Merge branch 'MISP:main' into main

This commit is contained in:
Sebastien Larinier 2023-04-19 11:55:57 +02:00 committed by GitHub
commit 926035633f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 12094 additions and 10502 deletions


@ -18,6 +18,7 @@ The objective is to have a comment set of clusters for organizations starting an
to localized information (which is not shared) or additional information (that can be shared). to localized information (which is not shared) or additional information (that can be shared).
# Available Galaxy - clusters # Available Galaxy - clusters
## 360.net Threat Actors ## 360.net Threat Actors
[360.net Threat Actors](https://www.misp-project.org/galaxy.html#_360.net_threat_actors) - Known or estimated adversary groups as identified by 360.net. [360.net Threat Actors](https://www.misp-project.org/galaxy.html#_360.net_threat_actors) - Known or estimated adversary groups as identified by 360.net.
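Review bot: the header says this hunk grows the README by one line (-18,6 +18,7), but no added line is visible in the rendered hunk, so the actual change cannot be reviewed here; the unchanged context in the header, "a comment set of clusters", also reads as a typo for "a common set of clusters" and could be fixed in the same pass.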
@ -148,7 +149,7 @@ Category: *tool* - source: *MISP Project* - total: *52* elements
## FIRST DNS Abuse Techniques Matrix ## FIRST DNS Abuse Techniques Matrix
[FIRST DNS Abuse Techniques Matrix](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internets stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for Tmore information. [FIRST DNS Abuse Techniques Matrix](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internets stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.
Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total: *21* elements Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total: *21* elements
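Review bot: the "Tmore" to "more" fix is correct; since this description line is already being touched, "the open Internets stability" in the same sentence wants the possessive "Internet's".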
@ -382,7 +383,7 @@ Category: *measure* - source: *MISP Project* - total: *20* elements
[Ransomware](https://www.misp-project.org/galaxy.html#_ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar [Ransomware](https://www.misp-project.org/galaxy.html#_ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar
Category: *tool* - source: *Various* - total: *1624* elements Category: *tool* - source: *Various* - total: *1649* elements
[[HTML](https://www.misp-project.org/galaxy.html#_ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)] [[HTML](https://www.misp-project.org/galaxy.html#_ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)]
@ -422,7 +423,7 @@ Category: *sector* - source: *CERT-EU* - total: *117* elements
[Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules. [Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules.
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2665* elements Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2696* elements
[[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)] [[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
@ -446,7 +447,7 @@ Category: *sod-matrix* - source: *https://github.com/cudeso/SoD-Matrix* - total:
[Stealer](https://www.misp-project.org/galaxy.html#_stealer) - A list of malware stealer. [Stealer](https://www.misp-project.org/galaxy.html#_stealer) - A list of malware stealer.
Category: *tool* - source: *Open Sources* - total: *11* elements Category: *tool* - source: *Open Sources* - total: *12* elements
[[HTML](https://www.misp-project.org/galaxy.html#_stealer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/stealer.json)] [[HTML](https://www.misp-project.org/galaxy.html#_stealer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/stealer.json)]
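Review bot: the unchanged context "A list of malware stealer." is ungrammatical and should read "A list of malware stealers."; this README text appears to be generated from the cluster's own description, so the fix belongs in the stealer cluster JSON rather than only here.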
@ -470,7 +471,7 @@ Category: *target* - source: *Various* - total: *240* elements
[TDS](https://www.misp-project.org/galaxy.html#_tds) - TDS is a list of Traffic Direction System used by adversaries [TDS](https://www.misp-project.org/galaxy.html#_tds) - TDS is a list of Traffic Direction System used by adversaries
Category: *tool* - source: *MISP Project* - total: *10* elements Category: *tool* - source: *MISP Project* - total: *11* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tds)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tds.json)] [[HTML](https://www.misp-project.org/galaxy.html#_tds)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tds.json)]
@ -486,7 +487,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. [Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Category: *actor* - source: *MISP Project* - total: *408* elements Category: *actor* - source: *MISP Project* - total: *418* elements
[[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] [[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
@ -494,7 +495,7 @@ Category: *actor* - source: *MISP Project* - total: *408* elements
[Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries. [Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
Category: *tool* - source: *MISP Project* - total: *545* elements Category: *tool* - source: *MISP Project* - total: *549* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)] [[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)]


@ -205,7 +205,16 @@
}, },
"uuid": "2cef78bd-f097-4477-8888-79359042b515", "uuid": "2cef78bd-f097-4477-8888-79359042b515",
"value": "BOLDMOVE" "value": "BOLDMOVE"
},
{
"meta": {
"refs": [
"https://securelist.com/bad-magic-apt/109087/"
]
},
"uuid": "c866b002-1cb6-4c91-8a8b-f0b0c6ac2b1a",
"value": "PowerMagic"
} }
], ],
"version": 14 "version": 15
} }
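Review bot: the new PowerMagic entry carries a "refs" link but no "description", so the cluster gains a bare name with no context; add a one-sentence description taken from the linked Securelist write-up (the bad-magic-apt report the URL points to) so consumers know what the entry denotes. The version bump to 15 is present, as required for a changed cluster.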


@ -1402,7 +1402,27 @@
}, },
"uuid": "b6919400-9b16-48ae-8379-fab26a506e32", "uuid": "b6919400-9b16-48ae-8379-fab26a506e32",
"value": "KmsdBot" "value": "KmsdBot"
},
{
"description": "Akamai researchers on the Security Intelligence Response Team (SIRT) have discovered a new Go-based, DDoS-focused botnet. The malware appears to have been named “Hinata” by the malware author after a character from the popular anime series, Naruto. We are calling it “HinataBot.” Looks like an attempt to rewrite Mirai in Go. The threat actors behind HinataBot originally distributed Mirai binaries.",
"meta": {
"refs": [
"https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet",
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.hinata_bot"
]
},
"related": [
{
"dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "040f2e89-b8be-4150-9426-c30f75e858a2",
"value": "HinataBot"
} }
], ],
"version": 30 "version": 31
} }
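Review bot: the HinataBot description mixes quoted Akamai text written in the first person ("We are calling it “HinataBot.”") with the contributor's own remarks ("Looks like an attempt to rewrite Mirai in Go"); rephrase in the third person or mark the quoted part so a reader can tell the vendor statement from galaxy commentary. The "related" block points at dest-uuid fcdfd4af-da35-49a8-9610-19be8a487185 with type "similar"; confirm that this resolves to the Mirai entry the description refers to, since the hunk itself does not name the target.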


@ -319,7 +319,871 @@
], ],
"uuid": "d7247cf9-13b6-4781-b789-a5f33521633b", "uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
"value": "NOBELIUM" "value": "NOBELIUM"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "China",
"synonyms": [
"APT41",
"BARIUM"
]
},
"uuid": "2fc42ffc-dd1a-560e-ac97-05e8fa27bbe5",
"value": "Brass Typhoon"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "China",
"synonyms": [
"CHROMIUM",
"ControlX"
]
},
"uuid": "3f8b7c98-7484-523f-9d58-181274e6fc8f",
"value": "Charcoal Typhoon"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "China",
"synonyms": [
"DEV-0322"
]
},
"uuid": "0bebd962-191a-5671-b5b0-f6de7c8180fc",
"value": "Circle Typhoon"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "China",
"synonyms": [
"APT40",
"GADOLINIUM",
"Kryptonite Panda",
"Leviathan",
"TEMP.Periscope"
]
},
"uuid": "dbc45b46-5b64-50d4-b0f1-d7de888d4e85",
"value": "Gingham Typhoon"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "China",
"synonyms": [
"GALLIUM"
]
},
"uuid": "ae4036de-c901-5f21-808a-f5c071ef509b",
"value": "Granite Typhoon"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "China",
"synonyms": [
"DEV-0234"
]
},
"uuid": "aa45a89c-4c2b-5f6b-9a3d-51abccaa9623",
"value": "Lilac Typhoon"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "China",
"synonyms": [
"APT5",
"Keyhole Panda",
"MANGANESE",
"TABCTENG"
]
},
"uuid": "fa562b27-d3ff-5e7c-9079-c957eb01a0e0",
"value": "Mulberry Typhoon"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "China",
"synonyms": [
"APT15",
"NICKEL",
"Vixen Panda",
"ke3chang"
]
},
"uuid": "66571167-13fe-5817-93e0-54ae8f206fdc",
"value": "Nylon Typhoon"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "China",
"synonyms": [
"APT30",
"LotusBlossom",
"RADIUM"
]
},
"uuid": "b3c378fc-1ce3-5a46-a32e-f55a584c6536",
"value": "Raspberry Typhoon"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "China",
"synonyms": [
"HAFNIUM"
]
},
"uuid": "9728610a-17cb-5cac-9322-ef19ae296a29",
"value": "Silk Typhoon"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "China",
"synonyms": [
"APT31",
"ZIRCONIUM"
]
},
"uuid": "27eb4928-b3e6-5ae1-bbb6-f73bce8d7c69",
"value": "Violet Typhoon"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Financially motivated",
"synonyms": [
"Bronze Starlight",
"DEV-0401",
"Emperor Dragonfly"
]
},
"uuid": "43fe584d-88e5-5f2b-a9fd-a866e62040bb",
"value": "Cinnamon Tempest"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Financially motivated",
"synonyms": [
"DEV-0950",
"FIN11",
"TA505"
]
},
"uuid": "b27dcdee-14b1-5842-86b3-32eacec94584",
"value": "Lace Tempest"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Financially motivated",
"synonyms": [
"DEV-0206",
"Purple Vallhund"
]
},
"uuid": "1b1524f4-16b0-5b85-aea4-844babea4ccb",
"value": "Mustard Tempest"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Financially motivated",
"synonyms": [
"DEV-0193",
"UNC2053",
"Wizard Spider"
]
},
"uuid": "120dc1ae-e850-5059-a4fb-520748ca6881",
"value": "Periwinkle Tempest"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Financially motivated",
"synonyms": [
"Choziosi loader",
"Chrome Loader",
"ClickPirate",
"DEV-0796"
]
},
"uuid": "3c9a0350-8d17-5624-872c-fe44969a5888",
"value": "Phlox Tempest"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Financially motivated",
"synonyms": [
"DEV-0237",
"FIN12"
]
},
"uuid": "567ea386-a78f-5550-ae7c-9c9eacdf45af",
"value": "Pistachio Tempest"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Financially motivated",
"synonyms": [
"Carbon Spider",
"ELBRUS",
"FIN7"
]
},
"uuid": "9471ad21-0553-5483-bf7c-e6ad9c062c79",
"value": "Sangria Tempest"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Financially motivated",
"synonyms": [
"CHIMBORAZO",
"TA505"
]
},
"uuid": "c85120d0-c397-5d30-9d57-3b019090acd5",
"value": "Spandex Tempest"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Financially motivated",
"synonyms": [
"DEV-0537",
"LAPSUS$"
]
},
"uuid": "d4dfb329-822c-5db3-a078-a8c0f77924da",
"value": "Strawberry Tempest"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Financially motivated",
"synonyms": [
"DEV-0832"
]
},
"uuid": "a01da064-988c-5ad3-92c6-9537adb6a5f0",
"value": "Vanilla Tempest"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Financially motivated",
"synonyms": [
"DEV-0504"
]
},
"uuid": "0662a721-a92e-50b3-a5ac-0c4142ac9aeb",
"value": "Velvet Tempest"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Financially motivated",
"synonyms": [
"PARINACOTA",
"Wadhrama"
]
},
"uuid": "5939e42e-06d0-5719-8072-62f0fc0821e8",
"value": "Wine Tempest"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Group in development",
"synonyms": [
"DEV-0257",
"UNC1151"
]
},
"uuid": "60ac9e2c-b3b2-5c6b-913e-935952e14c28",
"value": "Storm-0257"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Iran",
"synonyms": [
"NEPTUNIUM",
"Vice Leaker"
]
},
"uuid": "b06ff51a-77e7-5b7f-9938-4a2d37bce5a4",
"value": "Cotton Sandstorm"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Iran",
"synonyms": [
"CURIUM",
"TA456",
"Tortoise Shell"
]
},
"uuid": "b76e22b0-26a4-50ca-b876-09bc90a81b3b",
"value": "Crimson Sandstorm"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Iran",
"synonyms": [
"DEV-0228"
]
},
"uuid": "badacab7-5097-5817-8516-d8a72de2a71b",
"value": "Cuboid Sandstorm"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Iran",
"synonyms": [
"DEV-0343"
]
},
"uuid": "395473c6-be98-5369-82d1-cdbc97b3fddc",
"value": "Gray Sandstorm"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Iran",
"synonyms": [
"APT34",
"Cobalt Gypsy",
"EUROPIUM",
"OilRig"
]
},
"uuid": "b6260d6d-a2f7-5b79-8132-5c456a225f53",
"value": "Hazel Sandstorm"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Iran",
"synonyms": [
"Fox Kitten",
"PioneerKitten",
"RUBIDIUM",
"UNC757"
]
},
"uuid": "0757856a-1313-57d8-bb6c-f4c537e110da",
"value": "Lemon Sandstorm"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Iran",
"synonyms": [
"MERCURY",
"MuddyWater",
"SeedWorm",
"Static Kitten",
"TEMP.Zagros"
]
},
"uuid": "da68ca6d-250f-50f1-a585-240475fdbb35",
"value": "Mango Sandstorm"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Iran",
"synonyms": [
"DEV-0500",
"Moses Staff"
]
},
"uuid": "ef415059-e150-5324-877e-44b65ab022f5",
"value": "Marigold Sandstorm"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Iran",
"synonyms": [
"APT35",
"Charming Kitten",
"PHOSPHORUS"
]
},
"uuid": "400cd1b8-52b7-5a5c-984f-9b4af35ea231",
"value": "Mint Sandstorm"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Iran",
"synonyms": [
"APT33",
"HOLMIUM",
"Refined Kitten"
]
},
"uuid": "4c0f085a-70b1-5ee6-a45a-dc368f03e701",
"value": "Peach Sandstorm"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Iran",
"synonyms": [
"AMERICIUM",
"Agrius",
"BlackShadow",
"Deadwood",
"SharpBoys"
]
},
"uuid": "cca311c0-dc91-5aee-b282-5e412040dac3",
"value": "Pink Sandstorm"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Iran",
"synonyms": [
"DEV-0146",
"ZeroCleare"
]
},
"uuid": "562049d7-78f5-5a65-b7db-c509c9f483f7",
"value": "Pumpkin Sandstorm"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Iran",
"synonyms": [
"BOHRIUM"
]
},
"uuid": "4426d375-1435-5ccc-8c1f-f8688bd11f80",
"value": "Smoke Sandstorm"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Lebanon",
"synonyms": [
"POLONIUM"
]
},
"uuid": "ce5357da-0e15-5022-bd4f-74aa689d0b2e",
"value": "Plaid Rain"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "North Korea",
"synonyms": [
"Labyrinth Chollima",
"Lazarus",
"ZINC"
]
},
"uuid": "9630b0aa-ee9e-5b58-9f79-cf7fa8d291a8",
"value": "Diamond Sleet"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "North Korea",
"synonyms": [
"Kimsuky",
"THALLIUM",
"Velvet Chollima"
]
},
"uuid": "44be06b1-e17a-5ea6-a0a2-067933a7af77",
"value": "Emerald Sleet"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "North Korea",
"synonyms": [
"Konni",
"OSMIUM"
]
},
"uuid": "5163b2d9-7521-5225-a7a8-88d881fbc406",
"value": "Opal Sleet"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "North Korea",
"synonyms": [
"LAWRENCIUM"
]
},
"uuid": "1c5c67ad-c241-5103-99d0-daab5a554b0d",
"value": "Pearl Sleet"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "North Korea",
"synonyms": [
"CERIUM"
]
},
"uuid": "c29e7262-6a6f-501d-8c00-57f75f2172a3",
"value": "Ruby Sleet"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "North Korea",
"synonyms": [
"BlueNoroff",
"COPERNICIUM",
"Genie Spider"
]
},
"uuid": "3a32c54d-d86a-55de-b16a-d9a08a5cf49b",
"value": "Sapphire Sleet"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "North Korea",
"synonyms": [
"DEV-0530",
"H0lyGh0st"
]
},
"uuid": "ab314f1c-8d07-5edb-bb32-64d1105f74ff",
"value": "Storm-0530"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Private Sector Offensive Actor",
"synonyms": [
"Candiru",
"SOURGUM"
]
},
"uuid": "1b15288c-ff19-5f52-8c4b-6185de934ff8",
"value": "Caramel Tsunami"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Private Sector Offensive Actor",
"synonyms": [
"DSIRF",
"KNOTWEED"
]
},
"uuid": "9a4a662a-84a9-5b86-b241-7c5eef9cea4d",
"value": "Denim Tsunami"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Private Sector Offensive Actor",
"synonyms": [
"DEV-0336",
"NSO Group"
]
},
"uuid": "af54315b-3561-5046-8b9b-c3e9e05c0f77",
"value": "Night Tsunami"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Private Sector Offensive Actor",
"synonyms": [
"CyberRoot",
"DEV-0605"
]
},
"uuid": "2263b6c9-861a-5971-b882-9ea4a84fcf74",
"value": "Wisteria Tsunami"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Russia",
"synonyms": [
"ACTINIUM",
"Gamaredon",
"Primitive Bear",
"UNC530"
]
},
"uuid": "fc77a775-d06f-5efc-a6fa-0b2af01902a7",
"value": "Aqua Blizzard"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Russia",
"synonyms": [
"DEV-0586"
]
},
"uuid": "7f190457-6829-55c4-9b6b-bccdadb747cb",
"value": "Cadet Blizzard"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Russia",
"synonyms": [
"APT28",
"Fancy Bear",
"STRONTIUM"
]
},
"uuid": "8d84d7b0-7716-5ab3-a3a4-f373dd148347",
"value": "Forest Blizzard"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Russia",
"synonyms": [
"BROMINE",
"Crouching Yeti",
"Energetic Bear"
]
},
"uuid": "45d0f984-2b63-517b-922a-12924bcf4f68",
"value": "Ghost Blizzard"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Russia",
"synonyms": [
"APT29",
"Cozy Bear",
"NOBELIUM"
]
},
"uuid": "31982812-c8bf-5e85-b0ba-0c64a7d05d20",
"value": "Midnight Blizzard"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Russia",
"synonyms": [
"IRIDIUM",
"Sandworm"
]
},
"uuid": "473eb51c-36cb-5e3a-8347-2f57df809be9",
"value": "Seashell Blizzard"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Russia",
"synonyms": [
"Callisto",
"Reuse Team",
"SEABORGIUM"
]
},
"uuid": "06630ccd-98ed-5aec-8083-e04c894bd2d6",
"value": "Star Blizzard"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Russia",
"synonyms": [
"DEV-0665"
]
},
"uuid": "79f8646f-d127-51b7-b502-b096b445c322",
"value": "Sunglow Blizzard"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "South Korea",
"synonyms": [
"DUBNIUM",
"Dark Hotel",
"Tapaoux"
]
},
"uuid": "0a4ddab3-a1a6-5372-b11f-5edc25c0e548",
"value": "Zigzag Hail"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Turkey",
"synonyms": [
"SILICON",
"Sea Turtle"
]
},
"uuid": "fc91881e-92c0-5a63-a0b9-b253958a594e",
"value": "Marbled Dust"
},
{
"meta": {
"refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
],
"sector": "Vietnam",
"synonyms": [
"APT32",
"BISMUTH",
"OceanLotus"
]
},
"uuid": "37808cab-cbb3-560b-bebd-375fa328ea1e",
"value": "Canvas Cyclone"
} }
], ],
"version": 11 "version": 12
} }
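Review bot: "TA505" is listed as a synonym of both Lace Tempest (alongside DEV-0950, FIN11) and Spandex Tempest (alongside CHIMBORAZO), so a lookup on that name resolves to two clusters; either keep it on one entry or explain the overlap in a description. Likewise "NOBELIUM" already exists as a value in this cluster (the context line just above the hunk) and is now also a synonym of Midnight Blizzard; the older entry should be deprecated or connected through "related" rather than left as a duplicate. The "sector" key is carrying attribution labels ("China", "Iran", "Financially motivated", "Group in development", "Private Sector Offensive Actor") rather than a targeted sector; a "country" key for the nation-state rows and a separate motivation field would keep the meta semantics consistent. Finally, every new entry cites the same Microsoft naming page and none has a description; a short description per actor would make the cluster usable on its own.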


@ -0,0 +1,24 @@
{
"authors": [
"MISP Project"
],
"category": "tool",
"description": "Known public online services.",
"name": "online-service",
"source": "Open Sources",
"type": "online-service",
"uuid": "c0a960b6-bba4-4914-8d54-87011aaf447e",
"values": [
{
"description": "Your wiki, docs, & projects. Together. Notion is the connected workspace where better, faster work happens.",
"meta": {
"refs": [
"https://www.notion.so/product"
]
},
"uuid": "5c807e49-dc90-4f80-b044-49bb990acb61",
"value": "Notion"
}
],
"version": 1
}
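Review bot: the Notion entry's description is vendor marketing copy ("Your wiki, docs, & projects. Together. ...") and says nothing about why the service is tracked in a threat-intelligence galaxy; replace it with a neutral one-line description, and make the cluster description ("Known public online services.") state what role these services play for the galaxy's consumers. The README hunk earlier in this commit shows no section for the new online-service cluster, so check that the README and the matching galaxy definition are regenerated or added alongside this new file.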


@ -3878,6 +3878,9 @@
"extensions": [ "extensions": [
".karma" ".karma"
], ],
"links": [
"http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion"
],
"payment-method": "Bitcoin", "payment-method": "Bitcoin",
"price": "0.5", "price": "0.5",
"ransomnotes-filenames": [ "ransomnotes-filenames": [
@ -11475,6 +11478,9 @@
{ {
"description": "The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user's desktop, named in the format: RESTORE_INFO-[id].txt. For example: RESTORE_INFO-4ABFA0EF.txt\n In addition, SynAck also appends its own extension at the end of all files it encrypted. This file extensions format is ten random alpha characters for each file. For example: test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.", "description": "The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user's desktop, named in the format: RESTORE_INFO-[id].txt. For example: RESTORE_INFO-4ABFA0EF.txt\n In addition, SynAck also appends its own extension at the end of all files it encrypted. This file extensions format is ten random alpha characters for each file. For example: test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.",
"meta": { "meta": {
"links": [
"http://xqkz2rmrqkeqf6sjbrb47jfwnqxcd4o2zvaxxzrpbh2piknms37rw2ad.onion/"
],
"payment-method": "Bitcoin", "payment-method": "Bitcoin",
"price": "2 100 $", "price": "2 100 $",
"ransomnotes-filenames": [ "ransomnotes-filenames": [
@ -13830,6 +13836,11 @@
{ {
"description": "Attackers are actively exploiting a recently disclosed vulnerability in Oracle WebLogic to install a new variant of ransomware called \"Sodinokibi.\" Sodinokibi attempts to encrypt data in a user's directory and delete shadow copy backups to make data recovery more difficult. Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10. Attackers have been making use of this exploit in the wild since at least April 17. Cisco's Incident Response (IR) team, along with Cisco Talos, are actively investigating these attacks and Sodinokibi.", "description": "Attackers are actively exploiting a recently disclosed vulnerability in Oracle WebLogic to install a new variant of ransomware called \"Sodinokibi.\" Sodinokibi attempts to encrypt data in a user's directory and delete shadow copy backups to make data recovery more difficult. Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10. Attackers have been making use of this exploit in the wild since at least April 17. Cisco's Incident Response (IR) team, along with Cisco Talos, are actively investigating these attacks and Sodinokibi.",
"meta": { "meta": {
"links": [
"http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/",
"http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/",
"http://blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion/Blog"
],
"refs": [ "refs": [
"https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html" "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html"
], ],
@ -13870,12 +13881,24 @@
{ {
"description": "A new ransomware family dubbed “Nemty” for the extension it adds to encrypted files has recently surfaced in the wild. According to a report from Bleeping Computer, New York-based reverse engineer Vitali Kremez posits that Nemty is possibly delivered through exposed remote desktop connections.", "description": "A new ransomware family dubbed “Nemty” for the extension it adds to encrypted files has recently surfaced in the wild. According to a report from Bleeping Computer, New York-based reverse engineer Vitali Kremez posits that Nemty is possibly delivered through exposed remote desktop connections.",
"meta": { "meta": {
"links": [
"http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion"
],
"payment-method": "Bitcoin", "payment-method": "Bitcoin",
"price": "1000 $", "price": "1000 $",
"refs": [ "refs": [
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections" "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections"
] ]
}, },
"related": [
{
"dest-uuid": "d12f369c-f776-468a-8abf-8000b1b30642",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "related-to"
}
],
"uuid": "5fb75933-1ed5-4512-a062-d39865eedab0", "uuid": "5fb75933-1ed5-4512-a062-d39865eedab0",
"value": "Nemty" "value": "Nemty"
}, },
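Review bot: the relationship type on the new "related" entry is "related-to" while the LockBit/Lockbit3 pair added elsewhere in this patch uses "similar"; since the Nefilim description introduced in this same patch states that Nefilim "shares much code with Nemty 2.5", "similar" is the more specific choice here, and whichever type is kept, the reverse edge in the Nefilim cluster (dest-uuid 5fb75933-1ed5-4512-a062-d39865eedab0 pointing back to d12f369c-f776-468a-8abf-8000b1b30642) should use the same type so the two edges stay symmetric.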
@ -13965,6 +13988,9 @@
"description": "Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.", "description": "Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.",
"meta": { "meta": {
"encryption": "ChaCha20 and RSA", "encryption": "ChaCha20 and RSA",
"links": [
"http://xfr3txoorcyy7tikjgj5dk3rvo3vsrpyaxnclyohkbfp3h277ap4tiad.onion"
],
"refs": [ "refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.maze", "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze",
"https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/", "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/",
@ -14131,6 +14157,9 @@
{ {
"description": "Detected in April 2019. Known for paralyzing the cities of Baltimore and Greenville. Probably also exfiltrate data", "description": "Detected in April 2019. Known for paralyzing the cities of Baltimore and Greenville. Probably also exfiltrate data",
"meta": { "meta": {
"links": [
"https://robinhoodleaks.tumblr.com"
],
"refs": [ "refs": [
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf" "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf"
], ],
@ -14212,6 +14241,9 @@
".locked", ".locked",
".pysa" ".pysa"
], ],
"links": [
"http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/partners.html"
],
"ransomnotes-filenames": [ "ransomnotes-filenames": [
"RECOVER_YOUR_DATA.txt" "RECOVER_YOUR_DATA.txt"
], ],
@ -14270,6 +14302,9 @@
"extensions": [ "extensions": [
".encrypt" ".encrypt"
], ],
"links": [
"http://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id.onion"
],
"ransomnotes": [ "ransomnotes": [
"All your data has been locked(crypted).\nHow to unclock(decrypt) instruction located in this TOR website:\nhttp://sg3dwqfpnr4sl5hh.onion/order/[Bitcoin address]\nUse TOR browser for access .onion websites.\nhttps://duckduckgo.com/html?q=tor+browser+how+to\n\nDo NOT remove this file and NOT remove last line in this file!\n[base64 encoded encrypted data]" "All your data has been locked(crypted).\nHow to unclock(decrypt) instruction located in this TOR website:\nhttp://sg3dwqfpnr4sl5hh.onion/order/[Bitcoin address]\nUse TOR browser for access .onion websites.\nhttps://duckduckgo.com/html?q=tor+browser+how+to\n\nDo NOT remove this file and NOT remove last line in this file!\n[base64 encoded encrypted data]"
], ],
@ -14323,6 +14358,10 @@
{ {
"description": "SunCrypt ransomware was discovered in October 2019 and in August 2020 it was added to Maze ransomwares cartel. It also follows some of Mazes tactics, techniques, and procedures. SunCrypt is launched and installed using an obfuscated PowerShell script. Infected email attachments (macros), torrent websites, malicious ads act as carriers for this ransomware.", "description": "SunCrypt ransomware was discovered in October 2019 and in August 2020 it was added to Maze ransomwares cartel. It also follows some of Mazes tactics, techniques, and procedures. SunCrypt is launched and installed using an obfuscated PowerShell script. Infected email attachments (macros), torrent websites, malicious ads act as carriers for this ransomware.",
"meta": { "meta": {
"links": [
"http://x2miyuiwpib2imjr5ykyjngdu7v6vprkkhjltrk4qafymtawey4qzwid.onion/",
"http://nbzzb6sa6xuura2z.onion"
],
"ransomnotes-filenames": [ "ransomnotes-filenames": [
"YOUR_FILES_ARE_ENCRYPTED.HTML" "YOUR_FILES_ARE_ENCRYPTED.HTML"
], ],
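Review bot: the second link, "http://nbzzb6sa6xuura2z.onion", is a 16-character v2 onion address; Tor dropped support for v2 onion services in late 2021, so this and the other v2 addresses added in this patch (for example the rgleak7op734elep and p6o7m73ujalhgkiv entries under Ragnar Locker and lockbitkodidilol under LockBit) are historical rather than reachable infrastructure. They are still worth keeping for attribution and log correlation, but a short note in the description or a dedicated meta key distinguishing historical from current sites would stop consumers from treating them as live indicators.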
@ -14349,6 +14388,9 @@
".abcd", ".abcd",
".LockBit" ".LockBit"
], ],
"links": [
"http://lockbitkodidilol.onion"
],
"ransomnotes-filenames": [ "ransomnotes-filenames": [
"Restore-My-Files.txt" "Restore-My-Files.txt"
], ],
@ -14363,6 +14405,15 @@
"ABCD ransomware" "ABCD ransomware"
] ]
}, },
"related": [
{
"dest-uuid": "c09f73fd-c3c3-42b1-b355-b03ca4941110",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8eda8bf1-db5a-412d-8511-45e2f7621d51", "uuid": "8eda8bf1-db5a-412d-8511-45e2f7621d51",
"value": "LockBit" "value": "LockBit"
}, },
@ -14427,6 +14478,9 @@
".dbe", ".dbe",
".0s" ".0s"
], ],
"links": [
"http://rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion/"
],
"ransomnotes": [ "ransomnotes": [
"Greetings, Texas Department of Transportation!\nRead this message CAREFULLY and contact someone from IT department..\nYour files are securely ENCRYPTED.\nNo third party decryption software EXISTS.\nMODIFICATION or RENAMING encrypted files may cause decryption failure.\nYou can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all Files\nFrom all aFFected systems ANY TIME.\nEncrypted File SHOULD NOT contain sensitive inFormation (technical, backups, databases, large documents).\nThe rest oF data will be available aFter the PAYMENT.\ninfrastructure rebuild will cost you MUCH more.\nContact us ONLY if you officially represent the whole affected network.\nThe ONLY attachments we accept are non archived encrypted files For test decryption.\nSpeak ENGLISH when contacting us.\nMail us: ***@protonmail.com\nWe kindly ask you not to use GMAIL, YAHOO or LIVE to contact us.\nThe PRICE depends on how quickly you do it. 
" "Greetings, Texas Department of Transportation!\nRead this message CAREFULLY and contact someone from IT department..\nYour files are securely ENCRYPTED.\nNo third party decryption software EXISTS.\nMODIFICATION or RENAMING encrypted files may cause decryption failure.\nYou can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all Files\nFrom all aFFected systems ANY TIME.\nEncrypted File SHOULD NOT contain sensitive inFormation (technical, backups, databases, large documents).\nThe rest oF data will be available aFter the PAYMENT.\ninfrastructure rebuild will cost you MUCH more.\nContact us ONLY if you officially represent the whole affected network.\nThe ONLY attachments we accept are non archived encrypted files For test decryption.\nSpeak ENGLISH when contacting us.\nMail us: ***@protonmail.com\nWe kindly ask you not to use GMAIL, YAHOO or LIVE to contact us.\nThe PRICE depends on how quickly you do it. "
], ],
@ -14487,6 +14541,11 @@
{ {
"description": "Ragnar Locker is a ransomware identified in December 2019 that targetscorporate networks inBig Game Huntingtargeted attacks. This reportpresents recent elements regarding this ransomware.", "description": "Ragnar Locker is a ransomware identified in December 2019 that targetscorporate networks inBig Game Huntingtargeted attacks. This reportpresents recent elements regarding this ransomware.",
"meta": { "meta": {
"links": [
"http://rgleak7op734elep.onion",
"http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/",
"http://p6o7m73ujalhgkiv.onion"
],
"refs": [ "refs": [
"https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/", "https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/",
"https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/", "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
@ -21117,7 +21176,10 @@
{ {
"description": "ransomware", "description": "ransomware",
"meta": { "meta": {
"date": "December 2020" "date": "December 2020",
"links": [
"http://ixltdyumdlthrtgx.onion"
]
}, },
"related": [ "related": [
{ {
@ -21726,6 +21788,11 @@
".marlock01", ".marlock01",
".ReadInstructions" ".ReadInstructions"
], ],
"links": [
"https://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion",
"http://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion/",
"http://medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion"
],
"ransomnotes-filenames": [ "ransomnotes-filenames": [
"how_to_ recover_data.html", "how_to_ recover_data.html",
"how_to_recover_data.html.marlock01", "how_to_recover_data.html.marlock01",
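Review bot: the first two links are the same host and only differ in scheme and trailing slash ("https://qd7pcaf...v5yd.onion" and "http://qd7pcaf...v5yd.onion/"), so one of them should be dropped to keep the list deduplicated. Separately, the extensions (".marlock01", ".ReadInstructions") and note names in this cluster are MedusaLocker's, whereas the third link, "http://medusaxko7...ccyd.onion", is the leak blog of the separately tracked Medusa family; please confirm it belongs to this cluster before merging, since mixing the two families' infrastructure would mislead anyone pivoting from this galaxy.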
@ -21883,7 +21950,21 @@
"value": "NazCrypt" "value": "NazCrypt"
}, },
{ {
"description": "ransomware", "description": "According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is removal of the RaaS component, which was switched to email communications for payments. Uses AES-128, which is then protected RSA2048.",
"meta": {
"links": [
"http://hxt254aygrsziejn.onion"
]
},
"related": [
{
"dest-uuid": "5fb75933-1ed5-4512-a062-d39865eedab0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "related-to"
}
],
"uuid": "d12f369c-f776-468a-8abf-8000b1b30642", "uuid": "d12f369c-f776-468a-8abf-8000b1b30642",
"value": "Nefilim" "value": "Nefilim"
}, },
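Review bot: the last sentence of the new description reads "Uses AES-128, which is then protected RSA2048." and is missing a word; "protected by RSA-2048" is presumably intended. The same fact would also fit the "encryption" meta key this file already uses (the Maze cluster has "encryption": "ChaCha20 and RSA"), for example "encryption": "AES-128 and RSA-2048", which makes it queryable instead of buried in free text. The link "http://hxt254aygrsziejn.onion" is a v2 onion address and is therefore historical.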
@ -22178,7 +22259,12 @@
"value": "Project57" "value": "Project57"
}, },
{ {
"description": "ransomware", "description": "PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that their data can be encrypted. Various processes will also be targeted, such as web browsers and software related to security, backups, and databases. Shadow copies are cleared by the ransomware, and encryption of files occurs once the system has been prepared in this way. Executable files and those that are likely to be important for the system to continue to function appear to be skipped by the ransomware, and a large number of folders mostly related to Microsoft Windows system files are also ignored. As of March 2020, encrypted files have been observed with the added extensions of .key and .pwnd. Ransom notes are dropped in folders where encrypted files are found and also on the user's desktop.",
"meta": {
"links": [
"http://msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion"
]
},
"related": [ "related": [
{ {
"dest-uuid": "421a3805-7741-4315-82c2-6c9aa30d0953", "dest-uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
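Review bot: the new description names concrete, machine-usable details that should also be captured in meta keys this file already uses rather than only in prose: the observed extensions ".key" and ".pwnd" belong in an "extensions" array (as the ".locked"/".pysa" entry does), and the ransom range "$175k USD to $650k USD" could go in "price" alongside "payment-method" as other clusters do. Capturing them structurally lets detection rules and enrichment pull them without parsing the description.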
@ -22733,6 +22819,12 @@
}, },
{ {
"description": "ransomware", "description": "ransomware",
"meta": {
"links": [
"http://hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion",
"https://snatch.press/"
]
},
"uuid": "1a58eeac-26dc-40e6-8182-22cd461ba736", "uuid": "1a58eeac-26dc-40e6-8182-22cd461ba736",
"value": "Snatch" "value": "Snatch"
}, },
@ -23583,6 +23675,11 @@
}, },
{ {
"description": "ransomware", "description": "ransomware",
"meta": {
"links": [
"http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion"
]
},
"uuid": "b8b0933a-896a-45d1-8284-ebc55dff1f98", "uuid": "b8b0933a-896a-45d1-8284-ebc55dff1f98",
"value": "Exorcist" "value": "Exorcist"
}, },
@ -23895,7 +23992,10 @@
{ {
"description": "ransomware", "description": "ransomware",
"meta": { "meta": {
"date": "November 2020" "date": "November 2020",
"links": [
"http://pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion/"
]
}, },
"uuid": "678bc24d-a5c3-4ddd-9292-40958afa3492", "uuid": "678bc24d-a5c3-4ddd-9292-40958afa3492",
"value": "Pay2Key" "value": "Pay2Key"
@ -23968,6 +24068,9 @@
"description": "ransomware", "description": "ransomware",
"meta": { "meta": {
"date": "November 2020", "date": "November 2020",
"links": [
"http://3r6n77mpe737w4sbxxxrpc5phbluv6xhtdl5ujpnlvmck5tc7blq2rqd.onion"
],
"synonyms": [ "synonyms": [
"FiveHands" "FiveHands"
] ]
@ -24431,6 +24534,10 @@
".ragnarok", ".ragnarok",
".ragnarok_cry" ".ragnarok_cry"
], ],
"links": [
"http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion",
"http://sushlnty2j7qdzy64qnvyb6ajkwg7resd3p6agc2widnawodtcedgjid.onion/"
],
"refs": [ "refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnaro", "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnaro",
"https://borncity.com/win/2021/03/27/tu-darmstadt-opfer-der-ragnarok-ransomware/" "https://borncity.com/win/2021/03/27/tu-darmstadt-opfer-der-ragnarok-ransomware/"
@ -24659,9 +24766,15 @@
{ {
"description": "Ransomware", "description": "Ransomware",
"meta": { "meta": {
"links": [
"http://mountnewsokhwilx.onion"
],
"refs": [ "refs": [
"https://www.cyclonis.com/mount-locker-ransomware-more-dangerous", "https://www.cyclonis.com/mount-locker-ransomware-more-dangerous",
"https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game" "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game"
],
"synonyms": [
"Mount-Locker"
] ]
}, },
"uuid": "1da28691-684a-4cd2-b2f8-e80a123e150c", "uuid": "1da28691-684a-4cd2-b2f8-e80a123e150c",
@ -24681,6 +24794,9 @@
{ {
"description": "Ransomware", "description": "Ransomware",
"meta": { "meta": {
"links": [
"http://vbfqeh5nugm6r2u2qvghsdxm3fotf5wbxb5ltv6vw77vus5frdpuaiid.onion/"
],
"refs": [ "refs": [
"https://twitter.com/malwrhunterteam/status/1501857263493001217", "https://twitter.com/malwrhunterteam/status/1501857263493001217",
"https://dissectingmalwa.re/blog/pandora" "https://dissectingmalwa.re/blog/pandora"
@ -24692,6 +24808,9 @@
{ {
"description": "Ransomware", "description": "Ransomware",
"meta": { "meta": {
"links": [
"http://gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion"
],
"refs": [ "refs": [
"https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk", "https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk",
"https://twitter.com/techyteachme/status/1464317136944435209" "https://twitter.com/techyteachme/status/1464317136944435209"
@ -24734,6 +24853,9 @@
{ {
"description": "Lorenz is a ransomware group that has been active since at least February 2021 and like many ransomware groups, performs double-extortion by exfiltrating data before encrypting systems.", "description": "Lorenz is a ransomware group that has been active since at least February 2021 and like many ransomware groups, performs double-extortion by exfiltrating data before encrypting systems.",
"meta": { "meta": {
"links": [
"http://lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion/"
],
"ransomnotes-refs": [ "ransomnotes-refs": [
"https://marvel-b1-cdn.bc0a.com/f00000000241276/arcticwolf.com/wp-content/uploads/2022/09/Screen-Shot-2022-09-12-at-11.18.04-AM-1024x246.png" "https://marvel-b1-cdn.bc0a.com/f00000000241276/arcticwolf.com/wp-content/uploads/2022/09/Screen-Shot-2022-09-12-at-11.18.04-AM-1024x246.png"
], ],
@ -24747,6 +24869,11 @@
{ {
"description": "First observed in June 2021, Hive ransomware was originally written in GoLang but recently, new Hive variants have been seen written in Rust. Targets Healthcare sector.", "description": "First observed in June 2021, Hive ransomware was originally written in GoLang but recently, new Hive variants have been seen written in Rust. Targets Healthcare sector.",
"meta": { "meta": {
"links": [
"http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/",
"http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion",
"http://hiveapi4nyabjdfz2hxdsr7otrcv6zq6m4rk5i2w7j64lrtny4b7vjad.onion/v1/companies/disclosed"
],
"ransomnotes": [ "ransomnotes": [
"Your network has been breached and all data were encrypted.\nPersonal data, financial reports and important documents are ready to disclose.\n\n To decrypt all the data and to prevent exfiltrated files to be disclosed at \nhttp://hive[REDACTED].onion/\nyou will need to purchase our decryption software.\n \nPlease contact our sales department at:v \n http://hive[REDACTED].onion/\n \n Login: [REDACTED]\n Password: [REDACTED]\n \nTo get an access to .onion websites download and install Tor Browser at:\n https://www.torproject.org/ (Tor Browser is not related to us)\n \n \nFollow the guidelines below to avoid losing your data:\n \n- Do not modify, rename or delete *.key.abc12 files. Your data will be \n undecryptable.\n- Do not modify or rename encrypted files. You will lose them.\n- Do not report to the Police, FBI, etc. They don't care about your business.\n They simply won't allow you to pay. As a result you will lose everything.\n- Do not hire a recovery company. They can't decrypt without the key. \n They also don't care about your business. They believe that they are \n good negotiators, but it is not. They usually fail. So speak for yourself.\n- Do not reject to purchase. Exfiltrated files will be publicly disclosed.", "Your network has been breached and all data were encrypted.\nPersonal data, financial reports and important documents are ready to disclose.\n\n To decrypt all the data and to prevent exfiltrated files to be disclosed at \nhttp://hive[REDACTED].onion/\nyou will need to purchase our decryption software.\n \nPlease contact our sales department at:v \n http://hive[REDACTED].onion/\n \n Login: [REDACTED]\n Password: [REDACTED]\n \nTo get an access to .onion websites download and install Tor Browser at:\n https://www.torproject.org/ (Tor Browser is not related to us)\n \n \nFollow the guidelines below to avoid losing your data:\n \n- Do not modify, rename or delete *.key.abc12 files. 
Your data will be \n undecryptable.\n- Do not modify or rename encrypted files. You will lose them.\n- Do not report to the Police, FBI, etc. They don't care about your business.\n They simply won't allow you to pay. As a result you will lose everything.\n- Do not hire a recovery company. They can't decrypt without the key. \n They also don't care about your business. They believe that they are \n good negotiators, but it is not. They usually fail. So speak for yourself.\n- Do not reject to purchase. Exfiltrated files will be publicly disclosed.",
"Your network has been breached and all data were encrypted.\nPersonal data, financial reports and important documents are ready to disclose.\n\n To decrypt all the data and to prevent exfiltrated files to be disclosed at \nhttp://hive[REDACTED].onion/\nyou will need to purchase our decryption software.\n \nPlease contact our sales department at:\n \n http://hive[REDACTED].onion/\n \n Login: test_hive_username\n Password: test_hive_password\n \nTo get an access to .onion websites download and install Tor Browser at:\n https://www.torproject.org/ (Tor Browser is not related to us)\n \n \nFollow the guidelines below to avoid losing your data:\n \n- Do not delete or reinstall VMs. There will be nothing to decrypt.\n- Do not modify, rename or delete *.key files. Your data will be \n undecryptable.\n- Do not modify or rename encrypted files. You will lose them.\n- Do not report to the Police, FBI, etc. They don't care about your business.\n They simply won't allow you to pay. As a result you will lose everything.\n- Do not hire a recovery company. They can't decrypt without the key. \n They also don't care about your business. They believe that they are \n good negotiators, but it is not. They usually fail. So speak for yourself.\n- Do not reject to purchase. 
Exfiltrated files will be publicly disclosed" "Your network has been breached and all data were encrypted.\nPersonal data, financial reports and important documents are ready to disclose.\n\n To decrypt all the data and to prevent exfiltrated files to be disclosed at \nhttp://hive[REDACTED].onion/\nyou will need to purchase our decryption software.\n \nPlease contact our sales department at:\n \n http://hive[REDACTED].onion/\n \n Login: test_hive_username\n Password: test_hive_password\n \nTo get an access to .onion websites download and install Tor Browser at:\n https://www.torproject.org/ (Tor Browser is not related to us)\n \n \nFollow the guidelines below to avoid losing your data:\n \n- Do not delete or reinstall VMs. There will be nothing to decrypt.\n- Do not modify, rename or delete *.key files. Your data will be \n undecryptable.\n- Do not modify or rename encrypted files. You will lose them.\n- Do not report to the Police, FBI, etc. They don't care about your business.\n They simply won't allow you to pay. As a result you will lose everything.\n- Do not hire a recovery company. They can't decrypt without the key. \n They also don't care about your business. They believe that they are \n good negotiators, but it is not. They usually fail. So speak for yourself.\n- Do not reject to purchase. Exfiltrated files will be publicly disclosed"
@ -24768,6 +24895,10 @@
{ {
"description": "", "description": "",
"meta": { "meta": {
"links": [
"http://quantum445bh3gzuyilxdzs5xdepf3b7lkcupswvkryf3n7hgzpxebid.onion/",
"http://quantum445bh3gzuyilxdzs5xdepf3b7lkcupswvkryf3n7hgzpxebid.onion"
],
"ransomnotes-refs": [ "ransomnotes-refs": [
"https://www.guidepointsecurity.com/wp-content/uploads/2021/04/Anonymized-Ransom-Note-1-1024x655.png" "https://www.guidepointsecurity.com/wp-content/uploads/2021/04/Anonymized-Ransom-Note-1-1024x655.png"
], ],
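Review bot: the two added links are the same address with and without a trailing slash ("http://quantum445...ebid.onion/" and "http://quantum445...ebid.onion"); keep one, and consider normalising trailing slashes consistently across this patch since the same pattern appears in several other clusters.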
@ -24922,6 +25053,11 @@
}, },
{ {
"description": "Ransomware", "description": "Ransomware",
"meta": {
"links": [
"http://blog2hkbm6gogpv2b3uytzi3bj5d5zmc4asbybumjkhuqhas355janyd.onion/"
]
},
"uuid": "549c9766-b45d-4d14-86e8-e6a74d69d067", "uuid": "549c9766-b45d-4d14-86e8-e6a74d69d067",
"value": "RedAlert" "value": "RedAlert"
}, },
@ -24995,6 +25131,12 @@
}, },
{ {
"description": "Ransomware", "description": "Ransomware",
"meta": {
"links": [
"http://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion",
"http://k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion"
]
},
"uuid": "fec32bbf-c4f8-499d-8e2a-743bcdd071e7", "uuid": "fec32bbf-c4f8-499d-8e2a-743bcdd071e7",
"value": "PLAY Ransomware" "value": "PLAY Ransomware"
}, },
@ -25010,6 +25152,14 @@
}, },
{ {
"description": "Ransomware", "description": "Ransomware",
"meta": {
"links": [
"https://3f7nxkjway3d223j27lyad7v5cgmyaifesycvmwq7i7cbs23lb6llryd.onion/",
"https://www.karanews.live",
"https://karakurt.tech",
"https://karaleaks.com"
]
},
"uuid": "a7623a1b-4551-4e5a-a622-2b91dea16b42", "uuid": "a7623a1b-4551-4e5a-a622-2b91dea16b42",
"value": "Karakurt" "value": "Karakurt"
}, },
@ -25453,7 +25603,578 @@
}, },
"uuid": "50fdc311-e6c5-4843-9b91-24d66afbdb8d", "uuid": "50fdc311-e6c5-4843-9b91-24d66afbdb8d",
"value": "Donutleaks" "value": "Donutleaks"
},
{
"meta": {
"links": [
"http://h44jyyfomcbnnw5dha7zgwgkvpzbzbdyx2onu4fxaa5smxrgbjgq7had.onion/"
]
},
"uuid": "14658178-6fea-43bb-ae11-4ae5c2f14560",
"value": "Endurance"
},
{
"meta": {
"links": [
"http://leaksv7sroztl377bbohzl42i3ddlfsxopcb6355zc7olzigedm5agad.onion/posts"
]
},
"uuid": "11a458b9-df9c-486f-8556-2ae662df2802",
"value": "Entropy"
},
{
"meta": {
"links": [
"http://dg5fyig37abmivryrxlordrczn6d6r5wzcfe2msuo5mbbu2exnu46fid.onion"
]
},
"uuid": "3a074223-6c97-48ca-b019-50a16a37e956",
"value": "Ep918"
},
{
"meta": {
"links": [
"http://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion/"
]
},
"uuid": "3c2835b1-53de-4755-ac0f-48dff1e53745",
"value": "Everest"
},
{
"meta": {
"links": [
"http://gcbejm2rcjftouqbxuhimj5oroouqcuxb2my4raxqa7efkz5bd5464id.onion/"
]
},
"uuid": "34c540d5-70ad-44cc-b5a2-cd8ec7e2efd6",
"value": "Freecivilian"
},
{
"meta": {
"links": [
"http://hkk62og3s2tce2gipcdxg3m27z4b62mrmml6ugctzdxs25o26q3a4mid.onion/"
]
},
"uuid": "29408532-b5d3-47ab-9b31-1ea63a084e45",
"value": "Fsteam"
},
{
"meta": {
"links": [
"http://griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw7baomfxoxz4qteid.onion/"
]
},
"uuid": "506716cf-7e60-46e5-a853-c8a67fe696f9",
"value": "Grief"
},
{
"meta": {
"links": [
"http://ws3dh6av66sjbxxkjpw5ao3wqzmtejnkzheswm4dz5rrwvular7xvkqd.onion/"
]
},
"uuid": "267b7b61-ed82-4809-aafe-9d2487c56f19",
"value": "Groove"
},
{
"meta": {
"links": [
"http://ft4zr2jzlqoyob7yg4fcpwyt37hox3ajajqnfkdvbfrkjioyunmqnpad.onion/login.php",
"http://midasbkic5eyfox4dhnijkzc7v7e4hpmsb2qgux7diqbpna4up4rtdad.onion/blog.php"
]
},
"uuid": "949fe61d-6df6-4f36-996b-c58bbbc5140f",
"value": "Haron"
},
{
"meta": {
"links": [
"http://r6d636w47ncnaukrpvlhmtdbvbeltc6enfcuuow3jclpmyga7cz374qd.onion"
]
},
"uuid": "3c5832ae-3961-423e-8331-218a7aa6e5db",
"value": "Hotarus"
},
{
"meta": {
"links": [
"http://kf6x3mjeqljqxjznaw65jixin7dpcunfxbbakwuitizytcpzn4iy5bad.onion/board/leak_list/",
"http://7kstc545azxeahkduxmefgwqkrrhq3mzohkzqvrv7aekob7z3iwkqvyd.onion/board/victim_list/"
]
},
"uuid": "deea56de-1237-46bf-9ea7-4e1a3b3acd10",
"value": "Icefire"
},
{
"meta": {
"links": [
"https://justice-blade.io"
]
},
"uuid": "71a6edfe-9764-4c9b-b528-e0ee7b73c110",
"value": "Justice_Blade"
},
{
"meta": {
"links": [
"https://kelvinsecteamcyber.wixsite.com/my-site/items"
]
},
"uuid": "3c61d677-a2a6-40fb-aadd-72974f68e62c",
"value": "Kelvin Security"
},
{
"meta": {
"links": [
"https://t.me/minsaudebr"
]
},
"uuid": "e2e035aa-eb95-48af-98a7-f18ddfcc347b",
"value": "Lapsus$"
},
{
"meta": {
"links": [
"http://yeuajcizwytgmrntijhxphs6wn5txp2prs6rpndafbsapek3zd4ubcid.onion/"
]
},
"uuid": "7dea3669-5ec4-4bdf-898f-c3a9f796365e",
"value": "Lilith"
},
{
"meta": {
"links": [
"http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion/",
"http://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion",
"http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion",
"http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion",
"http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion",
"http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion",
"http://yq43odyrmzqvyezdindg2tokgogf3pn6bcdtvgczpz5a74tdxjbtk2yd.onion",
"http://oyarbnujct53bizjguvolxou3rmuda2vr72osyexngbdkhqebwrzsnad.onion",
"http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion",
"http://lockbitapt.uz",
"http://yq43odyrmzqvyezdindg2tokgogf3pn6bcdtvgczpz5a74tdxjbtk2yd.onion",
"http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion",
"http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion",
"http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion",
"http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion",
"http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion",
"http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion",
"http://lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion"
]
},
"related": [
{
"dest-uuid": "8eda8bf1-db5a-412d-8511-45e2f7621d51",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "c09f73fd-c3c3-42b1-b355-b03ca4941110",
"value": "Lockbit3"
},
{
"meta": {
"links": [
"http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion",
"http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion",
"http://nclen75pwlgebpxpsqhlcnxsmdvpyrr7ogz36ehhatfmkvakeyden6ad.onion"
]
},
"uuid": "9886732d-76a2-4fbb-86b7-9e6a80669fb5",
"value": "Lolnek"
},
{
"meta": {
"links": [
"http://rbvuetuneohce3ouxjlbxtimyyxokb4btncxjbo44fbgxqy7tskinwad.onion/",
"http://4qbxi3i2oqmyzxsjg4fwe4aly3xkped52gq5orp6efpkeskvchqe27id.onion/"
]
},
"uuid": "46d56775-5f8c-411e-adbe-2acd07bf99ac",
"value": "Lv"
},
{
"meta": {
"links": [
"http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion"
]
},
"uuid": "95891bae-09a4-4d02-990e-2477cb09b9c2",
"value": "Mallox"
},
{
"meta": {
"links": [
"http://xembshruusobgbvxg4tcjs3jpdnks6xrr6nbokfxadcnlc53yxir22ad.onion"
]
},
"uuid": "7ecd6452-d521-4095-8fd7-eecdeb6c8d96",
"value": "Mbc"
},
{
"meta": {
"links": [
"http://midasbkic5eyfox4dhnijkzc7v7e4hpmsb2qgux7diqbpna4up4rtdad.onion/blog.php"
]
},
"uuid": "c0ce34c6-13b9-41ef-847c-840b090f2bfc",
"value": "Midas"
},
{
"meta": {
"links": [
"http://moishddxqnpdxpababec6exozpl2yr7idfhdldiz5525ao25bmasxhid.onion"
]
},
"uuid": "b2e44cc2-2df9-4210-a0ee-9ae913278c00",
"value": "Moisha"
},
{
"meta": {
"links": [
"http://monteoamwxlutyovf7oxeviwjlbu3vbgdmkncecl2ydteqncrmcv67yd.onion/",
"http://monteoamwxlutyovf7oxeviwjlbu3vbgdmkncecl2ydteqncrmcv67yd.onion/catalog/"
]
},
"uuid": "814f656d-7107-41d3-a934-1667e427ad8a",
"value": "Monte"
},
{
"meta": {
"links": [
"http://4s4lnfeujzo67fy2jebz2dxskez2gsqj2jeb35m75ktufxensdicqxad.onion/",
"http://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid.onion/"
]
},
"uuid": "0ea4daa9-0b83-4acb-bc54-420635b7bfea",
"value": "Monti"
},
{
"meta": {
"links": [
"http://58b87e60649ccc808ac8mstiejnj.5s4ixqul2enwxrqv.onion"
]
},
"uuid": "8b726e6a-ed85-4a5b-a501-6bc06dab288d",
"value": "Mydecryptor"
},
{
"meta": {
"links": [
"http://n3twormruynhn3oetmxvasum2miix2jgg56xskdoyihra4wthvlgyeyd.onion"
]
},
"uuid": "815b13b2-2b94-4ea9-adc2-8193936a1c61",
"value": "N3Tworm"
},
{
"meta": {
"links": [
"http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion"
]
},
"uuid": "a449e5a4-a835-419e-af3e-d223c74d0536",
"value": "Netwalker"
},
{
"meta": {
"links": [
"http://nevcorps5cvivjf6i2gm4uia7cxng5ploqny2rgrinctazjlnqr2yiyd.onion/",
"http://nevbackvzwfu5yu3gszap77bg66koadds6eln37gxdhdk4jdsbkayrid.onion/",
"http://nevaffcwswjosddmw55qhn4u4secw42wlppzvf26k5onrlxjevm6avad.onion/"
]
},
"uuid": "9c517547-8002-4a9a-a360-8d836d2fe3e3",
"value": "Nevada"
},
{
"meta": {
"links": [
"http://gg5ryfgogainisskdvh4y373ap3b2mxafcibeh2lvq5x7fx76ygcosad.onion"
]
},
"uuid": "886a2d59-2e8d-4357-b70f-a6dd3d034dfd",
"value": "Nightsky"
},
{
"meta": {
"links": [
"http://lirncvjfmdhv6samxvvlohfqx7jklfxoxj7xn3fh7qeabs3taemdsdqd.onion",
"http://lirncvjfmdhv6samxvvlohfqx7jklfxoxj7xn3fh7qeabs3taemdsdqd.onion/",
"http://6yofnrq7evqrtz3tzi3dkbrdovtywd35lx3iqbc5dyh367nrdh4jgfyd.onion/"
]
},
"uuid": "2b2f2e07-f764-4cc2-86ac-cc087a953cbb",
"value": "Nokoyawa"
},
{
"meta": {
"links": [
"http://5mvifa3xq5m7sou3xzaajfz7h6eserp5fnkwotohns5pgbb5oxty3zad.onion"
]
},
"uuid": "e9e810e3-a919-4417-85d0-fcab700e45de",
"value": "Onepercent"
},
{
"meta": {
"links": [
"http://vbmisqjshn4yblehk2vbnil53tlqklxsdaztgphcilto3vdj4geao5qd.onion/"
]
},
"uuid": "fd2161a9-cd88-4d12-94d9-52b93b28eb5b",
"value": "Payloadbin"
},
{
"meta": {
"links": [
"http://promethw27cbrcot.onion/blog/"
]
},
"uuid": "bcf0a9da-dca3-42c0-b875-59d434564fbb",
"value": "Prometheus"
},
{
"meta": {
"links": [
"http://ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion/",
"http://24kckepr3tdbcomkimbov5nqv2alos6vmrmlxdr76lfmkgegukubctyd.onion",
"http://wlh3dpptx2gt7nsxcor37a3kiyaiy6qwhdv7o6nl6iuniu5ycze5ydid.onion/blog",
"http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion/"
]
},
"uuid": "d5b3ce3d-59e2-4e56-a29a-42fb8b733a51",
"value": "Qilin"
},
{
"meta": {
"links": [
"http://gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion",
"http://gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion/"
]
},
"uuid": "065110c5-574a-4466-a336-e6c5f3ef86c4",
"value": "Qlocker"
},
{
"meta": {
"links": [
"http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion",
"http://rampjcdlqvgkoz5oywutpo6ggl7g6tvddysustfl6qzhr5osr24xxqqd.onion",
"http://ramp4u5iz4xx75vmt6nk5xfrs5mrmtokzszqxhhkjqlk7pbwykaz7zid.onion"
]
},
"uuid": "824f225c-7cd9-47e3-9f5b-c3194e4a26ea",
"value": "Ramp"
},
{
"meta": {
"links": [
"http://u67aylig7i6l657wxmp274eoilaowhp3boljowa6bli63rxyzfzsbtyd.onion/"
]
},
"uuid": "62e56597-01c8-4721-abd2-c7efa37fb566",
"value": "Ransomcartel"
},
{
"meta": {
"links": [
"http://xw7au5pnwtl6lozbsudkmyd32n6gnqdngitjdppybudan3x3pjgpmpid.onion",
"http://zohlm7ahjwegcedoz7lrdrti7bvpofymcayotp744qhx6gjmxbuo2yid.onion/"
]
},
"uuid": "00a6fc79-8a29-417b-a298-adc8e17d8aba",
"value": "Ransomhouse"
},
{
"meta": {
"links": [
"http://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd.onion"
]
},
"uuid": "840d5e7b-e96f-426d-8cf0-a5a10f5e4a46",
"value": "Ranzy"
},
{
"meta": {
"links": [
"http://relic5zqwemjnu4veilml6prgyedj6phs7de3udhicuq53z37klxm6qd.onion"
]
},
"uuid": "f4340cdb-ed0c-411e-ae11-b14ee151886a",
"value": "Relic"
},
{
"meta": {
"links": [
"http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion",
"http://royal4ezp7xrbakkus3oofjw6gszrohpodmdnfbe5e4w3og5sm7vb3qd.onion"
]
},
"uuid": "9a970739-24e3-4eb5-9154-d0ac6b2c378d",
"value": "Royal"
},
{
"meta": {
"links": [
"http://t2tqvp4pctcr7vxhgz5yd5x4ino5tw7jzs3whbntxirhp32djhi7q3id.onion"
]
},
"uuid": "470306b5-5a3b-4b63-9c02-0dc917584e72",
"value": "Rransom"
},
{
"meta": {
"links": [
"http://54bb47h5qu4k7l4d7v5ix3i6ak6elysn3net4by4ihmvrhu7cvbskoqd.onion/blog",
"http://54bb47h.blog"
]
},
"uuid": "efdf315c-e85c-4d87-b816-ec29dbea67b5",
"value": "Sabbath"
},
{
"meta": {
"links": [
"http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion/login"
]
},
"uuid": "70719914-dc82-4ab0-b925-da837b337c89",
"value": "Solidbit"
},
{
"meta": {
"links": [
"http://zj2ex44e2b2xi43m2txk4uwi3l55aglsarre7repw7rkfwpj54j46iqd.onion"
]
},
"uuid": "ce4eb745-e341-4f5d-be93-2af23b9ad756",
"value": "Sparta"
},
{
"meta": {
"links": [
"http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/blog/"
]
},
"uuid": "0d4a8359-d607-4e5a-b85c-c8248cfa520a",
"value": "Spook"
},
{
"meta": {
"links": [
"http://3slz4povugieoi3tw7sblxoowxhbzxeju427cffsst5fo2tizepwatid.onion"
]
},
"uuid": "6e20bdd2-31ac-4429-8aa7-4ce8cb7dc7b5",
"value": "Stormous"
},
{
"meta": {
"links": [
"http://tdoe2fiiamwkiadhx2a4dfq56ztlqhzl2vckgwmjtoanfaya4kqvvvyd.onion"
]
},
"uuid": "0e2d3ead-3de9-4089-b7a3-10790b6f70f2",
"value": "Unknown"
},
{
"meta": {
"links": [
"http://unsafeipw6wbkzzmj7yqp7bz6j7ivzynggmwxsm6u2wwfmfqrxqrrhyd.onion/"
]
},
"uuid": "df2b1358-b3f1-4af4-8153-02f4fc018b03",
"value": "Unsafe"
},
{
"meta": {
"links": [
"http://test.cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion"
]
},
"related": [
{
"dest-uuid": "731e4a5e-35f2-47b1-80ba-150b95fdc14d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7fd558de-1dfe-432a-834b-3e2691ee7283",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f4b870cb-8c61-40ab-865b-b8304a120ba5",
"value": "V Is Vendetta"
},
{
"meta": {
"links": [
"http://vfokxcdzjbpehgit223vzdzwte47l3zcqtafj34qrr26htjo4uf3obid.onion",
"http://746pbrxl7acvrlhzshosye3b3udk4plurpxt2pp27pojfhkkaooqiiqd.onion"
]
},
"uuid": "465828ea-6e81-4851-b02c-458d696629c1",
"value": "Vfokx"
},
{
"meta": {
"links": [
"http://4hzyuotli6maqa4u.onion",
"http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion",
"http://ml3mjpuhnmse4kjij7ggupenw34755y4uj7t742qf7jg5impt5ulhkid.onion/",
"http://ssq4zimieeanazkzc5ld4v5hdibi2nzwzdibfh5n5w4pw5mcik76lzyd.onion/",
"http://wmp2rvrkecyx72i3x7ejhyd3yr6fn5uqo7wfus7cz7qnwr6uzhcbrwad.onion"
]
},
"uuid": "41979767-bfb8-4633-af1f-3946a599f922",
"value": "Vicesociety"
},
{
"meta": {
"links": [
"http://mrdxtxy6vqeqbmb4rvbvueh2kukb3e3mhu3wdothqn7242gztxyzycid.onion/"
]
},
"uuid": "8b2e6391-05b4-439e-b318-1c3ace388c2d",
"value": "Vsop"
},
{
"meta": {
"links": [
"http://xingnewj6m4qytljhfwemngm7r7rogrindbq7wrfeepejgxc3bwci7qd.onion/"
]
},
"uuid": "e92d5c00-81ae-4909-9994-74bf48180f22",
"value": "Xinglocker"
},
{
"meta": {
"links": [
"http://wj3b2wtj7u2bzup75tzhnso56bin6bnvsxcbwbfcuvzpc4vcixbywlid.onion"
]
},
"uuid": "64b7dc11-a627-43b2-91cd-38608784c53f",
"value": "Xinof"
},
{
"meta": {
"links": [
"http://jukswsxbh3jsxuddvidrjdvwuohtsy4kxg2axbppiyclomt2qciyfoad.onion/"
]
},
"uuid": "476de1fe-d9b7-441a-8cb9-e6648189be3b",
"value": "Yanluowang"
} }
], ],
"version": 117 "version": 118
} }
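Review bot: several of the added link values are Tor v2 onion addresses (16 base32 characters before `.onion`: `http://promethw27cbrcot.onion/blog/` under Prometheus, `http://4hzyuotli6maqa4u.onion` under Vicesociety, and the `5s4ixqul2enwxrqv.onion` host behind the Mydecryptor link); current Tor releases no longer resolve v2 services, so these should be flagged as historical in the entry or dropped rather than shipped unmarked beside the v3 addresses. Smaller points in the same hunk: Nokoyawa and Qlocker each list one address twice, once with and once without a trailing slash, so normalise to a single form before a consumer treats them as two sites; `"value": "Unknown"` is not a usable cluster name (it cannot be searched for or deduplicated against the next unattributed site someone adds), so give that entry a stable descriptive value or at least a `description`; and the `related` block under V Is Vendetta points at two `dest-uuid`s that must resolve to existing clusters for the relationship to render in MISP, so confirm both exist before merging.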

File diff suppressed because it is too large

View file

@ -209,7 +209,21 @@
}, },
"uuid": "9eb2a417-2bb6-496c-816b-bccb3f3074f6", "uuid": "9eb2a417-2bb6-496c-816b-bccb3f3074f6",
"value": "Rhadamanthys" "value": "Rhadamanthys"
},
{
"description": "Python-based Stealer including Discord, Steam...",
"meta": {
"refs": [
"https://github.com/SOrdeal/Sordeal-Stealer"
],
"synonyms": [
"Sordeal",
"Sordeal Stealer"
]
},
"uuid": "0266302b-52d3-44da-ab63-a8a6f16de737",
"value": "Sordeal-Stealer"
} }
], ],
"version": 12 "version": 13
} }
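Review bot: the `description` string `"Python-based Stealer including Discord, Steam..."` trails off mid-list; a cluster description should be a complete statement of what the tool collects and how it exfiltrates it, otherwise the entry adds nothing a reader could not guess from the name. Also consider whether a self-published GitHub repository is adequate as the sole reference, since it can be taken down at any time; an archived copy or a vendor write-up alongside it would make the entry durable. The `synonyms` `Sordeal` and `Sordeal Stealer` are fine as lookup aliases for the canonical `Sordeal-Stealer` value.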

View file

@ -837,7 +837,8 @@
"https://unit42.paloaltonetworks.com/atoms/iron-taurus/", "https://unit42.paloaltonetworks.com/atoms/iron-taurus/",
"https://www.mandiant.com/resources/insights/apt-groups", "https://www.mandiant.com/resources/insights/apt-groups",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/" "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
"https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html"
], ],
"synonyms": [ "synonyms": [
"GreedyTaotie", "GreedyTaotie",
@ -852,7 +853,8 @@
"BRONZE UNION", "BRONZE UNION",
"Lucky Mouse", "Lucky Mouse",
"G0027", "G0027",
"Iron Taurus" "Iron Taurus",
"Earth Smilodon"
] ]
}, },
"related": [ "related": [
@ -6071,14 +6073,16 @@
"https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military", "https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military",
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf" "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
"https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html"
], ],
"synonyms": [ "synonyms": [
"BRONZE PRESIDENT", "BRONZE PRESIDENT",
"HoneyMyte", "HoneyMyte",
"Red Lich", "Red Lich",
"TEMP.HEX", "TEMP.HEX",
"BASIN" "BASIN",
"Earth Preta"
] ]
}, },
"uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339", "uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
@ -7443,7 +7447,8 @@
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/" "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
"https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf"
], ],
"synonyms": [ "synonyms": [
"G0096", "G0096",
@ -7459,7 +7464,8 @@
"Red Kelpie", "Red Kelpie",
"G0044", "G0044",
"Earth Baku", "Earth Baku",
"Amoeba" "Amoeba",
"HOODOO"
] ]
}, },
"related": [ "related": [
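Review bot: these four hunks add references and the `Earth Smilodon`, `Earth Preta` and `HOODOO` aliases to threat-actor.json, but none of them touches the file's `version` field and no other hunk for this file is shown; the galaxy update in MISP compares that field and skips a cluster file whose version has not increased, so unless the bump is in a part of the diff not rendered here, add it or existing instances will never see the new synonyms. Pairing each alias with the vendor report that coined it (the Trend Micro and Google references added in the same hunks) is the right pattern and should be kept for future additions.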

View file

@ -8754,7 +8754,43 @@
}, },
"uuid": "5c7fa5e1-352a-41c3-8e55-744e5fa88793", "uuid": "5c7fa5e1-352a-41c3-8e55-744e5fa88793",
"value": "AHK Bot" "value": "AHK Bot"
},
{
"description": "A tool first used in October 2022, abusing the Notion7 service to communicate and download further malicious files. Two versions of this tool have been observed.",
"meta": {
"refs": [
"https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
"https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf",
"https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d"
]
},
"uuid": "0125ef58-2675-426f-90eb-0b189961199a",
"value": "SNOWYAMBER"
},
{
"description": "Used for the first time in February 2023. This tool is distinguished from the others by the embedded code that runs the COBALT STRIKE tool.",
"meta": {
"refs": [
"https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
"https://www.gov.pl/attachment/64193e8d-05e2-4cbf-bb4c-5f58da21fefb",
"https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
]
},
"uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
"value": "HALFRIG"
},
{
"description": "A tool first used in March 2023, sharing part of the code with HALFRIG. Two versions of this tool were observed.",
"meta": {
"refs": [
"https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
"https://www.gov.pl/attachment/6f51bb1a-3ad2-461c-a16d-408915a56f77",
"https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
]
},
"uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
"value": "QUARTERRIG"
} }
], ],
"version": 161 "version": 162
} }
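Review bot: `Notion7` in the SNOWYAMBER description is a footnote number from the source PDF fused onto the service name; the tool abuses the Notion service, so fix the string to `Notion` before it ships as the canonical description. Two further points: the advisory in `refs` presents all three tools as part of one campaign linked to Russian intelligence services, so the entries would benefit from `related` links to that actor's cluster (and HALFRIG to the Cobalt Strike tool entry it embeds) instead of standing as isolated tools; and the three `refs` lists share the `6e085a2c-...` attachment while each carries one other attachment, so double-check that each entry's per-tool attachment is the one that actually describes that tool.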

View file

@ -0,0 +1,9 @@
{
"description": "Known public online services.",
"icon": "cloud",
"name": "online-service",
"namespace": "misp",
"type": "online-service",
"uuid": "c0a960b6-bba4-4914-8d54-87011aaf447e",
"version": 1
}
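Review bot: a galaxy definition on its own is not loadable; it needs a matching `clusters/online-service.json` carrying the same `type` and galaxy `uuid`, and this section shows none (the suppressed large diff above may be it, so confirm before merging). `"Known public online services."` also leaves the intent open: state whether an entry is a service tagged because it is abused for C2, staging or exfiltration, or any public service at all, since that decides what belongs in the cluster and how a `misp-galaxy:online-service=` tag should be read. Finally, the README galaxy index in this repository lists every galaxy with a one-line description, so add the entry there in the same commit.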

View file

@ -1,7 +1,7 @@
python3 adoc_galaxy.py >a.txt python3 adoc_galaxy.py >a.txt
asciidoctor -a allow-uri-read a.txt asciidoctor -a allow-uri-read a.txt
asciidoctor-pdf -a allow-uri-read a.txt asciidoctor-pdf -a allow-uri-read a.txt
cp a.html ../../misp-website/static/galaxy.html cp a.html ../../misp-website-new/static/galaxy.html
cp a.pdf ../../misp-website/static/galaxy.pdf cp a.pdf ../../misp-website-new/static/galaxy.pdf
scp -l 81920 a.html circl@cpab.circl.lu:/var/www/nwww.circl.lu/doc/misp-galaxy/index.html scp -l 81920 a.html circl@cpab.circl.lu:/var/www/nwww.circl.lu/doc/misp-galaxy/index.html
scp -l 81920 a.pdf circl@cpab.circl.lu:/var/www/nwww.circl.lu/doc/misp-galaxy/galaxy.pdf scp -l 81920 a.pdf circl@cpab.circl.lu:/var/www/nwww.circl.lu/doc/misp-galaxy/galaxy.pdf
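Review bot: the script runs every step unconditionally, so if `asciidoctor` or `asciidoctor-pdf` fails the `cp` and `scp` lines still publish whatever stale `a.html` and `a.pdf` are left from the previous run; add `set -euo pipefail` at the top (or chain the steps with `&&`) so a failed render aborts before the copy to `../../misp-website-new/static/` and the upload. Two smaller points: the new `../../misp-website-new` path is a hard-coded relative location that only works from one checkout layout, so a variable or an explicit directory check would make the failure mode obvious; and `-a allow-uri-read` lets Asciidoctor fetch any URI referenced by an include or image directive in `a.txt`, which is generated from contributor-supplied cluster data, so keep this on a build host only where `adoc_galaxy.py` is known to escape that data.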