From 9c450a80d48bb3643de79091209afe38d82a21cb Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 14 Feb 2019 16:04:54 +0100 Subject: [PATCH] add Gallmaker and other clusters --- clusters/ransomware.json | 12 +++++++++++- clusters/threat-actor.json | 10 ++++++++++ clusters/tool.json | 9 +++++++++ 3 files changed, 30 insertions(+), 1 deletion(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 4a0b8e8..fed823c 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -11749,7 +11749,17 @@ }, "uuid": "1e19dae5-80c3-4358-abcd-2bf0ba4c76fe", "value": "LockerGoga" + }, + { + "description": "We have been observing a malvertising campaign via Rig exploit kit delivering a cryptocurrency-mining malware and the GandCrab ransomware since July 25. On August 1, we found Rig’s traffic stream dropping a then-unknown ransomware. Delving into this seemingly new ransomware, we checked its ransom payment page in the Tor network and saw it was called Princess Evolution (detected by Trend Micro as RANSOM_PRINCESSLOCKER.B), and was actually a new version of the Princess Locker ransomware that emerged in 2016. Based on its recent advertisement in underground forums, it appears that its operators are peddling Princess Evolution as a ransomware as a service (RaaS) and are looking for affiliates.\nThe new malvertising campaign we observed since July 25 is notable in that the malvertisements included Coinhive (COINMINER_MALXMR.TIDBF). Even if users aren’t diverted to the exploit kit and infected with the ransomware, the cybercriminals can still earn illicit profit through cryptocurrency mining. Another characteristic of this new campaign is that they hosted their malvertisement page on a free web hosting service and used domain name system canonical name (DNS CNAME) to map their advertisement domain on a malicious webpage on the service.", + "meta": { + "refs": [ + "https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-as-a-service-princess-evolution-looking-for-affiliates/" + ] + }, + "uuid": "53da7991-62b7-4fe2-af02-447a0734f41d", + "value": "Princess Evolution" } ], - "version": 51 + "version": 52 } diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index c225dad..99ce77b 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -6233,6 +6233,16 @@ }, "uuid": "27c97181-b8e9-43e1-93c0-f953cac45326", "value": "Siesta" + }, + { + "description": "Symantec researchers have uncovered a previously unknown attack group that is targeting government and military targets, including several overseas embassies of an Eastern European country, and military and defense targets in the Middle East. This group eschews custom malware and uses living off the land (LotL) tactics and publicly available hack tools to carry out activities that bear all the hallmarks of a cyber espionage campaign.\nThe group, which we have given the name Gallmaker, has been operating since at least December 2017, with its most recent activity observed in June 2018.", + "meta": { + "refs": [ + "https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group" + ] + }, + "uuid": "c79dab01-3f9f-491e-8a5f-6423339c9f76", + "value": "Gallmaker" } ], "version": 90 diff --git a/clusters/tool.json b/clusters/tool.json index 4413d7a..defca1e 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -7519,6 +7519,15 @@ }, "uuid": "6e60cb73-0bcc-45bf-b14f-633aa7ffc8b4", "value": "OSX/Shlayer" + }, + { + "meta": { + "refs": [ + "https://www.virusbulletin.com/blog/2019/02/malspam-security-products-miss-banking-and-email-phishing-emotet-and-bushaloader/" + ] + }, + "uuid": "4473f19e-ad0f-4191-bb7f-a28ef7ae3be3", + "value": "Bushaloader" } ], "version": 109