
||||||
"refs": ["http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter"]
|
"synonyms": [
|
||||||
|
"NanoCore"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Sakula",
|
"value": "Sakula",
|
||||||
"synonyms": ["Sakurel"]
|
"meta": {
|
||||||
|
"synonyms": [
|
||||||
|
"Sakurel"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Derusbi"
|
"value": "Derusbi"
|
||||||
|
@ -113,7 +173,11 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Pirpi",
|
"value": "Pirpi",
|
||||||
"refs": ["http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "RARSTONE"
|
"value": "RARSTONE"
|
||||||
|
@ -129,7 +193,11 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Agent.BTZ",
|
"value": "Agent.BTZ",
|
||||||
"synonyms": ["ComRat"]
|
"meta": {
|
||||||
|
"synonyms": [
|
||||||
|
"ComRat"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Heseber BOT",
|
"value": "Heseber BOT",
|
||||||
|
@ -160,38 +228,76 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Cadelspy",
|
"value": "Cadelspy",
|
||||||
"synonyms": ["WinSpy"]
|
"meta": {
|
||||||
|
"synonyms": [
|
||||||
|
"WinSpy"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "CMStar",
|
"value": "CMStar",
|
||||||
"refs": ["http://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "DHS2015",
|
"value": "DHS2015",
|
||||||
"synonyms": ["iRAT"],
|
"meta": {
|
||||||
"refs": ["https://securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf"]
|
"synonyms": [
|
||||||
|
"iRAT"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"https://securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Gh0st Rat",
|
"value": "Gh0st Rat",
|
||||||
"description": "Gh0st Rat is a well-known Chinese remote access trojan which was originally made by C.Rufus Security Team several years ago.",
|
"description": "Gh0st Rat is a well-known Chinese remote access trojan which was originally made by C.Rufus Security Team several years ago.",
|
||||||
"synonyms": ["Gh0stRat, GhostRat"],
|
"meta": {
|
||||||
"refs": ["http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf"]
|
"synonyms": [
|
||||||
|
"Gh0stRat, GhostRat"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Fakem RAT",
|
"value": "Fakem RAT",
|
||||||
"description": "Fakem RAT makes their network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages). ",
|
"description": "Fakem RAT makes their network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages). ",
|
||||||
"synonyms": ["FAKEM"],
|
"meta": {
|
||||||
"refs": ["http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf"]
|
"synonyms": [
|
||||||
|
"FAKEM"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "MFC Huner",
|
"value": "MFC Huner",
|
||||||
"synonyms": ["Hupigon", "BKDR_HUPIGON"],
|
"meta": {
|
||||||
"refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/japan-us-defense-industries-among-targeted-entities-in-latest-attack/"]
|
"synonyms": [
|
||||||
|
"Hupigon",
|
||||||
|
"BKDR_HUPIGON"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"http://blog.trendmicro.com/trendlabs-security-intelligence/japan-us-defense-industries-among-targeted-entities-in-latest-attack/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Blackshades",
|
"value": "Blackshades",
|
||||||
"description": "Blackshades Remote Access Tool targets Microsoft Windows operating systems. Authors were arrested in 2012 and 2014.",
|
"description": "Blackshades Remote Access Tool targets Microsoft Windows operating systems. Authors were arrested in 2012 and 2014.",
|
||||||
"refs": ["https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-and-fbi-assistant-director-charge-announce-charges-connection","https://blog.malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-2-blackshades-net/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-and-fbi-assistant-director-charge-announce-charges-connection",
|
||||||
|
"https://blog.malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-2-blackshades-net/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "CORESHELL"
|
"value": "CORESHELL"
|
||||||
|
@ -207,12 +313,20 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Havex RAT",
|
"value": "Havex RAT",
|
||||||
"synonyms": ["Havex"]
|
"meta": {
|
||||||
|
"synonyms": [
|
||||||
|
"Havex"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "KjW0rm",
|
"value": "KjW0rm",
|
||||||
"description": "RAT initially written in VB.",
|
"description": "RAT initially written in VB.",
|
||||||
"refs": ["https://www.sentinelone.com/blog/understanding-kjw0rm-malware-we-dive-in-to-the-tv5-cyber-attack/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.sentinelone.com/blog/understanding-kjw0rm-malware-we-dive-in-to-the-tv5-cyber-attack/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "TinyTyphon"
|
"value": "TinyTyphon"
|
||||||
|
@ -300,44 +414,84 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "ZXShell",
|
"value": "ZXShell",
|
||||||
"synonyms": ["Sensode"],
|
"meta": {
|
||||||
"refs": ["http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html"]
|
"synonyms": [
|
||||||
|
"Sensode"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "T9000",
|
"value": "T9000",
|
||||||
"refs": ["http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "T5000",
|
"value": "T5000",
|
||||||
"synonyms": ["Plat1"],
|
"meta": {
|
||||||
"refs": ["http://www.cylance.com/techblog/Grand-Theft-Auto-Panda.shtml"]
|
"synonyms": [
|
||||||
|
"Plat1"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"http://www.cylance.com/techblog/Grand-Theft-Auto-Panda.shtml"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Taidoor",
|
"value": "Taidoor",
|
||||||
"refs": ["http://www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Swisyn",
|
"value": "Swisyn",
|
||||||
"refs": ["http://labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Rekaf",
|
"value": "Rekaf",
|
||||||
"refs": ["https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Scieron"
|
"value": "Scieron"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "SkeletonKey",
|
"value": "SkeletonKey",
|
||||||
"refs": ["http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Skyipot",
|
"value": "Skyipot",
|
||||||
"refs": ["http://labs.alienvault.com/labs/index.php/2011/another-sykipot-sample-likely-targeting-us-federal-agencies/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://labs.alienvault.com/labs/index.php/2011/another-sykipot-sample-likely-targeting-us-federal-agencies/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Spindest",
|
"value": "Spindest",
|
||||||
"refs": ["http://www.threatconnect.com/news/threatconnect-enables-healthy-networking-biomed-life-sciences-industry/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://www.threatconnect.com/news/threatconnect-enables-healthy-networking-biomed-life-sciences-industry/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Preshin"
|
"value": "Preshin"
|
||||||
|
@ -347,56 +501,110 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "PCClient RAT",
|
"value": "PCClient RAT",
|
||||||
"refs": ["http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt-group-nitro-uncovered/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt-group-nitro-uncovered/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Plexor"
|
"value": "Plexor"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Mongall",
|
"value": "Mongall",
|
||||||
"refs": ["https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "NeD Worm",
|
"value": "NeD Worm",
|
||||||
"refs": ["http://www.clearskysec.com/dustysky/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://www.clearskysec.com/dustysky/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "NewCT",
|
"value": "NewCT",
|
||||||
"refs": ["https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Nflog",
|
"value": "Nflog",
|
||||||
"refs": ["https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Janicab",
|
"value": "Janicab",
|
||||||
"refs": ["http://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Jripbot",
|
"value": "Jripbot",
|
||||||
"synonyms": ["Jiripbot"],
|
"meta": {
|
||||||
"refs": ["http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf"]
|
"synonyms": [
|
||||||
|
"Jiripbot"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Jolob",
|
"value": "Jolob",
|
||||||
"refs": ["http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "IsSpace",
|
"value": "IsSpace",
|
||||||
"refs": ["https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Hoardy",
|
"value": "Hoardy",
|
||||||
"synonyms": ["Hoarde", "Phindolp", "BS2005"]
|
"meta": {
|
||||||
|
"synonyms": [
|
||||||
|
"Hoarde",
|
||||||
|
"Phindolp",
|
||||||
|
"BS2005"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Htran",
|
"value": "Htran",
|
||||||
"refs": ["http://www.secureworks.com/research/threats/htran/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://www.secureworks.com/research/threats/htran/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "HTTPBrowser",
|
"value": "HTTPBrowser",
|
||||||
"synonyms": ["TokenControl"],
|
"meta": {
|
||||||
"refs": ["https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"]
|
"synonyms": [
|
||||||
|
"TokenControl"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Disgufa"
|
"value": "Disgufa"
|
||||||
|
@ -406,141 +614,288 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Snifula",
|
"value": "Snifula",
|
||||||
"synonyms": ["Ursnif"],
|
"meta": {
|
||||||
"refs": ["https://www.circl.lu/pub/tr-13/"]
|
"synonyms": [
|
||||||
|
"Ursnif"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"https://www.circl.lu/pub/tr-13/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Aumlib",
|
"value": "Aumlib",
|
||||||
"synonyms": ["Yayih", "mswab", "Graftor"],
|
"meta": {
|
||||||
"refs": ["http://www.cybersquared.com/killing-with-a-borrowed-knife-chaining-core-cloud-service-profile-infrastructure-for-cyber-attacks"]
|
"synonyms": [
|
||||||
|
"Yayih",
|
||||||
|
"mswab",
|
||||||
|
"Graftor"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"http://www.cybersquared.com/killing-with-a-borrowed-knife-chaining-core-cloud-service-profile-infrastructure-for-cyber-attacks"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "CTRat",
|
"value": "CTRat",
|
||||||
"refs": ["http://www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Emdivi",
|
"value": "Emdivi",
|
||||||
"synonyms": ["Newsripper"],
|
"meta": {
|
||||||
"refs": ["http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan"]
|
"synonyms": [
|
||||||
|
"Newsripper"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Etumbot",
|
"value": "Etumbot",
|
||||||
"synonyms": ["Exploz", "Specfix", "RIPTIDE"],
|
"meta": {
|
||||||
"refs": ["www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf"]
|
"synonyms": [
|
||||||
|
"Exploz",
|
||||||
|
"Specfix",
|
||||||
|
"RIPTIDE"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Fexel",
|
"value": "Fexel",
|
||||||
"synonyms": ["Loneagent"]
|
"meta": {
|
||||||
|
"synonyms": [
|
||||||
|
"Loneagent"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Fysbis",
|
"value": "Fysbis",
|
||||||
"refs": ["http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Hikit",
|
"value": "Hikit",
|
||||||
"refs": ["https://blog.bit9.com/2013/02/25/bit9-security-incident-update/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://blog.bit9.com/2013/02/25/bit9-security-incident-update/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Hancitor",
|
"value": "Hancitor",
|
||||||
"refs": ["https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear"],
|
"meta": {
|
||||||
"synonyms": ["Tordal","Chanitor"]
|
"refs": [
|
||||||
|
"https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Tordal",
|
||||||
|
"Chanitor"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Ruckguv",
|
"value": "Ruckguv",
|
||||||
"refs": ["https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "HerHer Trojan",
|
"value": "HerHer Trojan",
|
||||||
"refs": ["http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Helminth backdoor",
|
"value": "Helminth backdoor",
|
||||||
"refs": ["http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "HDRoot",
|
"value": "HDRoot",
|
||||||
"refs": ["http://williamshowalter.com/a-universal-windows-bootkit/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://williamshowalter.com/a-universal-windows-bootkit/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "IRONGATE",
|
"value": "IRONGATE",
|
||||||
"refs": ["https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "ShimRAT",
|
"value": "ShimRAT",
|
||||||
"refs": ["https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "X-Agent",
|
"value": "X-Agent",
|
||||||
"refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/"],
|
"meta": {
|
||||||
"synonyms": ["XAgent"]
|
"refs": [
|
||||||
|
"http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"XAgent"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "X-Tunnel",
|
"value": "X-Tunnel",
|
||||||
"synonyms": ["XTunnel"]
|
"meta": {
|
||||||
|
"synonyms": [
|
||||||
|
"XTunnel"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Foozer",
|
"value": "Foozer",
|
||||||
"refs": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "WinIDS",
|
"value": "WinIDS",
|
||||||
"refs": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "DownRange",
|
"value": "DownRange",
|
||||||
"refs": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Mad Max",
|
"value": "Mad Max",
|
||||||
"refs": ["https://www.arbornetworks.com/blog/asert/mad-max-dga/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.arbornetworks.com/blog/asert/mad-max-dga/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Crimson",
|
"value": "Crimson",
|
||||||
"description": "Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims",
|
"description": "Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims",
|
||||||
"refs": ["https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Prikormka",
|
"value": "Prikormka",
|
||||||
"description": "Operation Groundbait based on our research into the Prikormka malware family. This includes detailed technical analysis of the Prikormka malware family and its spreading mechanisms, and a description of the most noteworthy attack campaigns.",
|
"description": "Operation Groundbait based on our research into the Prikormka malware family. This includes detailed technical analysis of the Prikormka malware family and its spreading mechanisms, and a description of the most noteworthy attack campaigns.",
|
||||||
"refs": ["http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "NanHaiShu",
|
"value": "NanHaiShu",
|
||||||
"description": "This whitepaper details a malicious program we identify as NanHaiShu. Based on our analysis, the threat actor behind this malware targets government and private-sector organizations.",
|
"description": "This whitepaper details a malicious program we identify as NanHaiShu. Based on our analysis, the threat actor behind this malware targets government and private-sector organizations.",
|
||||||
"refs": ["https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Umbreon",
|
"value": "Umbreon",
|
||||||
"description": "Umbreon (sharing the same name as the Pokémon) targets Linux systems, including systems running both Intel and ARM processors, expanding the scope of this threat to include embedded devices as well.",
|
"description": "Umbreon (sharing the same name as the Pokémon) targets Linux systems, including systems running both Intel and ARM processors, expanding the scope of this threat to include embedded devices as well.",
|
||||||
"refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Odinaff",
|
"value": "Odinaff",
|
||||||
"description": "Odinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013–Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.",
|
"description": "Odinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013–Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.",
|
||||||
"refs": ["https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"]
|
"refs": [
|
||||||
|
"https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
|
||||||
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Hworm",
|
"value": "Hworm",
|
||||||
"description": "Unit 42 has observed a new version of Hworm (or Houdini) being used within multiple attacks. This blog outlines technical details of this new Hworm version and documents an attack campaign making use of the backdoor. Of the samples used in this attack, the first we observed were June 2016, while as-of publication we were still seeing attacks as recently as mid-October, suggesting that this is likely an active, ongoing campaign.",
|
"description": "Unit 42 has observed a new version of Hworm (or Houdini) being used within multiple attacks. This blog outlines technical details of this new Hworm version and documents an attack campaign making use of the backdoor. Of the samples used in this attack, the first we observed were June 2016, while as-of publication we were still seeing attacks as recently as mid-October, suggesting that this is likely an active, ongoing campaign.",
|
||||||
"refs": ["http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/"],
|
"meta": {
|
||||||
"synonyms": ["Houdini"]
|
"refs": [
|
||||||
|
"http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Houdini"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Backdoor.Dripion",
|
"value": "Backdoor.Dripion",
|
||||||
"description": "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.",
|
"description": "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.",
|
||||||
"refs": ["http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan"],
|
"meta": {
|
||||||
"synonyms": ["Dripion"]
|
"refs": [
|
||||||
|
"http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Dripion"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Adwind",
|
"value": "Adwind",
|
||||||
"description": "Adwind is a backdoor written purely in Java that targets system supporting the Java runtime environment. Commands that can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. A significant amount of additional functionality can be provided through downloadable plugins, including such things as remote control options and shell command execution.",
|
"description": "Adwind is a backdoor written purely in Java that targets system supporting the Java runtime environment. Commands that can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. A significant amount of additional functionality can be provided through downloadable plugins, including such things as remote control options and shell command execution.",
|
||||||
"refs": ["https://securelist.com/blog/research/73660/adwind-faq/"],
|
"meta": {
|
||||||
"synonyms": ["AlienSpy", "Frutas", "Unrecom", "Sockrat", "JSocket", "jRat"]
|
"refs": [
|
||||||
|
"https://securelist.com/blog/research/73660/adwind-faq/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"AlienSpy",
|
||||||
|
"Frutas",
|
||||||
|
"Unrecom",
|
||||||
|
"Sockrat",
|
||||||
|
"JSocket",
|
||||||
|
"jRat"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Angler EK",
|
"value": "Angler EK",
|
||||||
"description": "Angler Exploit Kit is a hacking tool that is produced to search for Java and Flash Player vulnerabilities on the attacked PC and use them with the aim to distribute malware infections. Angler Exploit Kit commonly checks to see if the PC it is proliferating to has Java or Flash.",
|
"description": "Angler Exploit Kit is a hacking tool that is produced to search for Java and Flash Player vulnerabilities on the attacked PC and use them with the aim to distribute malware infections. Angler Exploit Kit commonly checks to see if the PC it is proliferating to has Java or Flash.",
|
||||||
"refs": ["http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-angler-exploit-kit-part-1-exploit-kit-fundamentals/", "https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-angler-exploit-kit-part-1-exploit-kit-fundamentals/",
|
||||||
|
"https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Bedep"
|
"value": "Bedep"
|
||||||
|
@ -558,8 +913,14 @@
|
||||||
{
|
{
|
||||||
"value": "Dridex",
|
"value": "Dridex",
|
||||||
"description": "Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.",
|
"description": "Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.",
|
||||||
"refs": ["http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf"],
|
"meta": {
|
||||||
"synonyms": ["Cridex"]
|
"refs": [
|
||||||
|
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Cridex"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Fareit"
|
"value": "Fareit"
|
||||||
|
@ -569,8 +930,14 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Gamarue",
|
"value": "Gamarue",
|
||||||
"refs": ["https://blog.gdatasoftware.com/2015/03/24274-the-andromeda-gamarue-botnet-is-on-the-rise-again"],
|
"meta": {
|
||||||
"synonyms": ["Andromeda"]
|
"refs": [
|
||||||
|
"https://blog.gdatasoftware.com/2015/03/24274-the-andromeda-gamarue-botnet-is-on-the-rise-again"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Andromeda"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Locky",
|
"value": "Locky",
|
||||||
|
@ -579,19 +946,35 @@
|
||||||
{
|
{
|
||||||
"value": "Necurs",
|
"value": "Necurs",
|
||||||
"description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.",
|
"description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.",
|
||||||
"refs": ["https://en.wikipedia.org/wiki/Necurs_botnet"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://en.wikipedia.org/wiki/Necurs_botnet"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Nuclear Pack",
|
"value": "Nuclear Pack",
|
||||||
"synonyms": ["Nuclear EK"]
|
"meta": {
|
||||||
|
"synonyms": [
|
||||||
|
"Nuclear EK"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Palevo"
|
"value": "Palevo"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Akbot",
|
"value": "Akbot",
|
||||||
"refs": ["https://en.wikipedia.org/wiki/Akbot"],
|
"meta": {
|
||||||
"synonyms": ["Qbot", "Qakbot", "PinkSlipBot"]
|
"refs": [
|
||||||
|
"https://en.wikipedia.org/wiki/Akbot"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Qbot",
|
||||||
|
"Qakbot",
|
||||||
|
"PinkSlipBot"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Rig EK"
|
"value": "Rig EK"
|
||||||
|
@ -606,34 +989,62 @@
|
||||||
{
|
{
|
||||||
"value": "Vawtrak",
|
"value": "Vawtrak",
|
||||||
"description": "Vawtrak is an information stealing malware family that is primarily used to gain unauthorised access to bank accounts through online banking websites.",
|
"description": "Vawtrak is an information stealing malware family that is primarily used to gain unauthorised access to bank accounts through online banking websites.",
|
||||||
"refs": ["https://www.sophos.com/medialibrary/PDFs/technical%20papers/sophos-vawtrak-international-crimeware-as-a-service-tpna.pdf"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.sophos.com/medialibrary/PDFs/technical%20papers/sophos-vawtrak-international-crimeware-as-a-service-tpna.pdf"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Empire",
|
"value": "Empire",
|
||||||
"description": "Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework",
|
"description": "Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework",
|
||||||
"refs": ["https://github.com/adaptivethreat/Empire"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://github.com/adaptivethreat/Empire"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Explosive",
|
"value": "Explosive",
|
||||||
"description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive. ",
|
"description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive. ",
|
||||||
"refs": ["https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "KeyBoy",
|
"value": "KeyBoy",
|
||||||
"description": "The actors used a new version of “KeyBoy,” a custom backdoor first disclosed by researchers at Rapid7 in June 2013. Their work outlined the capabilities of the backdoor, and exposed the protocols and algorithms used to hide the network communication and configuration data",
|
"description": "The actors used a new version of “KeyBoy,” a custom backdoor first disclosed by researchers at Rapid7 in June 2013. Their work outlined the capabilities of the backdoor, and exposed the protocols and algorithms used to hide the network communication and configuration data",
|
||||||
"refs": ["https://citizenlab.org/2016/11/parliament-keyboy/", "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"]
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://citizenlab.org/2016/11/parliament-keyboy/",
|
||||||
|
"https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Yahoyah",
|
"value": "Yahoyah",
|
||||||
"description": "The attacks in this case are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and is known for heavily targeting Taiwan. One of the attacks used their known Yahoyah malware...",
|
"description": "The attacks in this case are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and is known for heavily targeting Taiwan. One of the attacks used their known Yahoyah malware...",
|
||||||
"refs": ["http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/"],
|
"meta": {
|
||||||
"synonyms": ["W32/Seeav"]
|
"refs": [
|
||||||
|
"http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"W32/Seeav"
|
||||||
|
]
|
||||||
|
}
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 2,
|
"version": 2,
|
||||||
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
|
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
|
||||||
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
|
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
|
||||||
"author": ["Alexandre Dulaunoy", "Florian Roth", "Timo Steffens", "Christophe Vandeplas"],
|
"author": [
|
||||||
|
"Alexandre Dulaunoy",
|
||||||
|
"Florian Roth",
|
||||||
|
"Timo Steffens",
|
||||||
|
"Christophe Vandeplas"
|
||||||
|
],
|
||||||
"source": "MISP Project",
|
"source": "MISP Project",
|
||||||
"type": "tools",
|
"type": "tools",
|
||||||
"name": "Tool"
|
"name": "Tool"
|
||||||
|
|