diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index d5fda06..0ede545 100644
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@@ -1,9 +1,12 @@
 {
 "authors": [
- "Daniel Plohmann",
+ "Davide Arcuri",
+ "Alexandre Dulaunoy",
 "Steffen Enders",
 "Andrea Garavaglia",
- "Davide Arcuri"
+ "Andras Iklody",
+ "Daniel Plohmann",
+ "Christophe Vandeplas"
 ],
 "category": "tool",
 "description": "Malware galaxy cluster based on Malpedia.",
@@ -30,21 +33,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat",
+ "https://github.com/DesignativeDave/androrat",
 "https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html",
- "https://github.com/DesignativeDave/androrat"
+ "https://www.kaspersky.com/blog/mobile-malware-part-4/24290/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "80447111-8085-40a4-a052-420926091ac6",
 "value": "AndroRAT"
 },
@@ -53,8 +49,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubisspy",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/",
- "https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf"
+ "https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/"
 ],
 "synonyms": [],
 "type": []
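Review bot: The `related` array (the `similar` link to `a3dad2be-ce62-4440-953b-00fbce7aba93` tagged `estimative-language:likelihood-probability="likely"`) is dropped from AndroRAT in the `@@ -30,21 +33,14 @@` hunk, and the same happens to nearly every other entry in this diff (BankBot, Charger, Chrysaor, Connic, DoubleLocker, DualToy, ExoBot, GhostCtrl, JadeRAT, Loki, LokiBot, Marcher, MysteryBot, OmniRAT, X-Agent, RedAlert2, Retefe, Roaming Mantis, Rootnik, Skygofree, Slempo, SpyBanker, SpyNote, Svpeng, Switcher, Xbot, Bashlite, Erebus, Hajime, Hide and Seek, Mirai, Owari) with no replacement visible on the new side. Those links are what ties this cluster's entries to other galaxies, so if the file is regenerated from Malpedia without them the cross-references are lost on every refresh, not just this one. If the removal is intentional, the commit message should say so; otherwise the generator should carry the existing `related` blocks over before this is merged.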
@@ -62,52 +58,83 @@
 "uuid": "06ffb614-33ca-4b04-bf3b-623e68754184",
 "value": "AnubisSpy"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.asacub",
+ "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "dffa06ec-e94f-4fd7-8578-2a98aace5473",
+ "value": "Asacub"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut",
 "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
- "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
+ "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9",
- "value": "Bahamut"
+ "value": "Bahamut (Android)"
 },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bankbot",
- "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html",
- "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html",
- "http://blog.koodous.com/2017/05/bankbot-on-google-play.html",
 "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/",
- "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/"
+ "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/",
+ "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html",
+ "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html",
+ "http://blog.koodous.com/2017/05/bankbot-on-google-play.html"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "4ed03b03-a34f-4583-9db1-6c58a4bd952b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "85975621-5126-40cb-8083-55cbfa75121b",
 "value": "BankBot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bianlian",
+ "https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1faaa5c5-ab4e-4101-b2d9-0e12207d70fc",
+ "value": "BianLian"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.busygasper",
+ "https://securelist.com/busygasper-the-unfriendly-spy/87627/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4bf68bf8-08e5-46f3-ade5-0bd4f124b168",
+ "value": "BusyGasper"
+ },
 {
 "description": "Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim.\r\nThe distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered.\r\nCurrently the malware has overlays for over 2,200 apps of banks and financial institutions.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites",
- "https://blog.avast.com/new-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang",
+ "https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang",
 "https://www.youtube.com/watch?v=1LOy0ZyjEOk"
 ],
 "synonyms": [],
@@ -127,15 +154,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "d1c600f8-0fb6-4367-921b-85b71947d950",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "6e0545df-8df6-4990-971c-e96c4c60d561",
 "value": "Charger"
 },
@@ -144,41 +162,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor",
- "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
 "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf",
- "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
+ "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
 "https://media.ccc.de/v/33c3-7901-pegasus_internals",
- "https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/"
+ "https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/",
+ "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html"
 ],
 "synonyms": [
- "Pegasus",
- "JigglyPuff"
+ "JigglyPuff",
+ "Pegasus"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad",
 "value": "Chrysaor"
 },
@@ -207,15 +202,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "e186384b-8001-4cdd-b170-1548deb8bf04",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "93b1c63a-4a34-44fd-805b-0a3470ff7e6a",
 "value": "Connic"
 },
@@ -230,7 +216,7 @@
 "type": []
 },
 "uuid": "8a42a699-1746-498b-a558-e7113bb916c0",
- "value": "Cpuminer"
+ "value": "Cpuminer (Android)"
 },
 {
 "description": "",
@@ -242,15 +228,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "6671bb0b-4fab-44a7-92f9-f641a887a0aa",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "10d0115a-00b4-414e-972b-8320a2bb873c",
 "value": "DoubleLocker"
 },
@@ -264,17 +241,8 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "8269e779-db23-4c94-aafb-36ee94879417",
- "value": "DualToy"
+ "value": "DualToy (Android)"
 },
 {
 "description": "",
@@ -299,18 +267,24 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "f691663a-b360-4c0d-a4ee-e9203139c38e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "c9f2b058-6c22-462a-a20a-fca933a597dd",
 "value": "ExoBot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.faketgram",
+ "https://blog.talosintelligence.com/2018/11/persian-stalker.html"
+ ],
+ "synonyms": [
+ "FakeTGram"
+ ],
+ "type": []
+ },
+ "uuid": "6c0fc7e4-4629-494f-b471-f7a8cc47c0e0",
+ "value": "FakeGram"
+ },
 {
 "description": "",
 "meta": {
@@ -322,7 +296,7 @@
 "type": []
 },
 "uuid": "4305d59a-0d07-4021-a902-e7996378898b",
- "value": "FlexiSpy"
+ "value": "FlexiSpy (Android)"
 },
 {
 "description": "",
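Review bot: The `@@ -230,7 +216,7 @@` hunk renames this entry to `"Cpuminer (Android)"` but keeps `"uuid": "8a42a699-1746-498b-a558-e7113bb916c0"`, and the `@@ -1306,17 +1069,17 @@` hunk further down renames a second entry with the very same uuid to `"Cpuminer (ELF)"`. The uuid, not the value, is what MISP and any `dest-uuid` link resolve, so two cluster entries sharing one uuid stay ambiguous after this commit; the rename only hides it. One of the two entries needs its own identifier, e.g. `"uuid": "<NEW-UUID4-PLACEHOLDER>"` on whichever entry is not yet referenced from other galaxies, which cannot be determined from this diff alone. It is also worth a uniqueness check on `uuid` across the whole file in the generator, since this is unlikely to be the only collision that a value-rename has masked.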
@@ -349,15 +323,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "a01e1d0b-5303-4d11-94dc-7db74f3d599d",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "3b6c1771-6d20-4177-8be0-12116e254bf5",
 "value": "GhostCtrl"
 },
@@ -366,11 +331,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.glancelove",
- "https://www.clearskysec.com/glancelove/",
 "https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773",
- "https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/",
+ "https://www.ci-project.org/blog/2017/3/4/arid-viper",
 "https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/",
- "https://www.ci-project.org/blog/2017/3/4/arid-viper"
+ "https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/",
+ "https://www.clearskysec.com/glancelove/"
 ],
 "synonyms": [],
 "type": []
@@ -378,6 +343,20 @@
 "uuid": "24a709ef-c2e4-45ca-90b6-dfa184472f49",
 "value": "GlanceLove"
 },
+ {
+ "description": "Cisco Talos identifies GPlayed as a malware written in .NET using the Xamarin environment for mobile applications. It is considered powerful because of its capability to adapt after its deployment. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gplayed",
+ "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html",
+ "https://blog.talosintelligence.com/2018/10/gplayerbanker.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "13dc1ec7-aba7-4553-b990-8323405a1d32",
+ "value": "GPlayed"
+ },
 {
 "description": "",
 "meta": {
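Review bot: The new GPlayed description in the `@@ -378,6 +343,20 @@` hunk ends with a trailing space before the closing quote (`...that can be executed. "`), which is kept verbatim in the JSON value and will churn the diff the next time a formatter or the generator strips it. Trim it to `"... compile new .NET code that can be executed."`. The other descriptions visible in this diff end directly on punctuation, so this one is the outlier.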
@@ -414,15 +393,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "1cc8963b-5ad4-4e19-8e9a-57b0ff1ef926",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "8804e02c-a139-4c3d-8901-03302ca1faa0",
 "value": "JadeRAT"
 },
@@ -431,8 +401,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.kevdroid",
- "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html",
- "https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/"
+ "https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/",
+ "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html"
 ],
 "synonyms": [],
 "type": []
@@ -464,7 +434,7 @@
 "type": []
 },
 "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0",
- "value": "Lazarus"
+ "value": "Lazarus (Android)"
 },
 {
 "description": "",
@@ -489,15 +459,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "b8fa5036-813f-4887-b4d4-bb17b4a7eba0",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f",
 "value": "Loki"
 },
@@ -511,22 +472,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "b8fa5036-813f-4887-b4d4-bb17b4a7eba0",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "fbda9705-677b-4c5b-9b0b-13b52eff587c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "4793a29b-1191-4750-810e-9301a6576fc4",
 "value": "LokiBot"
 },
@@ -544,15 +489,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "c9f2b058-6c22-462a-a20a-fca933a597dd",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "f691663a-b360-4c0d-a4ee-e9203139c38e",
 "value": "Marcher"
 },
@@ -561,8 +497,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mazarbot",
- "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/",
- "https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html"
+ "https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html",
+ "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/"
 ],
 "synonyms": [],
 "type": []
@@ -580,15 +516,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "53e2e7e8-70a8-11e8-b0f8-33fcf651adaf",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "0a53ace4-98ae-442f-be64-b8e373948bde",
 "value": "MysteryBot"
 },
@@ -603,18 +530,22 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "f091dfcb-07f4-4414-849e-c644e7327d94",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "ec936d58-6607-4e33-aa97-0e587bbbdda5",
 "value": "OmniRAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.podec",
+ "https://securelist.com/jack-of-all-trades/83470/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "82f9c4c1-2619-4236-a701-776c6c781f45",
+ "value": "Podec"
+ },
 {
 "description": "",
 "meta": {
@@ -628,38 +559,8 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "56660521-6db4-4e5a-a927-464f22954b7c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "0a32ceea-fa66-47ab-8bde-150dbd6d2e40",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
- "value": "X-Agent"
+ "value": "X-Agent (Android)"
 },
 {
 "description": "",
@@ -691,21 +592,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2",
- "https://clientsidedetection.com/new_android_trojan_targeting_over_60_banks_and_social_apps.html",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores"
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores",
+ "https://clientsidedetection.com/new_android_trojan_targeting_over_60_banks_and_social_apps.html"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "d10f8cd5-0077-4d8f-9145-03815a68dd33",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "e9aaab46-abb1-4390-b37b-d0457d05b28f",
 "value": "RedAlert2"
 },
@@ -714,41 +606,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe",
- "http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/",
- "http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html",
 "http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html",
- "http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html",
 "https://www.govcert.admin.ch/blog/33/the-retefe-saga",
- "http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html"
+ "http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html",
+ "http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html",
+ "http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html",
+ "http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "80acc956-d418-42e3-bddf-078695a01289",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "87b69cb4-8b65-47ee-91b0-9b1decdd5c5c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "e159c4f8-3c22-49f9-a60a-16588a9c22b0",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777",
- "value": "Retefe"
+ "value": "Retefe (Android)"
 },
 {
 "description": "",
@@ -761,15 +630,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "f35f219a-6eed-11e8-980a-93bb96299951",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "31d2ce1f-44bf-4738-a41d-ddb43466cd82",
 "value": "Roaming Mantis"
 },
@@ -784,15 +644,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "05f5a051-d7a2-4757-a2f0-d685334d9374",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "db3dcfd1-79d2-4c91-898f-5f2463d7c417",
 "value": "Rootnik"
 },
@@ -807,15 +658,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "3e19d162-9ee1-11e8-b8d7-d32141691f1f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "f5fded3c-8f45-471a-a372-d8be101e1b22",
 "value": "Skygofree"
 },
@@ -824,37 +666,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slempo",
- "https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html",
- "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html"
+ "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html",
+ "https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html"
 ],
 "synonyms": [
 "SlemBunk"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "f8047de2-fefc-4ee0-825b-f1fae4b20c09",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "3d3aa832-8847-47c5-9e31-ef13ab7ab6fb",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "620981e8-49c8-486a-b30c-359702c8ffbc",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "d87e2574-7b9c-4ea7-98eb-88f3e139f6ff",
 "value": "Slempo"
 },
@@ -894,15 +713,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "93b1c63a-4a34-44fd-805b-0a3470ff7e6a",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "e186384b-8001-4cdd-b170-1548deb8bf04",
 "value": "SpyBanker"
 },
@@ -916,15 +726,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "ea727e26-b3de-44f8-86c5-11a912c7a8aa",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "31592c69-d540-4617-8253-71ae0c45526c",
 "value": "SpyNote"
 },
@@ -964,22 +765,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "a33df440-f112-4a5e-a290-3c65dae6091d",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "426ead34-b3e6-45c7-ba22-5b8f3b8214bd",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "d99c0a47-9d61-4d92-86ec-86a87b060d76",
 "value": "Svpeng"
 },
@@ -993,15 +778,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "60857664-0671-4b12-ade9-86ee6ecb026a",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "e3e90666-bc19-4741-aca8-1e4cbc2f4c9e",
 "value": "Switcher"
 },
@@ -1067,10 +843,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triada",
 "https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/",
- "http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html",
+ "https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/",
 "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/",
 "https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/",
- "https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/"
+ "http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html"
 ],
 "synonyms": [],
 "type": []
@@ -1078,6 +854,19 @@
 "uuid": "fa5fdfd2-8142-43f5-9b48-d1033b5398c8",
 "value": "Triada"
 },
+ {
+ "description": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware’s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout",
+ "https://labs.bitdefender.com/wp-content/uploads/downloads/triout-the-malware-framework-for-android-that-packs-potent-spyware-capabilities/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "bd9ce51c-53f9-411b-b46a-aba036c433b1",
+ "value": "Triout"
+ },
 {
 "description": "",
 "meta": {
@@ -1122,8 +911,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wirex",
- "https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/",
- "https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/"
+ "https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/",
+ "https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/"
 ],
 "synonyms": [],
 "type": []
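Review bot: The new Triout description in the `@@ -1078,6 +854,19 @@` hunk carries two typos that will be displayed verbatim in the galaxy: `a Android spyware` should read `an Android spyware`, and `recoding videos` looks like it should be `recording videos`, given the neighbouring `recording phone calls`. The same string uses a curly apostrophe in `spyware’s`; that is valid JSON, but every other description visible in this diff is plain ASCII, so a straight `'` would keep the file consistent. The `C&C` in the same sentence needs no escaping in JSON and can stay.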
@@ -1136,35 +925,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xbot",
- "https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/",
- "https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/"
+ "https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/",
+ "https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "e683cd91-40b4-4e1c-be25-34a27610a22e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387",
 "value": "Xbot"
 },
@@ -1186,8 +952,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark",
- "https://securelist.com/whos-who-in-the-zoo/85394",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf"
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf",
+ "https://securelist.com/whos-who-in-the-zoo/85394"
 ],
 "synonyms": [],
 "type": []
@@ -1200,8 +966,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ztorg",
- "https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1",
 "http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2",
+ "https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1",
 "https://securelist.com/ztorg-from-rooting-to-sms/78775/"
 ],
 "synonyms": [
@@ -1231,47 +997,44 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/",
- "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/",
- "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf"
+ "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf",
+ "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/"
 ],
 "synonyms": [
- "gayfgt",
 "Gafgyt",
+ "gayfgt",
+ "lizkebab",
 "qbot",
- "torlus",
- "lizkebab"
+ "torlus"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "5fe338c6-723e-43ed-8165-43d95fa93689",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "40795af6-b721-11e8-9fcb-570c0b384135",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "81917a93-6a70-4334-afe2-56904c1fafe9",
 "value": "Bashlite"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bcmpupnp_hunter",
+ "https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d8dd47a5-85fe-4f07-89dc-00301468d209",
+ "value": "BCMPUPnP_Hunter"
+ },
 {
 "description": "This is in the same family as eBury, Calfbot, and is also likely related to DarkLeech",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdorked",
- "https://www.symantec.com/security-center/writeup/2013-050214-5501-99",
- "https://blogs.cisco.com/security/linuxcdorked-faqs",
- "https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/",
 "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/",
- "https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html"
+ "https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html",
+ "https://www.symantec.com/security-center/writeup/2013-050214-5501-99",
+ "https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/",
+ "https://blogs.cisco.com/security/linuxcdorked-faqs"
 ],
 "synonyms": [
 "CDorked.A"
@@ -1306,17 +1069,17 @@
 "type": []
 },
 "uuid": "8a42a699-1746-498b-a558-e7113bb916c0",
- "value": "Cpuminer"
+ "value": "Cpuminer (ELF)"
 },
 {
 "description": "This payload has been used to compromise kernel.org back in August of 2011 and has hit cPanel Support which in turn, has infected quite a few cPanel servers. It is a credential stealing payload which steals SSH keys, passwords, and potentially other credentials.\r\n\r\nThis family is part of a wider range of tools which are described in detail in the operation windigo whitepaper by ESET.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury",
- "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy",
 "https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf",
- "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/",
- "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/"
+ "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/",
+ "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy",
+ "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/"
 ],
 "synonyms": [],
 "type": []
@@ -1334,17 +1097,8 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "ee73e375-3ac2-4ce0-b24b-74fd82d52864",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864",
- "value": "Erebus"
+ "value": "Erebus (ELF)"
 },
 {
 "description": "",
@@ -1359,6 +1113,19 @@
 "uuid": "79b2b3c0-6119-4511-9c33-2a48532b6a60",
 "value": "ext4"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.haiduc",
+ "https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "dd85732f-cbf8-4f2c-af5c-f51ef7d99b6a",
+ "value": "Haiduc"
+ },
 {
 "description": "",
 "meta": {
@@ -1376,15 +1143,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "383fd414-3805-11e8-ac12-c7b5af38ff67",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "ff8ee85f-4175-4f5a-99e5-0cbc378f1489",
 "value": "Hajime"
 },
@@ -1406,27 +1164,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek",
- "https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/",
- "https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/",
 "https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/",
- "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/",
+ "https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/",
+ "https://blog.netlab.360.com/hns-botnet-recent-activities-en/",
 "https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/",
- "https://blog.netlab.360.com/hns-botnet-recent-activities-en/"
+ "https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/",
+ "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/"
 ],
 "synonyms": [
 "HNS"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "cdf1148c-5358-11e8-87e5-ab60d455597f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b",
 "value": "Hide and Seek"
 },
@@ -1435,9 +1184,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.iot_reaper",
- "https://research.checkpoint.com/new-iot-botnet-storm-coming/",
 "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/",
 "https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm",
+ "https://research.checkpoint.com/new-iot-botnet-storm-coming/",
 "https://embedi.com/blog/grim-iot-reaper-1-and-0-day-vulnerabilities-at-the-service-of-botnets/"
 ],
 "synonyms": [
@@ -1521,24 +1270,8 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c",
- "value": "Mirai"
+ "value": "Mirai (ELF)"
 },
 {
 "description": "",
@@ -1551,7 +1284,7 @@
 "type": []
 },
 "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217",
- "value": "Mokes"
+ "value": "Mokes (ELF)"
 },
 {
 "description": "",
@@ -1559,8 +1292,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.moose",
 "http://www.welivesecurity.com/2015/05/26/moose-router-worm/",
- "http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/",
- "http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/"
+ "http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/",
+ "http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/"
 ],
 "synonyms": [],
 "type": []
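Review bot: The `@@ -1551,7 +1284,7 @@` hunk renames the value to `"Mokes (ELF)"` but keeps uuid `6d5a5357-4126-4950-b8c3-ee78b1172217`, which the `"Mokes (OS X)"` entry in hunk `@@ -2977,14 +2454,14 @@` also carries, so two cluster values now share one uuid. MISP identifies galaxy clusters (and the `dest-uuid` references pointing at them from other galaxies) by uuid, so an importer is likely to either reject the file or silently keep only one of the two entries. The same collision exists for Wirenet (`47a8fedb-fd60-493a-9b7d-082bdb85621e`, hunks `@@ -1935,7 +1616,7 @@` and `@@ -3277,58 +2656,29 @@`), X-Agent (`0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf`, hunks `@@ -1944,49 +1625,19 @@` and `@@ -3277,58 +2656,29 @@`) and WireLurker (`bc32df24-8e80-44bc-80b0-6a4d55661aa5`, hunks `@@ -2076,17 +1731,8 @@` and `@@ -3253,17 +2641,8 @@`). Each platform variant should get its own uuid, keeping the existing one on whichever entry outside references already point to; since only the value gained a platform suffix, the generator presumably derives the uuid from the bare name and needs the platform folded into that derivation as well.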
@@ -1586,26 +1319,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.owari",
- "https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/",
- "https://twitter.com/ankit_anubhav/status/1019647993547550720",
+ "https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html",
 "https://twitter.com/360Netlab/status/1019759516789821441",
 "https://twitter.com/hrbrmstr/status/1019922651203227653",
 "https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863",
- "https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html",
- "https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/"
+ "https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/",
+ "https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/",
+ "https://twitter.com/ankit_anubhav/status/1019647993547550720"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "ec67f206-6464-48cf-a012-3cdfc1278488",
 "value": "Owari"
 },
@@ -1614,9 +1338,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla",
- "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf",
 "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf",
- "https://twitter.com/juanandres_gs/status/944741575837528064"
+ "https://twitter.com/juanandres_gs/status/944741575837528064",
+ "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -1624,6 +1348,22 @@
 "uuid": "262e0cf2-2fed-4d37-8d7a-0fd62c712840",
 "value": "Penquin Turla"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.perlbot",
+ "https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf"
+ ],
+ "synonyms": [
+ "DDoS Perl IrcBot",
+ "ShellBot"
+ ],
+ "type": []
+ },
+ "uuid": "24b77c9b-7e7e-4192-8161-b6727728170f",
+ "value": "PerlBot"
+ },
 {
 "description": "",
 "meta": {
@@ -1634,15 +1374,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "e3e91fe2-c7ce-11e8-8e85-6bc15cd2a63c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7",
 "value": "Persirai"
 },
@@ -1677,8 +1408,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rex",
- "https://thisissecurity.net/2016/10/28/octopus-rex-evolution-of-a-multi-task-botnet/",
- "https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/"
+ "https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/",
+ "https://thisissecurity.net/2016/10/28/octopus-rex-evolution-of-a-multi-task-botnet/"
 ],
 "synonyms": [],
 "type": []
@@ -1691,32 +1422,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori",
- "http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/",
- "http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori",
- "http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/",
 "https://www.arbornetworks.com/blog/asert/the-arc-of-satori/",
+ "http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/",
 "https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/",
+ "http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori",
+ "http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/",
 "https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "1ad4697b-3388-48ed-8621-85abebf5dbbf",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "e77cf495-632a-4459-aad1-cdf29d73683f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "9e5d83a8-1181-43fe-a77f-28c8c75ffbd0",
 "value": "Satori"
 },
@@ -1769,15 +1484,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "f258f96c-8281-4b24-8aa7-4e23d1a5540e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "275d65b9-0894-4c9b-a255-83daddb2589c",
 "value": "SSHDoor"
 },
@@ -1804,15 +1510,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "92f38212-94e2-4d70-9b5e-e977eb1e7b79",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "a874575e-0ad7-464d-abb6-8f4b7964aa92",
 "value": "Torii"
 },
@@ -1834,9 +1531,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami",
- "https://www.8ackprotect.com/blog/big_brother_is_attacking_you",
 "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/",
- "http://get.cyberx-labs.com/radiation-report"
+ "http://get.cyberx-labs.com/radiation-report",
+ "https://www.8ackprotect.com/blog/big_brother_is_attacking_you"
 ],
 "synonyms": [
 "Amnesia",
@@ -1872,22 +1569,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "3d8e547d-9456-4f32-a895-dc86134e282f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "2a18f5dd-40fc-444b-a7c6-85f94b3eee13",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460",
 "value": "Umbreon"
 },
@@ -1935,7 +1616,7 @@
 "type": []
 },
 "uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e",
- "value": "Wirenet"
+ "value": "Wirenet (ELF)"
 },
 {
 "description": "",
@@ -1944,49 +1625,19 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xagent",
 "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
 "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
+ "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/",
 "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf",
- "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf"
 ],
 "synonyms": [
- "splm",
 "chopstick",
- "fysbis"
+ "fysbis",
+ "splm"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "56660521-6db4-4e5a-a927-464f22954b7c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "0a32ceea-fa66-47ab-8bde-150dbd6d2e40",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
- "value": "X-Agent"
+ "value": "X-Agent (ELF)"
 },
 {
 "description": "",
@@ -2001,14 +1652,27 @@
 "uuid": "32b95dc7-03a6-45ab-a991-466208dd92d2",
 "value": "Xaynnalc"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xbash",
+ "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ee54fc1e-c574-4836-8cdb-992ac38cef32",
+ "value": "Xbash"
+ },
 {
 "description": "Linux DDoS C&C Malware",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos",
- "https://en.wikipedia.org/wiki/Xor_DDoS",
 "https://www.cdnetworks.com/resources/whitepapers/sg/Whitepaper23.pdf",
- "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html"
+ "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html",
+ "https://en.wikipedia.org/wiki/Xor_DDoS"
 ],
 "synonyms": [],
 "type": []
@@ -2041,17 +1705,8 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "8269e779-db23-4c94-aafb-36ee94879417",
- "value": "DualToy"
+ "value": "DualToy (iOS)"
 },
 {
 "description": "",
@@ -2076,17 +1731,8 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5",
- "value": "WireLurker"
+ "value": "WireLurker (iOS)"
 },
 {
 "description": "Part of Malware-as-service platform\r\nUsed as a generic name for Java-based RAT\r\nFunctionality\r\n- collect general system and user information \r\n- terminate process\r\n-log keystroke\r\n-take screenshot and access webcam\r\n- steal cache password from local or web forms\r\n- download and execute Malware\r\n- modify registry\r\n- download components\r\n- Denial of Service attacks\r\n- Acquire VPN certificates\r\n\r\nInitial infection vector\r\n1. Email to JAR files attached\r\n2. Malspam URL to downlaod the malware\r\n\r\nPersistence\r\n- Runkey - HKCU\\Software\\Microsoft\\Windows\\current version\\run\r\n\r\nHiding\r\nUses attrib.exe \r\n\r\nNotes on Adwind\r\nThe malware is not known to be proxy aware",
@@ -2102,44 +1748,14 @@
 ],
 "synonyms": [
 "AlienSpy",
- "JSocket",
 "Frutas",
- "UNRECOM",
 "JBifrost",
- "Sockrat"
+ "JSocket",
+ "Sockrat",
+ "UNRECOM"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "b76d9845-815c-4e77-9538-6b737269da2f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "ab4694d6-7043-41f2-b328-d93bec9c1b22",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "ce1a9641-5bb8-4a61-990a-870e9ef36ac1",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "dadccdda-a4c2-4021-90b9-61a394e602be",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c",
 "value": "AdWind"
 },
@@ -2164,24 +1780,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/",
 "https://github.com/java-rat",
- "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/"
+ "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered"
 ],
 "synonyms": [
 "Jacksbot"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "1df62d96-88f8-473c-94a2-252eb360ba62",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "f2a9f583-b4dd-4669-8808-49c8bbacc376",
 "value": "jRAT"
 },
@@ -2195,15 +1802,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "669a0e4d-9760-49fc-bdf5-0471f84e0c76",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "ff24997d-1f17-4f00-b9b8-b3392146540f",
 "value": "jSpy"
 },
@@ -2212,8 +1810,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qarallax_rat",
- "https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/",
- "http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/"
+ "http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/",
+ "https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/"
 ],
 "synonyms": [],
 "type": []
@@ -2227,8 +1825,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/",
- "https://www.digitrustgroup.com/java-rat-qrat/",
- "https://blogs.forcepoint.com/security-labs/look-qrypter-adwind%E2%80%99s-major-rival-cross-platform-maas-market"
+ "https://blogs.forcepoint.com/security-labs/look-qrypter-adwind%E2%80%99s-major-rival-cross-platform-maas-market",
+ "https://www.digitrustgroup.com/java-rat-qrat/"
 ],
 "synonyms": [
 "Quaverse RAT"
@@ -2248,15 +1846,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "a51f07ae-ab2c-45ee-aa9c-1db7873e7bb4",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "da032a95-b02a-4af2-b563-69f686653af4",
 "value": "Ratty"
 },
@@ -2270,15 +1859,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "fd419da6-5c0d-461e-96ee-64397efac63b",
 "value": "AIRBREAK"
 },
@@ -2292,18 +1872,22 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "81faf0c1-0595-436b-a66a-05d8b435bccd",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "fb75a753-24ba-4b58-b7ed-2e39b0c68c65",
 "value": "Bateleur"
 },
+ {
+ "description": "According to the GitHub repo, CACTUSTORCH is a JavaScript and VBScript shellcode launcher. It will spawn a 32 bit version of the binary specified and inject shellcode into it.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.cactustorch",
+ "https://github.com/mdsecactivebreach/CACTUSTORCH"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "efbb5a7c-8c01-4aca-ac21-8dd614b256f7",
+ "value": "CACTUSTORCH"
+ },
 {
 "description": "WebAssembly-based crpyto miner.",
 "meta": {
@@ -2333,13 +1917,27 @@
 "uuid": "d47ca107-3e03-4c25-88f9-8156426b7f60",
 "value": "CukieGrab"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon",
+ "https://twitter.com/ItsReallyNick/status/1059898708286939136"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "85c25380-69d7-4d7e-b279-6b6791fd40bd",
+ "value": "Griffon"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak",
- "https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/",
- "https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack"
+ "https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack",
+ "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
+ "https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/"
 ],
 "synonyms": [],
 "type": []
@@ -2439,8 +2037,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_050",
- "https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef",
- "https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f"
+ "https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f",
+ "https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef"
 ],
 "synonyms": [],
 "type": []
@@ -2466,8 +2064,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.bella",
- "https://blog.malwarebytes.com/threat-analysis/2017/05/another-osx-dok-dropper-found-installing-new-backdoor/",
- "https://github.com/kai5263499/Bella"
+ "https://github.com/kai5263499/Bella",
+ "https://blog.malwarebytes.com/threat-analysis/2017/05/another-osx-dok-dropper-found-installing-new-backdoor/"
 ],
 "synonyms": [],
 "type": []
@@ -2483,8 +2081,8 @@
 "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed"
 ],
 "synonyms": [
- "Mask",
- "Appetite"
+ "Appetite",
+ "Mask"
 ],
 "type": []
 },
@@ -2527,15 +2125,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "5bc62523-dc80-46b4-b5cb-9caf44c11552",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "74360d1e-8f85-44d1-8ce7-e76afb652142",
 "value": "CpuMeaner"
 },
@@ -2545,8 +2134,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.creative_updater",
 "https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/",
- "https://digitasecurity.com/blog/2018/02/05/creativeupdater/",
- "https://objective-see.com/blog/blog_0x29.html"
+ "https://objective-see.com/blog/blog_0x29.html",
+ "https://digitasecurity.com/blog/2018/02/05/creativeupdater/"
 ],
 "synonyms": [],
 "type": []
@@ -2559,31 +2148,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crisis",
+ "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?",
 "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html",
- "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines",
- "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?"
+ "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "c359c74e-4155-4e66-a344-b56947f75119",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "c17f6e4b-70c5-42f8-a91b-19d73485bd04",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "4b2ab902-811e-4b50-8510-43454d77d027",
- "value": "Crisis"
+ "value": "Crisis (OS X)"
 },
 {
 "description": "",
@@ -2644,8 +2217,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback",
- "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed",
 "http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html",
+ "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed",
 "http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html"
 ],
 "synonyms": [],
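Review bot: The Crisis ref moved to the top of the list in the `@@ -2559,31 +2148,15 @@` hunk still ends in `/?`, an empty query string that looks like a copy-paste artifact and will make the ref compare unequal to the canonical URL in any dedup or link check; it should read `"https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/"`. Since this hunk only reorders the refs, the value presumably comes from the upstream source and the trim belongs there as well, or it will return on the next regeneration.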
@@ -2659,11 +2232,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.fruitfly",
+ "https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html",
 "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/",
- "https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/",
 "https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/",
 "https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/",
- "https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html",
+ "https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/",
 "https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Patrick-Wardle-Offensive-Malware-Analysis-Fruit-Fly-UPDATED..pdf"
 ],
 "synonyms": [
@@ -2671,15 +2244,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "6a6525b9-4656-4973-ab45-588592395d0c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "a517cdd1-6c82-4b29-bdd2-87e281227597",
 "value": "FruitFly"
 },
@@ -2718,21 +2282,12 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keranger",
 "https://objective-see.com/blog/blog_0x16.html",
- "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",
- "https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html"
+ "https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html",
+ "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "63292b32-9867-4fb2-9e59-d4983d4fd5d1",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "01643bc9-bd61-42e8-b9f1-5fbf83dcd786",
 "value": "KeRanger"
 },
@@ -2771,70 +2326,19 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.komplex",
- "http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/",
- "https://objective-see.com/blog/blog_0x16.html",
- "https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/",
 "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf"
+ "https://objective-see.com/blog/blog_0x16.html",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf",
+ "http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/"
 ],
 "synonyms": [
- "SedUploader",
 "JHUHUGIT",
- "JKEYSKW"
+ "JKEYSKW",
+ "SedUploader"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "f108215f-3487-489d-be8b-80e346d32518",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "75c79f95-4c84-4650-9158-510f0ce4831d",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
 "value": "Komplex"
 },
@@ -2857,8 +2361,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.leverage",
- "https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/",
- "https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis"
+ "https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis",
+ "https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/"
 ],
 "synonyms": [],
 "type": []
@@ -2876,15 +2380,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "14f08f6f-7f58-48a8-8469-472244ffb571",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "910d3c78-1a9e-4600-a3ea-4aa5563f0f13",
 "value": "MacDownloader"
 },
@@ -2906,21 +2401,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macransom",
- "https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service",
- "https://objective-see.com/blog/blog_0x1E.html"
+ "https://objective-see.com/blog/blog_0x1E.html",
+ "https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "7574c7f1-5075-4230-aca9-d6c0956f1fac",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "66862f1a-5823-4a9a-bd80-439aaafc1d8b",
 "value": "MacRansom"
 },
@@ -2934,15 +2420,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "b7cea5fe-d3fe-47cf-ba82-104c90e130ff",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "c9915d41-d1fb-45bc-997e-5cd9c573d8e7",
 "value": "MacSpy"
 },
@@ -2977,14 +2454,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mokes",
- "https://objective-see.com/blog/blog_0x16.html",
- "https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/"
+ "https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/",
+ "https://objective-see.com/blog/blog_0x16.html"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217",
- "value": "Mokes"
+ "value": "Mokes (OS X)"
 },
 {
 "description": "",
@@ -2996,15 +2473,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "4e2f0af2-6d2d-4a49-adc9-fae3745fcb72",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "aa1bf4e5-9c44-42a2-84e5-7526e4349405",
 "value": "Mughthesec"
 },
@@ -3050,22 +2518,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "e211ea8d-5042-48ae-86c6-15186d1f8dba",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "091c9923-5939-4bde-9db5-56abfb51f1a2",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "bad1057c-4f92-4747-a0ec-31bcc062dab8",
 "value": "Patcher"
 },
@@ -3074,8 +2526,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit",
- "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf",
- "http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/"
+ "http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/",
+ "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -3090,12 +2542,12 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.proton_rat",
 "https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does",
 "https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/",
- "https://objective-see.com/blog/blog_0x1D.html",
+ "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/",
 "https://securelist.com/calisto-trojan-for-macos/86543/",
 "https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/",
 "https://objective-see.com/blog/blog_0x1F.html",
 "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
- "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/",
+ "https://objective-see.com/blog/blog_0x1D.html",
 "https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf"
 ],
 "synonyms": [
@@ -3116,15 +2568,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "29e52693-b325-4c14-93de-8f2ff9dca8bf",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "70059ec2-9315-4af7-b65b-2ec35676a7bb",
 "value": "Pwnet"
 },
@@ -3134,38 +2577,15 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe",
 "http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/",
+ "https://www.govcert.admin.ch/blog/33/the-retefe-saga",
 "http://www.brycampbell.co.uk/new-blog/2017/4/30/retefe-and-osxdok-one-and-the-same",
- "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/",
- "https://www.govcert.admin.ch/blog/33/the-retefe-saga"
+ "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"
 ],
 "synonyms": [
 "Retefe"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "87b69cb4-8b65-47ee-91b0-9b1decdd5c5c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "e159c4f8-3c22-49f9-a60a-16588a9c22b0",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "80acc956-d418-42e3-bddf-078695a01289",
 "value": "Dok"
 },
@@ -3193,54 +2613,22 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "22332d52-c0c2-443c-9ffb-f08c0d23722c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c",
- "value": "Uroburos"
+ "value": "Uroburos (OS X)"
 },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti",
- " https://401trg.pw/an-update-on-winnti/",
- "https://401trg.pw/winnti-evolution-going-open-source/"
+ "https://401trg.pw/winnti-evolution-going-open-source/",
+ " https://401trg.pw/an-update-on-winnti/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "9b3a4cff-1c5a-4fd6-b49c-27240b6d622c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1",
- "value": "Winnti"
+ "value": "Winnti (OS X)"
 },
 {
 "description": "",
@@ -3253,17 +2641,8 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5",
- "value": "WireLurker"
+ "value": "WireLurker (OS X)"
 },
 {
 "description": "",
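Review bot: The Winnti refs in the `@@ -3193,54 +2613,22 @@` hunk keep a leading space inside the string on the new side, `" https://401trg.pw/an-update-on-winnti/"`, so the value is not a valid URL for any consumer that validates, deduplicates or fetches refs; it should read `"https://401trg.pw/an-update-on-winnti/"`. Because the hunk only swaps the order of the two refs, the entry appears to be regenerated from the upstream Malpedia data, so the stray space presumably needs fixing there as well or it will come back on the next sync.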
@@ -3277,58 +2656,29 @@ "type": [] }, "uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e", - "value": "Wirenet" + "value": "Wirenet (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xagent", + "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/", "https://twitter.com/PhysicalDrive0/status/845009226388918273", - "https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf", - "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf" ], "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "56660521-6db4-4e5a-a927-464f22954b7c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "0a32ceea-fa66-47ab-8bde-150dbd6d2e40", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", - "value": "X-Agent" + "value": "X-Agent (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xslcmd", + "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html", "https://objective-see.com/blog/blog_0x16.html" ], "synonyms": [], 
@@ -3385,7 +2735,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater",
- "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2"
+ "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2",
+ "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/"
 ],
 "synonyms": [],
 "type": []
@@ -3417,22 +2768,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "6e45f758-7bd9-44b8-a21c-7309614ae176",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "4df1b257-c242-46b0-b120-591430066b6f",
 "value": "POSHSPY"
 },
@@ -3446,15 +2781,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "9fa93bb7-2997-4864-aa0e-0e667990dec8",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "5c5beab9-614c-4c86-b369-086234ddb43c",
 "value": "PowerWare"
 },
@@ -3468,15 +2794,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419",
 "value": "POWRUNER"
 },
@@ -3498,8 +2815,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin", - "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/", - "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca" + "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" ], "synonyms": [], "type": [] @@ -3507,6 +2824,22 @@ "uuid": "1e27a569-1899-4f6f-8c42-aa91bf0a539d", "value": "RogueRobin" }, + { + "description": "sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload", + "https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9", + "https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy", + "https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/", + "https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e78c0259-9299-4e55-b934-17c6a3ac4bc2", + "value": "sLoad" + }, { "description": "", "meta": { 
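Review bot: The RogueRobin hunk swaps two refs without changing their content, and the same content-free reordering recurs in the BrickerBot, 9002 RAT, Agent.BTZ, Alina, Andromeda, Babar and BackSwap hunks, which suggests the generator emits `refs` in whatever order the source (or an unordered container) returns them. Sorting `refs` before serialisation, as the `synonyms` arrays in this diff already appear to be (`alina_eagle`, `alina_spark`, `katrina`; `TDL`, `TDSS`), would keep regeneration diffs limited to real changes and make review of the new references practical. The sLoad entry added in the second hunk is consistent with the surrounding entries.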
@@ -3551,14 +2884,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.brickerbot", - "https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/", - "https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/", - "https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A", - "http://seclists.org/fulldisclosure/2017/Mar/7", "https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/", + "https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/", "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", - "http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f" + "https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/", + "https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/", + "http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f", + "https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A", + "http://seclists.org/fulldisclosure/2017/Mar/7" ], "synonyms": [], "type": [] 
@@ -3591,7 +2924,7 @@ "type": [] }, "uuid": "4305d59a-0d07-4021-a902-e7996378898b", - "value": "FlexiSpy" + "value": "FlexiSpy (symbian)" }, { "description": "The NJCCIC describes 7ev3n as a ransomware \"that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n.\"", @@ -3604,15 +2937,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "664701d6-7948-4e80-a333-1d1938103ba1", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "ac2608e9-7851-409f-b842-e265b877a53c", "value": "7ev3n" }, 
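Review bot: The new value `FlexiSpy (symbian)` uses a lowercase platform suffix, while the other disambiguated names in this diff keep the platform's usual casing (`Uroburos (OS X)`, `Winnti (OS X)`, `Bahamut (Windows)`). If the suffix is derived from the Malpedia path prefix rather than a display name, the generator should map it to the display form so the cluster's values stay consistent; `"value": "FlexiSpy (Symbian)"` would match the others.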
@@ -3623,12 +2947,12 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.9002", "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", - "https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/", "https://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/6894315", "http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/", "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html", - "https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html", + "https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/", "https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures", + "https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/" ], "synonyms": [ 
@@ -3637,29 +2961,6 @@ ], "type": [] }, - "related": [ - { - "dest-uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "70c31066-237a-11e8-8eff-37ef1ad0c703", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f", "value": "9002 RAT" }, @@ -3669,7 +2970,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos", "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak", - "https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/" + "https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/", + "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software" ], "synonyms": [ "PinkKite" @@ -3679,6 +2981,19 @@ "uuid": "a492a3e0-13cb-4b7d-93c1-027e7e69b44d", "value": "AbaddonPOS" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.abantes", + "https://github.com/ElektroKill/AbantesTrojan" + ], + "synonyms": [], + "type": [] + }, + "uuid": "27b54000-26b5-405f-9296-9fbc9217a8c9", + "value": "abantes" + }, { "description": "", "meta": { 
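Review bot: The new `abantes` entry's `value` is lowercase, unlike the display-cased names around it (`AbaddonPOS`, `9002 RAT`), and the cluster's values are what consumers match on. This may simply be Malpedia's canonical spelling, but it is worth confirming; if the source name is capitalised, use `"value": "Abantes"`.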
@@ -3722,8 +3037,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker",
- "https://twitter.com/JaromirHorejsi/status/813712587997249536",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016"
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016",
+ "https://twitter.com/JaromirHorejsi/status/813712587997249536"
 ],
 "synonyms": [],
 "type": []
@@ -3742,7 +3057,7 @@
 "type": []
 },
 "uuid": "ace3cb99-3523-44a1-92cc-9f002cf364bf",
- "value": "win.adkoob"
+ "value": "AdKoob"
 },
 {
 "description": "AdvisorsBot is a downloader named after early command and control domains that all contained the word \"advisors\". The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing.",
@@ -3775,13 +3090,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz", - "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html", - "https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/", - "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", - "https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat", - "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/", - "http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/" + "https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", + "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html", + "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", + "http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/", + "https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat" ], "synonyms": [ "ComRAT", @@ -3789,29 +3104,6 @@ ], "type": [] }, - "related": [ - { - "dest-uuid": "9223bf17-7e32-4833-9574-9ffd8c929765", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "da079741-05e6-458c-b434-011263dc691c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8", "value": "Agent.BTZ" }, 
@@ -3831,15 +3123,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "f8cd62cb-b9d3-4352-8f46-0961cfde104c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "b88e29cf-79d9-42bc-b369-0383b5e04380", "value": "Agent Tesla" }, @@ -3875,17 +3158,17 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alina_pos", "http://www.xylibox.com/2013/02/alina-34-pos-malware.html", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/", "https://www.nuix.com/blog/alina-continues-spread-its-wings", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/" + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/" ], "synonyms": [ + "alina_eagle", "alina_spark", - "katrina", - "alina_eagle" + "katrina" ], "type": [] }, 
@@ -3897,8 +3180,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.allaple", - "https://researchcenter.paloaltonetworks.com/2014/08/hunting-mutex/", - "https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf" + "https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf", + "https://researchcenter.paloaltonetworks.com/2014/08/hunting-mutex/" ], "synonyms": [ "Starman" @@ -3956,15 +3239,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "dd356ed3-42b8-4587-ae53-95f933517612", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "5060756f-8385-465d-a7dd-7bf09a54da92", "value": "Alphabet Ransomware" }, @@ -3978,15 +3252,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "a27fff00-995a-4598-ba00-05921bf20e80", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "c1b9e8c5-9283-4dbe-af10-45956a446fb7", "value": "AlphaLocker" }, @@ -4022,26 +3287,17 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon", "http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html", - "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html", - "http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html" + "http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html", + "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html" ], "synonyms": [ "Olmarik", "Pihar", - "TDSS", - "TDL" + "TDL", + "TDSS" ], "type": [] }, - "related": [ - { - "dest-uuid": "61a17703-7837-4cc9-b022-b5ed6b30efc1", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "ad4e6779-59a6-4ad6-98de-6bd871ddb271", "value": "Alureon" }, 
@@ -4066,39 +3322,30 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda", - "http://blog.morphisec.com/andromeda-tactics-analyzed", - "https://blog.avast.com/andromeda-under-the-microscope", - "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis", - "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/", - "https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html", - "https://blog.fortinet.com/2014/04/23/andromeda-2-7-features", - "https://blog.fortinet.com/2014/05/19/new-anti-analysis-tricks-in-andromeda-2-08", - "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features", "https://blog.fortinet.com/2014/04/16/a-good-look-at-the-andromeda-botnet", - "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/", - "http://resources.infosecinstitute.com/andromeda-bot-analysis/", - "https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/", - "https://eternal-todo.com/blog/andromeda-gamarue-loves-json", "https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation", - "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/" + "https://blog.avast.com/andromeda-under-the-microscope", + "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features", + "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/", + "http://blog.morphisec.com/andromeda-tactics-analyzed", + "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis", + "http://resources.infosecinstitute.com/andromeda-bot-analysis/", + "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/", + "https://blog.fortinet.com/2014/05/19/new-anti-analysis-tricks-in-andromeda-2-08", + 
"https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/", + "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/", + "https://eternal-todo.com/blog/andromeda-gamarue-loves-json", + "https://blog.fortinet.com/2014/04/23/andromeda-2-7-features", + "https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html" ], "synonyms": [ - "Gamarue", "B106-Gamarue", "B67-SS-Gamarue", + "Gamarue", "b66" ], "type": [] }, - "related": [ - { - "dest-uuid": "b9f00c61-6cd1-4112-a632-c8d3837a7ddd", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "07f46d21-a5d4-4359-8873-18e30950df1a", "value": "Andromeda" }, @@ -4152,22 +3399,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "e38b8876-5780-4574-9adf-304e9d659bdb", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "d5d3f9de-21b5-482e-b716-5f2f13182990", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "e87d9df4-b464-4458-ae1f-31cea40d5f96", "value": "Apocalypse" }, @@ -4201,8 +3432,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger", - "https://www.invincea.com/2016/09/crimeware-as-a-service-goes-mainstream/", - "http://remote-keylogger.net/" + "http://remote-keylogger.net/", + "https://www.invincea.com/2016/09/crimeware-as-a-service-goes-mainstream/" ], "synonyms": [ "Aaron Keylogger" 
@@ -4214,6 +3445,19 @@ }, { "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer", + "https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "59eff508-7f26-4fd8-b526-5772a9f3d9a6", + "value": "Arkei Stealer" + }, + { + "description": "ARS Loader, also known as ARS VBS Loader, is written in Visual Basic Script and its main purpose is to control an infected machine via different available commands, acting as a remote access trojan (RAT). Its code is based on ASPC, another Visual Basic Script malware, which at the same time seems to be based on SafeLoader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader", @@ -4224,15 +3468,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "cd6527d1-17a7-4825-8b4b-56e113d0efb1", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "1a4f99cc-c078-41f8-9749-e1dc524fc795", "value": "ARS VBS Loader" }, @@ -4265,8 +3500,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.asprox", - "http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/", - "https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/" + "https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/", + "https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign", + "http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/" ], "synonyms": [ "Aseljo", 
@@ -4274,15 +3510,6 @@ ], "type": [] }, - "related": [ - { - "dest-uuid": "0d58f329-1356-468c-88ab-e21fbb64c02b", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "ba557993-f64e-4538-8f13-dafaa3c0db00", "value": "Asprox" }, @@ -4370,8 +3597,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.august_stealer", - "https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html", - "https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene" + "https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene", + "https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html" ], "synonyms": [], "type": [] @@ -4404,29 +3631,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "70c31066-237a-11e8-8eff-37ef1ad0c703", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d", "value": "Aurora" }, 
@@ -4504,8 +3708,9 @@ "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/", "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html", + "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside", "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/", - "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" + "https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/" ], "synonyms": [ "PuffStealer", @@ -4521,26 +3726,17 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babar", - "https://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/", - "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", "http://www.spiegel.de/media/media-35683.pdf", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/", "https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/", - "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/" + "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", + "https://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/" ], "synonyms": [ "SNOWBALL" ], "type": [] }, - "related": [ - { - "dest-uuid": "57b221bc-7ed6-4080-bc66-813d17009485", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "947dffa1-0184-48d4-998e-1899ad97e93e", "value": "Babar" }, 
@@ -4557,6 +3753,19 @@ "uuid": "30c2e5c6-851d-4f3a-8b6e-2e7b69a26467", "value": "BABYMETAL" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.backnet", + "https://github.com/valsov/BackNet" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e2840cc1-c43d-4542-9818-a3c15a0f9f7a", + "value": "BackNet" + }, { "description": "", "meta": { @@ -4576,9 +3785,11 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap", "https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/", + "https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi", + "https://www.cert.pl/en/news/single/backswap-malware-analysis/", + "https://research.checkpoint.com/the-evolution-of-backswap/", "https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/", - "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/", - "https://www.cert.pl/en/news/single/backswap-malware-analysis/" + "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/" ], "synonyms": [], "type": [] 
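Review bot: The added BackSwap ref `https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi` appears to be cut off mid-slug (`...hidden-input-fi`), presumably at a length limit somewhere upstream; it should be checked against the source and completed, otherwise the reference will not resolve. The BackNet entry added in the first hunk looks consistent with the others.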
@@ -4617,11 +3828,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews", - "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1", - "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2", + "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" + "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2" ], "synonyms": [], "type": [] @@ -4638,15 +3849,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "d530ea76-9bbc-4276-a2e3-df04e0e5a14c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "f09af1cc-cf9d-499a-9026-e783a3897508", "value": "Bagle" }, @@ -4662,7 +3864,7 @@ "type": [] }, "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9", - "value": "Bahamut" + "value": "Bahamut (Windows)" }, { "description": "", 
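Review bot: The rename to `Bahamut (Windows)` implies a sibling Bahamut entry for another platform exists, so the uuid `4038c3bc-b559-45bb-bac1-9665a54dedf9` kept on this entry should be confirmed to be unique across the cluster; two values sharing one uuid make galaxy lookups ambiguous and cannot be distinguished by any `related` reference. If the generator derives the uuid from the family name rather than the platform-qualified Malpedia id, the platform-specific entries need distinct uuids. The Bahamut entry's `"description"` and `"meta"` lines start before the hunk.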
@@ -4697,25 +3899,16 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori", "http://blog.kleissner.org/?p=69", "http://osint.bambenekconsulting.com/feeds/", - "http://blog.kleissner.org/?p=192", - "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/" + "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/", + "http://blog.kleissner.org/?p=192" ], "synonyms": [ - "MultiBanker 2", + "BackPatcher", "BankPatch", - "BackPatcher" + "MultiBanker 2" ], "type": [] }, - "related": [ - { - "dest-uuid": "f68555ff-6fbd-4f5a-bc23-34996f629c52", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "137cde28-5c53-489b-ad0b-d0fa2e342324", "value": "Banjori" }, @@ -4730,15 +3923,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "d9431c02-5391-11e8-931f-4beceb8bd697", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "bc67677c-c0e7-4fb1-8619-7f43fa3ff886", "value": "Bankshot" }, @@ -4751,15 +3935,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "3cf2c880-e0b5-4311-9c4e-6293f2a566e7", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "1dfd3ba6-7f82-407f-958d-c4a2ac055123", "value": "Bart" }, @@ -4798,15 +3973,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a", "value": "BBSRAT" }, @@ -4819,15 +3985,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "066f8ad3-0c99-43eb-990c-8fae2c232f62", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "af338ac2-8103-4419-8393-fb4f3b43af4b", "value": "Bedep" }, 
@@ -4862,11 +4019,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot", + "https://www.cybereason.com/blog/betabot-banking-trojan-neurevt", "https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39", "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html", "http://www.xylibox.com/2015/04/betabot-retrospective.html", + "https://asert.arbornetworks.com/beta-bot-a-code-review/", "http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref", - "https://www.arbornetworks.com/blog/asert/beta-bot-a-code-review/", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en", "http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html" ], @@ -4875,15 +4033,6 @@ ], "type": [] }, - "related": [ - { - "dest-uuid": "3d7c771b-b175-41c9-8ba1-904ef29715fa", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "837c5618-69dc-4817-8672-b3d7ae644f5c", "value": "BetaBot" }, @@ -4905,8 +4054,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates", "https://securelist.com/versatile-ddos-trojan-for-linux/64361/", - "https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf", - "https://habrahabr.ru/post/213973/" + "https://habrahabr.ru/post/213973/", + "https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf" ], "synonyms": [], "type": [] 
@@ -4962,29 +4111,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy", - "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/", + "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/", "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/", - "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/" + "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" ], "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "5a22cad7-65fa-4b7a-a7aa-7915a6101efa", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "82c644ab-550a-4a83-9b35-d545f4719069", "value": "BlackEnergy" }, @@ -4996,9 +4129,9 @@ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/" ], "synonyms": [ + "Kaptoxa", "POSWDS", - "Reedum", - "Kaptoxa" + "Reedum" ], "type": [] }, @@ -5024,9 +4157,9 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades", "https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/", - "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/", "https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/", - "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html" + "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html", + "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/" ], "synonyms": [], "type": [] 
@@ -5098,15 +4231,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "41f45758-0376-42a8-bc07-8f2ffbee3ad2", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "f9d0e934-879c-4668-b959-6bf7bdc96f5d", "value": "Bozok" }, @@ -5122,15 +4246,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "4c057ade-6989-11e8-9efd-ab33ed427468", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "d97ae60e-612a-4feb-908a-8c4d32e9d763", "value": "Brambul" }, @@ -5151,8 +4266,7 @@ "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\хп-пробив\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader", - "https://malpedia.caad.fkie.fraunhofer.de" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader" ], "synonyms": [], "type": [] 
@@ -5165,8 +4279,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab", - "https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html", - "https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/" + "https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/", + "https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html" ], "synonyms": [], "type": [] @@ -5192,28 +4306,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", - "https://github.com/nccgroup/Royal_APT" + "https://github.com/nccgroup/Royal_APT", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "25cd01bc-1346-4415-8f8d-d3656309ef6b", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f", "value": "BS2005" }, 
@@ -5239,29 +4337,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "66781866-f064-467d-925d-5e5f290352f0", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "7ca93488-c357-44c3-b246-3f88391aca5a", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "276c2c2e-09da-44cf-a3f7-806b3feb41da", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "16794655-c0e2-4510-9169-f862df104045", "value": "Bugat" }, @@ -5270,9 +4345,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap", - "https://www.arbornetworks.com/blog/asert/diving-buhtrap-banking-trojan-activity/", - "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack", "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf", + "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack", + "https://www.arbornetworks.com/blog/asert/diving-buhtrap-banking-trojan-activity/", "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/" ], "synonyms": [ @@ -5288,13 +4363,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner", - "http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf", "http://www.stoned-vienna.com/analysis-of-german-bundestrojaner.html", - "https://www.f-secure.com/weblog/archives/00002249.html" + "https://www.f-secure.com/weblog/archives/00002249.html", + "http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf" ], "synonyms": [ - "R2D2", - "0zapftis" + "0zapftis", + "R2D2" ], "type": [] }, 
@@ -5306,10 +4381,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bunitu", - "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/", - "https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/", + "https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/", "http://malware-traffic-analysis.net/2017/05/09/index.html", - "https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/" + "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/", + "https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/" ], "synonyms": [], "type": [] @@ -5336,20 +4411,14 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.buzus" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.buzus", + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Yimfoca.A" + ], + "synonyms": [ + "Yimfoca" ], - "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "27a7fd9b-ec9a-4f4a-b3f5-a3b81c71970a", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "69a3e0ed-1727-4a9c-ae21-1e32322ede93", "value": "Buzus" }, @@ -5415,15 +4484,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "2fafe8b2-b0db-11e8-a81e-4b62ee50bd87", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "ecac83ab-cd64-4def-979a-40aeeca0400b", "value": "CamuBot" }, 
@@ -5440,29 +4500,33 @@ "uuid": "1e722d81-085e-4beb-8901-aa27fe502dba", "value": "Cannibal Rat" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cannon", + "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3fada5b6-0b3d-4b83-97c9-2157c959704c", + "value": "Cannon" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak", - "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf", + "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", "https://www.fox-it.com/en/wp-content/uploads/sites/11/Anunak_APT-against-financial-institutions2.pdf", - "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" + "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf" ], "synonyms": [ "Anunak" ], "type": [] }, - "related": [ - { - "dest-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832", "value": "Carbanak" }, @@ -5488,15 +4552,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "1d9fbf33-faea-40c1-b543-c7b39561f0ff", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "3d3da4c0-004c-400c-9da6-f83fd35d907e", "value": "Cardinal RAT" }, @@ -5510,15 +4565,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "63b3e6fb-9bb8-43dc-9cbf-7681b049b5d6", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "3198501e-0ff0-43b7-96f0-321b463ab656", "value": "Casper" }, 
@@ -5541,7 +4587,7 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor", "https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities", - "https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/", + "https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident", "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/", "https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident", "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html", @@ -5550,7 +4596,7 @@ "https://www.wired.com/story/ccleaner-malware-targeted-tech-firms", "https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer", "https://twitter.com/craiu/status/910148928796061696", - "https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident", + "https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/", "http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor", "https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/", "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html" 
@@ -5582,27 +4628,18 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/",
+ "https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html",
 "https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/",
- "https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/",
- "https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html"
+ "https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "190edf95-9cd9-4e4a-a228-b716d52a751b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "79a7203a-6ea5-4c39-abd4-faa20cf8821a",
 "value": "Cerber"
 },
 {
- "description": "",
+ "description": "This malware family delivers its artifacts packed with free and generic packers. It writes files to windows temporary folders, downloads additional malware (generally cryptominers) and deletes itself.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerbu_miner"
@@ -5613,6 +4650,20 @@
 "uuid": "ba7706c1-7d2a-4031-9acc-cb862860da1a",
 "value": "Cerbu"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot",
+ "https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/",
+ "https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "36f9a5e0-9a78-4b9a-9072-1596c91b59b6",
+ "value": "Chainshot"
+ },
 {
 "description": "",
 "meta": {
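Review bot: The new Cerbu `description` added at the end of the first hunk is backed by no reference other than the Malpedia page itself, so its behavioural claims (generic packers, temp-folder drops, cryptominer downloads, self-deletion) cannot be checked from the entry; the `refs` list should carry the analysis the text was taken from. Minor wording fix while there: `windows` should be `Windows`, i.e. `"description": "This malware family delivers its artifacts packed with free and generic packers. It writes files to Windows temporary folders, downloads additional malware (generally cryptominers) and deletes itself."`. The Cerbu entry's `uuid`/`value` lines lie in the next hunk, so the object is split across two hunks.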
@@ -5620,8 +4671,8 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chches", "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html", "https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html", - "https://www.jpcert.or.jp/magazine/acreport-ChChes.html", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", + "https://www.jpcert.or.jp/magazine/acreport-ChChes.html", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" ], "synonyms": [ @@ -5629,22 +4680,6 @@ ], "type": [] }, - "related": [ - { - "dest-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "d71604d2-a17e-4b4e-82be-19cb54f93161", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c", "value": "ChChes" }, @@ -5657,9 +4692,9 @@ "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/" ], "synonyms": [ - "cherrypickerpos", + "cherry_picker", "cherrypicker", - "cherry_picker" + "cherrypickerpos" ], "type": [] }, @@ -5717,15 +4752,6 @@ ], "type": [] }, - "related": [ - { - "dest-uuid": "6deb9f26-969b-45aa-9222-c23663fd6ef8", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "9441a589-e23d-402d-9603-5e55e3e33971", "value": "Chthonic" }, 
@@ -5734,23 +4760,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel", - "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/", "http://www.xylibox.com/2016/02/citadel-0011-atmos.html", "http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html", + "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/", "https://www.arbornetworks.com/blog/asert/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/" ], "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "9eb89081-3245-423a-995f-c1d78ce39619", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "7f550cae-98b7-4a0c-bed2-d79227dc6310", "value": "Citadel" }, @@ -5764,15 +4781,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "d840e5af-3e6b-49af-ab82-fb4f8740bf55", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "c2bd0771-55d6-4242-986d-4bfd735998ba", "value": "Client Maximus" }, 
@@ -5807,10 +4815,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmstar", - "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/", - "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan", "https://twitter.com/ClearskySec/status/963829930776723461", - "https://www.votiro.com/single-post/2018/02/13/New-campaign-targeting-Ukrainians-holds-secrets-in-documents-properties" + "https://www.votiro.com/single-post/2018/02/13/New-campaign-targeting-Ukrainians-holds-secrets-in-documents-properties", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan", + "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" ], "synonyms": [ "meciv" 
@@ -5825,37 +4833,18 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", + "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py", + "https://www.lac.co.jp/lacwatch/people/20180521_001638.html", + "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/", - "https://www.lac.co.jp/lacwatch/people/20180521_001638.html" + "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/", + "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html" ], "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "ca44dd5e-fd9e-48b5-99cb-0b2629b9265f", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "3da22160-12d9-4d27-a99f-338e8de3844a", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550", "value": "Cobalt Strike" }, 
@@ -5864,21 +4853,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobian_rat", - "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat", - "https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html" + "https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html", + "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat" ], "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "8c49da10-2b59-42c4-81e6-75556decdecb", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "aa553bbd-f6e4-4774-9ec5-4607aa2004b8", "value": "Cobian RAT" }, @@ -5888,8 +4868,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint", "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint", - "https://www.group-ib.com/blog/renaissance", - "https://asert.arbornetworks.com/double-the-infection-double-the-fun/" + "https://asert.arbornetworks.com/double-the-infection-double-the-fun/", + "https://www.group-ib.com/blog/renaissance" ], "synonyms": [ "COOLPANTS" 
@@ -5904,11 +4884,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra", - "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra", - "https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf", - "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", + "https://github.com/hfiref0x/TDL", "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", - "https://github.com/hfiref0x/TDL" + "https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf", + "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra", + "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/" ], "synonyms": [ "Carbon" @@ -5962,8 +4942,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer", - "https://secrary.com/ReversingMalware/CoinMiner/", - "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/" + "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/", + "https://secrary.com/ReversingMalware/CoinMiner/" ], "synonyms": [], "type": [] 
@@ -6033,10 +5013,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace", - "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/", + "https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/", "https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html", - "https://www.absolute.com/en/resources/faq/absolute-response-to-arbor-lojack-research", - "https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/" + "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/", + "https://www.absolute.com/en/resources/faq/absolute-response-to-arbor-lojack-research" ], "synonyms": [ "lojack" @@ -6078,6 +5058,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker", + "https://www.honeynet.org/files/KYE-Conficker.pdf", + "https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf", + "http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html", + "https://github.com/tillmannw/cnfckr", + "http://www.confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf", "http://contagiodump.blogspot.com/2009/05/win32conficker.html" ], "synonyms": [ @@ -6086,15 +5071,6 @@ ], "type": [] }, - "related": [ - { - "dest-uuid": "ab49815e-8ba6-41ec-9f51-8a9587334069", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "5f638985-49e1-4059-b2eb-f2ffa397b212", "value": "Conficker" }, 
@@ -6103,8 +5079,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius", - "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/", - "https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/" + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/", + "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/" ], "synonyms": [], "type": [] @@ -6143,22 +5119,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot", - "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf", "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/", + "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf", "http://blog.deepinstinct.com/2017/11/08/a-deeper-dive-into-corebots-comeback/" ], "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "8a3d46db-d3b4-4f89-99e2-d1f0de3f484c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "495377c4-1be5-4c65-ba66-94c221061415", "value": "Corebot" }, 
@@ -6169,8 +5136,8 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", - "http://malware.prevenity.com/2014/08/malware-info.html", - "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html" + "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html", + "http://malware.prevenity.com/2014/08/malware-info.html" ], "synonyms": [], "type": [] @@ -6196,9 +5163,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crashoverride", - "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", "https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/", - "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", + "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf", + "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" ], "synonyms": [ "Crash", @@ -6244,29 +5212,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "8d8efbc6-d1b7-4ec8-bab3-591edba337d0", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "858edfb8-793a-430b-8acc-4310e7d2f0d3", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "a61fc694-a88a-484d-a648-db35b49932fd", "value": "Crimson" }, 
@@ -6275,62 +5220,30 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.crisis",
+ "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?",
 "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html",
- "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines",
- "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?"
+ "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "c359c74e-4155-4e66-a344-b56947f75119",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "c17f6e4b-70c5-42f8-a91b-19d73485bd04",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "4b2ab902-811e-4b50-8510-43454d77d027",
- "value": "Crisis"
+ "value": "Crisis (Windows)"
 },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl",
- "https://hackmag.com/security/ransomware-russian-style/",
 "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/",
- "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx",
 "https://www.v3.co.uk/v3-uk/news/3026414/belgian-police-release-decryption-keys-for-cryakl-ransomware",
- "https://twitter.com/demonslay335/status/971164798376468481"
+ "https://hackmag.com/security/ransomware-russian-style/",
+ "https://twitter.com/demonslay335/status/971164798376468481",
+ "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "3c51fc0e-42d8-4ff0-b1bd-5c8c20271a39",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "4f3e494e-0e37-4894-94b2-741a8100f07a",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "32fa6c53-b4fc-47f8-894c-1ea74180e02f",
 "value": "Cryakl"
 },
@@ -6343,22 +5256,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "8ff729d9-aee5-4b85-a59d-3f57e105be40",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "629f6986-2c1f-4d0a-b805-e4ef3e2ce634",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "980ea9fa-d29d-4a44-bb87-0c050f8ddeaf",
 "value": "CryLocker"
 },
@@ -6394,21 +5291,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker",
- "https://www.secureworks.com/research/cryptolocker-ransomware",
- "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware"
+ "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware",
+ "https://www.secureworks.com/research/cryptolocker-ransomware"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "b35b1ca2-f99c-4495-97a5-b8f30225cb90",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "c5a783da-9ff3-4427-84c5-428480b21cc7",
 "value": "CryptoLocker"
 },
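Review bot: Renaming `"value": "Crisis"` to `"value": "Crisis (Windows)"` changes the tag string that already-tagged MISP events carry (galaxy tags are built from `value`, not from the unchanged uuid `4b2ab902-811e-4b50-8510-43454d77d027`), so events tagged before this commit presumably stop resolving to this cluster unless the old name stays matchable. Keeping the old name as a synonym — `"synonyms": ["Crisis"]` in place of the empty array — preserves lookup, and the same treatment applies to any other platform-suffix rename in this commit. The hunk also drops both `related` links of the Crisis entry (`c359c74e-…`, `c17f6e4b-…`) and both of the Cryakl entry; if a separate relationship pass re-creates them, say so in the commit message. This hunk covers two entries and begins on the previous line.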
@@ -6430,23 +5318,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix", - "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/", - "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/" + "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/", + "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/" ], "synonyms": [ "CryptFile2" ], "type": [] }, - "related": [ - { - "dest-uuid": "c76110ea-15f1-4adf-a28d-c707374dbb3a", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "55d5742e-20f5-4c9a-887a-4dbd5b37d921", "value": "CryptoMix" }, @@ -6512,15 +5391,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "4bb11db7-17a0-4536-b817-419ae6299004", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "bc0c1e48-102c-4e6b-9b86-c442c4798159", "value": "CryptoWire" }, @@ -6536,29 +5406,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "26c8b446-305c-4057-83bc-85b09630281e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "b817ce63-f1c3-49de-bd8b-fd56c3f956c9", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "7f6cd579-b021-4896-80da-fcc07c35c8b2", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "ae4aa1ef-4da0-4952-9583-9d47f84edad9", "value": "CryptoFortress" }, 
@@ -6572,15 +5419,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "de53f392-8794-43d1-a38b-c0b90c20a3fb", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "2f65f056-6cba-4a5b-9aaf-daf31eb76fc2", "value": "CryptoRansomeware" }, @@ -6616,9 +5454,9 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuegoe", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", - "https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal", + "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3451", "http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html", - "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3451" + "https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal" ], "synonyms": [ "Windshield?" @@ -6663,15 +5501,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "35e25aad-7c39-4a1d-aa17-73fa638362e8", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "9e8655fc-5bba-4efd-b3c0-db89ee2e0e0b", "value": "Cutwail" }, @@ -6687,15 +5516,6 @@ ], "type": [] }, - "related": [ - { - "dest-uuid": "c3cf4e88-704b-4d7c-8185-ee780804f3d3", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "062d8577-d6e6-4c97-bcac-eb6eb1a50a8d", "value": "CyberGate" }, @@ -6708,15 +5528,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "587589df-ee42-43f4-9480-c65d6e1d7e0f", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "8bde6075-8c5b-4ff1-be9a-4e2b1d3419aa", "value": "CyberSplitter" }, 
@@ -6760,15 +5571,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "844417c6-a404-4c4e-8e93-84db596d725b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "4f7decd4-054b-4dd7-89cc-9bdb248f7c8a",
 "value": "DanaBot"
 },
@@ -6777,10 +5579,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet",
- "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/",
- "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/",
 "https://darkcomet.net",
- "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html"
+ "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/",
+ "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html",
+ "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/"
 ],
 "synonyms": [
 "Fynloski",
@@ -6788,22 +5590,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "8a21ae06-d257-48a0-989b-1c9aebedabc2",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "9ad11139-e928-45cf-a0b4-937290642e92",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "5086a6e0-53b2-4d96-9eb3-a0237da2e591",
 "value": "DarkComet"
 },
@@ -6812,8 +5598,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmegi",
- "http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html",
- "http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html"
+ "http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html",
+ "http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html"
 ],
 "synonyms": [],
 "type": []
@@ -6827,23 +5613,14 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon",
 "http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html",
- "http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html",
- "https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml"
+ "https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml",
+ "http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html"
 ],
 "synonyms": [
 "Chymine"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "310f437b-29e7-4844-848c-7220868d074a",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "81ca4876-b4a4-43e9-b8a9-8a88709dd3d2",
 "value": "Darkmoon"
 },
@@ -6878,8 +5655,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.darksky",
- "https://blog.radware.com/security/2018/02/darksky-botnet/",
 "http://telegra.ph/Analiz-botneta-DarkSky-12-30",
+ "https://blog.radware.com/security/2018/02/darksky-botnet/",
 "https://github.com/ims0rry/DarkSky-botnet"
 ],
 "synonyms": [],
@@ -6933,9 +5710,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf",
- "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
- "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
+ "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
+ "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/"
 ],
 "synonyms": [
 "Muirim",
@@ -6943,15 +5720,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b",
 "value": "Daserf"
 },
@@ -6960,8 +5728,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.datper",
- "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
+ "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
 "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html"
 ],
 "synonyms": [],
@@ -6980,15 +5748,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "57dd0828-79d7-11e8-a7d8-57db14e1ef24",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "cae8384d-b01b-4f9c-a31b-f693e12ea6b2",
 "value": "DDKONG"
 },
@@ -6997,8 +5756,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.decebal",
- "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf",
 "https://community.softwaregrp.com/t5/Security-Research/POS-malware-a-look-at-Dexter-and-Decebal/ba-p/272157",
+ "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf",
 "https://www.fireeye.com/blog/threat-research/2014/10/data-theft-in-aisle-9-a-fireeye-look-at-threats-to-retailers.html"
 ],
 "synonyms": [],
@@ -7070,22 +5829,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "eff68b97-f36e-4827-ab1a-90523c16774c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5",
 "value": "Derusbi"
 },
@@ -7106,13 +5849,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter",
- "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25658/en_US/McAfee_Labs_Threat_Advisory-LusyPOS.pdf",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/",
- "https://blog.fortinet.com/2014/03/10/how-dexter-steals-credit-card-information",
 "https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html",
+ "https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/",
 "http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/",
- "https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html"
+ "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25658/en_US/McAfee_Labs_Threat_Advisory-LusyPOS.pdf",
+ "https://blog.fortinet.com/2014/03/10/how-dexter-steals-credit-card-information",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/"
 ],
 "synonyms": [
 "LusyPOS"
@@ -7123,30 +5866,16 @@
 "value": "Dexter"
 },
 {
- "description": "",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.de_loader",
- "https://blog.fortinet.com/2016/06/21/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users",
- "https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks",
- "https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "d0c6df05-8d89-4ce8-8ea2-8a4f617fa8f2",
- "value": "DE Loader"
- },
- {
- "description": "",
+ "description": "According to MalwareBytes, the Dharma Ransomware family is installed manually by attackers hacking into computers over Remote Desktop Protocol Services (RDP). The attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.\r\n\r\nOnce they gain access to the computer they will install the ransomware and let it encrypt the computer. If the attackers are able to encrypt other computers on the network, they will attempt to do so as well.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma",
+ "https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/",
 "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/"
 ],
 "synonyms": [
- "Crysis",
- "Arena"
+ "Arena",
+ "Crysis"
 ],
 "type": []
 },
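Review bot: The "DE Loader" entry (`"uuid": "d0c6df05-8d89-4ce8-8ea2-8a4f617fa8f2"`) is deleted outright in this hunk, but a galaxy UUID is a stable identifier that other galaxies' `related` blocks and existing MISP events may already point at, so removing it leaves dangling references with no forwarding hint. If the cluster is gone from the upstream source, the usual approach is to keep the object and mark it deprecated (for example add `"deprecated": true` or a `related` entry pointing at the successor cluster) rather than drop it; otherwise the commit should say the removal is intentional. Separately, the new Dharma description opens with "According to MalwareBytes" while the only refs listed are bleepingcomputer.com and carbonblack.com; the text appears to be quoted from one of those, so either attribute it to the cited source or add the Malwarebytes article it refers to, and note the string is a verbatim third-party quote.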
@@ -7158,16 +5887,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox",
- "https://www.scmagazine.com/inside-diamondfox/article/578478/",
 "https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/",
- "https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/",
 "http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/",
- "https://blog.cylance.com/a-study-in-bots-diamondfox"
+ "https://www.scmagazine.com/inside-diamondfox/article/578478/",
+ "https://blog.cylance.com/a-study-in-bots-diamondfox",
+ "https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/"
 ],
 "synonyms": [
 "Crystal",
- "Gorynych",
- "Gorynch"
+ "Gorynch",
+ "Gorynych"
 ],
 "type": []
 },
@@ -7184,15 +5913,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "9fed4326-a7ad-4c58-ab87-90ac3957d82f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "8f5ce8a6-c5fe-4c62-b25b-6ce0f3b724c5",
 "value": "Dimnie"
 },
@@ -7207,15 +5927,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "cdcc59a0-955e-412d-b481-8dff4bce6fdf",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "61b2dd12-2381-429d-bb64-e3210804a462",
 "value": "DirCrypt"
 },
@@ -7224,12 +5935,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack",
- "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis",
- "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412",
- "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
- "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware",
+ "http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html",
 "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/",
- "http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html"
+ "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware",
+ "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412",
+ "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis",
+ "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
 ],
 "synonyms": [],
 "type": []
@@ -7242,8 +5953,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dma_locker",
- "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/",
 "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/",
 "https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/"
 ],
 "synonyms": [],
@@ -7257,39 +5968,29 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger",
- "https://blog.talosintelligence.com/2017/03/dnsmessenger.html",
 "http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/",
- "https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html"
+ "https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html",
+ "https://blog.talosintelligence.com/2017/03/dnsmessenger.html"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "ee8ccb36-2596-43a3-a044-b8721dbeb2ab",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6",
 "value": "DNSMessenger"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage",
+ "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ef46bd90-91d0-4208-b3f7-08b65acb8438",
+ "value": "DNSpionage"
+ },
 {
 "description": "DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on Github.",
 "meta": {
@@ -7311,8 +6012,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot",
 "https://securingtomorrow.mcafee.com/mcafee-labs/ngrbot-spreads-via-chat/",
- "http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html",
- "https://research.checkpoint.com/dorkbot-an-investigation/"
+ "https://research.checkpoint.com/dorkbot-an-investigation/",
+ "http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html"
 ],
 "synonyms": [],
 "type": []
@@ -7338,10 +6039,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar",
- "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/",
+ "https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/",
 "https://github.com/countercept/doublepulsar-c2-traffic-decryptor",
 "https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/",
- "https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/"
+ "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/"
 ],
 "synonyms": [],
 "type": []
@@ -7362,22 +6063,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "837a295c-15ff-41c0-9b7e-5f2fb502b00a",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2",
 "value": "Downdelph"
 },
@@ -7404,15 +6089,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed",
 "value": "DownPaper"
 },
@@ -7460,22 +6136,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "276c2c2e-09da-44cf-a3f7-806b3feb41da",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e",
 "value": "Dridex"
 },
@@ -7485,8 +6145,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dropshot",
 "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
- "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/",
- "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/"
+ "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/",
+ "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/"
 ],
 "synonyms": [],
 "type": []
@@ -7516,27 +6176,18 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "8269e779-db23-4c94-aafb-36ee94879417",
- "value": "DualToy"
+ "value": "DualToy (Windows)"
 },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubnium_darkhotel",
- "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/",
- "http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html",
 "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
- "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/"
+ "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/",
+ "http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html",
+ "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/"
 ],
 "synonyms": [],
 "type": []
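Review bot: Renaming `"value": "DualToy"` to `"value": "DualToy (Windows)"` while keeping the same `uuid` changes the string that MISP galaxy tags are built from, so any event already tagged with the old value no longer resolves to this cluster even though the object itself is unchanged; the same applies to the Erebus rename further down in the patch. The old name should at least be preserved as a synonym, `"synonyms": ["DualToy"]`, so lookups by the previous value still match, and the commit message should call out the rename so operators can migrate existing tags. If the "(Windows)" suffix is the upstream naming for platform-split clusters, that convention is worth stating once in the file's `description` rather than being discoverable only from the diff.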
@@ -7600,31 +6251,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre",
+ "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf",
 "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
- "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates",
- "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf"
+ "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates"
 ],
 "synonyms": [
 "Dyreza"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "15e969e6-f031-4441-a49b-f401332e4b00",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "1ecbcd20-f238-47ef-874b-08ef93266395",
 "value": "Dyre"
 },
@@ -7638,22 +6273,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "254f4f67-d850-4dc5-8ddb-2e955ddea287",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "b96be762-56a0-4407-be04-fcba76c1ff29",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "24fe5fef-6325-4c21-9c35-a0ecd185e254",
 "value": "EDA2"
 },
@@ -7680,15 +6299,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "c0ea7b89-d246-4eb7-8de4-b4e17e135051",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "eb189fd3-ca39-4bc7-be2d-4ea9e89d9ab9",
 "value": "Elirks"
 },
@@ -7697,30 +6307,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise",
- "https://securelist.com/blog/research/70726/the-spring-dragon-apt/",
 "https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
 "https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
+ "https://securelist.com/blog/research/70726/the-spring-dragon-apt/",
 "https://www.joesecurity.org/blog/8409877569366580427"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "d70fd29d-590e-4ed5-b72f-6ce0142019c6",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "3477a25d-e04b-475e-8330-39f66c10cc01",
 "value": "Elise"
 },
@@ -7729,23 +6323,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.emdivi",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/",
+ "http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html",
 "https://securelist.com/new-activity-of-the-blue-termite-apt/71876/",
- "http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html"
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "a8395aae-1496-417d-98ee-3ecbcd9a94a0",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "6bf7aa6a-3003-4222-805e-776cb86dc78a",
 "value": "Emdivi"
 },
@@ -7767,8 +6352,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal",
- "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/",
 "http://la.trendmicro.com/media/misc/lurid-downloader-enfal-report-en.pdf",
+ "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/",
 "https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/"
 ],
 "synonyms": [
@@ -7776,15 +6361,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9",
 "value": "Enfal"
 },
@@ -7793,23 +6369,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug",
- "http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html",
- "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/",
 "https://securelist.com/inside-the-equationdrug-espionage-platform/69203/",
- "https://cdn.securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf"
+ "https://cdn.securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf",
+ "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/",
+ "http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "3e0c2d35-87cb-40f9-b341-a6c8dbec697e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "c4490972-3403-4043-9d61-899c0a440940",
 "value": "EquationDrug"
 },
@@ -7818,15 +6385,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationgroup",
- "https://laanwj.github.io/2016/09/23/seconddate-adventures.html",
- "https://laanwj.github.io/2016/09/17/seconddate-cnc.html",
- "https://laanwj.github.io/2016/09/13/blatsting-rsa.html",
- "https://laanwj.github.io/2016/09/11/buzzdirection.html",
- "https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html",
- "https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html",
- "https://laanwj.github.io/2016/09/01/tadaqueos.html",
 "https://laanwj.github.io/2016/08/28/feintcloud.html",
- "https://laanwj.github.io/2016/08/22/blatsting.html"
+ "https://laanwj.github.io/2016/09/17/seconddate-cnc.html",
+ "https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html",
+ "https://laanwj.github.io/2016/08/22/blatsting.html",
+ "https://laanwj.github.io/2016/09/11/buzzdirection.html",
+ "https://laanwj.github.io/2016/09/23/seconddate-adventures.html",
+ "https://laanwj.github.io/2016/09/13/blatsting-rsa.html",
+ "https://laanwj.github.io/2016/09/01/tadaqueos.html",
+ "https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html"
 ],
 "synonyms": [],
 "type": []
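Review bot: The nine laanwj.github.io refs in this hunk go from a clean reverse-chronological order to an arbitrary one with no refs added or removed, and the same shuffle repeats in nearly every entry of the patch, which makes the real changes (new refs, renames, the deleted `related` blocks) hard to spot in review. The pattern looks like the generator is emitting `refs` from an unordered collection while `synonyms` are now sorted (`Arena`/`Crysis`, `Gorynch`/`Gorynych` elsewhere in the patch); the generator should use one deterministic order for both, either preserving the upstream order or sorting, so that re-runs produce byte-stable output and diffs stay reviewable. A one-line note in the commit message stating which order was chosen would let future updates be checked against it.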
@@ -7844,17 +6411,8 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "ee73e375-3ac2-4ce0-b24b-74fd82d52864",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864",
- "value": "Erebus"
+ "value": "Erebus (Windows)"
 },
 {
 "description": "Eredel Stealer is a low price malware that allows for extracting passwords, cookies, screen desktop from browsers and programs.\r\n\r\nAccording to nulled[.]to:\r\n\r\nSupported browsers\r\nChromium Based: Chromium, Google Chrome, Kometa, Amigo, Torch, Orbitum, Opera, Opera Neon, Comodo Dragon, Nichrome (Rambler), Yandex Browser, Maxthon5, Sputnik, Epic Privacy Browser, Vivaldi, CocCoc and other Chromium Based browsers.\r\n\r\n- Stealing FileZilla\r\n- Stealing an account from Telegram\r\n- Stealing AutoFill\r\n- Theft of wallets: Bitcoin | Dash | Monero | Electrum | Ethereum | Litecoin\r\n- Stealing files from the desktop. Supports any formats, configurable via telegram-bot",
@@ -7874,70 +6432,55 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya",
- "https://securelist.com/schroedingers-petya/78870/",
- "https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/",
+ "http://blog.talosintelligence.com/2017/10/bad-rabbit.html",
 "https://securelist.com/from-blackenergy-to-expetr/78937/",
- "https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4",
- "https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/",
- "https://labsblog.f-secure.com/2017/06/29/petya-i-want-to-believe/",
- "http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html",
- "https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b",
- "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/",
- "https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/",
- "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html",
- "https://labsblog.f-secure.com/2017/06/30/eternal-petya-from-a-developers-perspective/",
- "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
- "https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/",
- "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/",
+ "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html",
 "https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/",
- "https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna",
- "https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/",
+ "https://labsblog.f-secure.com/2017/06/30/eternal-petya-from-a-developers-perspective/",
+ "http://www.intezer.com/notpetya-returns-bad-rabbit/",
+ "https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/",
+ "https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/",
+ "http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html",
 "https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/",
+ "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/",
+ "https://www.riskiq.com/blog/labs/badrabbit/",
+ "https://labsblog.f-secure.com/2017/06/29/petya-i-want-to-believe/",
 "https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik",
 "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
- "https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/",
- "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer",
- "https://securelist.com/bad-rabbit-ransomware/82851/",
 "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/",
+ "https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/",
+ "https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b",
+ "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html",
+ "https://securelist.com/schroedingers-petya/78870/",
+ "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
 "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
- "http://blog.talosintelligence.com/2017/10/bad-rabbit.html",
- "http://www.intezer.com/notpetya-returns-bad-rabbit/",
- "https://www.riskiq.com/blog/labs/badrabbit/",
- "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html",
+ "https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/",
+ "https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna",
+ "https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4",
 "https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/",
+ "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer",
+ "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/",
+ "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
+ "https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/",
+ "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html",
+ "https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/",
 "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html",
- "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html"
+ "https://securelist.com/bad-rabbit-ransomware/82851/"
 ],
 "synonyms": [
+ "BadRabbit",
+ "Diskcoder.C",
 "ExPetr",
- "Pnyetya",
- "Petna",
+ "NonPetya",
 "NotPetya",
 "Nyetya",
- "NonPetya",
- "nPetya",
- "Diskcoder.C",
- "BadRabbit"
+ "Petna",
+ "Pnyetya",
+ "nPetya"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "e8af6388-6575-4812-94a8-9df1567294c5",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "00c31914-bc0e-11e8-8241-3ff3b5e4671d",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "6f736038-4f74-435b-8904-6870ee0e23ba",
 "value": "EternalPetya"
 },
@@ -7947,8 +6490,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot",
 "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf",
- "https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise",
- "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
+ "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html",
+ "https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise"
 ],
 "synonyms": [
 "HighTide"
@@ -7963,8 +6506,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny",
- "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope",
- "https://www.cyphort.com/evilbunny-malware-instrumented-lua/"
+ "https://www.cyphort.com/evilbunny-malware-instrumented-lua/",
+ "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope"
 ],
 "synonyms": [],
 "type": []
@@ -7984,29 +6527,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "c9b4ec27-0a43-4671-a967-bcac5df0e056",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "c542f369-f06d-4168-8c84-fdf5fc7f2a8d",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc",
 "value": "EvilGrab"
 },
@@ -8015,9 +6535,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony",
+ "https://www.s21sec.com/en/blog/2017/07/ramnit-and-its-pony-module/",
 "https://techhelplist.com/spam-list/1104-2017-03-27-your-amazon-com-order-has-shipped-malware",
- "https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/",
- "https://www.s21sec.com/en/blog/2017/07/ramnit-and-its-pony-module/"
+ "https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/"
 ],
 "synonyms": [
 "CREstealer"
@@ -8048,8 +6568,8 @@
 "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
 ],
 "synonyms": [
- "Sabresac",
- "Saber"
+ "Saber",
+ "Sabresac"
 ],
 "type": []
 },
@@ -8061,8 +6581,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
- "https://github.com/nccgroup/Royal_APT"
+ "https://github.com/nccgroup/Royal_APT",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
 ],
 "synonyms": [],
 "type": []
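Review bot: The `related` block of the EvilGrab entry, with three `dest-uuid` cross-references, is dropped here with nothing replacing it on the new side, and the same deletion repeats in the Fanny, Felismus, Feodo, FinFisher RAT, Fireball, FireCrypt, FireMalv, FlawedAmmyy, Fobber, Gazer, Geodo, GhostAdmin, Ghost RAT, GlobeImposter, GootKit, GovRAT, Gozi, GPCode, Graftor, gsecdump, Hancitor, Havex RAT, HawkEye Keylogger, Helminth, Herbst, Hermes Ransomware, HiddenTear, htpRAT and HTran hunks. Those entries were the links from this cluster to elements of other galaxies (each tagged `estimative-language:likelihood-probability="likely"`), and tooling that pivots on `related` will silently lose them. If the file is regenerated from Malpedia and the links are meant to be re-derived by a separate step, the commit description should say so; otherwise the removed `related` arrays should be carried over, since the `uuid` of each entry is unchanged and the links remain valid.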
@@ -8075,10 +6595,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat",
- "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html",
- "https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html",
 "https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017",
- "https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat"
+ "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html",
+ "https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat",
+ "https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html"
 ],
 "synonyms": [
 "ExtRat"
@@ -8093,8 +6613,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.eye_pyramid",
- "https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/",
- "http://blog.talosintel.com/2017/01/Eye-Pyramid.html"
+ "http://blog.talosintel.com/2017/01/Eye-Pyramid.html",
+ "https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/"
 ],
 "synonyms": [],
 "type": []
@@ -8107,8 +6627,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakedga",
- "https://github.com/360netlab/DGA/issues/36",
 "http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html",
+ "https://github.com/360netlab/DGA/issues/36",
 "http://www.freebuf.com/column/153424.html"
 ],
 "synonyms": [
@@ -8160,15 +6680,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "1e25d254-3f03-4752-b8d6-023a23e7d4ae",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "6d441619-c5f5-45ff-bc63-24cecd0b237e",
 "value": "Fanny"
 },
@@ -8190,9 +6701,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos",
- "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/",
- "http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf"
+ "http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf",
+ "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -8210,15 +6721,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "07a41ea7-17b2-4852-bfd7-54211c477dc0",
 "value": "Felismus"
 },
@@ -8228,6 +6730,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.felixroot",
 "https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257",
+ "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf",
 "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html"
 ],
 "synonyms": [],
@@ -8247,34 +6750,11 @@
 "http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html"
 ],
 "synonyms": [
- "Cridex",
- "Bugat"
+ "Bugat",
+ "Cridex"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "276c2c2e-09da-44cf-a3f7-806b3feb41da",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "7ca93488-c357-44c3-b246-3f88391aca5a",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "16794655-c0e2-4510-9169-f862df104045",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "66781866-f064-467d-925d-5e5f290352f0",
 "value": "Feodo"
 },
@@ -8304,6 +6784,19 @@
 "uuid": "ed0b8ac9-973b-4aaa-9904-8c7ed2e73933",
 "value": "FileIce"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.final1stspy",
+ "https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "87467366-679d-425c-8bea-b9f77c543252",
+ "value": "Final1stSpy"
+ },
 {
 "description": "",
 "meta": {
@@ -8325,12 +6818,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher",
+ "https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/",
 "https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html",
 "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html",
- "https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/",
 "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/",
- "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation",
 "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf",
+ "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation",
 "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/"
 ],
 "synonyms": [
@@ -8338,15 +6831,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "541b64bc-87ec-4cc2-aaee-329355987853",
 "value": "FinFisher RAT"
 },
@@ -8360,15 +6844,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "968df869-7f60-4420-989f-23dfdbd58668",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "9ad28356-184c-4f02-89f5-1b70981598c3",
 "value": "Fireball"
 },
@@ -8382,15 +6857,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "721ba430-fd28-454c-8512-24339ef2235f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "c4346ed0-1d74-4476-a78c-299bce0409bd",
 "value": "FireCrypt"
 },
@@ -8404,15 +6870,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "6ef11b6e-d81a-465b-9dce-fab5c6fe807b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "9715c6bc-4b1e-49a2-b1d8-db4f4c4f042c",
 "value": "FireMalv"
 },
@@ -8442,15 +6899,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "3c1003a2-8364-467a-b9b8-fcc19724a9b5",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "18419355-fd28-41a6-bffe-2df68a7166c4",
 "value": "FlawedAmmyy"
 },
@@ -8465,21 +6913,21 @@
 "type": []
 },
 "uuid": "4305d59a-0d07-4021-a902-e7996378898b",
- "value": "FlexiSpy"
+ "value": "FlexiSpy (Windows)"
 },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot",
- "http://blog.talosintel.com/2016/12/flokibot-collab.html#more",
+ "https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/",
+ "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/",
 "https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html",
 "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/",
 "http://adelmas.com/blog/flokibot.php",
- "https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/",
- "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/",
- "https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/",
- "https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/"
+ "http://blog.talosintel.com/2016/12/flokibot-collab.html#more",
+ "https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/",
+ "https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/"
 ],
 "synonyms": [],
 "type": []
@@ -8518,24 +6966,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber",
- "http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html",
- "http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf",
 "https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/",
+ "http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf",
 "https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber",
+ "http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html",
 "http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "da124511-463c-4514-ad05-7ec8db1b38aa",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "bb836040-c161-4932-8f89-bc2ca2e8c1c0",
 "value": "Fobber"
 },
@@ -8546,10 +6985,12 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook",
 "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html",
 "http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/",
+ "https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?",
 "http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html",
 "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/",
 "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/",
 "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html",
+ "https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent",
 "https://blog.talosintelligence.com/2018/06/my-little-formbook.html"
 ],
 "synonyms": [],
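Review bot: The two peerlyst references added to the Formbook entry (`@@ -8546,10 +6985,12 @@`) carry a dangling `?` and a `?trk=explore_page_resources_recent` tracking parameter; refs in this cluster are compared and deduplicated as plain strings, so non-canonical URLs accumulate near-duplicates and leak referrer tracking into every consumer that follows them. Suggest storing them as `"https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu"` and `"https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu"`. The same cleanup applies to the `utm_*` welivesecurity URL added to EternalPetya at the top of this chunk (that hunk begins outside it) and to the `&sid=` session token in the kernelmode URL re-emitted in the furtim hunk; if the generator takes refs verbatim from upstream, stripping query tracking parameters there would fix all of them at once.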
@@ -8592,6 +7033,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex",
+ "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/",
 "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/"
 ],
 "synonyms": [
@@ -8607,8 +7049,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.furtim",
- "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4341&sid=af76b944112a234fa933cc934d21cd9f",
- "https://sentinelone.com/blogs/sfg-furtims-parent/"
+ "https://sentinelone.com/blogs/sfg-furtims-parent/",
+ "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4341&sid=af76b944112a234fa933cc934d21cd9f"
 ],
 "synonyms": [],
 "type": []
@@ -8660,15 +7102,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p",
- "https://www.wired.com/?p=2171700",
- "https://www.fox-it.com/nl/wp-content/uploads/sites/12/FoxIT-Whitepaper_Blackhat-web.pdf",
+ "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf",
 "http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf",
+ "https://www.wired.com/?p=2171700",
 "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware",
- "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf"
+ "https://www.fox-it.com/nl/wp-content/uploads/sites/12/FoxIT-Whitepaper_Blackhat-web.pdf"
 ],
 "synonyms": [
- "ZeuS P2P",
- "GOZ"
+ "GOZ",
+ "ZeuS P2P"
 ],
 "type": []
 },
@@ -8701,7 +7143,8 @@
 "https://isc.sans.edu/diary/23417",
 "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html",
 "http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf",
- "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/"
+ "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/",
+ "https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom"
 ],
 "synonyms": [
 "GrandCrab"
@@ -8709,7 +7152,7 @@
 "type": []
 },
 "uuid": "a8d83baa-cf2e-4329-92d7-06c8ccdeb275",
- "value": "win.gandcrab"
+ "value": "Gandcrab"
 },
 {
 "description": "Gaudox is a http loader, written in C/C++. The author claims to have put much effort into making this bot efficient and stable. Its rootkit functionality hides it in Windows Explorer (32bit only).",
@@ -8745,23 +7188,14 @@
 "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/",
 "https://securelist.com/introducing-whitebear/81638/",
 "https://www.youtube.com/watch?v=Pvzhtjl86wc",
- "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
- "https://github.com/eset/malware-ioc/tree/master/turla"
+ "https://github.com/eset/malware-ioc/tree/master/turla",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf"
 ],
 "synonyms": [
 "WhiteBear"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada",
 "value": "Gazer"
 },
@@ -8783,8 +7217,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearinformer",
- "https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html",
- "https://www.rekings.com/ispy-customers/"
+ "https://www.rekings.com/ispy-customers/",
+ "https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html"
 ],
 "synonyms": [],
 "type": []
@@ -8798,20 +7232,23 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.geodo",
 "https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/",
+ "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/",
+ "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/",
 "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html",
 "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/",
 "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/",
 "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc",
 "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/",
 "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/",
 "https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader",
 "https://www.us-cert.gov/ncas/alerts/TA18-201A",
- "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/",
 "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor",
 "https://feodotracker.abuse.ch/?filter=version_e",
 "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/",
+ "https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html",
 "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1"
 ],
 "synonyms": [
@@ -8820,22 +7257,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "3f7616bd-f1de-46ee-87c2-43c0c2edaa28",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "8e002f78-7fb8-4e70-afd7-0b4ac655be26",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7",
 "value": "Geodo"
 },
@@ -8857,10 +7278,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmypass",
- "https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/",
- "https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html"
+ "https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html",
+ "https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware"
 ],
 "synonyms": [
 "getmypos"
@@ -8892,8 +7313,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet",
- "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html",
- "https://en.wikipedia.org/wiki/GhostNet"
+ "https://en.wikipedia.org/wiki/GhostNet",
+ "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html"
 ],
 "synonyms": [
 "Remosh"
@@ -8916,15 +7337,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "a68f1b43-c742-4f90-974d-2e74ec703e44",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "6201c337-1599-4ced-be9e-651a624c20be",
 "value": "GhostAdmin"
 },
@@ -8943,20 +7355,11 @@
 "https://blog.cylance.com/the-ghost-dragon"
 ],
 "synonyms": [
- "PCRat",
- "Gh0st RAT"
+ "Gh0st RAT",
+ "PCRat"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "255a59a7-db2d-44fc-9ca9-5859b65817c3",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "225fa6cf-dc9c-4b86-873b-cdf1d9dd3738",
 "value": "Ghost RAT"
 },
@@ -8993,25 +7396,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter",
- "https://blog.ensilo.com/globeimposter-ransomware-technical",
- "https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet",
 "https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/",
 "https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant",
 "https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run",
- "https://isc.sans.edu/diary/23417"
+ "https://isc.sans.edu/diary/23417",
+ "https://blog.ensilo.com/globeimposter-ransomware-technical",
+ "https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "e03873ef-9e3d-4d07-85d8-e22a55f60c19",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "73806c57-cef8-4f7b-a78b-7949ef83b2c2",
 "value": "GlobeImposter"
 },
@@ -9045,17 +7439,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba",
- "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/",
- "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/",
- "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/",
+ "http://resources.infosecinstitute.com/tdss4-part-1/",
 "http://malwarefor.me/2015-04-13-nuclear-ek-glupteba-and-operation-windigo/",
- "http://resources.infosecinstitute.com/tdss4-part-1/"
+ "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/",
+ "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/",
+ "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "978cfb82-5fe9-46d2-9607-9bcdfeaaa58c",
- "value": "win.glupteba"
+ "value": "Glupteba"
 },
 {
 "description": "",
@@ -9088,9 +7482,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldeneye",
- "http://www.threatgeek.com/2017/02/spying-on-goldeneye-ransomware.html",
+ "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
 "https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/",
- "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/"
+ "http://www.threatgeek.com/2017/02/spying-on-goldeneye-ransomware.html"
 ],
 "synonyms": [
 "Petya/Mischa"
@@ -9173,37 +7567,28 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit",
 "https://www.lexsi.com/securityhub/homer-simpson-brian-krebs-rencontrent-zeus-gootkit/",
- "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669",
+ "http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html",
 "https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/",
+ "https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055",
 "https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps",
 "https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/",
 "https://www.us-cert.gov/ncas/alerts/TA16-336A",
+ "http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html",
 "https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/",
 "https://www.youtube.com/watch?v=242Tn0IL2jE",
- "http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html",
+ "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669",
 "https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/",
- "http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html",
 "https://news.drweb.com/show/?i=4338&lng=en",
- "https://www.cyphort.com/angler-ek-leads-to-fileless-gootkit/",
 "https://www.youtube.com/watch?v=QgUlPvEE4aw",
- "https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055"
+ "https://www.cyphort.com/angler-ek-leads-to-fileless-gootkit/"
 ],
 "synonyms": [
- "talalpek",
- "Xswkit"
+ "Xswkit",
+ "talalpek"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "07ffcf9f-b9c0-4b22-af4b-78527427e6f5",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "329efac7-922e-4d8b-90a9-4a87c3281753",
 "value": "GootKit"
 },
@@ -9217,15 +7602,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "b6ddc2c6-5890-4c60-9b10-4274d1a9cc22",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "9fbb5822-1660-4651-9f57-b6f83a881786",
 "value": "GovRAT"
 },
@@ -9234,11 +7610,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi",
- "https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007",
- "http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/",
+ "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html",
 "https://www.secureworks.com/research/gozi",
 "https://lokalhost.pl/gozi_tree.txt",
- "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html"
+ "https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007",
+ "http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/"
 ],
 "synonyms": [
 "CRM",
@@ -9249,29 +7625,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "75b01a1e-3269-4f4c-bdba-37af4e9c3f54",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "b9448d2a-a23c-4bf2-92a1-d860716ba2f3",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "75329c9e-a218-4299-87b2-8f667cd9e40c",
 "value": "Gozi"
 },
@@ -9280,24 +7633,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gpcode",
- "https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2",
 "http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html",
+ "http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/",
 "https://de.securelist.com/analysis/59479/erpresser/",
 "ftp://ftp.tuwien.ac.at/languages/php/oldselfphp/internet-security/analysen/index-id-200883584.html",
- "http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/"
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "7914f9c9-3257-464c-b918-3754c4d018af",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "127c3d76-6323-4363-93e0-cd06ade0dd52",
 "value": "GPCode"
 },
@@ -9324,15 +7668,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "f3ac3d86-0fa2-4049-bfbc-1970004b8d32",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "94b942e2-cc29-447b-97e2-e496cbf2aadf",
 "value": "Graftor"
 },
@@ -9419,15 +7754,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "8410d208-7450-407d-b56c-e5c1ced19632",
 "value": "gsecdump"
 },
@@ -9488,30 +7814,23 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor",
- "http://www.morphick.com/resources/lab-blog/closer-look-hancitor",
 "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear",
- "https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader",
 "https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/",
- "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/",
- "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/",
+ "http://www.morphick.com/resources/lab-blog/closer-look-hancitor",
+ "https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader",
 "https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/",
 "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html",
- "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak"
+ "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/",
+ "https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html",
+ "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak",
+ "https://boozallenmts.com/resources/news/closer-look-hancitor",
+ "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/"
 ],
 "synonyms": [
 "Chanitor"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "ff0404a1-465f-4dd5-8b66-ee773628ca64",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "4166ab63-24b0-4448-92ea-21c8deef978d",
 "value": "Hancitor"
 },
@@ -9553,15 +7872,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "d7183f66-59ec-4803-be20-237b442259fc",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "c04fc02e-f35a-44b6-a9b0-732bf2fc551a",
 "value": "Havex RAT"
 },
@@ -9570,27 +7880,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/",
- "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html",
+ "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/",
 "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/",
- "https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/",
+ "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html",
 "http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html",
- "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/"
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/",
+ "https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/"
 ],
 "synonyms": [
 "Predator Pain"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "42a97a5d-ee33-492a-b20f-758ecdbf1aed",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "31615066-dbff-4134-b467-d97a337b408b",
 "value": "HawkEye Keylogger"
 },
@@ -9612,22 +7913,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth",
- "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
+ "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
 "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
- "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html"
+ "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "19d89300-ff97-4281-ac42-76542e744092",
 "value": "Helminth"
 },
@@ -9655,15 +7947,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "6489895b-0213-4564-9cfc-777df58d84c9",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "ca8482d9-657b-49fe-8345-6ed962a9735a",
 "value": "Herbst"
 },
@@ -9704,15 +7987,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "b7102922-8aad-4b29-8518-6d87c3ba45bb",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "4d8da0af-cfd7-4990-b211-af0e9906eca0",
 "value": "Hermes Ransomware"
 },
@@ -9745,29 +8019,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear",
- "https://github.com/goliate/hidden-tear",
 "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/",
- "https://twitter.com/struppigel/status/950787783353884672"
+ "https://twitter.com/struppigel/status/950787783353884672",
+ "https://github.com/goliate/hidden-tear"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "254f4f67-d850-4dc5-8ddb-2e955ddea287",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "24fe5fef-6325-4c21-9c35-a0ecd185e254",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "b96be762-56a0-4407-be04-fcba76c1ff29",
 "value": "HiddenTear"
 },
@@ -9872,15 +8130,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "7362581a-a7d1-4060-b225-e227f2df2b60",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "e8d1a1f3-3170-4562-9a18-cadf000e48d0",
 "value": "htpRAT"
 },
@@ -9897,15 +8146,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8",
 "value": "HTran"
 },
@@ -9927,9 +8167,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper",
- "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html",
+ "https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787",
 "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf",
- "https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787"
+ "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html"
 ],
 "synonyms": [
 "httpdr0pper"
@@ -9965,15 +8205,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "e5f7bb36-c982-4f5a-9b29-ab73d2c5f70e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "94466a80-964f-467e-b4b3-0e1375174464",
 "value": "Hworm"
 },
@@ -9995,9 +8226,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid",
+ "https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html",
 "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites",
 "https://www.fidelissecurity.com/threatgeek/2017/11/tracking-emotet-payload-icedid",
+ "https://www.youtube.com/watch?v=wObF9n2UIAM",
 "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
+ "https://www.youtube.com/watch?v=7Dk7NkIbVqY",
 "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html",
 "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/",
 "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/"
@@ -10007,15 +8241,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "9d67069c-b778-486f-8158-53f5dcd05d08",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "26f5afaf-0bd7-4741-91ab-917bdd837330",
 "value": "IcedID"
 },
@@ -10024,8 +8249,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader",
- "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
- "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/"
+ "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/",
+ "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/"
 ],
 "synonyms": [],
 "type": []
@@ -10051,22 +8276,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/",
 "https://securelist.com/ice-ix-not-cool-at-all/29111/",
- "https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/"
+ "https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "1d4a5704-c6fb-4bbb-92b2-88dc67f86339",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "44a1706e-f6dc-43ea-ac85-9a4f2407b9a3",
 "value": "Ice IX"
 },
@@ -10129,8 +8345,8 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy",
 "http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/",
 "https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
- "https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv",
 "https://www.intezer.com/prince-of-persia-the-sands-of-foudre/",
+ "https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv",
 "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/"
 ],
 "synonyms": [
@@ -10164,15 +8380,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "10f50ef8-6e3b-11e8-a648-d73fb4d2f48e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "22755fda-497e-4ef0-823e-5cb6d8701420",
 "value": "InvisiMole"
 },
@@ -10182,6 +8389,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb",
 "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html",
+ "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/",
 "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb",
 "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html",
 "https://lokalhost.pl/gozi_tree.txt",
@@ -10192,8 +8400,7 @@
 "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
 "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15",
 "https://www.rsa.com/de-de/resources/pandemiya-emerges-new-malware-alternative-zeus-based",
- "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html",
- "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/"
+ "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html"
 ],
 "synonyms": [
 "Gozi ISFB",
@@ -10202,22 +8409,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "ffbbbc14-1cdb-4be9-a631-ed53c5407369",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "0f96a666-bf26-44e0-8ad6-f2136208c924",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "a171321e-4968-4ac0-8497-3250c1f0d77d",
 "value": "ISFB"
 },
@@ -10239,8 +8430,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor",
- "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
- "http://www.clearskysec.com/greenbug/"
+ "http://www.clearskysec.com/greenbug/",
+ "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
 ],
 "synonyms": [],
 "type": []
@@ -10284,15 +8475,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "b9707a57-d15f-4937-b022-52cc17f6783f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "a3f41c96-a5c8-4dfe-b7fa-d9d75f97979a",
 "value": "IsSpace"
 },
@@ -10321,15 +8503,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "8e3d44d0-6768-4b54-88b0-2e004a7f2297",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "2c51a717-726b-4813-9fcc-1265694b128e",
 "value": "Jaff"
 },
@@ -10350,8 +8523,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku",
- "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146",
- "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf"
+ "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf",
+ "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146"
 ],
 "synonyms": [
 "Reconcyc"
@@ -10383,15 +8556,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "1e3384ae-4b48-4c96-b7c2-bc1cc1eda203",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "910c3fd2-56e5-4f1d-8df0-2aa0b293b7d9",
 "value": "Jigsaw"
 },
@@ -10405,15 +8569,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "a954e642-4cf4-4293-a4b0-c82cf2db785d",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "551b568f-68fa-4483-a10c-a6452ae6289e",
 "value": "Jimmy"
 },
@@ -10442,15 +8597,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "673d05fa-4066-442c-bdb6-0c0a2da5ae62",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "8201c8d2-1dab-4473-bbdf-42952b3d5fc6",
 "value": "Joao"
 },
@@ -10464,15 +8610,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "4d4528ff-6260-4b5d-b2ea-6e11ca02c396",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "97f12ca8-dc84-4a8c-b4c6-8ec1d1e79631",
 "value": "Jolob"
 },
@@ -10547,21 +8684,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.karius",
- "https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/",
- "https://research.checkpoint.com/banking-trojans-development/"
+ "https://research.checkpoint.com/banking-trojans-development/",
+ "https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "a088c428-d0bb-49c8-9ed7-dcced0c74754",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "8a01c3be-17b7-4e5a-b0b2-6c1f5ccb82cf",
 "value": "Karius"
 },
@@ -10589,15 +8717,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "a5399473-859b-4c64-999b-a3b4070cd513",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "bab92070-3589-4b7e-bf05-4f54bfefc2ca",
 "value": "Kazuar"
 },
@@ -10626,15 +8745,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "07b10419-e8b5-4b5f-a179-77fc9b127dc6",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "7d69892e-d582-4545-8798-4a9a84a821ea",
 "value": "Kelihos"
 },
@@ -10643,9 +8753,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.keyboy",
- "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
 "https://citizenlab.ca/2016/11/parliament-keyboy/",
+ "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html",
 "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/"
 ],
 "synonyms": [
@@ -10653,29 +8763,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "2a16a1d4-a098-4f17-80f3-3cfc6c60b539",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "74167065-90b3-4c29-807a-79b6f098e45b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "a673b4fb-a864-4a5b-94ab-3fc4f5606cc8",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "28c13455-7f95-40a5-9568-1e8732503507",
 "value": "KeyBoy"
 },
@@ -10684,9 +8771,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.keylogger_apt3",
- "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
+ "https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/",
 "https://twitter.com/smoothimpact/status/773631684038107136",
- "https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/"
+ "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
 ],
 "synonyms": [],
 "type": []
@@ -10704,15 +8791,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "f7f53bb8-37ed-4bbe-9809-ca1594431536",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "0c213d7f-8c71-4341-aeb0-13be71fbf4e5",
 "value": "KEYMARBLE"
 },
@@ -10720,22 +8798,26 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat",
- "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor",
- "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keypass",
+ "https://securelist.com/keypass-ransomware/87412/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "447e5d7d-dd23-43b3-8cbc-b835498a49dd",
+ "value": "KeyPass"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat",
+ "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/",
+ "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "72b702d9-43c3-40b9-b004-8d0671225fb8",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "361d3f09-8bc8-4b5a-803f-8686cf346047",
 "value": "KHRAT"
 },
@@ -10763,15 +8845,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "aef0fdd4-38b6-11e8-afdd-3b6145112467",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "e81f3e3f-966c-4c99-8d4b-fc0a1d3bb027",
 "value": "KillDisk"
 },
@@ -10781,9 +8854,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins",
 "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/",
- "https://github.com/nyx0/KINS",
+ "https://www.youtube.com/watch?v=C-dEOt0GzSE",
 "https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/",
- "https://www.youtube.com/watch?v=C-dEOt0GzSE"
+ "https://www.vkremez.com/2018/10/lets-learn-exploring-zeusvm-banking.html",
+ "https://github.com/nyx0/KINS"
 ],
 "synonyms": [
 "Kasper Internet Non-Security",
@@ -10791,18 +8865,23 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "bc0be3a4-89d8-4c4c-b2aa-2dddbed1f71d",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "07f6bbff-a09a-4580-96ea-62795a8dae11",
 "value": "KINS"
 },
+ {
+ "description": "KleptoParasite Stealer is advertised on Hackforums as a noob-friendly stealer. It is modular and comes with a IP retriever module, a Outlook stealer (32bit/64bit) and a Chrome/Firefox stealer (32bit/64bit). Earlier versions come bundled (loader plus modules), newer versions come with a loader (167k) that grabs the modules.\r\n\r\nPDB-strings suggest a relationship to JogLog v6 and v7.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer"
+ ],
+ "synonyms": [
+ "Joglog"
+ ],
+ "type": []
+ },
+ "uuid": "618b6f23-fc83-4aff-8b0a-7f7138be625c",
+ "value": "KleptoParasite Stealer"
+ },
 {
 "description": "",
 "meta": {
@@ -10828,15 +8907,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "f9e0b922-253c-40fa-a6d2-e60ec9c6980b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "3b5faa15-e87e-4aaf-b791-2c5e593793e6",
 "value": "Koadic"
 },
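Review bot: The new KleptoParasite Stealer `description` embeds `\r\n\r\n` as a paragraph break, whereas every other description in this chunk (for example KSL0T's `"A keylogger used by Turla."`) is a single line with no control characters; escaped CRLFs are valid JSON but surface as stray carriage returns in most renderers and make the field inconsistent with its neighbours. Suggest collapsing the break to a single space or `\n` and, while editing, correcting `a IP retriever module, a Outlook stealer` to `an IP retriever module, an Outlook stealer`. The `Joglog` synonym is spelled differently from the `JogLog` in the description; one of the two is presumably a typo and worth checking against the upstream Malpedia entry.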
@@ -10859,29 +8929,13 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni",
 "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html",
- "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html",
+ "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant",
 "https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/",
- "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant"
+ "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "5b930a23-7d88-481f-8791-abc7b3dd93d2",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "24ee55e3-697f-482f-8fa8-d05999df40cd",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "f982fa2d-f78f-4fe1-a86d-d10471a3ebcf",
 "value": "Konni"
 },
@@ -10905,23 +8959,14 @@
 "https://securitykitten.github.io/2014/11/25/curious-korlia.html",
 "https://camal.coseinc.com/publish/2013Bisonal.pdf",
 "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/",
- "https://www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf",
- "http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit"
+ "http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit",
+ "https://www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf"
 ],
 "synonyms": [
 "Bisonal"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "23f6da78-873a-4ab0-9167-c8b0563627a5",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "52d98d2f-db62-430d-8658-5cadaeff6cd7",
 "value": "Korlia"
 },
@@ -10930,9 +8975,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter",
- "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/",
+ "https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf",
 "https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/",
- "https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf"
+ "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless"
 ],
 "synonyms": [],
 "type": []
@@ -10953,15 +8999,30 @@
 "uuid": "b1fe4226-1783-48d4-b1d2-417703a03b3d",
 "value": "KPOT Stealer"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kraken",
+ "https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/",
+ "https://securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/",
+ "https://www.recordedfuture.com/kraken-cryptor-ransomware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3d7ae6b9-8161-470e-a7b6-752151b21657",
+ "value": "Kraken"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker",
+ "http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/",
 "https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan",
- "http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-_BlackMoon_Ver_1.0_External_ENG.pdf",
 "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/",
- "http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/"
+ "http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-_BlackMoon_Ver_1.0_External_ENG.pdf"
 ],
 "synonyms": [
 "BlackMoon"
@@ -10989,13 +9050,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos",
- "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack",
+ "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
 "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn",
 "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
 "https://www.lexsi.com/securityhub/overview-kronos-banking-malware-rootkit/?lang=en",
 "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/",
 "https://www.lexsi.com/securityhub/kronos-decrypting-the-configuration-file-and-injects/?lang=en",
- "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
+ "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack",
 "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos",
 "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/",
 "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
@@ -11006,18 +9067,22 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "5b42af8e-8fdc-11e8-bf48-f32ff64d5502",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "62a7c823-9af0-44ee-ac05-8765806d2a17",
 "value": "Kronos"
 },
+ {
+ "description": "A keylogger used by Turla.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ksl0t",
+ "https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "aa93d030-abef-4215-bc9e-6c7483562d19",
+ "value": "KSL0T"
+ },
 {
 "description": "",
 "meta": {
@@ -11069,15 +9134,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "d1e548b8-4793-11e8-8dea-6beff82cac0a",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "2fc93875-eebb-41ff-a66e-84471c6cd5a3",
 "value": "Kwampirs"
 },
@@ -11086,10 +9142,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert",
- "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/",
- "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
 "http://adelmas.com/blog/longhorn.php",
- "https://www.youtube.com/watch?v=jeLd-gw2bWo"
+ "https://www.youtube.com/watch?v=jeLd-gw2bWo",
+ "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
+ "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/"
 ],
 "synonyms": [],
 "type": []
@@ -11115,11 +9171,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot",
- "http://malware-traffic-analysis.net/2017/04/25/index.html",
 "https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html",
+ "https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access",
+ "http://malware-traffic-analysis.net/2017/04/25/index.html",
 "https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/",
- "https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/",
- "https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access"
+ "https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/"
 ],
 "synonyms": [],
 "type": []
@@ -11134,14 +9190,14 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarus",
 "https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/",
 "https://twitter.com/PhysicalDrive0/status/828915536268492800",
- "https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html",
- "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html"
+ "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html",
+ "https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0",
- "value": "Lazarus"
+ "value": "Lazarus (Windows)"
 },
 {
 "description": "",
@@ -11154,15 +9210,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "7ccd3821-e825-4ff8-b4be-92c9732ce708",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "686a9217-3978-47c0-9989-dd2a3438ba72",
 "value": "Laziok"
 },
@@ -11185,8 +9232,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.leouncia",
 "https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf",
- "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor.html",
- "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor-part-2.html"
+ "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor-part-2.html",
+ "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor.html"
 ],
 "synonyms": [
 "shoco"
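Review bot: Renaming the element at uuid 0caf0292-… from `Lazarus` to `Lazarus (Windows)` changes a `value` that consumers may already match on by name, while its `synonyms` array in the same hunk stays `[]`. Unless another element in the cluster already claims the old name, carrying it as a synonym — `"synonyms": ["Lazarus"]` — keeps name-based lookups working across the rename; the same consideration applies to any other platform-disambiguating rename in this commit. Documenting the rename in the commit description would also help downstream users who key on the string.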
@@ -11201,23 +9248,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic",
- "https://www.arbornetworks.com/blog/asert/lethic-spambot-analysis-pills-watches-and-diplomas/",
- "http://resources.infosecinstitute.com/win32lethic-botnet-analysis/",
+ "http://www.malware-traffic-analysis.net/2017/11/02/index.html",
 "http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html",
- "http://www.malware-traffic-analysis.net/2017/11/02/index.html"
+ "https://www.arbornetworks.com/blog/asert/lethic-spambot-analysis-pills-watches-and-diplomas/",
+ "http://resources.infosecinstitute.com/win32lethic-botnet-analysis/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "a73e150f-1431-4f72-994a-4000405eff07",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "342f5c56-861c-4a06-b5db-85c3c424f51f",
 "value": "Lethic"
 },
@@ -11251,8 +9289,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.litehttp",
- "https://malware.news/t/recent-litehttp-activities-and-iocs/21053",
- "https://github.com/zettabithf/LiteHTTP"
+ "https://github.com/zettabithf/LiteHTTP",
+ "https://malware.news/t/recent-litehttp-activities-and-iocs/21053"
 ],
 "synonyms": [],
 "type": []
@@ -11267,25 +9305,16 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky",
 "http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html",
 "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/",
- "https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/",
- "https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/",
+ "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/",
 "http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html",
 "https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/",
- "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/",
+ "https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/",
 "https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "8d51a22e-3485-4480-af96-8ed0305a7aa6",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "24c9bb9f-1f9a-4e01-95d8-86c51733e11c",
 "value": "Locky"
 },
@@ -11375,62 +9404,53 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws", - "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file", - "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/", - "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/", "https://github.com/R3MRUM/loki-parse", "http://www.malware-traffic-analysis.net/2017/06/12/index.html", - "http://blog.fernandodominguez.me/lokis-antis-analysis/", - "https://phishme.com/loki-bot-malware/", "https://www.lastline.com/blog/password-stealing-malware-loki-bot/", "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850", + "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file", + "http://blog.fernandodominguez.me/lokis-antis-analysis/", + "https://phishme.com/loki-bot-malware/", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/", + "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/", "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf", - "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + "https://securelist.com/loki-bot-stealing-corporate-passwords/87595/" ], "synonyms": [ "Loki", - "LokiPWS", - "LokiBot" + "LokiBot", + "LokiPWS" ], "type": [] }, - "related": [ - { - "dest-uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "fbda9705-677b-4c5b-9b0b-13b52eff587c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "4793a29b-1191-4750-810e-9301a6576fc4", - "tags": [ - 
"estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "b8fa5036-813f-4887-b4d4-bb17b4a7eba0", "value": "Loki Password Stealer (PWS)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lordix", + "https://twitter.com/hexlax/status/1058356670835908610" + ], + "synonyms": [], + "type": [] + }, + "uuid": "fa61a690-fd9c-4036-97fb-bf3674aa60b2", + "value": "Lordix" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat", - "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/", + "https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/", - "https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark", - "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/", + "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/", "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html", - "https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/" + "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/", + "https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark" ], "synonyms": [], "type": [] 
@@ -11468,14 +9488,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lyposit", - "https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/", "http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html", + "https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/", "http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html" ], "synonyms": [ - "Lucky Locker", "Adneukine", - "Bomba Locker" + "Bomba Locker", + "Lucky Locker" ], "type": [] }, @@ -11585,9 +9605,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub", - "https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/", + "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/", "https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html", - "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/" + "https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/" ], "synonyms": [], "type": [] 
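Review bot: Both hunks here (Lyposit and Maktub) only permute existing `refs` and `synonyms` entries, adding and removing nothing, which indicates the export does not emit these arrays in a stable order. That churn buries the substantive changes elsewhere in the same commit (deleted entries, renamed values, dropped relationships) under hundreds of no-op lines, which is exactly what a reviewer of a threat-intel feed needs to see. Sorting `refs` deterministically in the generator (keeping the `malpedia.caad.fkie.fraunhofer.de` entry first, as every entry already does) and sorting `synonyms` the way this hunk now does would make future diffs minimal and reviewable.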
@@ -11613,24 +9633,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mamba", - "http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/", - "https://securelist.com/the-return-of-mamba-ransomware/79403/" + "https://securelist.com/the-return-of-mamba-ransomware/79403/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/" ], "synonyms": [ - "HDDCryptor", - "DiskCryptor" + "DiskCryptor", + "HDDCryptor" ], "type": [] }, - "related": [ - { - "dest-uuid": "95be4cd8-1d98-484f-a328-a5917a05e3c8", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "df320366-7970-4af0-b1f4-9f9492dede53", "value": "Mamba" }, @@ -11647,15 +9658,6 @@ ], "type": [] }, - "related": [ - { - "dest-uuid": "dba2cf74-16a9-4ed8-8536-6542fda95999", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "54cd671e-b7e4-4dd3-9bfa-dc0ba5105944", "value": "ManameCrypt" }, @@ -11686,15 +9688,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "52caade6-ba7b-474e-b173-63f4332aa808", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "5b75db42-b8f2-4e52-81d3-f329e49e1af2", "value": "Manifestus" }, @@ -11747,15 +9740,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "aa3fc68c-413c-4bfb-b4cd-bca7094da985", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "59717468-271e-4d15-859a-130681c17ddb", "value": "Matrix Banker" }, 
@@ -11763,7 +9747,8 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom", + "https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf" ], "synonyms": [], "type": [] @@ -11802,10 +9787,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock", + "http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html", "https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/", "https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100", - "https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d", - "http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html" + "https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d" ], "synonyms": [ "DexLocker" @@ -11820,10 +9805,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mebromi", - "http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html", "https://www.symantec.com/connect/blogs/bios-threat-showing-again", - "http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/", - "https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/" + "https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/", + "http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html", + "http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/" ], "synonyms": [ "MyBios" 
@@ -11851,16 +9836,32 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa", - "https://webcache.googleusercontent.com/search?q=cache:ZbKznF-dogcJ:https://www.toolbase.me/board/topic/10061-b-medusa-irc-ddos-botnet-bypass-cf-cookie-protections/", - "https://news.drweb.com/show/?i=10302&lng=en", "https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/", - "https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/" + "https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/", + "https://news.drweb.com/show/?i=10302&lng=en", + "https://webcache.googleusercontent.com/search?q=cache:ZbKznF-dogcJ:https://www.toolbase.me/board/topic/10061-b-medusa-irc-ddos-botnet-bypass-cf-cookie-protections/" ], "synonyms": [], "type": [] }, "uuid": "237a1c2d-eb14-483d-9a2e-82f10b63ec06", - "value": "win.medusa" + "value": "Medusa" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo", + "https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html", + "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html" + ], + "synonyms": [ + "Casbaneiro" + ], + "type": [] + }, + "uuid": "18dc3e7a-600d-4e5f-a283-86156b938530", + "value": "Metamorfo" }, { "description": "", @@ -11960,9 +9961,9 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz", "https://github.com/gentilkiwi/mimikatz", - " https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/", - "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle" + "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle", + " https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" ], "synonyms": [], "type": [] 
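Review bot: The Medusa hunk changes `value` from `"win.medusa"` to `"Medusa"` while keeping the UUID, and in MISP the galaxy tag string is derived from `value`, so events already tagged `misp-galaxy:malpedia="win.medusa"` will presumably stop resolving to this cluster after the update. If the old tag is in use anywhere, keeping the old name reachable (for example `"synonyms": ["win.medusa"]`) or documenting the rename in the commit message would avoid orphaned tags. Separately, the `webcache.googleusercontent.com` ref for the toolbase.me forum thread is a Google cache URL, which is short-lived; an archive.org snapshot of the same page would be a more durable reference.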
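Review bot: In the mimikatz hunk the Symantec ref still begins with a leading space, `" https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"`, and the reorder moved it to the end of the array without trimming it. A consumer that validates or dereferences `refs` as URLs will reject or mangle this entry. The line should read `"https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"`, and the generator should strip surrounding whitespace from refs so this class of defect cannot recur.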
@@ -12014,31 +10015,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai", - "https://twitter.com/PhysicalDrive0/status/830070569202749440", "https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/", - "https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html" + "https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html", + "https://twitter.com/PhysicalDrive0/status/830070569202749440" ], "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c", - "value": "Mirai" + "value": "Mirai (Windows)" }, { "description": "", @@ -12050,15 +10035,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8", "value": "Misdat" }, @@ -12099,15 +10075,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "74bd8c09-73d5-4ad8-ab1f-e94a4853c936", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "6363cc2f-08f1-47a0-adbf-5cf19ea89ffd", "value": "MM Core" }, 
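Review bot: The Mirai hunk renames `value` from `"Mirai"` to `"Mirai (Windows)"` and at the same time drops the two `related` links (`dcbf1aaa-…` and `fcdfd4af-…`), so the disambiguation the rename is meant to provide loses the very pointers that would tell a user where the non-Windows Mirai entries live. Since MISP derives the galaxy tag from `value`, existing `misp-galaxy:malpedia="Mirai"` tags will presumably no longer map to this cluster. Consider keeping the old name as a synonym, `"synonyms": ["Mirai"]`, or retaining the `related` entries so the Windows/other-platform split stays navigable; the same consideration applies to the `Mokes (Windows)` and `Bahamut (Android)` renames elsewhere in this diff.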
@@ -12157,10 +10124,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moker", - "https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/", "https://breakingmalware.com/malware/moker-part-2-capabilities/", - "http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network", - "https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/" + "https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/", + "https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/", + "http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network" ], "synonyms": [], "type": [] @@ -12179,7 +10146,7 @@ "type": [] }, "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", - "value": "Mokes" + "value": "Mokes (Windows)" }, { "description": "", @@ -12221,15 +10188,6 @@ ], "type": [] }, - "related": [ - { - "dest-uuid": "89bd2020-2594-45c4-8957-522c0ac41370", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "c57a4168-cd09-4611-a665-bbcede80f42b", "value": "Monero Miner" }, @@ -12243,29 +10201,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "f266754c-d0aa-4918-95a3-73b28eaa66e3", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "76ec1827-68a1-488f-9899-2b788ea8db64", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460", "value": "MoonWind" }, 
@@ -12301,8 +10236,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito", - "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf", - "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" + "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", + "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" ], "synonyms": [], "type": [] @@ -12335,20 +10271,6 @@ "uuid": "dde61acb-8c0f-4a3a-8450-96e233f2ddc1", "value": "mozart" }, - { - "description": "", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.mpk", - "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", - "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" - ], - "synonyms": [], - "type": [] - }, - "uuid": "a37c826a-bb30-49fb-952a-63b1cab366c3", - "value": "MPK" - }, { "description": "", "meta": { @@ -12368,8 +10290,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.multigrain_pos", - "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html", - "https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/" + "https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/", + "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html" ], "synonyms": [], "type": [] @@ -12399,15 +10321,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "0b097926-2e1a-4134-8ab9-4c16d0cca0fc", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "f7081626-130a-48d5-83a9-759b3ef198ec", "value": "Murofet" }, 
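Review bot: The second hunk here deletes the `MPK` cluster outright, including its published UUID `a37c826a-bb30-49fb-952a-63b1cab366c3`, which orphans any event tags, galaxy attachments, or `related` links in other galaxies that reference it. Galaxy UUIDs are meant to be stable identifiers, so the usual practice is to retain the entry (possibly with an explanatory `description` and a pointer to its successor) rather than remove it. If MPK was merged into another family on Malpedia, keeping the entry with a `related` link to that family preserves existing correlations; the commit message should at least name the reason for the removal.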
@@ -12494,8 +10407,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon", - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", - "https://securelist.com/analysis/publications/69953/the-naikon-apt/" + "https://securelist.com/analysis/publications/69953/the-naikon-apt/", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] @@ -12509,8 +10422,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", - "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/", - "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/" ], "synonyms": [], "type": [] @@ -12527,15 +10440,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "03a91686-c607-49a8-a4e2-2054833c0013", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "00e1373c-fddf-4b06-9770-e980cc0ada6b", "value": "NanoLocker" }, @@ -12563,15 +10467,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "73cb7ecc-25e3-11e8-a97b-c35ec4e7dcf8", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "d8295eba-60ef-4900-8091-d694180de565", "value": "Nautilus" }, @@ -12585,15 +10480,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "6ea032a0-d54a-463b-b016-2b7b9b9a5b7e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "ec0cad2c-0c13-491a-a869-1dc1758c8872", "value": "NavRAT" }, 
@@ -12609,23 +10495,14 @@ "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors", - "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/", - "https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/" + "https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/", + "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/" ], "synonyms": [ "nucurs" ], "type": [] }, - "related": [ - { - "dest-uuid": "97d34770-44cc-4ecb-bdce-ba11581c0e2a", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "53ad08a6-cca9-401a-a6da-3c0bff2890eb", "value": "Necurs" }, @@ -12654,15 +10531,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5", "value": "NetC" }, @@ -12678,15 +10546,6 @@ ], "type": [] }, - "related": [ - { - "dest-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5", "value": "NETEAGLE" }, @@ -12731,22 +10590,6 @@ ], "type": [] }, - "related": [ - { - "dest-uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "59b70721-6fed-4805-afa5-4ff2554bef81", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "3a26ee44-3224-48f3-aefb-3978c972d928", "value": "NetTraveler" }, 
@@ -12755,11 +10598,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire", - "https://www.circl.lu/pub/tr-23/", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/", "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data", - "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", - "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html" + "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html", + "https://www.circl.lu/pub/tr-23/" ], "synonyms": [ "Recam" @@ -12779,15 +10622,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "5c2eeaec-25e3-11e8-9d28-7f64aba5b173", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "101c2c0e-c082-4b5a-b820-2da789e839d9", "value": "Neuron" }, 
@@ -12796,37 +10630,21 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino", - "http://securitykitten.github.io/an-evening-with-n3utrino/", - "http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html", - "https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/", - "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet", + "https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/", "https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/", - "http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/", - "https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex", + "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet", + "http://securitykitten.github.io/an-evening-with-n3utrino/", + "https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/", "https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/", - "https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/" + "http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/", + "http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html", + "https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex" ], "synonyms": [ "Kasidet" ], "type": [] }, - "related": [ - { - "dest-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": 
"218ae39b-2f92-4355-91c6-50cce319d26d", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "3760920e-4d1a-40d8-9e60-508079499076", "value": "Neutrino" }, @@ -12843,15 +10661,6 @@ ], "type": [] }, - "related": [ - { - "dest-uuid": "551b568f-68fa-4483-a10c-a6452ae6289e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "a954e642-4cf4-4293-a4b0-c82cf2db785d", "value": "Neutrino POS" }, @@ -12873,9 +10682,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings", - "https://asert.arbornetworks.com/lets-talk-about-newposthings/", - "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/", + "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html", + "https://asert.arbornetworks.com/lets-talk-about-newposthings/", "http://www.cyintanalysis.com/a-quick-look-at-a-likely-newposthings-sample/" ], "synonyms": [], @@ -12909,15 +10718,6 @@ ], "type": [] }, - "related": [ - { - "dest-uuid": "c5e3766c-9527-47c3-94db-f10de2c56248", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "ec50a75e-81f0-48b3-b1df-215eac646421", "value": "NewCT" }, @@ -12939,8 +10739,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexus_logger", - "https://twitter.com/PhysicalDrive0/status/842853292124360706", - "http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/" + "http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/", + "https://twitter.com/PhysicalDrive0/status/842853292124360706" ], "synonyms": [], "type": [] 
@@ -12992,26 +10792,17 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat", - "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services", "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf", "http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf", "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/", - "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services" ], "synonyms": [ "Bladabindi" ], "type": [] }, - "related": [ - { - "dest-uuid": "a860d257-4a39-47ec-9230-94cac67ebf7e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "ff611c24-289e-4f2d-88d2-cfbf771a4e4b", "value": "NjRAT" }, @@ -13025,15 +10816,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "e7080bce-99b5-4615-a798-a192ed89bd5a", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "94793dbc-3649-40a4-9ccc-1b32846ecb3a", "value": "Nocturnal Stealer" }, @@ -13083,9 +10865,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim", - "https://www.cert.pl/en/news/single/nymaim-revisited/", "https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/", "https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf", + "https://www.cert.pl/en/news/single/nymaim-revisited/", "https://bitbucket.org/daniel_plohmann/idapatchwork" ], "synonyms": [ 
@@ -13093,15 +10875,6 @@ ], "type": [] }, - "related": [ - { - "dest-uuid": "d36f4834-b958-4f32-aff0-5263e0034408", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "9b5255c6-44e5-4ec3-bc03-7e00e220c937", "value": "Nymaim" }, @@ -13118,6 +10891,32 @@ "uuid": "c8e8392f-883e-412e-9b0b-02137d0875da", "value": "Nymaim2" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.oceansalt", + "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "01cef4e7-a8a8-4b42-b509-f91c5d415354", + "value": "Oceansalt" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.octopus", + "https://securelist.com/octopus-infested-seas-of-central-asia/88200/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "777b76f9-5390-4899-b201-ebaa8a329c96", + "value": "Octopus" + }, { "description": "", "meta": { 
@@ -13140,18 +10939,25 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "e2fa7aea-fb33-4efc-b61b-ccae71b32e7d", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "045df65f-77fe-4880-af34-62ca33936c6e", "value": "Odinaff" }, + { + "description": "According to FireEye, OLDBAIT is a credential stealer that has been observed to be used by APT28.\r\nIt targets Internet Explorer, Mozilla Firefox, Eudora, The Bat! (an email client by a Moldovan company), and Becky! (an email client made by a Japanese company). It can use both HTTP or SMTP to exfiltrate data.\r\nIn some places it is mistakenly named \"Sasfis\", which however seems to be a completely different and unrelated malware family.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.oldbait", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", + "https://www.secjuice.com/fancy-bear-review/" + ], + "synonyms": [ + "Sasfis" + ], + "type": [] + }, + "uuid": "b79a6b61-f122-4823-a4ab-bbab89fcaf75", + "value": "OLDBAIT" + }, { "description": "Malware which seems to have no function other than to disrupt computer systems related to the 2018 Winter Olympic event.", "meta": { @@ -13161,6 +10967,7 @@ "https://www.lastline.com/labsblog/olympic-destroyer-south-korea/", "https://securelist.com/the-devils-in-the-rich-header/84348/", "https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/", + "https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/", "https://securelist.com/olympic-destroyer-is-still-alive/86169/", "http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html", "https://www.lastline.com/labsblog/attribution-from-russia-with-code/", 
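Review bot: The new OLDBAIT entry lists `"Sasfis"` under `synonyms` while its own `description` states that the Sasfis name is applied mistakenly and refers to "a completely different and unrelated malware family". Because synonyms feed tag matching and correlation, this will make MISP treat Sasfis-labelled data as OLDBAIT, which is the very conflation the description warns against. Keep the clarification in the description and set `"synonyms": []`, or, if the intent is to catch the mislabel deliberately, say so explicitly in the description so analysts know the match is a known misattribution rather than an alias.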
@@ -13169,15 +10976,6 @@ "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "76d5c7a2-73c3-11e8-bd92-db4d715af093", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "f3ba8a50-0105-4aa9-90b2-01df15f50b28", "value": "Olympic Destroyer" }, @@ -13212,21 +11010,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke", - "http://contagiodump.blogspot.com/2014/11/onionduke-samples.html", - "https://www.f-secure.com/weblog/archives/00002764.html" + "https://www.f-secure.com/weblog/archives/00002764.html", + "http://contagiodump.blogspot.com/2014/11/onionduke-samples.html" ], "synonyms": [], "type": [] }, - "related": [ - { - "dest-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7", "value": "OnionDuke" }, @@ -13238,8 +11027,8 @@ "https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html" ], "synonyms": [ - "SBot", - "Onliner" + "Onliner", + "SBot" ], "type": [] }, @@ -13251,8 +11040,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oopsie", - "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/", - "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr" + "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" ], "synonyms": [], "type": [] 
@@ -13265,10 +11054,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki", - "http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html", - "http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html", + "https://forum.malekal.com/viewtopic.php?t=21806", "https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519", - "https://forum.malekal.com/viewtopic.php?t=21806" + "http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html", + "http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html" ], "synonyms": [], "type": [] @@ -13320,10 +11109,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat", - "https://orcustechnologies.com/", + "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors", "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/", "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/", - "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors" + "https://orcustechnologies.com/" ], "synonyms": [], "type": [] 
@@ -13336,21 +11125,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt",
- "https://www.gdata.de/blog/2017/11/30151-ordinypt",
- "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/"
+ "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/",
+ "https://www.gdata.de/blog/2017/11/30151-ordinypt"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "1d46f816-d159-4457-b98e-c34307d90655",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "7fd96553-4c78-43de-824f-82645ed4fac5",
 "value": "Ordinypt"
 },
@@ -13401,21 +11181,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.padcrypt",
- "https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/",
- "https://johannesbader.ch/2016/03/the-dga-of-padcrypt/"
+ "https://johannesbader.ch/2016/03/the-dga-of-padcrypt/",
+ "https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "57c5df76-e72f-41b9-be29-89395f83a77c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "c21335f5-b145-4029-b1bc-161362c7ce80",
 "value": "PadCrypt"
 },
@@ -13441,9 +11212,9 @@
 "https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker",
 "https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/",
 "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers",
- "https://www.proofpoint.com/tw/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market",
- "https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media",
 "https://www.arbornetworks.com/blog/asert/panda-bankers-future-dga/",
+ "https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media",
+ "https://www.proofpoint.com/tw/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market",
 "https://www.spamhaus.org/news/article/771/",
 "https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html",
 "http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html",
@@ -13506,24 +11277,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.petya",
- "https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/",
 "https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/",
 "https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/",
 "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
- "https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/"
+ "https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "7c5a1e93-7ab2-4b08-ada9-e82c4feaed0a",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "34c9dbaa-97ac-4e1e-9eca-b7c492d67efc",
 "value": "Petya"
 },
@@ -13542,16 +11304,29 @@
 "uuid": "add29684-94b7-4c75-a43b-d039c4b76158",
 "value": "pgift"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phandoor",
+ "https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3a77d0d4-6fb1-4092-9fe3-bf1f51a6677c",
+ "value": "PhanDoor"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.philadelphia_ransom",
- "https://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sector",
+ "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/",
 "https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html",
 "https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware",
- "https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/",
- "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/"
+ "https://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sector",
+ "https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/"
 ],
 "synonyms": [],
 "type": []
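Review bot: The second ref of the new PhanDoor entry, `https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf`, keeps literal `[` and `]` in its path while the space in the same URL is already percent-encoded, so the string is inconsistent with itself and may be rejected by strict RFC 3986 validators, which reserve brackets for the host component. Encoding the brackets the same way as the space keeps the link working in browsers and lets the ref pass any `format: uri` check applied to the cluster: `"https://global.ahnlab.com/global/upload/download/techreport/%5BAhnLab%5DAndariel_a_Subgroup_of_Lazarus%20(3).pdf"`. The rest of the entry follows the same shape as its neighbours.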
@@ -13566,8 +11341,8 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex",
 "https://www.johannesbader.ch/2016/02/phorpiex/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/",
- "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows",
- "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/"
+ "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/",
+ "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows"
 ],
 "synonyms": [
 "Trik"
@@ -13622,8 +11397,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pittytiger_rat",
- "https://securingtomorrow.mcafee.com/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/",
- "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf"
+ "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf",
+ "https://securingtomorrow.mcafee.com/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/"
 ],
 "synonyms": [],
 "type": []
@@ -13641,9 +11416,9 @@
 "http://webcache.googleusercontent.com/search?q=cache:JN3yRXXuYsYJ:https://www.arbornetworks.com/blog/asert/peeking-at-pkybot"
 ],
 "synonyms": [
+ "Bublik",
 "Pykbot",
- "TBag",
- "Bublik"
+ "TBag"
 ],
 "type": []
 },
@@ -13660,15 +11435,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "58b24db2-79d7-11e8-9b1b-bbdbc798af4f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "66087a9c-b5ac-4d6d-b79e-c0294728c876",
 "value": "PLAINTEE"
 },
@@ -13690,34 +11456,19 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.plead",
- "http://www.freebuf.com/column/159865.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
- "http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html",
- "https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf",
 "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html",
- "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/"
+ "http://www.freebuf.com/column/159865.html",
+ "https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html",
+ "http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html",
+ "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
+ "https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf"
 ],
 "synonyms": [
 "TSCookie"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "a71ed71f-b8f4-416d-9c57-910a42e59430",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "d1482c9e-6af3-11e8-aa8e-279274bd10c7",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "43a56ed7-8092-4b36-998c-349b02b3bd0d",
 "value": "PLEAD"
 },
@@ -13726,21 +11477,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.plexor",
- "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/",
- "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7"
+ "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
+ "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "8fb00a59-0dec-4d7f-bd53-9826b3929f39",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "5c860744-bb12-4587-a852-ee060fd4dd64",
 "value": "Plexor"
 },
@@ -13777,51 +11519,28 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx",
+ "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html",
+ "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
+ "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/",
 "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf",
 "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf",
- "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html",
- "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html",
- "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html",
- "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
- "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf",
 "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf",
+ "https://community.rsa.com/thread/185439",
 "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/",
- "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/",
- "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/",
- "https://www.lac.co.jp/lacwatch/people/20171218_001445.html",
 "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/",
+ "https://www.lac.co.jp/lacwatch/people/20171218_001445.html",
+ "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/",
 "https://securelist.com/time-of-death-connected-medicine/84315/",
- "https://community.rsa.com/thread/185439"
+ "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf",
+ "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html",
+ "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html",
+ "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf"
 ],
 "synonyms": [
 "Korplug"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "663f8ef9-4c50-499a-b765-f377d23c1070",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "f4b159ea-97e5-483b-854b-c48a78d562aa",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee",
 "value": "PlugX"
 },
@@ -13835,15 +11554,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "fb4313ea-1fb6-4766-8b5c-b41fd347e4c5",
 "value": "pngdowner"
 },
@@ -13858,6 +11568,7 @@
 "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
 "https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii",
 "https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/",
+ "http://blogs.360.cn/post/APT_C_01_en.html",
 "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf",
 "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/"
 ],
@@ -13867,36 +11578,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
 "value": "Poison Ivy"
 },
@@ -13910,15 +11591,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "b22cafb4-ccef-4935-82f4-631a6e539b8e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "5ee77368-5e09-4016-ae73-82b99e830832",
 "value": "Polyglot"
 },
@@ -13932,27 +11604,11 @@
 "https://github.com/nyx0/Pony"
 ],
 "synonyms": [
- "Siplog",
- "Fareit"
+ "Fareit",
+ "Siplog"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "ff0404a1-465f-4dd5-8b66-ee773628ca64",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "652b5242-b790-4695-ad0e-b79bbf78f351",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "cd201689-4bf1-4c5b-ac4d-21c4dcc39e7d",
 "value": "Pony"
 },
@@ -14032,15 +11688,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd",
 "value": "PowerDuke"
 },
@@ -14082,15 +11729,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "1f1be19e-d1b5-408b-90a0-03ad27cc8924",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "606f778a-8b99-4880-8da8-b923651d627b",
 "value": "PowerRatankba"
 },
@@ -14107,6 +11745,19 @@
 "uuid": "2c9c42bc-8f26-4122-9454-a7eed8cd8886",
 "value": "prb_backdoor"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.predator",
+ "https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "54041c03-5714-4247-9226-3c801f59bc07",
+ "value": "Predator The Thief"
+ },
 {
 "description": "",
 "meta": {
@@ -14125,8 +11776,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.prilex",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/",
- "https://www.kaspersky.com/blog/chip-n-pin-cloning/21502"
+ "https://www.kaspersky.com/blog/chip-n-pin-cloning/21502",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/"
 ],
 "synonyms": [],
 "type": []
@@ -14139,9 +11790,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.princess_locker",
+ "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/",
 "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/",
- "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/",
- "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/"
+ "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/"
 ],
 "synonyms": [],
 "type": []
@@ -14187,15 +11838,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf",
 "value": "Pteranodon"
 },
@@ -14232,10 +11874,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy",
- "https://github.com/n1nj4sec/pupy",
- "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
+ "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
 "https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/",
- "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations"
+ "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
+ "https://github.com/n1nj4sec/pupy"
 ],
 "synonyms": [],
 "type": []
@@ -14248,23 +11890,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo",
- "https://www.secureworks.com/research/pushdo",
+ "https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/",
 "https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf",
- "http://malware-traffic-analysis.net/2017/04/03/index2.html",
- "https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/"
+ "https://www.secureworks.com/research/pushdo",
+ "http://malware-traffic-analysis.net/2017/04/03/index2.html"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "94d12a03-6ae8-4006-a98f-80c15e6f95c0",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "b39ffc73-db5f-4a8a-acd2-bee958d69155",
 "value": "Pushdo"
 },
@@ -14298,9 +11931,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwnpos",
+ "https://twitter.com/physicaldrive0/status/573109512145649664",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/",
- "https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html",
- "https://twitter.com/physicaldrive0/status/573109512145649664"
+ "https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html"
 ],
 "synonyms": [],
 "type": []
@@ -14313,8 +11946,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa",
- "https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/",
 "https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/",
+ "https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/",
 "https://www.youtube.com/watch?v=HfSQlC76_s4"
 ],
 "synonyms": [],
@@ -14357,25 +11990,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars",
+ "https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/",
+ "https://pages.phishlabs.com/rs/130-BFB-942/images/Qadars%20-%20Final.pdf",
+ "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/",
 "https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan",
 "https://www.johannesbader.ch/2016/04/the-dga-of-qadars/",
- "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/",
- "https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/",
- "https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/",
- "https://pages.phishlabs.com/rs/130-BFB-942/images/Qadars%20-%20Final.pdf"
+ "https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "a717c873-6670-447a-ba98-90db6464c07d",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "080b2071-2d69-4b76-962e-3d0142074bcb",
 "value": "Qadars"
 },
@@ -14385,36 +12009,20 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot",
 "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/",
- "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html",
- "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf",
 "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/",
- "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf",
- "http://contagiodump.blogspot.com/2010/11/template.html",
 "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf",
+ "http://contagiodump.blogspot.com/2010/11/template.html",
+ "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf",
+ "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html",
+ "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf",
 "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html"
 ],
 "synonyms": [
- "Qbot",
- "Pinkslipbot"
+ "Pinkslipbot",
+ "Qbot"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "ac2ff27d-a7cb-46fe-ae32-cfe571dc614d",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "b2ec1f16-2a76-4910-adc5-ecb3570e7c1a",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549",
 "value": "QakBot"
 },
@@ -14454,22 +12062,13 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.quant_loader",
 "https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/",
- "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/",
+ "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground",
 "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat",
- "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground"
+ "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "2d1aadfb-03c1-4580-b6ac-f12c6941067d",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "e6005ce5-3e3d-4dfb-8de7-3da45e89e549",
 "value": "Quant Loader"
 },
@@ -14479,28 +12078,19 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat",
 "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "https://github.com/quasar/QuasarRAT/tree/master/Client",
+ "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
 "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/",
 "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite",
 "https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/",
 "https://twitter.com/malwrhunterteam/status/789153556255342596",
- "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments",
- "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
- "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/",
- "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/"
+ "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "6efa425c-3731-44fd-9224-2a62df061a2d",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "05252643-093b-4070-b62f-d5836683a9fa",
 "value": "Quasar RAT"
 },
@@ -14527,15 +12117,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "674c3bf6-2e16-427d-ab0f-b91676a460cd",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "98bcb2b9-bc3a-4ffb-859a-94bd03c1cc3c",
 "value": "Radamant"
 },
@@ -14549,18 +12130,22 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "5a3df9d7-82de-445e-a218-406b970600d7",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "271752e3-67ca-48bc-ade2-30eec11defca",
 "value": "RadRAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rakhni",
+ "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cf6887d9-3d68-4f89-9d61-e97dcc4d8c20",
+ "value": "Rakhni"
+ },
 {
 "description": "",
 "meta": {
@@ -14594,34 +12179,18 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit",
 "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/",
- "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/",
 "http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html",
- "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf",
- "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html",
 "http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html",
- "https://research.checkpoint.com/ramnits-network-proxy-servers/"
+ "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/",
+ "https://research.checkpoint.com/ramnits-network-proxy-servers/",
+ "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html",
+ "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf"
 ],
 "synonyms": [
 "Nimnul"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "7e2288ec-e7d4-4833-9245-a2bc5ae40ee2",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "8ed81090-f098-4878-b87e-2d801b170759",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "542161c0-47a4-4297-baca-5ed98386d228",
 "value": "Ramnit"
 },
@@ -14630,23 +12199,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus",
- "https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/",
- "http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html",
 "https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/",
- "https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/"
+ "https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/",
+ "http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html",
+ "https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "6720f960-0382-479b-a0f8-f9e008995af4",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "5d9a27e7-3110-470a-ac0d-2bf00cac7846",
 "value": "Ranbyus"
 },
@@ -14660,15 +12220,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "383d7ebb-9b08-4874-b5d7-dc02b499c38f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "50c92b0b-cae3-41e7-b7d8-dffc2c88ac4b",
 "value": "Ranscam"
 },
@@ -14682,15 +12233,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "f0fcbac5-6216-4c3c-adcb-3aa06ab23340",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "5310903e-0704-4ca4-ab1b-52d243dddb06",
 "value": "Ransoc"
 },
@@ -14699,8 +12241,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomlock",
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2",
- "https://forum.malekal.com/viewtopic.php?t=36485&start="
+ "https://forum.malekal.com/viewtopic.php?t=36485&start=",
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2"
 ],
 "synonyms": [
 "WinLock"
@@ -14715,8 +12257,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom",
- "https://twitter.com/malwrhunterteam/status/977275481765613569",
- "https://twitter.com/malwrhunterteam/status/997748495888076800"
+ "https://twitter.com/malwrhunterteam/status/997748495888076800",
+ "https://twitter.com/malwrhunterteam/status/977275481765613569"
 ],
 "synonyms": [],
 "type": []
@@ -14755,8 +12297,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratabankapos",
- "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf",
- "http://blog.trex.re.kr/3"
+ "http://blog.trex.re.kr/3",
+ "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -14775,15 +12317,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7",
 "value": "RawPOS"
 },
@@ -14796,27 +12329,11 @@
 "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/"
 ],
 "synonyms": [
- "Remote Control System",
- "Crisis"
+ "Crisis",
+ "Remote Control System"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "4b2ab902-811e-4b50-8510-43454d77d027",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "c17f6e4b-70c5-42f8-a91b-19d73485bd04",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "c359c74e-4155-4e66-a344-b56947f75119",
 "value": "RCS"
 },
@@ -14838,23 +12355,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot",
+ "https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under",
 "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html",
- "http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/",
- "https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under"
+ "http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "d939e802-acb2-4881-bdaf-ece1eccf5699",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "9d58d94f-6885-4a38-b086-b9978ac62c1f",
 "value": "ReactorBot"
 },
@@ -14868,15 +12376,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "826c31ca-2617-47e4-b236-205da3881182",
 "value": "Reaver"
 },
@@ -14898,49 +12397,32 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves",
- "http://blog.macnica.net/blog/2017/12/post-8c22.html",
- "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
 "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
+ "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
 "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "http://blog.macnica.net/blog/2017/12/post-8c22.html",
 "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves",
 "https://www.jpcert.or.jp/magazine/acreport-redleaves.html"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "ad6a1b4a-6d79-40d4-adb7-1d7ca697347e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "90124cc8-1205-4e63-83ad-5c45a110b1e6",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "3df08e23-1d0b-41ed-b735-c4eca46ce48e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "a70e93a7-3578-47e1-9926-0818979ed866",
 "value": "RedLeaves"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redyms",
+ "https://www.welivesecurity.com/2013/02/04/what-do-win32redyms-and-tdl4-have-in-common/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "36893c2a-28ad-4dd3-a66b-906f1dd15b92",
+ "value": "Redyms"
+ },
 {
 "description": "",
 "meta": {
@@ -14951,15 +12433,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "f762860a-5e7a-43bf-bef4-06bd27e0b023",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "cd5f5165-7bd3-4430-b0bc-2c8fa518f618",
 "value": "Red Alert"
 },
@@ -14987,15 +12460,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "2c62f08a-9bd9-11e8-9e20-db9ec0d2b277",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "9ee0eb87-7648-4581-b301-7472a48946ad",
 "value": "reGeorg"
 },
@@ -15009,22 +12473,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "0cf21558-1217-4d36-9536-2919cfd44825",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb",
 "value": "Regin"
 },
@@ -15033,27 +12481,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos",
- "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
+ "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
 "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "http://malware-traffic-analysis.net/2017/12/22/index.html",
 "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2",
 "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/",
 "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/",
- "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
+ "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
 "https://secrary.com/ReversingMalware/RemcosRAT/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "f647cca0-7416-47e9-8342-94b84dd436cc",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "2894aee2-e0ec-417a-811e-74a68ab967b2",
 "value": "Remcos"
 },
@@ -15062,8 +12501,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf",
- "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions"
+ "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -15081,15 +12520,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9",
 "value": "Remsec"
 },
@@ -15136,10 +12566,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe",
- "https://www.govcert.admin.ch/blog/33/the-retefe-saga",
- "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/",
+ "https://github.com/cocaman/retefe",
 "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/",
- "https://github.com/cocaman/retefe"
+ "https://www.govcert.admin.ch/blog/33/the-retefe-saga",
+ "https://www.govcert.admin.ch/blog/35/reversing-retefe",
+ "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/"
 ],
 "synonyms": [
 "Tsukuba",
@@ -15147,40 +12578,17 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "80acc956-d418-42e3-bddf-078695a01289",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "87b69cb4-8b65-47ee-91b0-9b1decdd5c5c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "e159c4f8-3c22-49f9-a60a-16588a9c22b0",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777",
- "value": "Retefe"
+ "value": "Retefe (Windows)"
 },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat",
- "http://blog.deniable.org/blog/2016/08/26/lurking-around-revenge-rat/",
 "https://isc.sans.edu/diary/rss/22590",
- "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/"
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "http://blog.deniable.org/blog/2016/08/26/lurking-around-revenge-rat/"
 ],
 "synonyms": [
 "Revetrat"
@@ -15195,8 +12603,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor",
- "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/",
- "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"
+ "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
+ "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/"
 ],
 "synonyms": [],
 "type": []
@@ -15204,6 +12612,19 @@
 "uuid": "daddd1dc-c415-4970-89ee-526ee8de2ec1",
 "value": "RGDoor"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor",
+ "https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2639b71e-1bf1-4cd2-8fa2-9498e893ef3f",
+ "value": "Rifdoor"
+ },
 {
 "description": "",
 "meta": {
@@ -15221,7 +12642,8 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.rincux"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rincux",
+ "https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Edwards-Nazario-VB2011.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -15291,15 +12713,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "61184aea-e87b-467d-b36e-cfc75ccb242f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "38f57823-ccc2-424b-8140-8ba30325af9c",
 "value": "Rokku"
 },
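Review bot: The Rifdoor reference URL mixes encodings: the space is percent-encoded as `%20` but the square brackets in `[AhnLab]` are left literal, which RFC 3986 does not permit in a path component and which strict URL validators or link checkers will reject. Other refs in this file encode such characters consistently (`Technical%20Notes`, `Rootkit%20Installation`), so the value should read `"https://global.ahnlab.com/global/upload/download/techreport/%5BAhnLab%5DAndariel_a_Subgroup_of_Lazarus%20(3).pdf"`. The JSON itself is valid either way; the point is the URL value that downstream tooling will try to resolve.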
@@ -15308,12 +12721,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat",
- "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html",
 "http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf",
- "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html",
+ "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html",
 "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
- "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/",
- "https://www.youtube.com/watch?v=uoBQE5s2ba4"
+ "https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/",
+ "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/rokrat-analysis/",
+ "https://www.youtube.com/watch?v=uoBQE5s2ba4",
+ "http://v3lo.tistory.com/24",
+ "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/"
 ],
 "synonyms": [],
 "type": []
@@ -15383,15 +12799,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050",
 "value": "Rover"
 },
@@ -15400,32 +12807,23 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rovnix",
- "https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/",
- "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981",
- "https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0",
 "https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/",
- "https://blogs.technet.microsoft.com/mmpc/2013/07/25/the-evolution-of-rovnix-private-tcpip-stacks/",
+ "https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0",
+ "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf",
+ "https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/",
 "https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/",
 "http://www.malwaretech.com/2014/05/rovnix-new-evolution.html",
- "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf",
+ "https://blogs.technet.microsoft.com/mmpc/2013/07/25/the-evolution-of-rovnix-private-tcpip-stacks/",
+ "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981",
 "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html"
 ],
 "synonyms": [
- "Mayachok",
+ "BkLoader",
 "Cidox",
- "BkLoader"
+ "Mayachok"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "a4036a28-3d94-11e8-ad9f-97ada3c6d5fb",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "8d984309-b7fa-4ccf-a6b7-da17283aae2f",
 "value": "Rovnix"
 },
@@ -15434,21 +12832,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
- "https://github.com/nccgroup/Royal_APT"
+ "https://github.com/nccgroup/Royal_APT",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "ac04d0b0-c6b5-4125-acd7-c58dfe7ad4cf",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "92d87656-5e5b-410c-bdb6-bf028324dc72",
 "value": "RoyalCli"
 },
@@ -15457,8 +12846,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
- "https://github.com/nccgroup/Royal_APT"
+ "https://github.com/nccgroup/Royal_APT",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
 ],
 "synonyms": [],
 "type": []
@@ -15489,15 +12878,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "e6952b4d-e96d-4641-a88f-60074776d553",
 "value": "RTM"
 },
@@ -15524,15 +12904,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "d70bd6a8-5fd4-42e8-8e39-fb18daeccdb2",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "b88b50c0-3db9-4b8f-8564-4f56f991bee2",
 "value": "Ruckguv"
 },
@@ -15573,15 +12944,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "40bce827-4049-46e4-8323-3ab58f0f00bc",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "512e0b13-a52b-45ef-9230-7172f5e976d4",
 "value": "Rurktar"
 },
@@ -15590,30 +12952,34 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock",
- "https://www.secureworks.com/blog/research-21041",
+ "http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf",
+ "http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html",
 "http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html",
 "https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html",
- "http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html",
- "http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/",
- "http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf",
+ "https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/",
 "http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf",
- "https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/"
+ "https://www.secureworks.com/blog/research-21041",
+ "http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "9bca63cc-f0c7-4704-9c5f-b5bf473a9b43",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "76e98e04-0ab7-4000-80ee-7bcbcf9c110d",
 "value": "Rustock"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk",
+ "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "62c79940-184e-4b8d-9237-35434bb79678",
+ "value": "Ryuk"
+ },
 {
 "description": "",
 "meta": {
@@ -15621,8 +12987,8 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom",
 "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/",
 "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga",
- "https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/",
- "http://malware-traffic-analysis.net/2017/10/13/index.html"
+ "http://malware-traffic-analysis.net/2017/10/13/index.html",
+ "https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/"
 ],
 "synonyms": [
 "Saga"
@@ -15637,9 +13003,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat",
+ "https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1",
- "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula",
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99",
+ "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula",
 "https://www.secureworks.com/research/sakula-malware-family"
 ],
 "synonyms": [
@@ -15647,29 +13014,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "3eca2d5f-41bf-4ad4-847f-df18befcdc44",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "f6c137f0-979c-4ce2-a0e5-2a080a5a1746",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b",
 "value": "Sakula RAT"
 },
@@ -15696,15 +13040,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "6fe5f49d-48b5-4dc2-92f7-8c94397b9c96",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "cf752563-ad8a-4286-b2b3-9acf24a0a09a",
 "value": "Sality"
 },
@@ -15713,24 +13048,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam",
- "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx",
- "https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/",
 "http://blog.talosintel.com/2016/03/samsam-ransomware.html",
- "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html",
- "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/"
+ "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx",
+ "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/",
+ "https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public",
+ "https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/",
+ "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "731e4a5e-35f2-47b1-80ba-150b95fdc14d",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "696d78cb-1716-4ca0-b678-c03c7cfec19a",
 "value": "SamSam"
 },
@@ -15765,6 +13092,27 @@
 "uuid": "5aed5403-9c52-4de6-9c8d-d29e5197ef7e",
 "value": "Sarhust"
 },
+ {
+ "description": "Sasfis acts mostly as a downloader that has been observed to download Asprox and FakeAV. According to a VirusBulletin article from 2012, it is likely authored by the same group as SmokeLoader.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sasfis",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/",
+ "https://www.symantec.com/security-center/writeup/2010-020210-5440-99",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/",
+ "https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/",
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis",
+ "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Sasfis-O/detailed-analysis.aspx",
+ "https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign"
+ ],
+ "synonyms": [
+ "Oficla"
+ ],
+ "type": []
+ },
+ "uuid": "4c4ceb45-b326-45aa-8f1a-1229e90c78b4",
+ "value": "Sasfis"
+ },
 {
 "description": "",
 "meta": {
@@ -15777,15 +13125,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "61d8bba8-7b22-493f-b023-97ffe7f17caf",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "5639f7db-ab70-4b86-8a2f-9c4e3927ba91",
 "value": "Satan Ransomware"
 },
@@ -15799,15 +13138,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "a127a59e-9e4c-4c2b-b833-cabd076c3016",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "09b555be-8bac-44b2-8741-922ee0b87880",
 "value": "Satana"
 },
@@ -15821,15 +13151,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "35849d8f-5bac-475b-82f8-7d555f37de12",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "bdc7cc9c-c46d-4f77-b903-2335cc1a3369",
 "value": "Sathurbot"
 },
@@ -15838,8 +13159,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos",
- "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
- "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos"
+ "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos",
+ "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware"
 ],
 "synonyms": [],
 "type": []
@@ -15898,15 +13219,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207",
 "value": "SeaDaddy"
 },
@@ -15928,8 +13240,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedll",
+ "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
 "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
- "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
+ "https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/"
 ],
 "synonyms": [],
 "type": []
@@ -15942,10 +13255,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware_15.html",
+ "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
 "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
 "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/",
- "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf"
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html"
 ],
 "synonyms": [
 "azzy",
@@ -15953,22 +13267,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "6374fc53-9a0d-41ba-b9cf-2a9765d69fbb",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75",
 "value": "Sedreco"
 },
@@ -15977,63 +13275,26 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
 "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
+ "https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html",
+ "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf",
+ "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
 "http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
 "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/",
 "https://blog.xpnsec.com/apt28-hospitality-malware-part-2/",
- "https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html",
- "https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed",
- "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html",
- "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
+ "https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed"
 ],
 "synonyms": [
- "jhuhugit",
- "jkeyskw",
+ "carberplike",
 "downrage",
- "carberplike"
+ "jhuhugit",
+ "jkeyskw"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": 
"8ae43c46-57ef-47d5-a77a-eebb35628db2",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c",
 "value": "Seduploader"
 },
@@ -16058,15 +13319,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "bd4bfbab-c21d-4971-b70c-b180bcf40630",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "0d4ca924-7e7e-4385-b14d-f504b4d206e5",
 "value": "Serpico"
 },
@@ -16084,15 +13336,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "2448a4e1-46e3-4c42-9fd1-f51f8ede58c1",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "e089e945-a523-4d11-a135-396f9b6c1dc7",
 "value": "ShadowPad"
 },
@@ -16143,23 +13386,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpknot",
- "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf",
- "https://eromang.zataz.com/tag/agentbase-exe/"
+ "https://eromang.zataz.com/tag/agentbase-exe/",
+ "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf"
 ],
 "synonyms": [
 "Bitrep"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "3784c74-691a-4110-94f6-66e60224aa92",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "d31f1c73-d14b-41e2-bb16-81ee1d886e43",
 "value": "SHARPKNOT"
 },
@@ -16186,15 +13420,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "67d712c8-d254-4820-83fa-9a892b87923b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "6e668c0c-7085-4951-87d4-0334b6a5cdb3",
 "value": "Shifu"
 },
@@ -16216,21 +13441,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.shujin",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/",
- "http://www.nyxbone.com/malware/chineseRansom.html"
+ "http://www.nyxbone.com/malware/chineseRansom.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "b9963d52-a391-4e9c-92e7-d2a147d5451f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "77c20bd9-5403-4f99-bae5-c54f3f38a6b6",
 "value": "Shujin"
 },
@@ -16252,12 +13468,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.shylock",
+ "https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/",
+ "http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html",
 "https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/",
 "https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/",
 "https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware",
- "https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw",
- "http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html",
- "https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/"
+ "https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw"
 ],
 "synonyms": [
 "Caphaw"
@@ -16279,7 +13495,7 @@
 "type": []
 },
 "uuid": "3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8",
- "value": "win.sidewinder"
+ "value": "SideWinder"
 },
 {
 "description": "",
@@ -16314,22 +13530,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.silence",
- "https://securelist.com/the-silence/83009/",
 "http://www.intezer.com/silenceofthemoles/",
+ "https://securelist.com/the-silence/83009/",
 "https://www.group-ib.com/resources/threat-research/silence.html"
 ],
- "synonyms": [],
+ "synonyms": [
+ "TrueBot"
+ ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "304fd753-c917-4008-8f85-81390c37a070",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "0df52c23-690b-4703-83f7-5befc38ab376",
 "value": "Silence"
 },
@@ -16338,8 +13547,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.silon",
- "http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html",
- "http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm"
+ "http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm",
+ "http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html"
 ],
 "synonyms": [],
 "type": []
@@ -16371,15 +13580,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "347e7a64-8ee2-487f-bcb3-ca7564fa836c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "467ee29c-317f-481a-a77c-69961eb88c4d",
 "value": "Simda"
 },
@@ -16390,27 +13590,18 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal",
 "https://en.wikipedia.org/wiki/Torpig",
 "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2",
- "https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/",
- "https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan"
+ "https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan",
+ "https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/"
 ],
 "synonyms": [
- "Theola",
- "Quarian",
- "Mebroot",
 "Anserin",
+ "Mebroot",
+ "Quarian",
+ "Theola",
 "Torpig"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "415a3667-4ac4-4718-a6ea-617540a4abb1",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "ad5bcaef-1a86-4cc7-8f2e-32306b995018",
 "value": "Sinowal"
 },
@@ -16425,15 +13616,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "b533439d-b060-4c90-80e0-9dce67b0c6fb",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "0fba78fc-47a1-45e1-b5df-71bcabd23b5d",
 "value": "Sisfader"
 },
@@ -16511,39 +13693,23 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader",
 "https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/",
- "https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo",
+ "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/",
 "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html",
 "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
 "https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis",
 "https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign",
- "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/",
+ "https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo",
 "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/",
- "https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait",
 "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/",
- "https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/",
- "https://www.cert.pl/en/news/single/dissecting-smoke-loader/"
+ "https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait",
+ "https://www.cert.pl/en/news/single/dissecting-smoke-loader/",
+ "https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/"
 ],
 "synonyms": [
 "Dofoil"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "0c824410-58ff-49b2-9cf2-1c96b182bdf0",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "81f41bae-2ba9-4cec-9613-776be71645ca",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec",
 "value": "SmokeLoader"
 },
@@ -16560,27 +13726,32 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "f93acc85-8d2c-41e0-b0c5-47795b8c6194",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "26b91007-a8ae-4e32-bd99-292e44735c3d",
 "value": "Smominru"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smrss32",
+ "https://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/",
+ "https://www.youtube.com/watch?v=7gCU31ScJgk"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1fe0b2fe-5f9b-4359-b362-be611537442a",
+ "value": "Smrss32 Ransomware"
+ },
 {
 "description": "A downloader trojan with some infostealer capabilities focused on the browser. Previously observed as part of RigEK campaigns.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader",
- "https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/",
+ "https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/",
 "https://twitter.com/VK_Intel/status/898549340121288704",
 "https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/",
- "https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/"
+ "https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/"
 ],
 "synonyms": [],
 "type": []
@@ -16615,29 +13786,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "75b01a1e-3269-4f4c-bdba-37af4e9c3f54",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "75329c9e-a218-4299-87b2-8f667cd9e40c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "b9448d2a-a23c-4bf2-92a1-d860716ba2f3",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa",
 "value": "Snifula"
 },
@@ -16696,9 +13844,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot",
- "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
+ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
 "https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf",
- "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+ "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
 ],
 "synonyms": [
 "BIRDDOG",
@@ -16765,22 +13913,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "f5ac89a7-e129-43b7-bd68-e3cb1e5a3ba2",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c",
 "value": "SOUNDBITE"
 },
@@ -16802,12 +13934,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.spora_ransom",
- "http://malware-traffic-analysis.net/2017/01/17/index2.html",
- "https://github.com/MinervaLabsResearch/SporaVaccination",
- "https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas",
- "https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/",
 "https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/",
- "https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware"
+ "https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/",
+ "https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas",
+ "https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware",
+ "https://github.com/MinervaLabsResearch/SporaVaccination",
+ "http://malware-traffic-analysis.net/2017/01/17/index2.html"
 ],
 "synonyms": [],
 "type": []
@@ -16836,17 +13968,8 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "4db80a62-d318-48e7-b70b-759924ff515e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
- "uuid": "39f609e3-e6fe-4c2c-af0e-b28bc81b2ecf",
- "value": "Spy-Net"
+ "uuid": "552745f4-6702-47a5-b517-9b099937573f",
+ "value": "win.spynet_rat"
 },
 {
 "description": "",
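Review bot: The Spy-Net entry gets a new `uuid` (39f609e3-… → 552745f4-…), which orphans any event or correlation that was tagged with the old identifier, and its `value` regresses from the display name `Spy-Net` to the raw Malpedia id `win.spynet_rat`, the opposite of what the SideWinder and Triton hunks in this same diff do (`win.sidewinder` → `SideWinder`, `win.triton` → `Triton`). The unidentified_005 hunk later in the diff has the same pair of problems (4db80a62-… → ff80f82d-…, value `win.unidentified_005`), and since the two old uuids pointed at each other through the removed `related` blocks, both ends of that link vanish together. Unless the new uuids come from upstream and are meant to be authoritative, keep the old identifier and the readable name: `"uuid": "39f609e3-e6fe-4c2c-af0e-b28bc81b2ecf",` / `"value": "Spy-Net"`. The Sysraw Stealer addition shows the alternative done right: it reuses the uuid of the removed Unidentified 034 entry, so the identifier survives the rename.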
@@ -16866,22 +13989,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm",
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
+ "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf",
 "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
- "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf"
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "009db412-762d-4256-8df9-eb213be01ffd",
 "value": "SslMM"
 },
@@ -16993,10 +14107,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.stresspaint",
- "https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/",
 "https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/",
- "https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/",
- "https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/"
+ "https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/",
+ "https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/",
+ "https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/"
 ],
 "synonyms": [],
 "type": []
@@ -17009,9 +14123,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity",
- "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/",
 "https://twitter.com/physicaldrive0/status/786293008278970368",
 "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/",
+ "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/",
 "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/"
 ],
 "synonyms": [],
@@ -17030,15 +14144,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "1b63293f-13f0-4c25-9bf6-6ebc023fc8ff",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "6ad84f52-0025-4a9d-861a-65c870f47988",
 "value": "Stuxnet"
 },
@@ -17099,10 +14204,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot",
- "https://www.symantec.com/connect/blogs/sykipot-attacks",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
 "https://www.alienvault.com/blogs/labs-research/sykipot-is-back",
- "https://community.rsa.com/thread/185437"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
+ "https://community.rsa.com/thread/185437",
+ "https://www.symantec.com/connect/blogs/sykipot-attacks"
 ],
 "synonyms": [
 "getkys"
@@ -17122,15 +14227,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "04585cd8-54ae-420f-9191-8ddb9b88a80c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "a396a0bb-6dc5-424a-bdbd-f8ba808ca2c2",
 "value": "SynAck"
 },
@@ -17144,15 +14240,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "83d10b83-9038-4dd6-b305-f14c21478588",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "e717a26d-17aa-4cd7-88de-dc75aa365232",
 "value": "SyncCrypt"
 },
@@ -17186,22 +14273,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10",
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
+ "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf",
 "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
- "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf"
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "2ae57534-6aac-4025-8d93-888dab112b45",
 "value": "Sys10"
 },
@@ -17210,8 +14288,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/",
- "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/"
+ "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/"
 ],
 "synonyms": [],
 "type": []
@@ -17232,6 +14310,21 @@
 "uuid": "a4b9c526-42d0-4de9-ab8e-e78f99655d11",
 "value": "SysGet"
 },
+ {
+ "description": "Sysraw stealer got its name because at some point, it was started as \"ZSysRaw\\sysraw.exe\". PDB strings suggest the name \"Clipsa\" though. First stage connects to /WPCoreLog/, the second one to /WPSecurity/. Its behavior suggest that it is an info stealer. It creates a rather large amount of files in a subdirectory (e.g. data) named \"1?[-+].dat\" and POSTs them.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysraw_stealer",
+ "https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/"
+ ],
+ "synonyms": [
+ "Clipsa"
+ ],
+ "type": []
+ },
+ "uuid": "f90e9fb9-d60d-415e-9f7f-786ee45f6947",
+ "value": "Sysraw Stealer"
+ },
 {
 "description": "",
 "meta": {
@@ -17249,9 +14342,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.szribi",
+ "https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel",
 "https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html",
- "https://www.secureworks.com/research/srizbi",
- "https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel"
+ "https://www.secureworks.com/research/srizbi"
 ],
 "synonyms": [],
 "type": []
@@ -17364,15 +14457,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3",
 "value": "TDTESS"
 },
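Review bot: The new Sysraw Stealer description has a grammar slip in its fourth sentence (`Its behavior suggest that it is an info stealer` → `Its behavior suggests that it is an info stealer`) and a stray comma in the first (`because at some point, it was started as` → `because at some point it was started as`); this text is shown verbatim to MISP users, so it is worth fixing before it ships. The pattern `1?[-+].dat` in the last sentence reads like a glob-style summary rather than a literal filename, so it is unclear what a reader should search for; if that is the intent, a short qualifier such as `files whose names match the pattern "1?[-+].dat"` would remove the ambiguity. The entry reuses the uuid of the removed Unidentified 034 entry with the same zerophagemalware reference, which correctly preserves the identifier across the rename.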
@@ -17394,8 +14478,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor",
- "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/",
- "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html"
+ "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html",
+ "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/"
 ],
 "synonyms": [],
 "type": []
@@ -17420,25 +14504,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat",
- "https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf",
 "https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf",
- "https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf",
- "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html"
+ "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf",
+ "https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf"
 ],
 "synonyms": [
 "Fakem RAT"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "eead5605-0d79-4942-a6c2-efa6853cdf6b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "b127028b-ecb1-434b-abea-e4df3ca458b9",
 "value": "Terminator RAT"
 },
@@ -17476,15 +14551,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "361d7a90-2fde-4fc7-91ed-fdce26eb790f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "24fabbe0-27a2-4c93-a6a6-c14767efaa25",
 "value": "Thanatos"
 },
@@ -17493,9 +14559,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos_ransom",
- "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/",
+ "https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html",
 "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/",
- "https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html"
+ "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/"
 ],
 "synonyms": [],
 "type": []
@@ -17546,8 +14612,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tidepool",
- "http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"
+ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf",
+ "http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/"
 ],
 "synonyms": [],
 "type": []
@@ -17560,40 +14626,24 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba",
- "http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/",
- "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf",
 "https://labsblog.f-secure.com/2016/01/18/analyzing-tinba-configuration-data/",
- "http://garage4hackers.com/entry.php?b=3086",
- "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/",
- "https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant",
- "http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html",
+ "http://www.theregister.co.uk/2012/06/04/small_banking_trojan/",
 "https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/",
+ "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/",
 "http://contagiodump.blogspot.com/2012/06/amazon.html",
- "http://www.theregister.co.uk/2012/06/04/small_banking_trojan/"
+ "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf",
+ "https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant",
+ "http://garage4hackers.com/entry.php?b=3086",
+ "http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html",
+ "http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/"
 ],
 "synonyms": [
- "Zusy",
+ "Illi",
 "TinyBanker",
- "Illi"
+ "Zusy"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "75f53ead-1aee-4f91-8cb9-b4170d747cfc",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "5594b171-32ec-4145-b712-e7701effffdd",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88",
 "value": "Tinba"
 },
@@ -17602,7 +14652,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader",
- "https://www.fidelissecurity.com/threatgeek/2017/07/deconstructing-tinyloader-0"
+ "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak",
+ "https://www.fidelissecurity.com/threatgeek/2017/07/deconstructing-tinyloader-0",
+ "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software"
 ],
 "synonyms": [],
 "type": []
@@ -17621,40 +14673,17 @@
 "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html",
 "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/",
 "https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/",
- "https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/",
- "https://krebsonsecurity.com/tag/nuclear-bot/"
+ "https://krebsonsecurity.com/tag/nuclear-bot/",
+ "https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/"
 ],
 "synonyms": [
- "NukeBot",
- "Nuclear Bot",
 "MicroBankingTrojan",
+ "Nuclear Bot",
+ "NukeBot",
 "Xbot"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "e683cd91-40b4-4e1c-be25-34a27610a22e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838",
 "value": "TinyNuke"
 },
@@ -17668,15 +14697,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "1b591586-e1ef-4a32-8dae-791aca5ddf41",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "d2414f4a-1eda-4d80-84d3-ed130ca14e3c",
 "value": "TinyTyphon"
 },
@@ -17710,24 +14730,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee",
- "https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/",
 "https://www.cert.pl/en/news/single/tofsee-en/",
- "https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/"
+ "https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/",
+ "https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/"
 ],
 "synonyms": [
 "Gheg"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "ca11e3f2-cda1-45dc-bed1-8708fa9e27a6",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "53e617fc-d71e-437b-a1a1-68b815d1ff49",
 "value": "Tofsee"
 },
@@ -17736,46 +14747,36 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker",
- "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/",
- "http://www.isightpartners.com/2014/08/analysis-torrentlocker-new-strain-malware-using-components-cryptolocker-cryptowall/"
+ "http://www.isightpartners.com/2014/08/analysis-torrentlocker-new-strain-malware-using-components-cryptolocker-cryptowall/",
+ "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "26c8b446-305c-4057-83bc-85b09630281e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "b817ce63-f1c3-49de-bd8b-fd56c3f956c9",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "ae4aa1ef-4da0-4952-9583-9d47f84edad9",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "7f6cd579-b021-4896-80da-fcc07c35c8b2",
 "value": "TorrentLocker"
 },
+ {
+ "description": "tRat is a modular RAT written in Delphi and has appeared in campaigns in September and October of 2018.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trat",
+ "https://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b9e6e4bd-57e8-44e7-853c-8dcb83c26079",
+ "value": "tRat"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.treasurehunter",
- "http://adelmas.com/blog/treasurehunter.php",
+ "https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html",
 "https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/",
- "https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html"
+ "http://adelmas.com/blog/treasurehunter.php"
 ],
 "synonyms": [
 "huntpos"
@@ -17793,11 +14794,13 @@
 "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/",
 "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412",
 "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module",
 "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre",
 "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/",
 "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/",
 "https://www.youtube.com/watch?v=KMcSAlS9zGE",
 "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/",
+ "https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/",
 "http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html",
 "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/",
@@ -17815,6 +14818,7 @@
 "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot",
 "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/",
 "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features",
 "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/",
 "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html",
 "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-3-core",
@@ -17822,34 +14826,19 @@
 "https://www.youtube.com/watch?v=EdchPEHnohw",
 "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html",
 "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html",
+ "https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html",
 "https://www.youtube.com/watch?v=lTywPmZEU1A",
 "https://qmemcpy.github.io/post/reverse-engineering-malware-trickbot-part-1-packer",
 "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf",
 "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/"
 ],
 "synonyms": [
- "Trickster",
 "TheTrick",
- "TrickLoader"
+ "TrickLoader",
+ "Trickster"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "a7dbd72f-8d53-48c6-a9db-d16e7648b2d4",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "07e3260b-d80c-4c86-bd28-8adc111bbec6",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "c824813c-9c79-4917-829a-af72529e8329",
 "value": "TrickBot"
 },
@@ -17858,29 +14847,29 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton",
- "https://dragos.com/blog/trisis/TRISIS-01.pdf",
- "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf",
 "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
 "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware",
- "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN"
+ "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN",
+ "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf",
+ "https://dragos.com/blog/trisis/TRISIS-01.pdf"
 ],
 "synonyms": [
- "Trisis",
- "HatMan"
+ "HatMan",
+ "Trisis"
 ],
 "type": []
 },
 "uuid": "79606b2b-72f0-41e3-8116-1093c1f94b15",
- "value": "win.triton"
+ "value": "Triton"
 },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat",
+ "https://github.com/5loyd/trochilus/",
 "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://github.com/5loyd/trochilus/"
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -17893,8 +14882,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh",
- "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/",
- "https://securelist.com/the-shade-encryptor-a-double-threat/72087/"
+ "https://securelist.com/the-shade-encryptor-a-double-threat/72087/",
+ "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/"
 ],
 "synonyms": [
 "Shade"
@@ -17938,15 +14927,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf",
 "value": "TURNEDUP"
 },
@@ -17975,15 +14955,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "ccde5b0d-fe13-48e6-a6f4-4e434ce29371",
 "value": "UACMe"
 },
@@ -17992,8 +14963,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.udpos",
- "https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns",
- "https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html"
+ "https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html",
+ "https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns"
 ],
 "synonyms": [],
 "type": []
@@ -18047,17 +15018,8 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "39f609e3-e6fe-4c2c-af0e-b28bc81b2ecf",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
- "uuid": "4db80a62-d318-48e7-b70b-759924ff515e",
- "value": "unidentified_005"
+ "uuid": "ff80f82d-2556-4cda-8cf2-aa6b21d59dc9",
+ "value": "win.unidentified_005"
 },
 {
 "description": "",
@@ -18221,19 +15183,6 @@
 "uuid": "f716681e-c1fd-439a-83aa-3147bb9f082f",
 "value": "Unidentified 033"
 },
- {
- "description": "",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_034",
- "https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "f90e9fb9-d60d-415e-9f7f-786ee45f6947",
- "value": "Unidentified 034"
- },
 {
 "description": "",
 "meta": {
@@ -18440,9 +15389,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.upas",
- "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/",
 "https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html",
- "https://twitter.com/ulexec/status/1005096227741020160"
+ "https://twitter.com/ulexec/status/1005096227741020160",
+ "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/"
 ],
 "synonyms": [
 "Rombrast"
@@ -18464,15 +15413,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "99d9110d-85a4-4819-9f85-05e4b73aa5f3",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "925390a6-f88d-46dc-96ae-4ebc9f0b50b0",
 "value": "Upatre"
 },
@@ -18494,11 +15434,12 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone",
 "https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations",
- "https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html",
- "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/",
 "https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/",
 "https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan",
+ "https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html",
 "https://www.arbornetworks.com/blog/asert/an-update-on-the-urlzone-banker/",
+ "https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/",
+ "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/",
 "https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/"
 ],
 "synonyms": [
@@ -18507,15 +15448,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "67a1a317-9f79-42bd-a4b2-fa1867d37d27",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "ed9f995b-1b41-4b83-a978-d956670fdfbe",
 "value": "UrlZone"
 },
@@ -18523,31 +15455,23 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos",
+ "https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken",
+ "https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation",
+ "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified",
+ "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3193&sid=9fe4a57263c91a8b18bc43ae23afc453",
+ "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence",
+ "https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots",
+ "https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg",
+ "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/"
 ],
 "synonyms": [
 "Snake"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "22332d52-c0c2-443c-9ffb-f08c0d23722c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c",
- "value": "Uroburos"
+ "value": "Uroburos (Windows)"
 },
 {
 "description": "",
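Review bot: Renaming the `value` from `Uroburos` to `Uroburos (Windows)` without keeping the old name changes the tag string consumers derive from it (MISP galaxy tags embed the cluster value), so tags already applied under the old name no longer resolve to this cluster; the same applies to `Winnti (Windows)`, `X-Agent (Windows)` and `Zeus OpenSSL` further down, and to the `Zeus Terdot` synonym that the Zloader hunk drops. Adding the old value as a synonym, `"synonyms": ["Snake", "Uroburos"]`, keeps the old tag findable at no cost. Separately, the added kernelmode.info ref carries a `sid=` session id in its query string, which is per-visitor noise rather than part of the resource; it should be stored as `http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3193`.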
@@ -18555,34 +15479,18 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak",
 "https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/",
- "https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf",
 "http://thehackernews.com/2017/01/neverquest-fbi-hacker.html",
 "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak",
+ "https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf",
 "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/"
 ],
 "synonyms": [
 "Catch",
- "grabnew",
- "NeverQuest"
+ "NeverQuest",
+ "grabnew"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "e95dd1ba-7485-4c02-bf2e-14beedbcf053",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "f3813bbd-682c-400d-8165-778be6d3f91f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "b662c253-5c87-4ae6-a30e-541db0845f67",
 "value": "Vawtrak"
 },
@@ -18657,21 +15565,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.virut",
- "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/",
- "https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/"
+ "https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/",
+ "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "cc1432a1-6580-4338-b119-a43236528ea1",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "2e99f27c-6791-4695-b88b-de4d4cbda8d6",
 "value": "Virut"
 },
@@ -18686,20 +15585,11 @@
 ],
 "synonyms": [
 "VMzeus",
- "ZeusVM",
- "Zberp"
+ "Zberp",
+ "ZeusVM"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "09d1cad8-6b06-48d7-a968-5b17bbe9ca65",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "c32740a4-db2c-4d71-80bd-7377185f4a6f",
 "value": "VM Zeus"
 },
@@ -18722,7 +15612,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer",
- "https://www.us-cert.gov/ncas/alerts/TA17-318B"
+ "https://www.us-cert.gov/ncas/alerts/TA17-318B",
+ "https://securelist.com/operation-applejeus/87553/"
 ],
 "synonyms": [
 "FALLCHILL",
@@ -18730,36 +15621,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "e0bea149-2def-484f-b658-f782a4f94815",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f",
 "value": "Volgmer"
 },
@@ -18781,8 +15642,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vskimmer",
- "http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis",
 "http://www.xylibox.com/2013/01/vskimmer.html",
+ "http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis",
 "https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/"
 ],
 "synonyms": [],
@@ -18809,39 +15670,30 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor",
- "https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984",
 "https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today",
- "https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/",
- "https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign",
- "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/",
- "http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/",
- "https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58",
- "https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html",
- "https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e",
 "https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html",
+ "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html",
 "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168",
- "https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/",
- "https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d",
+ "https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e",
+ "https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58",
+ "https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984",
+ "https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/",
+ "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/",
+ "https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html",
 "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group",
+ "https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign",
+ "https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/",
 "https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/",
- "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html"
+ "http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/",
+ "https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d"
 ],
 "synonyms": [
- "Wcry",
+ "Wana Decrypt0r",
 "WannaCry",
- "Wana Decrypt0r"
+ "Wcry"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "d62ab8d5-4ba1-4c45-8a63-13fdb099b33c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "ad67ff31-2a02-43f9-8b12-7df7e4fcccd6",
 "value": "WannaCryptor"
 },
@@ -19063,15 +15915,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "d84ebd91-58f6-459f-96a1-d028a1719914",
 "value": "WellMess"
 },
@@ -19093,22 +15936,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.winmm",
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
+ "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf",
 "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
- "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf"
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "22addc7b-b39f-483d-979a-1b35147da5de",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "6a100902-7204-4f20-b838-545ed86d4428",
 "value": "WinMM"
 },
@@ -19117,34 +15951,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/",
- "https://www.protectwise.com/blog/winnti-evolution-going-open-source.html",
- "https://github.com/TKCERT/winnti-nmap-script",
 "https://github.com/TKCERT/winnti-suricata-lua",
- "https://github.com/TKCERT/winnti-detector"
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/",
+ "https://github.com/TKCERT/winnti-nmap-script",
+ "https://www.protectwise.com/blog/winnti-evolution-going-open-source.html",
+ "https://github.com/TKCERT/winnti-detector",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "9b3a4cff-1c5a-4fd6-b49c-27240b6d622c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1",
- "value": "Winnti"
+ "value": "Winnti (Windows)"
 },
 {
 "description": "",
@@ -19169,22 +15987,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "36c0faf0-428e-4e7f-93c5-824bb0495ac9",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4",
 "value": "Wipbot"
 },
@@ -19197,8 +15999,8 @@
 "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
 ],
 "synonyms": [
- "Wimmie",
- "Syndicasec"
+ "Syndicasec",
+ "Wimmie"
 ],
 "type": []
 },
@@ -19249,8 +16051,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger",
- "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
- "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf"
+ "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf",
+ "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
 ],
 "synonyms": [
 "WoolenLogger"
@@ -19266,50 +16068,20 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent",
 "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/",
- "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
+ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
 "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
 "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
- "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
+ "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
 "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf"
 ],
 "synonyms": [
- "splm",
- "chopstick"
+ "chopstick",
+ "splm"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "56660521-6db4-4e5a-a927-464f22954b7c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "0a32ceea-fa66-47ab-8bde-150dbd6d2e40",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
- "value": "X-Agent"
+ "value": "X-Agent (Windows)"
 },
 {
 "description": "",
@@ -19341,8 +16113,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpan",
- "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/",
- "https://securelist.com/blog/research/78110/xpan-i-am-your-father/"
+ "https://securelist.com/blog/research/78110/xpan-i-am-your-father/",
+ "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/"
 ],
 "synonyms": [],
 "type": []
@@ -19384,9 +16156,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus",
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
+ "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf",
 "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
- "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf"
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 ],
 "synonyms": [
 "nokian"
@@ -19397,50 +16169,47 @@
 "value": "xsPlus"
 },
 {
- "description": "",
+ "description": "X-Tunnel is a network proxy tool that implements a custom network protocol encapsulated in the TLS protocol.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel",
+ "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
+ "https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf",
+ "https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
 "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
 "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
- "https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/",
- "https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf",
- "https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf",
- "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
- "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf"
+ "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf",
+ "https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf"
 ],
 "synonyms": [
 "xaps"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "6d180bd7-3c77-4faf-b98b-dc2ab5f49101",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74",
 "value": "X-Tunnel"
 },
+ {
+ "description": "This is a rewrite of win.xtunnel using the .NET framework that surfaced late 2017.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel_net",
+ "https://www.ncsc.gov.uk/alerts/indicators-compromise-malware-used-apt28"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "000e25a4-4623-4afc-883d-ecc15be8f9d0",
+ "value": "X-Tunnel (.NET)"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm",
- "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/"
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
+ "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
 ],
 "synonyms": [
 "ShadowWalker"
@@ -19462,29 +16231,6 @@
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "74167065-90b3-4c29-807a-79b6f098e45b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "28c13455-7f95-40a5-9568-1e8732503507",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "2a16a1d4-a098-4f17-80f3-3cfc6c60b539",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "a673b4fb-a864-4a5b-94ab-3fc4f5606cc8",
 "value": "Yahoyah"
 },
@@ -19496,8 +16242,8 @@
 "https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html"
 ],
 "synonyms": [
- "bbsinfo",
- "aumlib"
+ "aumlib",
+ "bbsinfo"
 ],
 "type": []
 },
@@ -19579,14 +16325,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess",
- "https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/",
- "https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/",
 "http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html",
- "http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/",
- "http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/",
 "http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/",
 "http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/",
- "http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html"
+ "https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/",
+ "http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html",
+ "http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/",
+ "http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/",
+ "https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/"
 ],
 "synonyms": [
 "Max++",
@@ -19620,22 +16366,6 @@
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "ff00fa92-b32e-46b6-88ca-98357ebe3f54",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c",
 "value": "ZeroT"
 },
@@ -19644,53 +16374,30 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus",
- "http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html",
- "http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html",
- "https://www.secureworks.com/research/zeus?threat=zeus",
- "https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20",
- "https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf",
- "https://nakedsecurity.sophos.com/2010/07/24/sample-run/",
- "http://eternal-todo.com/blog/zeus-spreading-facebook",
- "http://eternal-todo.com/blog/new-zeus-binary",
- "http://eternal-todo.com/blog/detecting-zeus",
- "https://www.mnin.org/write/ZeusMalware.pdf",
- "http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html",
- "http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html",
- "http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html",
- "http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html",
- "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html",
 "https://zeustracker.abuse.ch/monitor.php",
- "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html"
+ "http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html",
+ "http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html",
+ "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html",
+ "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html",
+ "http://eternal-todo.com/blog/new-zeus-binary",
+ "http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html",
+ "https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite",
+ "https://nakedsecurity.sophos.com/2010/07/24/sample-run/",
+ "https://www.mnin.org/write/ZeusMalware.pdf",
+ "https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20",
+ "http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html",
+ "http://eternal-todo.com/blog/zeus-spreading-facebook",
+ "http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html",
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf",
+ "http://eternal-todo.com/blog/detecting-zeus",
+ "https://www.secureworks.com/research/zeus?threat=zeus",
+ "http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html"
 ],
 "synonyms": [
 "Zbot"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "f0ec2df5-2e38-4df3-970d-525352006f2e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "e878d24d-f122-48c4-930c-f6b6d5f0ee28",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "4e8c1ab7-2841-4823-a5d1-39284fb0969a",
 "value": "Zeus"
 },
@@ -19707,40 +16414,35 @@
 "value": "Zeus MailSniffer"
 },
 {
- "description": "",
+ "description": "This family describes the Zeus-variant that includes a version of OpenSSL and usually is downloaded by Zloader.\r\n\r\nIn June 2016, the version 1.5.4.0 (PE timestamp: 2016.05.11) appeared, downloaded by Zloader (known as DEloader at that time). OpenSSL 1.0.1p is statically linked to it, thus its size is roughly 1.2 MB. In subsequent months, that size increased up to 1.6 MB.\r\nIn January 2017, with version 1.14.8.0, OpenSSL 1.0.2j was linked to it, increasing the size to 1.8 MB. Soon after also in January 2017, with version v1.15.0.0 the code was obfuscated, blowing up the size of the binary to 2.2 MB.\r\n\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as \"a new version of Zeus Sphinx\" in their initial post in August 2016. Malpedia thus lists the alias \"Zeus XSphinx\" for win.zeus_openssl - the X to refer to IBM X-Force.\r\n\r\nZeus Sphinx on the one hand has the following versioning (\"slow increase\")\r\n- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)\r\n\r\nZeus OpenSSL on the other hand has the following versioning (\"fast increase\")\r\n- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)\r\n- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)\r\n- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl",
+ "https://asert.arbornetworks.com/great-dga-sphinx/",
 "https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/",
- "https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/",
- "https://securityintelligence.com/uk-banks-hit-with-new-zeus-sphinx-variant-and-renewed-kronos-banking-trojan-attacks/"
+ "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/"
 ],
- "synonyms": [],
- "type": []
- },
- "related": [
- {
- "dest-uuid": "8914802c-3aca-4a0d-874a-85ac7a1bc505",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
- "uuid": "997c20b0-0992-498a-b69d-fc16ab2fd4e4",
- "value": "Zeus Sphinx"
- },
- {
- "description": "The sample listed here was previously mislabeled and is now integrated into win.floki_bot. The family is to-be-updated once we have a \"real\" Zeus SSL sample.",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_ssl"
+ "synonyms": [
+ "XSphinx"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "74fc6a3a-cc51-4065-bdd9-fcef18c988a0",
- "value": "Zeus SSL"
+ "value": "Zeus OpenSSL"
+ },
+ {
+ "description": "This family describes the vanilla Zeus-variant that includes TOR (and Polipo proxy). It has an almost 90% overlap with Zeus v2.0.8.9.\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as \"a new version of Zeus Sphinx\" in their initial post in August 2016. Malpedia thus lists the alias \"Zeus XSphinx\" for win.zeus_openssl - the X to refer to IBM X-Force.\r\n\r\nZeus Sphinx on the one hand has the following versioning (\"slow increase\")\r\n- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)\r\n\r\nZeus OpenSSL on the other hand has the following versioning (\"fast increase\")\r\n- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)\r\n- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)\r\n- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx",
+ "https://securityaffairs.co/wordpress/39592/cyber-crime/sphinx-variant-zeus-trojan.html",
+ "https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "997c20b0-0992-498a-b69d-fc16ab2fd4e4",
+ "value": "Zeus Sphinx"
 },
 {
 "description": "",
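Review bot: The new `Zeus OpenSSL` description states that Malpedia lists the alias `"Zeus XSphinx"`, but the `synonyms` array added in the same hunk holds `"XSphinx"`; one of the two should be corrected so the prose and the searchable alias agree. The entry also reuses uuid `74fc6a3a-…`, which previously identified `Zeus SSL` and whose removed description said its only sample had been re-filed under win.floki_bot, so existing references to that uuid now silently point at a different family; if this is an upstream rename of win.zeus_ssl to win.zeus_openssl, keeping the uuid is right but `Zeus SSL` should then be kept as a synonym, otherwise a fresh uuid is safer. The IBM X-Force paragraph and the two version tables are pasted verbatim into both this description and the Zeus Sphinx one (and the paragraph again into Zloader in the next hunk), which will drift apart on the next edit. The descriptions also embed `\r\n` line breaks, which renderers that expect `\n` may show as stray carriage returns.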
@@ -19783,28 +16485,23 @@
 "value": "ZhMimikatz"
 },
 {
- "description": "A banking trojan first observed in October 2016 has grown into a sophisticated hacking tool that works primarily as a banking trojan, but could also be used as an infostealer or backdoor.",
+ "description": "This family describes the (initially small) loader, which downloads Zeus OpenSSL.\r\n\r\nIn June 2016, a new loader was dubbed DEloader by Fortinet. It has some functions borrowed from Zeus 2.0.8.9 (e.g. the versioning, nrv2b, binstorage-labels), but more importantly, it downloaded a Zeus-like banking trojan (-> Zeus OpenSSL). Furthermore, the loader shared its versioning with the Zeus OpenSSL it downloaded.\r\nThe initial samples from May 2016 were small (17920 bytes). At some point, visualEncrypt/Decrypt was added, e.g. in v1.11.0.0 (September 2016) with size 27648 bytes. In January 2017 with v1.15.0.0, obfuscation was added, which blew the size up to roughly 80k, and the loader became known as Zloader aka Terdot. These changes may be related to the Moskalvzapoe Distribution Network, which started the distribution of it at the same time.\r\n\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as \"a new version of Zeus Sphinx\" in their initial post in August 2016. Malpedia thus lists the alias \"Zeus XSphinx\" for win.zeus_openssl - the X to refer to IBM X-Force.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader",
+ "https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html",
+ "https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/",
+ "https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks",
 "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/",
- "https://labs.bitdefender.com/2017/11/terdot-zeus-based-malware-strikes-back-with-a-blast-from-the-past/",
- "https://www.arbornetworks.com/blog/asert/great-dga-sphinx/"
+ "https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware",
+ "https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/"
 ],
 "synonyms": [
- "Zeus Terdot"
+ "DELoader",
+ "Terdot"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "2eb658ed-aff4-4253-a21f-9059b133ce17",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "13236f94-802b-4abc-aaa9-cb80cf4df9ed",
 "value": "Zloader"
 },
@@ -19828,24 +16525,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell",
+ "https://github.com/smb01/zxshell",
 "https://blogs.cisco.com/security/talos/opening-zxshell",
- "https://blogs.rsa.com/cat-phishing/",
- "https://github.com/smb01/zxshell"
+ "https://blogs.rsa.com/cat-phishing/"
 ],
 "synonyms": [
 "Sensocode"
 ],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "5b9dc67e-bae4-44f3-b58d-6d842a744104",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "23920e3b-246a-4172-bf9b-5e9f90510a15",
 "value": "ZXShell"
 },
@@ -19854,30 +16542,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zyklon",
- "https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html"
+ "https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html",
+ "https://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html",
+ "https://asert.arbornetworks.com/wp-content/uploads/2017/05/zyklon_season.pdf"
 ],
 "synonyms": [],
 "type": []
 },
- "related": [
- {
- "dest-uuid": "390abe30-8b9e-439e-a6d3-2ee978f05fba",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "78ef77ac-a570-4fb9-af80-d04c09dff9ab",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "721e9af0-8a60-4b9e-9137-c23e86d75722",
 "value": "Zyklon"
 }
 ],
- "version": 1651
+ "version": 1838
 }