From 8389a3e1f3d601adf20a834e77101012227c3e84 Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 5 Jan 2017 14:07:14 +0100
Subject: [PATCH 01/10] Init
---
 clusters/exploit-kit.json | 525 ++++++++++++++++++++++++++++++++++++++
 clusters/tds.json | 85 ++++++
 galaxies/exploit-kit.json | 7 +
 galaxies/tds.json | 7 +
 4 files changed, 624 insertions(+)
 create mode 100755 clusters/exploit-kit.json
 create mode 100755 clusters/tds.json
 create mode 100644 galaxies/exploit-kit.json
 create mode 100644 galaxies/tds.json
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
new file mode 100755
index 0000000..4a64b2f
--- /dev/null
+++ b/clusters/exploit-kit.json
@@ -0,0 +1,525 @@ +{ + "values": [ + { "value": "Astrum", + "description": "The Astrum Exploit Kit is a private Exploit Kit used in massive scale malvertising campaigns. It's notable by its use of Steganography", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2014/09/astrum-ek.html", + "http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/" + ], + "synonyms": [ + "Stegano EK" + ], + "status": "Active" + } + } +, + { "value": "DealersChoice", + "description": "DealersChoice is a Flash Player Exploit platform triggered by RTF", + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/" + ], + "synonyms": [ + "Sednit RTF EK" + ], + "status": "Active" + } + } +, + { "value": "DNSChanger", + "description": "DNSChanger Exploit Kit is an exploit kit targeting Routers", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html", + "https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices" + ], + "synonyms": [ + "RouterEK" + ], + "status": "Active" + } + } +, + { "value": "Empire", + "description": "The Empire Pack is a variation of RIG operated by a load seller. 
It's being fed by many traffic actors", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html", + "" + ], + "synonyms": [ + "RIG-E" + ] + , + "status": "Active" + } + } +, + { "value": "Hunter", + "description": "Hunter EK is an evolution of 3Ros EK", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/threat-insight/post/Hunter-Exploit-Kit-Targets-Brazilian-Banking-Customers" + ], + "synonyms": [ + "3ROS Exploit Kit" + ] + , + "status": "Active" + } + } +, + { "value": "Kaixin", + "description": "Kaixin is an exploit kit mainly seen behind compromised website in Asia", + "meta": { + "refs": [ + "http://www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/", + "http://www.kahusecurity.com/2012/new-chinese-exploit-pack/" + ], + "synonyms": [ + "CK vip", + "" + ] , + "status": "Active" + } + } +, + { "value": "Magnitude", + "description": "Magnitude EK", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2013/10/Magnitude.html", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Peek-Into-the-Lion-s-Den-%E2%80%93-The-Magnitude--aka-PopAds--Exploit-Kit/", + "http://malware.dontneedcoffee.com/2014/02/and-real-name-of-magnitude-is.html" + ], + "synonyms": [ + "Popads EK", + "TopExp" + ], + "status": "Active" + } + } +, + { "value": "Neutrino", + "description": "Neutrino Exploit Kit has been one of the major exploit kit from its launch in 2013 till september 2016 when it become private (defense name for this variation is Neutrino-v). 
This EK vanished from march 2014 till november 2014.", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html", + "http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html" + ], + "synonyms": [ + "Job314", + "Neutrino Rebooted", + "Neutrino-v" + ] + , + "status": "Active" + } + } +, + { "value": "RIG", + "description": "RIG is an exploit kit that takes its source in Infinity EK itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 when it was only accessible by \"vip\" customers and when RIG 3 was still in use.", + "meta": { + "refs": [ + "http://www.kahusecurity.com/2014/rig-exploit-pack/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Reloaded---Examining-the-Architecture-of-RIG-Exploit-Kit-3-0/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/", + "http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html" + ], + "synonyms": [ + "RIG 3", + "RIG-v", + "RIG 4" + ], + "status": "Active" + } + } +, + { "value": "Sednit EK", + "description": "Sednit EK is the exploit kit used by APT28", + "meta": { + "refs": [ + "http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/" + ], + "synonyms": [ + "" + ], + "status": "Active" + } + } +, + { "value": "Bizarro Sundown", + "description": "Bizarro Sundown appears to be a fork of Sundown with added anti-analysis features", + "meta": { + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/", + "https://blog.malwarebytes.com/cybercrime/exploits/2016/10/yet-another-sundown-ek-variant/" + ], + "synonyms": [ + "Sundown-b" + ], + 
"status": "Active" + } + } +, + { "value": "GreenFlash Sundown", + "description": "GreenFlash Sundown is a variation of Bizarro Sundown without landing", + "meta": { + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/" + ], + "synonyms": [ + "Sundown-GF" + ], + "status": "Active" + } + } +, + { "value": "Sundown", + "description": "Sundown Exploit Kit is mainly built out of stolen code from other exploit kits", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html", + "https://www.virusbulletin.com/virusbulletin/2015/06/beta-exploit-pack-one-more-piece-crimeware-infection-road" + ], + "synonyms": [ + "Beps", + "Xer", + "Beta" + ], + "status": "Active", + "colour": "#C03701" + } + } +, + { "value": "Angler", + "description": "The Angler Exploit Kit has been the most popular and evolved exploit kit from 2014 to middle of 2016. There was several variation. The historical \"indexm\" variant was used to spread Lurk. A vip version used notabily to spread Poweliks, the \"standard\" commercial version, and a declinaison tied to load selling (mostly bankers) that can be associated to EmpirePPC", + "meta": { + "refs": [ + "https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/", + "http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html", + "http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html" + ], + "synonyms": [ + "XXX", + "AEK" + ], + "status": "Retired - Last seen: 2016-06-07" + } + } +, + { "value": "Archie", + "description": "Archie EK", + "meta": { + "refs": [ + "https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit" + ], + "status": "Retired" + } + } +, + { "value": "BlackHole", + "description": "The BlackHole Exploit Kit has been the most popular exploit kit from 2011 to 2013. 
It's activity stopped with Paunch's Arrest (all activity since then is marginal and based on the old leak)", + "meta": { + "refs": [ + "", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Blackhole-Exploit-Kit-v2/", + "https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/" + ], + "synonyms": [ + "BHEK" + ], + "status": "Retired - Last seen: 2013-10-07" + } + } +, + { "value": "Bleeding Life", + "description": "Bleeding Life", + "meta": { + "refs": [ + "", + "" + ], + "synonyms": [ + "BL", + "BL2" + ] + , + "status": "Retired" + } + } +, + { "value": "Cool", + "description": "The Cool Exploit Kit was a kind of BlackHole VIP in 2012/2013", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2012/10/newcoolek.html", + "http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html", + "http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/" + ], + "synonyms": [ + "CEK", + "Styxy Cool" + ], + "status": "Retired - Last seen: 2013-10-07" + } + } +, + { "value": "Fiesta", + "description": "Fiesta Exploit Kit", + "meta": { + "refs": [ + "http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an", + "http://www.kahusecurity.com/2011/neosploit-is-back/" + ], + "synonyms": [ + "NeoSploit", + "" + ] + , + "status": "Retired - Last Seen: beginning of 2015-07" + } + } +, + { "value": "FlashPack", + "description": "FlashPack EK got multiple fork. 
The most common variant seen was the standalone Flash version", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html", + "http://malware.dontneedcoffee.com/2013/04/meet-safe-pack-v20-again.html" + ], + "synonyms": [ + "FlashEK", + "SafePack", + "CritXPack", + "Vintage Pack" + ] + , + "status": "Retired - Last seen: middle of 2015-04" + } + } +, + { "value": "GrandSoft", + "description": "GrandSoft Exploit Kit was a quite common exploit kit used in 2012/2013", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html", + "http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html", + "https://nakedsecurity.sophos.com/2012/08/24/sophos-sucks-malware/" + ], + "synonyms": [ + "StampEK", + "SofosFO" + ] , + "status": "Retired - Last seen: 2014-03" + } + } +, + { "value": "HanJuan", + "description": "Hanjuan EK was a one actor fed variation of Angler EK used in evolved malvertising chain targeting USA. 
It has been using a 0day (CVE-2015-0313) from beginning of December 2014 till beginning of February 2015", + "meta": { + "refs": [ + "http://www.malwaresigs.com/2013/10/14/unknown-ek/", + "https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-exploit-kit-in-cve-2015-0313-attack", + "https://twitter.com/kafeine/status/562575744501428226" + ], + "synonyms": [ + "", + "" + ], + "status": "Retired - Last seen: 2015-07" + } + } +, + { "value": "Himan", + "description": "Himan Exploit Kit", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2013/10/HiMan.html" + ], + "synonyms": [ + "High Load" + ], + "status": "Retired - Last seen: 2014-04" + } + } +, + { "value": "Impact", + "description": "Impact EK", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html" + ], + "synonyms": [ + "", + "" + ] + , + "status": "Retired" + } + } +, + { "value": "Infinity", + "description": "Infinity is an evolution of Redkit", + "meta": { + "refs": [ + "http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html", + "http://www.kahusecurity.com/2014/the-resurrection-of-redkit/" + ], + "synonyms": [ + "Redkit v2.0", + "Goon" + ], + "status": "Retired - Last seen: 2014-07" + } + } +, + { "value": "Lightsout", + "description": "Lightsout Exploit Kit has been used in Watering Hole attack performed by the APT Group havex", + "meta": { + "refs": [ + "http://blog.talosintel.com/2014/03/hello-new-exploit-kit.html", + "http://blog.talosintel.com/2014/05/continued-analysis-of-lightsout-exploit.html", + "http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html" + ], + "synonyms": [ + "" + ], + "status": "Unknown - Last seen: 2014-03" + } + } +, + { "value": "Niteris", + "description": "Niteris was used mainly to target Russian.", + "meta": { + "refs": [ + 
"http://malware.dontneedcoffee.com/2014/06/cottoncastle.html", + "http://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html" + ], + "synonyms": [ + "CottonCastle" + ], + "status": "Unknown - Last seen: 2015-11" + } + } +, + { "value": "Nuclear", + "description": "The Nuclear Pack appeared in 2009 and has been one of the longer living one. Spartan EK was a landing less variation of Nuclear Pack", + "meta": { + "refs": [ + "", + "http://blog.checkpoint.com/2016/05/17/inside-nuclears-core-unraveling-a-ransomware-as-a-service-infrastructure/" + ], + "synonyms": [ + "NEK", + "Nuclear Pack", + "Spartan" + ] , + "status": "Retired - Last seen: 2015-04-30" + } + } +, + { "value": "Phoenix", + "description": "Phoenix Exploit Kit", + "meta": { + "refs": [ + "http://malwareint.blogspot.fr/2010/09/phoenix-exploits-kit-v21-inside.html", + "http://blog.trendmicro.com/trendlabs-security-intelligence/now-exploiting-phoenix-exploit-kit-version-2-5/" + ], + "synonyms": [ + "PEK" + ], + "status": "Retired" + } + } +, + { "value": "Private Exploit Pack", + "description": "Private Exploit Pack", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2013/07/pep-new-bep.html", + "http://malwageddon.blogspot.fr/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html" + ], + "synonyms": [ + "PEP" + ], + "status": "Retired" + } + } +, + { "value": "Redkit", + "description": "Redkit has been a major exploit kit in 2012. 
One of its specific features was to allow its access against a share of a percentage of the customer's traffic", + "meta": { + "refs": [ + "https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Wild-Exploit-Kit-Appears----Meet-RedKit/", + "http://malware.dontneedcoffee.com/2012/05/inside-redkit.html", + "https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/" + ], + "status": "Retired" + } + } +, + { "value": "Sakura", + "description": "Description Here", + "meta": { + "refs": [ + "http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html", + "" + ], + "status": "Retired - Last seen: 2013-09" + } + } +, + { "value": "Sweet-Orange", + "description": "Sweet Orange", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html", + "" + ], + "synonyms": [ + "SWO" + ], + "status": "Retired - Last seen: 2015-04-05" + } + } +, + { "value": "Styx", + "description": "Styx Exploit Kit", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html", + "https://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto/", + "http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html" + ], + "status":"Retired - Last seen: 2014-06" + } + } +, + { "value": "Unknown", + "description": "Unknown Exploit Kit. This is a place holder for any undocumented Exploit Kit. If you use this tag, we will be more than happy to give it a deep look.", + "meta": { + "refs": [ + "https://twitter.com/kafeine", + "https://twitter.com/node5", + "https://twitter.com/kahusecurity" + ] + } + } +], + "version": 2, + "uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01", + "description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. 
The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years", + "authors": [ + "Kafeine", + "Will Metcalf", + "KahuSecurity" + ], + "source": "MISP Project", + "type": "exploit-kit", + "name": "Exploit-Kit" +} diff --git a/clusters/tds.json b/clusters/tds.json new file mode 100755 index 0000000..66a4929 --- /dev/null +++ b/clusters/tds.json 
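Review bot: The `status` field of each entry mixes a state with free-text dating in one string (`"Active"`, `"Retired"`, `"Retired - Last seen: 2016-06-07"`, `"Retired - Last Seen: beginning of 2015-07"`, `"Unknown - Last seen: 2014-03"`), so a consumer cannot filter on state or sort on last-seen without parsing prose, and the capitalisation of "Last seen" already differs between the Fiesta and Angler entries. Keeping `status` a closed enum and carrying the date separately, for example `"status": "Retired",` plus a constructed key such as `"last_seen": "2016-06-07",`, would keep the cluster queryable; the month-only and "beginning of" values would need a documented partial-date form. The `meta` shape is also not stable across the array: the `Unknown` entry has no `status` at all, and `Sundown` is the only entry carrying a `colour` key. The top-level description's `exploit kits.It's not meant` lacks the space after the period; the galaxy description introduced in patch 03 of this series carries the same text.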
@@ -0,0 +1,85 @@
+{
+ "values": [
+ { "value": "Keitaro",
+ "description": "Keitaro TDS is among the mostly used TDS in drive by infection chains",
+ "meta": {
+ "refs": [
+ "https://keitarotds.com/"
+ ]
+ },
+ "type":"Commercial"
+ }
+,
+ { "value": "Sutra",
+ "description": "Sutra TDS was dominant from 2012 till 2015",
+ "meta": {
+ "refs": [
+ "http://kytoon.com/sutra-tds.html"
+ ],
+ "type"="Commercial"
+ }
+ }
+,
+ { "value": "SimpleTDS",
+ "description": "SimpleTDS is a basic open source TDS",
+ "meta": {
+ "refs": [
+ "https://sourceforge.net/projects/simpletds/"
+ ],
+ "synonyms": [
+ "Stds"
+ ],
+ "type"="OpenSource"
+ }
+ }
+,
+ { "value": "BossTDS",
+ "description": "BossTDS",
+ "meta": {
+ "refs": [
+ "http://bosstds.com/"
+ ],
+ "type"="Commercial"
+ }
+ }
+,
+ { "value": "BlackHat TDS",
+ "description": "BlackHat TDS is sold underground.",
+ "meta": {
+ "refs": [
+ "http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html"
+ ],
+ "type"="Underground"
+ }
+ }
+,
+ { "value": "Futuristic TDS",
+ "description": "Futuristic TDS is the TDS componenent of BlackOS/CookieBomb/NorthTale Iframer",
+ "meta": {
+ "refs": [
+ ""
+ ],
+ "type"="Underground"
+ }
+ }
+,
+ { "value": "Orchid TDS",
+ "description": "Orchid TDS was sold underground. Rare usage",
+ "meta": {
+ "refs": [
+ ""
+ ],
+ "type"="Underground"
+ }
+ }
+ ],
+ "version": 1,
+ "uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01",
+ "description": "TDS is a list of Traffic Direction System used by adversaries",
+ "authors": [
+ "Kafeine"
+ ],
+ "source": "MISP Project",
+ "type": "tds",
+ "name": "TDS"
+}
\ No newline at end of file
diff --git a/galaxies/exploit-kit.json b/galaxies/exploit-kit.json
new file mode 100644
index 0000000..cbcf2dc
--- /dev/null
+++ b/galaxies/exploit-kit.json
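Review bot: The `Keitaro` entry puts `"type":"Commercial"` after the `},` that closes `meta`, while the six other entries put the same key inside `meta`, so anything reading `meta.type` sees no value for Keitaro; move it inside `meta` as `"type":"Commercial"` ahead of the closing `}`. Those six entries use `=` instead of `:` (`"type"="Commercial"`), which no RFC 8259 parser accepts; patch 07 of this series fixes the separators but leaves the Keitaro placement as it is. Reusing `type` inside `meta` for the commercial/open-source/underground classification also shadows the cluster-level `"type": "tds"` for any tool that flattens the record, so a more specific key name would remove the ambiguity.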
@@ -0,0 +1,7 @@
+{
+ "type" : "exploit-kit",
+ "name" : "Exploit-Kit",
+ "description":"Exploit-Kit is an enumeration of exploitation kit used by adversaries. The list includes document, browser and router exploit kits",
+ "version": 2,
+ "uuid": "6ab240ec-bd79-11e6-a4a6-cec0c932ce01"
+}
diff --git a/galaxies/tds.json b/galaxies/tds.json
new file mode 100644
index 0000000..2763cf0
--- /dev/null
+++ b/galaxies/tds.json
@@ -0,0 +1,7 @@
+{
+ "type" : "tds",
+ "name" : "TDS",
+ "description": "TDS is a list of Traffic Direction System used by adversaries",
+ "version": 2,
+ "uuid": "1b9a7d8e-bd7a-11e6-a4a6-cec0c932ce01"
+}
From 9517f26120f8f2c45b5bb0f2a4546720e4e777cd Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 5 Jan 2017 14:12:30 +0100
Subject: [PATCH 02/10] Mwi added
---
 clusters/exploit-kit.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 4a64b2f..c96105e 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -101,6 +101,20 @@
 "status": "Active"
 }
 }
+,
+ { "value": "MWI",
+ "description": "Microsoft Word Intruder is an exploit kit focused on Word and embedded flash exploits. The author wants to avoid their customer to use it in mass spam campaign, so it's most often connected to semi-targeted attacks",
+ "meta": {
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html",
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf"
+ ],
+ "synonyms": [
+ ""
+ ],
+ "status": "Active"
+ }
+ }
 ,
 { "value": "Neutrino",
 "description": "Neutrino Exploit Kit has been one of the major exploit kit from its launch in 2013 till september 2016 when it become private (defense name for this variation is Neutrino-v). This EK vanished from march 2014 till november 2014.",
From 49808e969fafe537951650576b94685041a7c48f Mon Sep 17 00:00:00 2001
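Review bot: `galaxies/tds.json` is created at `"version": 2` while `clusters/tds.json` in the same commit starts at `"version": 1`, whereas the exploit-kit galaxy and cluster are both at 2. If galaxy and cluster versions are meant to advance together, the tds pair should start aligned; if they are independent, a short note in the commit message would stop the next reader from "fixing" it.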
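Review bot: The new `MWI` entry adds `"synonyms": [ "" ]`, an empty-string placeholder that consumers will index or render as a real alias; patch 08 of this series removes it again, so it is better not introduced here. The description sentence `The author wants to avoid their customer to use it in mass spam campaign` reads awkwardly; if it is touched again, `The author does not want customers to use it in mass spam campaigns, so it is most often seen in semi-targeted attacks` keeps the meaning. The enclosing `values` array starts and ends outside the hunk.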
From: root
Date: Thu, 5 Jan 2017 14:16:51 +0100
Subject: [PATCH 03/10] EK galaxie
---
 galaxies/exploit-kit.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/galaxies/exploit-kit.json b/galaxies/exploit-kit.json
index cbcf2dc..f86ddf1 100644
--- a/galaxies/exploit-kit.json
+++ b/galaxies/exploit-kit.json
@@ -1,7 +1,7 @@
 {
 "type" : "exploit-kit",
 "name" : "Exploit-Kit",
- "description":"Exploit-Kit is an enumeration of exploitation kit used by adversaries. The list includes document, browser and router exploit kits",
+ "description":"Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
 "version": 2,
 "uuid": "6ab240ec-bd79-11e6-a4a6-cec0c932ce01"
 }
From 5dbcac9c30b1f5a7110a4ea8f7037e303e77db3b Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 5 Jan 2017 14:18:14 +0100
Subject: [PATCH 04/10] EK Cluster update
---
 clusters/exploit-kit.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index c96105e..28d9c39 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -515,7 +515,7 @@
 }
 ,
 { "value": "Unknown",
- "description": "Unknown Exploit Kit. This is a place holder for any undocumented Exploit Kit. If you use this tag, we will be more than happy to give it a deep look.",
+ "description": "Unknown Exploit Kit. This is a place holder for any undocumented Exploit Kit. If you use this tag, we will be more than happy to give the associated EK a deep look.",
 "meta": {
 "refs": [
 "https://twitter.com/kafeine",
From 9efa19fa47072a8838acd3069f660aeaa785a53a Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 5 Jan 2017 14:20:42 +0100
Subject: [PATCH 05/10] EK Cluster typo fix
---
 clusters/exploit-kit.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 28d9c39..035eddc 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -236,7 +236,7 @@
 }
 ,
 { "value": "BlackHole",
- "description": "The BlackHole Exploit Kit has been the most popular exploit kit from 2011 to 2013. It's activity stopped with Paunch's Arrest (all activity since then is marginal and based on the old leak)",
+ "description": "The BlackHole Exploit Kit has been the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch's Arrest (all activity since then is marginal and based on the old leak)",
 "meta": {
 "refs": [
 "",
From d2dc4e81822b94b9634c53e7088e01423efb91bc Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 5 Jan 2017 14:28:01 +0100
Subject: [PATCH 06/10] EK Cluster : several fixes
---
 clusters/exploit-kit.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 035eddc..bab4139 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -236,7 +236,7 @@
 }
 ,
 { "value": "BlackHole",
- "description": "The BlackHole Exploit Kit has been the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch's Arrest (all activity since then is marginal and based on the old leak)",
+ "description": "The BlackHole Exploit Kit has been the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch's arrest (all activity since then is anecdotal and based on an old leak)",
 "meta": {
 "refs": [
 "",
@@ -251,11 +251,11 @@
 }
 ,
 { "value": "Bleeding Life",
- "description": "Bleeding Life",
+ "description": "Bleeding Life is an exploit kit that got open source with its version 2",
 "meta": {
 "refs": [
- "",
- ""
+ "http://www.kahusecurity.com/2011/flash-used-in-idol-malvertisement/",
+ "http://thehackernews.com/2011/10/bleeding-life-2-exploit-pack-released.html"
 ],
 "synonyms": [
 "BL",
From 7df3b0b7b631689a67596cbc1e84378c2d6cee8d Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 5 Jan 2017 14:34:27 +0100
Subject: [PATCH 07/10] TDS Cluster: json fix
---
 clusters/tds.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/clusters/tds.json b/clusters/tds.json
index 66a4929..0ce15d2 100755
--- a/clusters/tds.json
+++ b/clusters/tds.json
@@ -16,7 +16,7 @@
 "refs": [
 "http://kytoon.com/sutra-tds.html"
 ],
- "type"="Commercial"
+ "type":"Commercial"
 }
 }
 ,
@@ -29,7 +29,7 @@
 "synonyms": [
 "Stds"
 ],
- "type"="OpenSource"
+ "type":"OpenSource"
 }
 }
 ,
@@ -39,7 +39,7 @@
 "refs": [
 "http://bosstds.com/"
 ],
- "type"="Commercial"
+ "type":"Commercial"
 }
 }
 ,
@@ -49,7 +49,7 @@
 "refs": [
 "http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html"
 ],
- "type"="Underground"
+ "type":"Underground"
 }
 }
 ,
@@ -59,7 +59,7 @@
 "refs": [
 ""
 ],
- "type"="Underground"
+ "type":"Underground"
 }
 }
 ,
@@ -69,7 +69,7 @@
 "refs": [
 ""
 ],
- "type"="Underground"
+ "type":"Underground"
 }
 }
 ],
From 9128289bc5c6d4786a134a6467dc8b87335d3b22 Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 5 Jan 2017 14:41:57 +0100
Subject: [PATCH 08/10] EK and TDS clusters : Removed empty entries
---
 clusters/exploit-kit.json | 36 ++++++------------------------------
 clusters/tds.json | 6 ------
 2 files changed, 6 insertions(+), 36 deletions(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index bab4139..6a04713 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -46,8 +46,7 @@
 "description": "The Empire Pack is a variation of RIG operated by a load seller. It's being fed by many traffic actors",
 "meta": {
 "refs": [
- "http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html",
- ""
+ "http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html"
 ],
 "synonyms": [
 "RIG-E"
@@ -79,8 +78,7 @@
 "http://www.kahusecurity.com/2012/new-chinese-exploit-pack/"
 ],
 "synonyms": [
- "CK vip",
- ""
+ "CK vip"
 ] ,
 "status": "Active"
 }
@@ -108,9 +106,6 @@
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html",
 "https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf"
- ],
- "synonyms": [
- ""
 ],
 "status": "Active"
 }
@@ -157,9 +152,6 @@
 "refs": [
 "http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/"
- ],
- "synonyms": [
- ""
 ],
 "status": "Active"
 }
@@ -239,7 +231,6 @@
 "description": "The BlackHole Exploit Kit has been the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch's arrest (all activity since then is anecdotal and based on an old leak)",
 "meta": {
 "refs": [
- "",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/Blackhole-Exploit-Kit-v2/",
 "https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/"
 ],
@@ -251,7 +242,7 @@
 }
 ,
 { "value": "Bleeding Life",
- "description": "Bleeding Life is an exploit kit that got open source with its version 2",
+ "description": "Bleeding Life is an exploit kit that became open source with its version 2",
 "meta": {
 "refs": [
 "http://www.kahusecurity.com/2011/flash-used-in-idol-malvertisement/",
@@ -290,8 +281,7 @@
 "http://www.kahusecurity.com/2011/neosploit-is-back/"
 ],
 "synonyms": [
- "NeoSploit",
- ""
+ "NeoSploit"
 ]
 ,
 "status": "Retired - Last Seen: beginning of 2015-07"
@@ -340,10 +330,6 @@
 "https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-exploit-kit-in-cve-2015-0313-attack",
 "https://twitter.com/kafeine/status/562575744501428226"
- ],
- "synonyms": [
- "",
- ""
 ],
 "status": "Retired - Last seen: 2015-07"
 }
@@ -367,10 +353,6 @@
 "meta": {
 "refs": [
 "http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html"
- ],
- "synonyms": [
- "",
- ""
 ]
 ,
 "status": "Retired"
@@ -399,9 +381,6 @@
 "http://blog.talosintel.com/2014/03/hello-new-exploit-kit.html",
 "http://blog.talosintel.com/2014/05/continued-analysis-of-lightsout-exploit.html",
 "http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html"
- ],
- "synonyms": [
- ""
 ],
 "status": "Unknown - Last seen: 2014-03"
 }
@@ -425,7 +404,6 @@
 "description": "The Nuclear Pack appeared in 2009 and has been one of the longer living one. Spartan EK was a landing less variation of Nuclear Pack",
 "meta": {
 "refs": [
- "",
 "http://blog.checkpoint.com/2016/05/17/inside-nuclears-core-unraveling-a-ransomware-as-a-service-infrastructure/"
 ],
 "synonyms": [
@@ -481,8 +459,7 @@
 "description": "Description Here",
 "meta": {
 "refs": [
- "http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html",
- ""
+ "http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html"
 ],
 "status": "Retired - Last seen: 2013-09"
 }
@@ -492,8 +469,7 @@
 "description": "Sweet Orange",
 "meta": {
 "refs": [
- "http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html",
- ""
+ "http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html"
 ],
 "synonyms": [
 "SWO"
diff --git a/clusters/tds.json b/clusters/tds.json
index 0ce15d2..c9b9df7 100755
--- a/clusters/tds.json
+++ b/clusters/tds.json
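Review bot: The `Sakura` entry in the `@@ -481` hunk still carries `"description": "Description Here"`, a template placeholder that survives a commit whose purpose is removing empty values; consumers will display the template text as if it were intelligence. Either write a one-line description (the xylibox reference kept in the same hunk presumably supports one) or drop the key until there is something to say. The neighbouring `@@ -492` hunk shows the weaker variant of the same problem, a description that only repeats the name (`"description": "Sweet Orange"`). Each entry's enclosing object starts outside its hunk.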
@@ -56,9 +56,6 @@
 { "value": "Futuristic TDS",
 "description": "Futuristic TDS is the TDS componenent of BlackOS/CookieBomb/NorthTale Iframer",
 "meta": {
- "refs": [
- ""
- ],
 "type":"Underground"
 }
 }
@@ -66,9 +63,6 @@
 { "value": "Orchid TDS",
 "description": "Orchid TDS was sold underground. Rare usage",
 "meta": {
- "refs": [
- ""
- ],
 "type":"Underground"
 }
 }
From 7094d30926955a3eaaff230d2969f372f22a3e5d Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 5 Jan 2017 14:53:56 +0100
Subject: [PATCH 09/10] EK and TDS clusters : several minor fixes
---
 clusters/exploit-kit.json | 4 ++--
 clusters/tds.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 6a04713..f7beeab 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -1,7 +1,7 @@
 {
 "values": [
 { "value": "Astrum",
- "description": "The Astrum Exploit Kit is a private Exploit Kit used in massive scale malvertising campaigns. It's notable by its use of Steganography",
+ "description": "Astrum Exploit Kit is a private Exploit Kit used in massive scale malvertising campaigns. It's notable by its use of Steganography",
 "meta": {
 "refs": [
 "http://malware.dontneedcoffee.com/2014/09/astrum-ek.html",
@@ -29,7 +29,7 @@
 }
 ,
 { "value": "DNSChanger",
- "description": "DNSChanger Exploit Kit is an exploit kit targeting Routers",
+ "description": "DNSChanger Exploit Kit is an exploit kit targeting Routers via the browser",
 "meta": {
 "refs": [
 "http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html",
diff --git a/clusters/tds.json b/clusters/tds.json
index c9b9df7..845de92 100755
--- a/clusters/tds.json
+++ b/clusters/tds.json
@@ -54,7 +54,7 @@
 }
 ,
 { "value": "Futuristic TDS",
- "description": "Futuristic TDS is the TDS componenent of BlackOS/CookieBomb/NorthTale Iframer",
+ "description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer",
 "meta": {
 "type":"Underground"
 }
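Review bot: Removing the whole `refs` block from the `Futuristic TDS` and `Orchid TDS` entries leaves their `meta` with only `type`, while the five other entries in this file always carry `meta.refs`, so a consumer that iterates `meta.refs` unconditionally now fails on these two. Either keep the key with an empty array, `"refs": [],`, so the per-entry shape stays uniform, or state in the cluster description that `refs` is optional. The same choice was made for the `synonyms` arrays dropped from `clusters/exploit-kit.json` earlier in this patch, where `Archie` and `Redkit` already lacked the key, so absence may be the intended convention; if so, `[]` is not needed but the convention should be written down. Applies to both the `@@ -56` and `@@ -66` hunks.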
From 45c7f28afd3b2526129ee05110319e31efd74fc2 Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 5 Jan 2017 16:03:04 +0100
Subject: [PATCH 10/10] TDS Cluster: EOF
---
 clusters/tds.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/tds.json b/clusters/tds.json
index 845de92..4fcb935 100755
--- a/clusters/tds.json
+++ b/clusters/tds.json
@@ -76,4 +76,4 @@
 "source": "MISP Project",
 "type": "tds",
 "name": "TDS"
-}
\ No newline at end of file
+}